
kwbot.c virus

Discussion in 'Virus & Other Malware Removal' started by jvize, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    I need some help reading a Hijack This log ... I was just infected with the W32.kwbot.C.worm on Kazaa, and it's driving me nuts. I tried Symantec's suggestions, but to no avail. When I run NAV, it's saying that it can't verify my settings and won't start the auto-enable function. I'm getting tons of popup ads.

    Here's what my Hijack This log says:

    Logfile of HijackThis v1.97.2
    Scan saved at 3:29:14 PM, on 9/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Jeff\Application Data\aiao.exe
    C:\WINDOWS\System32\winservn.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NProtect.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\PROGRA~1\NORTON~2\navw32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Ceoa] C:\Documents and Settings\Jeff\Application Data\aiao.exe
    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.8183333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E835C3-1B2B-4CF1-B584-9712E77AC590}: NameServer = 169.237.250.250 169.237.1.250


    Any help would be greatly appreciated!
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi jvize, welcome to TSG.

    You can have HJT fix the following. Close your browser, check the following items in HJT, click Fix and reboot afterwards.


    O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe

    O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe


    If you recognize this as your ISP or network/router IP, then leave it. Someone else may know whether it's legit:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E835C3-1B2B-4CF1-B584-9712E77AC590}: NameServer = 169.237.250.250 169.237.1.250

    After rebooting, delete these files:

    savenow.exe

    winservn.exe


    Afterwards, download Spybot:

    http://www.safer-networking.org/index.php?lang=en&page=download

    ...after installing, have it go online and download all updates. Then scan your system for any problems. Everything it finds in RED is safe to fix.

    :)
     
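A small triage script of the kind a helper reading these logs might use, added here as an example (it is not from the thread or from HijackThis itself). It parses the O2, O4 and O17 line formats shown above and applies the same checks buckaroo and mobo made by hand: a BHO with no file behind it, an autostart of one of the two files named for deletion, an autostart run out of a user profile directory, and DNS servers to be confirmed. The sample lines are constructed from entry types in this thread; the known-bad list is only the two file names given above.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.97 line format, using entry types that
# come up in this thread (O2 BHO, O4 Run keys, O17 NameServer). Not a full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [savenow] C:\WINDOWS\savenow.exe
O4 - HKCU\..\Run: [Ceoa] C:\Documents and Settings\Jeff\Application Data\aiao.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E835C3-1B2B-4CF1-B584-9712E77AC590}: NameServer = 169.237.250.250 169.237.1.250
"""

# File names the helpers in this thread told the poster to fix and delete.
KNOWN_BAD_FILES = {"savenow.exe", "winservn.exe"}

# Autostart images living under a user-writable profile directory deserve a
# second look: vendors normally install to Program Files or System32.
PROFILE_DIR = re.compile(r"\\Documents and Settings\\[^\\]+\\Application Data\\", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")

@dataclass
class Finding:
    section: str   # O2 / O4 / O17
    action: str    # "fix" (safe to let HJT remove) or "review" (needs a human decision)
    reason: str
    line: str

def image_name(cmd: str) -> str:
    """Return the lowercase file name of the executable in an O4 command line."""
    exe = cmd.strip().strip('"').split('"')[0]   # drop quotes and anything after a quoted path
    exe = exe.split(" /")[0]                      # drop unquoted switches such as /background
    return exe.rsplit("\\", 1)[-1].lower()

def triage(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("O2", "fix", "BHO registered but its DLL is missing", line))
        elif m := O4_RE.match(line):
            name = image_name(m["cmd"])
            if name in KNOWN_BAD_FILES:
                findings.append(Finding("O4", "fix", f"autostart of known unwanted file {name}", line))
            elif PROFILE_DIR.search(m["cmd"]):
                findings.append(Finding("O4", "review", f"autostart of {name} from a user profile directory", line))
        elif m := O17_RE.match(line):
            findings.append(Finding("O17", "review", f"DNS servers {m['servers']}: confirm they belong to the ISP or router", line))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample and it returns the orphaned BHO and the two named files as "fix", and the profile-directory autostart plus the NameServer entry as "review".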
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    This slipped through on you, Buckaroo:
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
     
  4. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    Thanks for the replies. I deleted the stuff in the first post (still haven't got to yours, motherboard), and when I start up, Windows still calls up my dial-up connection automatically. NAV is still screwed up as well (may have to reinstall that).

    Here's my log currently (after deleting the line mentioned in motherboard's post).

    Cheers ...


    Logfile of HijackThis v1.97.2
    Scan saved at 6:45:25 PM, on 9/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Jeff\Application Data\aiao.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NProtect.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Ceoa] C:\Documents and Settings\Jeff\Application Data\aiao.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.8183333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E835C3-1B2B-4CF1-B584-9712E77AC590}: NameServer = 169.237.250.250 169.237.1.250
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E835C3-1B2B-4CF1-B584-9712E77AC590}: NameServer = 169.237.250.250 169.237.1.250


    Is the problem that internet explorer dials up when you power up and you do not want that ?
     
  6. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    One other thing to add: I noticed Download All by FlashGet is on my HJT log. I'm not using FlashGet right now. I got the virus when I was attempting to download a BS version of the program from Kazaa.

    Cheers again to all you for helping out. This is an amazing site ... just what I needed after dealing with helpless tech support people. I purchased a new computer Monday with a version of XP that wasn't patched for the Blaster worm (Microsoft still sells them, 3 months after discovering the flaw). Got the Blaster worm, spent days repairing. Got the Nachi worm. Finally had to wipe out my OS to clear things up (don't ask), and now I get this kwbot worm before I could download updates for NAV, XP, etc.

    The posters here provide a great service.
     
  7. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    Motherboard (post #5): IE tries to call up its dialer as soon as I turn my computer on. Then I was getting tons of popups. And NAV tells me that it can't verify settings every time I turn on my computer (auto-enable and e-mail scanning are out of commission too). I figure a reinstall might solve that, but I want to wait until I've cleaned the virus entirely ... I reinstalled earlier today after I followed Symantec's cleaning instructions and it screwed up the program again.
     
  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    If you don't use it then check these as well:
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    As well as add/remove programs
     
  9. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Let's now download Spybot Search and Destroy. Update it, download any updates, then do a scan and fix all it finds. Then we'll get you to do a scan here and post back when complete.
     
  10. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    As well, if you don't want Internet Explorer starting on restart automatically, then open Internet Explorer, go to Tools / Options / Connections tab, check "Never dial a connection", then Apply.

    Now for your antivirus: try deleting it from Add/Remove Programs, then when complete do a total reinstall and see how it goes.
     
  11. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    I'm working on this. Ran Spybot and killed about 10-15 files and registry entries. No problem with the IE dial-up when I rebooted, but NAV is screwed. I'm uninstalling that and going to reinstall later. I think I'm taken care of.

    Thanks again for all your help!
     
  12. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Just make certain to get all the Norton files: do a Windows search for Symantec as well as Norton and delete all before reinstalling.
     
  13. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    As well, for Spybot, the next time you run and finish a scan and fix any items, click on the Immunize button to prevent the spycrud from getting on in the first place.
     
  14. jvize

    jvize Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    6
    Did it and it looks good so far. Still haven't reinstalled Norton, but will do that next.
     
  15. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Thanks for your help here MB. That BHO was for FlashGet. Personally, I wouldn't use a download manager, but I never know whether to target them for removal with these logs as some people like their download managers.

    Turns out jvize didn't want it anyway. Glad you jumped in here and helped out.

    Take care.

    (y)
     
Short URL to this thread: https://techguy.org/168139
