Virus affecting IE6. Pls help see Hijack log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Please help sorting out my problem and analysing my HijackThis log.

IE6 is getting slower and slower after I established connection with ISP.
Furthermore, known websites addresses can't be displayed, can't find server messages etc.
So far I have run adaware, spybot search & destroy, CWshredder - CWS keeps appearing.
This removed few problems but IE6 problems remains (f.i. can't find POP server) as well as porn site appearing.

How to proceed?

many thanks alexander


Logfile of HijackThis v1.97.7
Scan saved at 15:29:39, on 13-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winupdate.exe
C:\WINDOWS\System32\wpconfig.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\TimeSRV.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.zonnet.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Pollon] pollone.exe
O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\Run: [wp_config] wpconfig.exe
O4 - HKLM\..\Run: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Pollon] pollone.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Pollon] pollone.exe
O4 - HKCU\..\Run: [wp_config] wpconfig.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunOnce: [Pollon] pollone.exe
O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
O4 - HKCU\..\RunOnce: [Pollon] pollone.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5552314815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jul 26, 2002
Messages
46,331
Hi alexander123

Welcome to TSG! :)

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Hi Flrman 1
sorry took much longer.
Internet freezes my complete PC. Impossable to downlad small files or even send emails. Now working from other PC.
Latest notification from CWshredder on affected PC is: CWS Smartsearch removed.

Please find log below, pls advise next steps.
alexander


Logfile of HijackThis v1.98.2
Scan saved at 17:28:33, on 13-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winupdate.exe
C:\WINDOWS\System32\pollone.exe
C:\WINDOWS\System32\wpconfig.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\WINDOWS\System32\slserv32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\TimeSRV.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Pollon] pollone.exe
O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\Run: [wp_config] wpconfig.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Pollon] pollone.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunOnce: [Pollon] pollone.exe
O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Pollon] pollone.exe
O4 - HKCU\..\Run: [wp_config] wpconfig.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\RunOnce: [Pollon] pollone.exe
O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe

O4 - HKLM\..\Run: [starter] scvhosting.exe

O4 - HKLM\..\Run: [Windows service] slserv32.exe

O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe

O4 - HKLM\..\Run: [Pollon] pollone.exe

O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe

O4 - HKLM\..\Run: [wp_config] wpconfig.exe

O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe

O4 - HKLM\..\RunServices: [starter] scvhosting.exe

O4 - HKLM\..\RunServices: [Windows service] slserv32.exe

O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe

O4 - HKLM\..\RunServices: [Pollon] pollone.exe

O4 - HKLM\..\RunServices: [msconfig] wins.exe

O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe

O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe

O4 - HKLM\..\RunOnce: [Pollon] pollone.exe

O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe

O4 - HKCU\..\Run: [starter] scvhosting.exe

O4 - HKCU\..\Run: [Pollon] pollone.exe

O4 - HKCU\..\Run: [wp_config] wpconfig.exe

O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe

O4 - HKCU\..\RunOnce: [Pollon] pollone.exe

O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe

O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete these files:

C:\WINDOWS\System32\winupdate.exe
C:\WINDOWS\System32\pollone.exe
C:\WINDOWS\System32\wpconfig.exe
C:\WINDOWS\System32\slserv32.exe
C:\WINDOWS\System32\TimeSRV.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\System32\sysentry32.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\crsss.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Alexander\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


Empty the Recycle Bin


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Hi Flrman 1
in the safe mode, with identified map settings, can't find sysentry32.exe and scvhosting.exe (or should this be svchost.exe?). What to do?
Secondly, can locate crsss.exe - not by search but by scanning c/windows./system via explorer. Once found, can't delete as system is either running or disk protected ??

What to do,
all the rest went well ;-)))
many tks
alexander
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
I'am back online with infected PC.
Anxious to hear if I am ok now?
if yes, what to do to prevent this from happening again?

alexander

Logfile of HijackThis v1.98.2
Scan saved at 20:32:13, on 13-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Flrman1
posted to be sure another log.
worm/padobot.V is located in windows\system32\config\systemprofile\localsettings\tempinternet files\contentIE5\fis3yl2\x[1].exe
How to remove this one as AVG can't fix it

questions earlier remain in place being how do i prevent this from happening again?
Secondly, can I remove backup folder which was created after restart incl desktop.ini/

Logfile of HijackThis v1.98.2
Scan saved at 21:22:39, on 13-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [Windows service] slserv32.exe

O4 - HKLM\..\RunServices: [Windows service] slserv32.exe


Restart to safe mode and delete these files:

C:\WINDOWS\System32\slserv32.exe
C:\WINDOWS\System32\crsss.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Alexander\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


Empty the Recycle Bin
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Its driving me mad. :confused:
Can't delete the files mentioned in safe mode.
crsss.exe doesn't allow me to delete it - access denied, nor does it show up in search. Trying to close in ctrl-alt-del mode closing process didn't work either. Only file I could find is c\windows\system32\crss.exe-up.txt
And the slsserver.exe is nowhere to be found. could find C\windows\prefetch\ similar file name with pf extension.

What to do dear flrman? what am i doing wrong here?

alexander

see enlosed log
Logfile of HijackThis v1.98.2
Scan saved at 1:13:28, on 14-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wpconfig.exe
C:\WINDOWS\System32\recall.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\DitExp.exe
C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [wp_config] wpconfig.exe
O4 - HKLM\..\Run: [netservices] recall.exe
O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
O4 - HKLM\..\RunServices: [netservices] recall.exe
O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
O4 - HKLM\..\RunOnce: [netservices] recall.exe
O4 - HKCU\..\Run: [wp_config] wpconfig.exe
O4 - HKCU\..\Run: [netservices] recall.exe
O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
O4 - HKCU\..\RunOnce: [netservices] recall.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [wp_config] wpconfig.exe

O4 - HKLM\..\Run: [netservices] recall.exe

O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe

O4 - HKLM\..\RunServices: [netservices] recall.exe

O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe

O4 - HKLM\..\RunOnce: [netservices] recall.exe

O4 - HKCU\..\Run: [wp_config] wpconfig.exe

O4 - HKCU\..\Run: [netservices] recall.exe

O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe

O4 - HKCU\..\RunOnce: [netservices] recall.exe


Restart to safe mode and delete these files:

C:\WINDOWS\System32\wpconfig.exe
C:\WINDOWS\System32\recall.exe


Download TheKillbox from here:

http://www.downloads.subratam.org/KillBox.zip

Unzip the files to the folder of your choice.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\crsss.exe

Now put a tick by Delete on reboot.
Click on the button with the red circle with the X. It will ask for confimation. Click yes and your computer will reboot.
 

alexander123

Thread Starter
Joined
Sep 13, 2004
Messages
24
Flrman1
outstanding, that worked.

Is everthing fixed now?

and please yr advise how to protect my PC against future attacks!

Logfile of HijackThis v1.98.2
Scan saved at 9:46:31, on 14-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Alexander\Mijn documenten\Virusscan\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Joined
Jul 26, 2002
Messages
46,331
Clean! (y)

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top