
Virus affecting IE6. Pls help see Hijack log

Discussion in 'Virus & Other Malware Removal' started by alexander123, Sep 13, 2004.

Thread Status:
Not open for further replies.
  1. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Please help me sort out my problem and analyse my HijackThis log.

    IE6 is getting slower and slower after I establish a connection with my ISP.
    Furthermore, known website addresses can't be displayed, "cannot find server" messages appear, etc.
    So far I have run Ad-Aware, Spybot Search & Destroy and CWShredder; CWS keeps reappearing.
    This removed a few problems, but the IE6 problems remain (e.g. can't find POP server), as well as a porn site appearing.

    How do I proceed?

    Many thanks, alexander


    Logfile of HijackThis v1.97.7
    Scan saved at 15:29:39, on 13-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\winupdate.exe
    C:\WINDOWS\System32\wpconfig.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\TimeSRV.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.zonnet.nl/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\Run: [starter] scvhosting.exe
    O4 - HKLM\..\Run: [Windows service] slserv32.exe
    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Pollon] pollone.exe
    O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe
    O4 - HKLM\..\Run: [wp_config] wpconfig.exe
    O4 - HKLM\..\Run: [msconfig] wins.exe
    O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunServices: [starter] scvhosting.exe
    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\RunServices: [Pollon] pollone.exe
    O4 - HKLM\..\RunServices: [msconfig] wins.exe
    O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe
    O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\Run: [starter] scvhosting.exe
    O4 - HKCU\..\Run: [Pollon] pollone.exe
    O4 - HKCU\..\Run: [wp_config] wpconfig.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunOnce: [Pollon] pollone.exe
    O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
    O4 - HKCU\..\RunOnce: [Pollon] pollone.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5552314815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi alexander123

    Welcome to TSG! :)

    A new version of HijackThis has been released, so get rid of the old one and click here to download the new one, then come back here and post the log from it.
     
  3. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Hi Flrman1,
    I will be there in 10 minutes.
    alexander
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  5. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Hi Flrman1,
    sorry, it took much longer.
    The Internet freezes my complete PC. It is impossible to download small files or even send emails. I am now working from another PC.
    The latest notification from CWShredder on the affected PC is: CWS Smartsearch removed.

    Please find the log below; please advise on the next steps.
    alexander


    Logfile of HijackThis v1.98.2
    Scan saved at 17:28:33, on 13-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\winupdate.exe
    C:\WINDOWS\System32\pollone.exe
    C:\WINDOWS\System32\wpconfig.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\WINDOWS\System32\slserv32.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\TimeSRV.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\DitExp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\CMMON32.EXE
    C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\Run: [starter] scvhosting.exe
    O4 - HKLM\..\Run: [Windows service] slserv32.exe
    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Pollon] pollone.exe
    O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe
    O4 - HKLM\..\Run: [wp_config] wpconfig.exe
    O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunServices: [starter] scvhosting.exe
    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\RunServices: [Pollon] pollone.exe
    O4 - HKLM\..\RunServices: [msconfig] wins.exe
    O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe
    O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunOnce: [Pollon] pollone.exe
    O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\Run: [starter] scvhosting.exe
    O4 - HKCU\..\Run: [Pollon] pollone.exe
    O4 - HKCU\..\Run: [wp_config] wpconfig.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\RunOnce: [Pollon] pollone.exe
    O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe

    O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe

    O4 - HKLM\..\Run: [starter] scvhosting.exe

    O4 - HKLM\..\Run: [Windows service] slserv32.exe

    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe

    O4 - HKLM\..\Run: [Pollon] pollone.exe

    O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe

    O4 - HKLM\..\Run: [wp_config] wpconfig.exe

    O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe

    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe

    O4 - HKLM\..\RunServices: [starter] scvhosting.exe

    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe

    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe

    O4 - HKLM\..\RunServices: [Pollon] pollone.exe

    O4 - HKLM\..\RunServices: [msconfig] wins.exe

    O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe

    O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe

    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe

    O4 - HKLM\..\RunOnce: [Pollon] pollone.exe

    O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe

    O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe

    O4 - HKCU\..\Run: [starter] scvhosting.exe

    O4 - HKCU\..\Run: [Pollon] pollone.exe

    O4 - HKCU\..\Run: [wp_config] wpconfig.exe

    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe

    O4 - HKCU\..\RunOnce: [Pollon] pollone.exe

    O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe

    O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.fotovanmijnhuis.nl/plugins/huis50/nl/nl.exe


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options",
    make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Now find and delete these files:

    C:\WINDOWS\System32\winupdate.exe
    C:\WINDOWS\System32\pollone.exe
    C:\WINDOWS\System32\wpconfig.exe
    C:\WINDOWS\System32\slserv32.exe
    C:\WINDOWS\System32\TimeSRV.exe
    C:\WINDOWS\System32\wins.exe
    C:\WINDOWS\System32\sysentry32.exe
    C:\WINDOWS\System32\scvhosting.exe
    C:\WINDOWS\System32\crsss.exe

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Alexander\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


    Empty the Recycle Bin


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean turn it back on and create a restore point.


    Go here and do an online virus scan.

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the exact file name and file location so you can delete it yourself.
     
  7. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Hi Flrman1,
    In safe mode, with the folder settings set as described, I can't find sysentry32.exe and scvhosting.exe (or should this be svchost.exe?). What should I do?
    Secondly, I can locate crsss.exe, not by search but by browsing c:\windows\system via Explorer. Once found, I can't delete it, as the system says it is either running or the disk is protected??

    What to do?
    All the rest went well ;-)))
    Many thanks,
    alexander
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go ahead and post another HijackThis log.
     
  9. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    I'm back online with the infected PC.
    Anxious to hear if I am OK now.
    If yes, what do I do to prevent this from happening again?

    alexander

    Logfile of HijackThis v1.98.2
    Scan saved at 20:32:13, on 13-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\CMMON32.EXE
    C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Windows service] slserv32.exe
    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
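    The O4 entries Flrman1 singled out in post 6 and the shorter list left in the log above can be triaged mechanically. The script below is an added example, not code from this thread or from HijackThis itself. It parses the registry O4 lines, flags an image when at least two independent signals agree (a bare filename resolved through the search path, the same image registered in several autostart keys, a value name borrowing Windows vocabulary, or a filename one typo away from a real XP process such as csrss.exe or svchost.exe), and compares two snapshots to show which flagged entries disappeared and which persisted. The sample input is a constructed excerpt of the O4 lines from posts 5 and 9; the keyword list and the lookalike table are assumptions chosen to fit this log, not a general signature.

```python
import re
from collections import defaultdict

# Constructed excerpt of the registry O4 lines from post 5 (before the fix).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Pollon] pollone.exe
O4 - HKLM\..\Run: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\Run: [wp_config] wpconfig.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Pollon] pollone.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [Windows Time Server] TimeSRV.exe
O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Pollon] pollone.exe
O4 - HKCU\..\Run: [wp_config] wpconfig.exe
"""

# Constructed excerpt of the registry O4 lines from post 9 (after the first fix round).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
"""

# Registry O4 lines only; "O4 - Global Startup" shortcut lines are deliberately not matched.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The image is everything up to the first ".exe"; a path may contain spaces, so no split().
IMAGE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)

# Assumed heuristics, tuned to this log: value names that borrow OS vocabulary,
# and filenames one typo away from real XP processes.
SYSTEM_WORDS = ("windows", "win32", "microsoft", "system", "server", "service", "driver", "msconfig", "verifier")
LOOKALIKES = {"crsss.exe": "csrss.exe", "scvhosting.exe": "svchost.exe"}


def parse_o4(log_text):
    """Return one dict per registry O4 line: hive, key, value name and the image it launches."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        img = IMAGE_RE.match(m["cmd"])
        image = img.group(1) if img else m["cmd"].split()[0]
        entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"], "image": image})
    return entries


def triage(log_text):
    """Map each suspicious basename to its reasons; an image needs two independent signals."""
    locations, names, bare = defaultdict(set), defaultdict(set), {}
    for e in parse_o4(log_text):
        base = e["image"].rsplit("\\", 1)[-1].lower()
        locations[base].add((e["hive"], e["key"]))
        names[base].add(e["name"].lower())
        bare[base] = "\\" not in e["image"]
    findings = {}
    for base, locs in locations.items():
        reasons = []
        if bare[base]:
            reasons.append("bare filename, resolved through the search path")
        if len(locs) > 1:
            reasons.append("registered in %d autostart locations" % len(locs))
        if any(w in n for n in names[base] for w in SYSTEM_WORDS):
            reasons.append("value name imitates a Windows component")
        if base in LOOKALIKES:
            reasons.append("filename mimics " + LOOKALIKES[base])
        if len(reasons) >= 2:
            findings[base] = reasons
    return findings


def compare(before, after):
    """Which flagged images were removed, which survived, which are new between two logs."""
    b, a = set(triage(before)), set(triage(after))
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


if __name__ == "__main__":
    for base, reasons in sorted(triage(LOG_BEFORE).items()):
        print(base, "->", "; ".join(reasons))
    print(compare(LOG_BEFORE, LOG_AFTER))
```

    On the post 5 excerpt the nine flagged images are exactly the nine files in the delete list from post 6, while OEM entries that are also bare filenames (SOUNDMAN.EXE, Dit.exe, RUNDLL32.EXE) stay below the two-signal threshold because they are registered once under an unremarkable name. Comparing with the post 9 excerpt leaves slserv32.exe as the only flagged entry that survived the first round, which is the single item in the next fix list in this thread; a persistence entry that returns after removal is the usual sign that another component on the machine is still re-creating it.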
     
  10. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Flrman1,
    to be sure, I posted another log.
    Worm/Padobot.V is located in windows\system32\config\systemprofile\localsettings\tempinternet files\contentIE5\fis3yl2\x[1].exe
    How do I remove this one, as AVG can't fix it?

    My earlier questions still stand: how do I prevent this from happening again?
    Secondly, can I remove the backup folder which was created after the restart, including desktop.ini?

    Logfile of HijackThis v1.98.2
    Scan saved at 21:22:39, on 13-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\CMMON32.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Windows service] slserv32.exe
    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E229093A-58DB-4EC8-A88D-F077E2C57A89}: NameServer = 62.58.50.5 62.58.50.6
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    O4 - HKLM\..\Run: [Windows service] slserv32.exe

    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe


    Restart to safe mode and delete these files:

    C:\WINDOWS\System32\slserv32.exe
    C:\WINDOWS\System32\crsss.exe

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Alexander\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


    Empty the Recycle Bin
     
  12. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    It's driving me mad. :confused:
    I can't delete the files mentioned in safe mode.
    crsss.exe doesn't allow me to delete it (access denied), nor does it show up in search. Trying to end the process via Ctrl-Alt-Del didn't work either. The only file I could find is c:\windows\system32\crss.exe-up.txt
    And slsserver.exe is nowhere to be found. I could find a similar file name in C:\windows\prefetch\ with a .pf extension.

    What to do, dear Flrman? What am I doing wrong here?

    alexander

    See enclosed log:
    Logfile of HijackThis v1.98.2
    Scan saved at 1:13:28, on 14-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wpconfig.exe
    C:\WINDOWS\System32\recall.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\DitExp.exe
    C:\Documents and Settings\Alexander\Bureaublad\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [wp_config] wpconfig.exe
    O4 - HKLM\..\Run: [netservices] recall.exe
    O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe
    O4 - HKLM\..\RunServices: [netservices] recall.exe
    O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe
    O4 - HKLM\..\RunOnce: [netservices] recall.exe
    O4 - HKCU\..\Run: [wp_config] wpconfig.exe
    O4 - HKCU\..\Run: [netservices] recall.exe
    O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe
    O4 - HKCU\..\RunOnce: [netservices] recall.exe
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    O4 - HKLM\..\Run: [wp_config] wpconfig.exe

    O4 - HKLM\..\Run: [netservices] recall.exe

    O4 - HKLM\..\RunServices: [wp_config] wpconfig.exe

    O4 - HKLM\..\RunServices: [netservices] recall.exe

    O4 - HKLM\..\RunOnce: [wp_config] wpconfig.exe

    O4 - HKLM\..\RunOnce: [netservices] recall.exe

    O4 - HKCU\..\Run: [wp_config] wpconfig.exe

    O4 - HKCU\..\Run: [netservices] recall.exe

    O4 - HKCU\..\RunOnce: [wp_config] wpconfig.exe

    O4 - HKCU\..\RunOnce: [netservices] recall.exe


    Restart to safe mode and delete these files:

    C:\WINDOWS\System32\wpconfig.exe
    C:\WINDOWS\System32\recall.exe


    Download TheKillbox from here:

    http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to the folder of your choice.

    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\crsss.exe

    Now put a tick by "Delete on reboot".
    Click on the button with the red circle with the X. It will ask for confirmation. Click Yes and your computer will reboot.
     
  14. alexander123

    alexander123 Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    24
    Flrman1
    outstanding, that worked.

    Is everything fixed now?

    And please your advice on how to protect my PC against future attacks!

    Logfile of HijackThis v1.98.2
    Scan saved at 9:46:31, on 14-9-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\Dit.exe
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Digital Image\Monitor.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Alexander\Mijn documenten\Virusscan\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonnet.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Global Startup: Digital Image Monitor.lnk = ?
    O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
     
Short URL to this thread: https://techguy.org/273436