
W32.KWbot.c.worm

Discussion in 'Virus & Other Malware Removal' started by tsatsos007, Sep 16, 2003.

Thread Status:
Not open for further replies.
  1. tsatsos007

    tsatsos007 Thread Starter

    Joined:
    Aug 29, 2003
    Messages:
    16
    Hey there... I've got this bloody worm on all 3 of my PCs! I cleaned 2 of them following Symantec's instructions (removal, updating definitions, updating Windows), but I think there is something wrong with the processes!

    I've got running:

    00THotkey.exe
    blackd.exe
    blackice.exe
    csrss.exe
    ctfmon.exe
    explorer.exe
    ezSP_Px.exe
    Isass.exe
    mdm.exe
    msmsgs.exe
    Navapsvc.exe
    Navapw32.exe
    nvsvc32.exe
    PmProxy.exe
    services.exe
    SmAgent.exe
    smss.exe
    spoolsv.exe
    svchost.exe [system]
    svchost.exe [system,again!!]
    svchost.exe [network service]
    svchost.exe [local service]
    svchost.exe [system,once more!!!]
    system
    tmesbs32.exe [system]
    tmesbs32.exe [my name as administrator]
    vsmon.exe [system]
    winlogon.exe
    zapro.exe

    + my Synaptics mouse/keyboard processes, which I don't include in the list above


    That's all folks! Do you notice anything strange?? Please say so!
    Does anything have to do with the worm? Which processes can I kill?


    --2nd question: in the registry under \CurrentVersion\Run there is something like nwiz.exe /installquiet... what the f* is that?
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Are these PCs XP? If so, you may need to disable System Restore temporarily.

    nwiz is part of your NVIDIA nView control panel, so leave it be.


    If you're still struggling, post a HijackThis log (one PC at a time please, my brain hurts if it has to do too much work at once ;)).

    To do this, go to this page and download 'HijackThis'.

    Unzip it, launch HijackThis, then press Scan, and press Save Log.

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Open that file.
    Go to Edit | Select All.
    Now click Edit | Copy to copy it.
    Come back to TSG, right-click and paste its contents here.
     
  3. tsatsos007

    tsatsos007 Thread Starter

    Joined:
    Aug 29, 2003
    Messages:
    16
    Logfile of HijackThis v1.97.2
    Scan saved at 3:21:40 AM, on 18/9/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ISS\BlackICE\blackd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ISS\BlackICE\blackice.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\OLIA\Local Settings\Temp\Προσωρινός κατάλογος 1 για hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Ραδιόφωνο - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: BlackICE Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{958A12D9-618A-464A-8405-6466E6A08E44}: NameServer = 213.249.17.11 213.249.17.10
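Added example, not from the thread and not HijackThis code: a small Python script that does the first pass a helper would do on a HijackThis 1.x log like the one above. It pulls the "Running processes" list and the O4 Run / O17 NameServer lines and flags (a) a process name that is a look-alike of a core Windows binary, (b) a process running from a user-writable Temp folder, (c) Run entries that give a bare filename with no path, so the log alone does not tell you what is executing, and (d) the DNS servers the machine has been pointed at, to confirm against your ISP's. The first post lists "Isass.exe" with a capital I where the log shows lsass.exe; whether that was a typo or what Task Manager displayed, the look-alike check is how you tell the two apart. The script deliberately does not count duplicate names: several svchost.exe instances are normal on XP, and the log itself shows why TMESBS32.EXE appears twice (once as a service, once started from the Run key with /Client). The sample log is a constructed excerpt of the posted log with one "Isass.exe" line added; the Temp-folder hit it produces is HijackThis itself, which is exactly why the flag is for review rather than for killing.

```python
"""First-pass triage of a HijackThis 1.x log (added example, not HijackThis code)."""
import re

# Core Windows binaries that malware likes to impersonate with look-alike names.
CORE_BINARIES = {
    "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
    "services.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe",
}
# Glyphs that look alike in the fonts Task Manager and Explorer use.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Path fragments of user-writable folders a system process has no business running from.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")


def skeleton(name):
    """Collapse look-alike glyphs so 'Isass.exe' and 'lsass.exe' compare equal."""
    return name.translate(CONFUSABLES).lower()


def lookalike_of(path):
    """Return the core binary a filename imitates, or None if it is genuine or unrelated."""
    base = path.rsplit("\\", 1)[-1]
    if base.lower() in CORE_BINARIES:
        return None
    sk = skeleton(base)
    return sk if sk in CORE_BINARIES else None


def in_temp(path):
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def first_token(cmd):
    """The executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


def triage(log_text):
    findings = {"lookalikes": [], "temp_processes": [],
                "bare_run_entries": [], "nameservers": []}
    in_procs = False
    for line in log_text.splitlines():
        s = line.strip()
        if s == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not s:              # a blank line ends the process list
                in_procs = False
                continue
            hit = lookalike_of(s)
            if hit:
                findings["lookalikes"].append((s, hit))
            if in_temp(s):
                findings["temp_processes"].append(s)
            continue
        m = O4_RE.match(s)
        if m:
            if "\\" not in first_token(m.group("cmd")):
                findings["bare_run_entries"].append((m.group("name"), m.group("cmd")))
            continue
        m = O17_RE.match(s)
        if m:
            findings["nameservers"].extend(m.group("servers").split())
    return findings


# Constructed excerpt: lines copied from the log posted in this thread, plus one
# "Isass.exe" entry (capital I, as typed in the first post) to exercise the check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Isass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\OLIA\Local Settings\Temp\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{958A12D9-618A-464A-8405-6466E6A08E44}: NameServer = 213.249.17.11 213.249.17.10
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Compare the flagged Run entries against vendor paths you can verify (here nwiz.exe and the Toshiba hotkey binaries live under System32 and are expected), and check the NameServer addresses with your ISP before declaring the box clean.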
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    I'm being a bad boy here, because I am assuming something: that Συνδέσεις

    from this line

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις

    is actually Greek, hence the symbols,

    and that panafonet.gr is your ISP?


    If so, then you can consider that PC clean.
     
  5. tsatsos007

    tsatsos007 Thread Starter

    Joined:
    Aug 29, 2003
    Messages:
    16
    Let me ask you one more question... in BlackICE there are lots of MSRPC TCP port probe reports... do I need to worry?? [For the RPC service in services.msc, which option should be chosen? Restart the service, or what?]
     
  6. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    If BlackICE is noticing them, then it is probably blocking them.

    However, in light of recent events, i.e. MSBlast, I would recommend that you install all the CRITICAL updates.
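Added example, not part of the thread: BlackICE logging MSRPC probes means the probes reached the machine; whether they matter depends on whether 135/tcp is actually reachable from the network and whether the RPC patch behind the "critical updates" advice above (MS03-026, and MS03-039 that followed it) is installed. This Python script parses the output of `netstat -an` on Windows and reports any socket on the ports Blaster used that is bound to all interfaces rather than loopback, plus any TCP connection to a remote 4444/tcp, the port Blaster's shell listened on, which is what an infected host does to the machines it attacks. The netstat text is a constructed sample in the XP output format, not output from the poster's machine; the port-to-role table is written from public descriptions of the worm.

```python
"""Check `netstat -an` output for Blaster-era exposure (added example, not from the thread)."""
import re

# Ports tied to the Blaster (MSBlast) worm of August 2003, from public write-ups.
BLASTER_PORTS = {
    ("TCP", 135): "RPC endpoint mapper, the DCOM RPC service Blaster exploited (MS03-026)",
    ("TCP", 4444): "shell that Blaster opened on hosts it infected",
    ("UDP", 69): "TFTP, which Blaster used to copy its executable to the victim",
}

# One data line of Windows `netstat -an`; UDP lines have no State column.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    entries = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                     # banner and column headers
        local_host, local_port = split_endpoint(m.group("local"))
        remote_host, remote_port = split_endpoint(m.group("remote"))
        entries.append({
            "proto": m.group("proto"),
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            # a bound UDP socket is reachable just like a TCP listener
            "state": m.group("state") or "LISTENING",
        })
    return entries


def blaster_exposure(entries):
    """Blaster-related sockets bound to a network-reachable address."""
    hits = []
    for e in entries:
        key = (e["proto"], e["local_port"])
        if (key in BLASTER_PORTS and e["state"] == "LISTENING"
                and e["local_host"] not in ("127.0.0.1", "[::1]")):
            hits.append((e["proto"], e["local_port"], e["local_host"], BLASTER_PORTS[key]))
    return hits


def blaster_shell_connections(entries):
    """TCP connections to a remote 4444/tcp: the sign of an infected host attacking others."""
    return [(e["local_host"], e["remote_host"]) for e in entries
            if e["proto"] == "TCP" and e["remote_port"] == 4444]


# Constructed sample in the shape of `netstat -an` on Windows XP (not the poster's output).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.7:1042       213.249.17.11:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.7:123        *:*
"""

if __name__ == "__main__":
    entries = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, host, role in blaster_exposure(entries):
        print(f"{proto} {port} bound to {host}: {role}")
    for local, remote in blaster_shell_connections(entries):
        print(f"connection from {local} to {remote}:4444, investigate this host")
```

A 135/tcp listener bound to 0.0.0.0 is the normal XP state, not proof of infection; it is the reason the probes matter until the patch is on. A personal firewall dropping inbound 135 changes what the probes can reach but not what netstat shows, so read the two together.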
     
  7. tsatsos007

    tsatsos007 Thread Starter

    Joined:
    Aug 29, 2003
    Messages:
    16
    Yes, I live in Greece, so the language is Greek! + Panafonet is my ISP! (But I kind of hate that, because I study at an American university and I need Windows to be in English.) I'm running XP Home Greek edition but I also have the XP Pro CD... can you help me install XP Pro?? Do I need to uninstall Windows XP Home first? Is there a problem because I have a laptop? I mean, I've heard that laptops should run the Windows that is already installed, is that true?
    --Is there a problem because I run BlackICE + ZoneAlarm at the same time? I don't feel secure with only one program! Does this make any sense?
    ---I would appreciate it if you could help me with this trouble I have with my other laptop --> http://forums.techguy.org/showthread.php?threadid=160555&highlight=cannot+see+my+desktop
    (In this case I found a way to see my desktop, but I get Microsoft Installer all the time, plus sometimes I can't open programs that were installed before the iexplorer problem became a pain in the ***!)

    Thank you for your time and help!!
     
Short URL to this thread: https://techguy.org/165358
