W32.KWbot.c.worm

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tsatsos007

Thread Starter
Joined
Aug 29, 2003
Messages
16
Hey there... I've got this bloody worm in all of my 3 PCs! I cleaned 2 of them following Symantec's instructions: removal, updating definitions, updating Windows... but I think there is something wrong with the processes!

I've got running:

00THotkey.exe
blackd.exe
blackice.exe
csrss.exe
ctfmon.exe
explorer.exe
ezSP_Px.exe
Isass.exe
mdm.exe
msmsgs.exe
Navapsvc.exe
Navapw32.exe
nvsvc32.exe
PmProxy.exe
services.exe
SmAgent.exe
smss.exe
spoolsv.exe
svchost.exe [system]
svchost.exe [system,again!!]
svchost.exe [network service]
svchost.exe [local service]
svchost.exe [system,once more!!!]
system
tmesbs32.exe [system]
tmesbs32.exe [my name as administrator]
vsmon.exe [system]
winlogon.exe
zapro.exe

+ my Synaptics mouse/keyboard processes, which I don't include in the list above


That's all folks! Do you notice anything strange?? Please say so!
Does anything have to do with the worm? Which processes can I kill?


--2nd question: in the registry under \CurrentVersion\Run there is something like nwiz.exe /installquiet...... what the f* is that?
 
Joined
Mar 20, 2003
Messages
4,823
Are these PCs XP? If so you may need to disable System Restore temporarily.

Nwiz is part of your NVIDIA nView Control Panel, so leave it be.


If you're still struggling, post a HijackThis log (one PC at a time please, my brain hurts if it has to do too much work at once ;)).

To do this, go to this page and download 'HijackThis'.

Unzip it, launch HijackThis, then press Scan, and press Save Log.

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Open that file.
Go to Edit | Select All.
Now click Edit | Copy to copy it.
Come back to TSG, right-click and paste its contents here.
 

tsatsos007

Thread Starter
Joined
Aug 29, 2003
Messages
16
Logfile of HijackThis v1.97.2
Scan saved at 3:21:40 πμ, on 18/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\OLIA\Local Settings\Temp\Προσωρινός κατάλογος 1 για hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Ραδιόφωνο - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{958A12D9-618A-464A-8405-6466E6A08E44}: NameServer = 213.249.17.11 213.249.17.10
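
As an added example (not code from this thread and not HijackThis's own), a small Python parser for the log format above: it splits the O4 registry Run values into hive, value name and executable, flags values that give only a bare filename (nwiz.exe here) so an analyst knows to locate the file on disk before judging it, and pulls the O17 name servers out for comparison with the ISP's published resolvers. The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.97 line format (values taken from the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{958A12D9-618A-464A-8405-6466E6A08E44}: NameServer = 213.249.17.11 213.249.17.10
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

@dataclass
class RunEntry:
    hive: str       # HKLM or HKCU
    name: str       # value name shown in square brackets
    exe: str        # executable as written in the value
    absolute: bool  # True when the value gives a full path

def parse_lines(text: str) -> list[tuple[str, str]]:
    """Split a log into (section, body) pairs such as ("O17", "HKLM\\System...")."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def run_entries(text: str) -> list[RunEntry]:
    """Extract O4 registry Run values; Global Startup .lnk lines are skipped."""
    found = []
    for section, body in parse_lines(text):
        m = RUN_RE.match(body) if section == "O4" else None
        if not m:
            continue
        hive, name, cmd = m.groups()
        # A quoted path ends at the closing quote, otherwise at the first space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        found.append(RunEntry(hive, name, exe, bool(ABS_PATH_RE.match(exe))))
    return found

def unpathed_run_names(text: str) -> list[str]:
    """Run values naming a bare executable: locate the file and check its vendor first."""
    return [e.name for e in run_entries(text) if not e.absolute]

def name_servers(text: str) -> list[str]:
    """DNS servers from O17 lines, to compare with the ISP's published resolvers."""
    return [ip for section, body in parse_lines(text) if section == "O17"
            for ip in body.partition("NameServer = ")[2].split()]
```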
 
Joined
Mar 20, 2003
Messages
4,823
I'm being a bad boy here, because I am assuming something, in that Συνδέσεις

from this line

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις

is actually in Greek, hence the symbols.

And that panafonet.gr is your ISP?


If so, then you can consider that PC clean.
 

tsatsos007

Thread Starter
Joined
Aug 29, 2003
Messages
16
Let me ask you one more question... in BlackICE there are lots of MSRPC TCP port probe reports... do I need to worry?? [The RPC service in services.msc: which option should be chosen? Restart the service, or what?]
 
Joined
Mar 20, 2003
Messages
4,823
If BlackICE is noticing them, then it is probably blocking them.

However, in light of recent events, i.e. MSBlast, I would recommend that you install all the CRITICAL updates.
 

tsatsos007

Thread Starter
Joined
Aug 29, 2003
Messages
16
Yes, I live in Greece, so the language is Greek! + Panafonet is my ISP! (But I kind of hate that, because I study in an American university and I need Windows to be in English.) I'm running XP Home Greek edition, but I also have the XP Pro CD... can you help me install XP Pro?? Do I need to uninstall Windows XP Home first? Is there a problem because I have a laptop? I mean, I've heard that laptops should run the Windows that is already installed; is that true?
--Is there a problem because I run BlackICE + ZoneAlarm at the same time? I don't feel secure with only one program! Does this make any sense?
---I would appreciate it if you could help me with this trouble I have with my other laptop --> http://forums.techguy.org/showthread.php?threadid=160555&highlight=cannot+see+my+desktop
(In this case I found a way to see my desktop, but I get Microsoft Installer all the time, plus sometimes I can't open programs that were installed before the iexplorer problem became a pain in the ***!)

Thank you for your time and help!!
 