WareOut

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

greybomb

Thread Starter
Joined
Jul 14, 2005
Messages
2
Hello All

This is my first post and I hope that someone can help.
I have a system infected by WareOut. I have seen an archived post but my problem is not exactly the same. When I was infected I scanned with Spybot S&D and AdAware. Spybot found CWS and AdAware found WareOut. I deleted them and found the directory on the hard drive and deleted that.
Upon rebooting I was unable to get past the desktop, which was in a 'cycle' with an error message in an application error box (with exclamation mark) saying that 'explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.' The system refreshes the desktop, minimizes the error message onto the taskbar and the same thing happens again until I shut down the system. All the icons and buttons (Start) are unavailable, but I can access Task Manager. In the processes box explorer.exe is there and can be halted, but DrWatson is activated every time the error message is generated. End Task will end each process but it comes back again.
I have booted into safe mode but the 'cycle' happens again. I can use Safe Mode with Command Prompt and from another system have downloaded CCleaner and Hijackthis which I have run from the floppy.
This system is used to run 'Certification Exams' for IT technicians (hence the reference to Vue.com in the HijackThis log). I have run my antivirus, Spybot and AdAware from the command line but it doesn't help. There isn't enough space on the drive to re-install the operating system (Windows 2000 Professional) into the same directory, so I'm a bit stuck. Any ideas please?

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:30:02, on 14/07/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\Profiles\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wiseup2it.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wiseup2it.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9EB541D-CD15-4F5F-B348-466CF3581926}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vue.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vue.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vue.com
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vue.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: style2 - C:\WINNT\q24735898_disk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

Greybomb
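The two things in that log a responder looks at first are the O17 NameServer entries (every network profile has been pointed at the same pair of public resolvers, which is how a DNS hijacker redirects a machine) and the O20 Winlogon Notify entry loading a randomly named DLL from the Windows root. As an added example, not code from the thread or from any of the tools mentioned, here is a small Python checker that runs those two tests over HijackThis lines. The O17 and O20 lines in the sample are copied from the log above; the crypt32chain and AVG7_CC lines are benign entries constructed for contrast. The known-good resolver list is a placeholder you would replace with your own, and the "DLL outside System32" rule is a heuristic assumption, not a definition of malice.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed sample: the O17 and O20 lines are copied from the HijackThis log
# posted above; the crypt32chain (O20) and AVG7_CC (O4) lines are benign
# entries added here for contrast and are not from the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9EB541D-CD15-4F5F-B348-466CF3581926}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vue.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: style2 - C:\WINNT\q24735898_disk.dll
O20 - Winlogon Notify: crypt32chain - C:\WINNT\system32\crypt32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Assumption: the resolvers this machine is expected to use (the ISP's or an
# internal DNS server). Placeholder value; replace with your own list.
KNOWN_GOOD_DNS: Set[str] = {"192.168.1.1"}

# Assumption: the Windows directory is C:\WINNT, as the posted log shows.
SYSTEM32_DIR = r"c:\winnt\system32"

NAMESERVER_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (category, value, where it was seen)


def check_nameservers(line: str, known_good: Set[str]) -> List[Finding]:
    """Flag every DNS server in an O17 NameServer line that is neither a
    private address nor on the known-good list."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    findings: List[Finding] = []
    for raw in m.group("servers").split(","):
        raw = raw.strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(("dns-unparseable", raw, m.group("key")))
            continue
        if ip.is_private or raw in known_good:
            continue
        findings.append(("dns-unexpected", raw, m.group("key")))
    return findings


def check_winlogon_notify(line: str) -> List[Finding]:
    """Flag an O20 Winlogon Notify DLL that does not live under System32.
    Heuristic (assumption): notification packages normally install there,
    so a DLL dropped in the Windows root deserves a closer look."""
    m = WINLOGON_RE.match(line)
    if not m:
        return []
    path = m.group("path").strip()
    if path.lower().startswith(SYSTEM32_DIR + "\\"):
        return []
    return [("winlogon-notify-outside-system32", m.group("name"), path)]


def scan_log(text: str, known_good: Set[str]) -> List[Finding]:
    """Run both checks over every non-blank line of a HijackThis log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        findings.extend(check_nameservers(line, known_good))
        findings.extend(check_winlogon_notify(line))
    return findings


def flagged_dns_servers(findings: List[Finding]) -> List[str]:
    """Distinct unexpected resolvers, sorted, for a one-line summary."""
    return sorted({value for cat, value, _ in findings if cat == "dns-unexpected"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG, KNOWN_GOOD_DNS)
    for category, value, where in results:
        print(f"{category:35} {value:25} {where}")
    print("unexpected resolvers:", ", ".join(flagged_dns_servers(results)))
```

Run against the sample it reports the same two public resolvers once per NameServer line and the style2 DLL, while the crypt32chain entry and the private-address resolver in a known-good list pass silently. The SearchList lines are deliberately ignored: vue.com is the exam vendor the poster mentions, so it is expected on this machine.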
 
Joined
Feb 15, 2004
Messages
12,302
hi, welcome to TSG.

You should also visit Microsoft and get the service packs. W2K is now at Service Pack 4. I don't know if you can just download SP4 without installing SP1 first; I would imagine you can just install SP4, but you'd need to check this out. Your computer is heavily compromised without all those patches: Sasser worm, Blaster, etc.!


ihm

Can you boot to safe mode with networking? If not, can you download these tools onto another PC, burn them to disc, transfer them to the infected PC and run them?




Go here and download Microsoft Antispyware Beta. First in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!


* Microsoft® Windows AntiSpyware


http://www.majorgeeks.com/downloads31.html



* Download the trial version of Ewido Security Suite here


http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know
how.


How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


Note: this is a stand-alone, it doesn't install to Start/Programs.

Download Mwav, double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive, all drives, and click scan all files
and then click scan/clean. After it finishes scanning and cleaning, post
the log here with a new HijackThis log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.

http://www.spywareinfo.dk/download/mwav.exe


Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!


run ccleaner


Post back with the logs if you can run these, especially Ewido, ActiveScan and Mwav. For Mwav, just give the part of the log where it finds stuff! Post another HijackThis log.
 

greybomb

Thread Starter
Joined
Jul 14, 2005
Messages
2
Hi Khazars

Thanks for your reply. Don't have access here to a burner but will do it at home
tonight. I'll let you know the results.

Thanks again.

Greybomb
 