Virus Help

Hi. Lately, my computer has been giving me pop-ups for Winfix, and a registry cleaner or something like that. Also, while running Spy Sweeper, I get an alert about something called "csrss.lnk". I'm assuming it has something to do with virus activity and spyware. Can anyone help?
tim_quiCommented:
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Scan and save a logfile". Don't fix anything yet; just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at
http://www.hijackthis.de/
and click "Analyse", "Save". Post a link to the saved list here.

Please download Ewido, install it, open the program, check for updates, then restart the computer. Press F8 before the Windows logo appears, select Safe Mode, open Ewido, run a scan, and let it delete any malware it finds. If it finds anything it calls serious, let me know. http://www.ewido.net/en/download/
0
 
chriserman11Author Commented:
here is the URL of the log file
http://www.rafb.net/paste/results/EYR3TV46.html
0
 
tim_quiCommented:
Hey Buddy,

here's the link to your analyzed HJT log: http://www.hijackthis.de/logfiles/2bf284cc07f8de5edc8bef2c3431adc4.html

You have some problems. Upgrading to SP2 is a good idea, but we'll just address the malware.

Disable System Restore: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Download Ewido, install it, open the program, check for updates, and close the program. Restart the computer, press F8 before the Windows logo appears, select Safe Mode, open Ewido, run a scan, and let Ewido delete all it finds.

Now restart into normal mode, Run hjt again and post the log again.

0
r-kCommented:
I posted your log at http://www.hijackthis.de/ and saved the analysis:

 http://www.hijackthis.de/logfiles/d09bd89b1dc0722af67634dab8af1c16.html

There are a number of bad files/entries there. I would at the very least run HijackThis again and have it fix the following ones:

 R3 - URLSearchHook: (no name) - {6C316027-A191-FD4C-C008-D998B067A0EB} - C:\WINDOWS\System32\optq.dll
 R3 - URLSearchHook: (no name) - {5D1C5055-8CA2-BB74-ED3D-EBB588248DA8} - C:\WINDOWS\System32\optq.dll
 O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
 O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
 O4 - HKLM\..\RunServices: [Microsoft messenger sd] msngersd.exe
 O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
 O4 - HKLM\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
 O4 - HKLM\..\RunServices: [Windows notepad] notpad.exe
 O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000190.exe
 O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe
 O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
 O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
 O4 - HKCU\..\Run: [Windows notepad] notpad.exe
 O4 - HKCU\..\RunServices: [Microsoft messenger sd] msngersd.exe
 O4 - HKCU\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
 O4 - HKCU\..\RunServices: [Windows notepad] notpad.exe
 O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll

Then, reboot, download and run Ewido as suggested by Tim above. Then run Ewido a couple of times in safe mode.

Then reboot, run HijackThis again, post the log to http://www.hijackthis.de/ click on "analyze" then on the next page click on "Save Analysis" at the bottom and post a link here to the saved analysis page.

Good luck.

 
0
 
r-kCommented:
Oops, sorry tim, did not know you were posting at the same time!
0
 
tim_quiCommented:
r-k,

I'm glad you joined the thread... :)
0
 
tim_quiCommented:
chriserman11,

Before you read the rest of this post: a clean install (reformat) may take less time to fix this problem than all the things you must do; http://www.michaelstevenstech.com/cleanxpinstall.html


HOWEVER, if you're ready to do battle with an army of malware, here's a prescription from rpggamergirl:

Bad entries:
R3 - URLSearchHook: (no name) - {6C316027-A191-FD4C-C008-D998B067A0EB} - C:\WINDOWS\System32\optq.dll
R3 - URLSearchHook: (no name) - {5D1C5055-8CA2-BB74-ED3D-EBB588248DA8} - C:\WINDOWS\System32\optq.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\eqtjhr\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\eqtjhr\csrss.exe
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888
O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
O4 - HKLM\..\RunServices: [Microsoft messenger sd] msngersd.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
O4 - HKLM\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKLM\..\RunServices: [Windows notepad] notpad.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000190.exe
O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Windows notepad] notpad.exe
O4 - HKCU\..\RunServices: [Microsoft messenger sd] msngersd.exe
O4 - HKCU\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\RunServices: [Windows notepad] notpad.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins003.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll
O23 - Service: MsLX32 - Unknown owner - C:\WINDOWS\MsLX32.exe (file missing)
O23 - Service: chckntfs - Unknown owner - C:\WINDOWS\chckntfs.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: MsLX32 - Unknown owner - C:\WINDOWS\MsLX32.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)


You have Worm_Agobot.Gen worm, W32SDBOT, Win32IRCBot.worm, Win32RBot,ajj, W32CodBot.P, AgentFD.Trojan, Backdoor.SERVU etc, etc.

Hijackthis does not delete files so you'll have to manually delete the relevant files after fixing the entries, then you still need other tools as well.

Uninstall this:
Toolbar888

These 2 F3s are dropped by the W32Chod.D worm!
F3 - REG:win.ini: load=C:\WINDOWS\System32\eqtjhr\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\eqtjhr\csrss.exe

Fix for "W32Chod.D worm"
Please download MsnVirRem (Either zip or self extracting .exe), and save it to your desktop.
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder, that you should have on your desktop, double click "MsnVir.bat" and let it run its course.
 A DOS window should pop up; let it run until it disappears. It will take time to scan your machine.
After it disappears, reboot back into normal mode.


This entry below is the "Agent.FD trojan", which often installs the Apropos rootkit.
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000190.exe


Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run "RunThis.bat".  Follow the prompts.
When the tool is finished, please reboot back into normal mode.

He also needs the MS removal tool:
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

And Ewido in Safe Mode:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.

Then, post another HijackThis log for review.
0
 
chriserman11Author Commented:
OK, I fixed all those files you suggested, but I'm having problems downloading MsnVirRem. Whenever I download it, it wants to save as a file called "index" and it won't open or anything. Also the page for Ewido won't load; it says page cannot be viewed, or whatever.
0
 
tim_quiCommented:
Please leave a link to another hjt log.
0
 
rpggamergirlCommented:
Hi Everyone!

chriserman11,
Where you able to download and run aproposfix?

Did you do anything with any of the files yet? (I mean going into your system32 folder)
If you didn't, then all of the nasty files are still intact. Let us know please.
I'm just wondering if one of us can send you "MsnVirRem" whether you'd be able to open and run it.

We could also try another method here:(download Avenger, Please do not run it, I'll give you instructions on what to do once you have it)
http://swandog46.geekstogo.com/avenger.zip


First, tell us if you have deleted any files besides fixing those entries in Hijackthis.
We also need a new Hijackthis link, thanks.


0
 
rpggamergirlCommented:
Ooops! ...where? instead of were!
Now where's my "concentration" button, lol
0
 
chriserman11Author Commented:
This is the log file. The first line and some others aren't there because I didn't copy it right :P

I also downloaded the Avenger thing. I also sent you my email on the BullGuard site. If you need me to send it again, please say so :)

an saved at 4:22:16 PM, on 4/7/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\ouefos\csrss.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theko.tk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\System32\ouefos\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\ouefos\csrss.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBCOlympics.com Alerts] c:\Program Files\NBC_Olympics_Alerts\NBCOlympics.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142144832999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142144809842
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)

0
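The experts in this thread pick the bad entries out of the log by eye. As an added illustration (not code from the thread, from HijackThis, or from hijackthis.de), the Python script below encodes the rules of thumb they apply and runs them over a constructed subset of the log posted above: a core Windows binary name (csrss.exe) sitting in a subfolder of System32, win.ini load=/run= entries, O4 autostarts that name an executable with no path and O4 entries under the Windows 9x-only RunServices key, O23 services whose binary is missing, and a start page whose host is outside an allowlist. The allowlist and the reason strings are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis 1.99.1 log posted above, with
# the clean entries left in so the rules have something to pass.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ouefos\csrss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theko.tk/
F3 - REG:win.ini: load=C:\WINDOWS\System32\ouefos\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\ouefos\csrss.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)
"""

# Binaries that belong directly in %SystemRoot%\System32; a file with one of these
# names one directory deeper (System32\ouefos\csrss.exe) is the pattern in this thread.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}
# Assumed per-machine allowlist of acceptable IE start-page hosts.
ALLOWED_START_HOSTS = {"www.msn.com", "www.sympatico.ca"}

SYSTEM32_SUBDIR = re.compile(r'system32\\[^\\\s"]+\\([^\\\s"]+)', re.I)
F3_ENTRY = re.compile(r"^F3 - REG:win\.ini: (load|run)=")
O4_ENTRY = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\(RunServices|RunOnce|Run): \[(.*?)\] (.+)$")
O23_ENTRY = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
R0_START = re.compile(r"^R0 - .*Start Page = (\S+)")

SUBDIR_REASON = "core system binary name in a System32 subfolder"
F3_REASON = "legacy win.ini load=/run= autostart"
RUNSERVICES_REASON = "RunServices is a Windows 9x autostart key; no legitimate XP software uses it"
MISSING_REASON = "service registered but its binary is missing"


def bare_command(cmd):
    """True when an autostart command names an executable with no directory, so
    Windows resolves it through the search path; every clean O4 in the log has a full path."""
    cmd = cmd.strip()
    target = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return "\\" not in target


def check_line(line):
    """Return the list of reasons one log line looks suspicious (empty if none)."""
    reasons = []
    m = SYSTEM32_SUBDIR.search(line)
    if m and m.group(1).lower() in SYSTEM_BINARIES:
        reasons.append(SUBDIR_REASON)
    if F3_ENTRY.match(line):
        reasons.append(F3_REASON)
    m = O4_ENTRY.match(line)
    if m:
        _hive, key, label, cmd = m.groups()
        if key == "RunServices":
            reasons.append(RUNSERVICES_REASON)
        if bare_command(cmd):
            reasons.append(f"autostart '{label}' runs {cmd} with no path")
    m = O23_ENTRY.match(line)
    if m and m.group(3).endswith("(file missing)"):
        reasons.append(MISSING_REASON)
    m = R0_START.match(line)
    if m and urlsplit(m.group(1)).hostname not in ALLOWED_START_HOSTS:
        reasons.append(f"start page changed to {m.group(1)}")
    return reasons


def triage(log_text):
    """Map each suspicious log line to its reasons, in log order."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = check_line(line) if line else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Every hit still needs a human look: a legitimately uninstalled program also leaves an O23 "(file missing)" service behind, and the O20 winxyl32 entry that the experts flag is caught by none of these rules. A triage script narrows the list; the analyst decides.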
 
r-kCommented:
Your saved analysis is here:

  http://www.hijackthis.de/logfiles/66c9fe61f0c7934ccfc5b4aa9a06e54a.html

For future reference, it is better to post the log directly to http://www.hijackthis.de/ click on "Analyze" then on "Save Analysis" on the next page, and finally post just the link to the saved page, as I have done above.

In any case, looks like you're down to just one bad entry left:

 O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe

I would suggest the following:

First locate the file named msmsgss.exe (probably in c:\windows or c:\windows\system32)

Then:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I suggest Ewido, but you can try others that you already have.
You can also have HijackThis remove that one bad entry.


0
 
tim_quiCommented:
You still have a worm, did you run the tools rpggamergirl suggested?

O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe


Here's a link to your analyzed hjt log;
http://www.hijackthis.de/logfiles/c1f0499763fab2436cf6692c8cea28fe.html

Delete the unnecessary entries with HJT.
0
 
rpggamergirlCommented:
Sent you the "msnVirRem.exe" from my yahoo account.
Let us know if you can run it; if not, then please post a fresh HijackThis log, and we'll then use Avenger.
0
 
chriserman11Author Commented:
unfortunately Hotmail blocked the attachment :(

here is my log file, I hope I did it right :P

http://www.hijackthis.de/logfiles/8b1c134b759a3aa2d8cf07a60f5b9a0f.html
0
 
tim_quiCommented:
Take a look at all the "Unnecessary" items with a red exclamation mark by them; you can use HJT to get rid of those.

Also, navigate to this file and disable as directed above by r-k:


O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll
0
 
r-kCommented:
In addition to what tim suggested, I would also get rid of the following entries:

 O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe
 O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe
 O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe

Try first with HJT itself. If that fails, remove permissions from each of these files as suggested in my earlier post (Date: 04/07/2006 01:35PM PDT) and reboot etc.

 
0
 
rpggamergirlCommented:
You already downloaded the Avenger. Let's use that.

1.  *Click on Avenger.zip to open the file
     *Extract avenger.exe to your desktop

2. Copy all the text below (including the line "Files to delete:") to your Clipboard by highlighting it and pressing (Ctrl+C):
Copy all the text between those 2 lines.

-------------------------------------------------------
Files to delete:
C:\WINDOWS\System32\ndqmptvi\csrss.exe
C:\WINDOWS\SYSTEM32\winxyl32.dll
C:\WINDOWS\System32\MsMicroSoft.exe  
C:\WINDOWS\System32\msngersd.exe
C:\WINDOWS\System32\IEEXPLORER.exe  

Folders to delete:
C:\WINDOWS\System32\ndqmptvi
-------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Run Hijackthis and put a check next to these entries, then click "Fix checked" button:

F3 - REG:win.ini: load=C:\WINDOWS\System32\ndqmptvi\csrss.exe  
F3 - REG:win.ini: run=C:\WINDOWS\System32\ndqmptvi\csrss.exe
O4 - HKLM\..\RunServices: [MicroSoft] MsMicroSoft.exe  
O4 - HKCU\..\Run: [Microsoft messenger sd] msngersd.exe    
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O20 - Winlogon Notify: winxyl32 - C:\WINDOWS\SYSTEM32\winxyl32.dll
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)  

6. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log


0
 
chriserman11Author Commented:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dlubcakp

*******************

Script file located at: \??\C:\WINDOWS\uwdhrurd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\ndqmptvi\csrss.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\winxyl32.dll deleted successfully.


File C:\WINDOWS\System32\MsMicroSoft.exe not found!
Deletion of file C:\WINDOWS\System32\MsMicroSoft.exe failed!

Could not process line:
C:\WINDOWS\System32\MsMicroSoft.exe
Status: 0xc0000034



File C:\WINDOWS\System32\msngersd.exe not found!
Deletion of file C:\WINDOWS\System32\msngersd.exe failed!

Could not process line:
C:\WINDOWS\System32\msngersd.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IEEXPLORER.exe not found!
Deletion of file C:\WINDOWS\System32\IEEXPLORER.exe failed!

Could not process line:
C:\WINDOWS\System32\IEEXPLORER.exe
Status: 0xc0000034

Folder C:\WINDOWS\System32\ndqmptvi deleted successfully.

Completed script processing.

*******************

Finished!  Terminate


and the HJT log
http://www.hijackthis.de/logfiles/e66d924d6242740975c57f33262c0d2e.html

0
 
rpggamergirlCommented:
Did you install or know this program? --> NBC_Olympics_Alerts
I can't find any info on that.

Also turn on your System Restore if it's still off.
Right-click "My Computer" > Properties > System Restore >
make sure that the box "Turn off System Restore on all drives" is unchecked, click OK, and immediately create a restore point.

These entries won't go?
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: msinit (Microsoft Scheduling Agent) - Unknown owner - C:\WINDOWS\msinit.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)    
O23 - Service: microsoft service host 32 (scvhost 32) - Unknown owner - C:\WINDOWS\System32\scvhost32.exe (file missing)  
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe (file missing)

Go to START > RUN > type in;
services.msc

In the next window, look on the right hand side for these services:
Defragmentation Management Handler
msinit
Net Functions Library
norton
microsoft service host 32
Windows Logon

Double click on each of those services and STOP the service
In the drop down menu, change the startup type to "Disabled"

Then,
Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type each of the following into the Open field and hit OK

FAT Defragmentation
Microsoft Scheduling Agent
nortons
scvhost 32
Netlib
winlog

run Hijackthis again and fix those 023 entries if still present.
Also try running those scanners that you couldn't run before, especially Ewido.
Try running Ewido in Safe Mode.

And as soon as you are able to do so, try downloading Windows updates. You can get infected with many nasties faster than we can get you cleaned when you don't even have SP1 installed.
0
 
chriserman11Author Commented:
Yes, I downloaded the Olympic alert thingy to keep me up with the Winter Olympics in Turin (big hockey fan here :D)

here is the new HJT log after doing all that stuff
http://www.hijackthis.de/logfiles/e66d924d6242740975c57f33262c0d2e.html

Ewido still isn't letting me get to the page to download it from.

Where can I get updated Windows Updates? lol, I know, dumb question, but hey. :D
0
 
rpggamergirlCommented:
Good work tim_qui, :)


chriserman11,
Well, bad services are gone at least.
Not clean yet! The blasted Chod.D worm just changed its folder name.


1. Please run Avenger again.

2. Copy all the text below (including the line "Files to delete:") to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\WINDOWS\System32\xqghjczndy
C:\WINDOWS\System32\ouefos


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


Do you have Instant Messenger? Maybe someone will be kind enough to send you the MsnVirRem file? Or would IM block it too?
Check your hosts file and make sure security sites are not blocked (scroll down; sometimes it has blank lines as well).
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

Nothing should be under this line if you're using the MS default hosts file --> 127.0.0.1 localhost


>>Where can I get updated Window Updates? lol, I knw, dumb question, but hey. :D<<
There is no dumb question, only dumb answers, lol; asking questions is the best way to learn.

You can use IE > Tools > Windows Update to update your computer; it will then check your computer for needed updates. It will take a while, depending on your speed.
Maybe don't go updating just yet; SP2 especially will have problems installing on an infected machine, and yours is not clean yet. The best thing to do is to keep this computer offline until it's clean, then you can download updates. But if you don't have another machine to get online with, then just try to stay offline as much as you can.
0
 
rpggamergirlCommented:
Oops, I didn't edit some of my post; yeah, when you're ready to download updates you can follow tim_qui's link.

Can you go to any security sites? If not, then maybe security sites are blocked in your hosts file; that's why it won't let you download Ewido.
Check your hosts file first, and delete security sites if they are listed in your hosts file.
0
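rpggamergirl's hosts-file check, written out as an added example (not code from the thread or from any of the tools it names): parse a hosts file, list every active mapping other than the default 127.0.0.1 localhost line, say whether each one is blackholed (pointed at loopback, so the site simply fails to load, which matches the Ewido symptom above) or redirected to some other address, and produce a cleaned copy. The sample file is constructed; 192.0.2.10 is an RFC 5737 documentation address standing in for an attacker's host. On XP the real file is C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts; check whether the read-only attribute is set before writing a cleaned copy back.

```python
# Constructed hosts file: the Windows XP default header and localhost line, then
# the blank-line padding and sinkhole entries of the kind the post above describes.
# 192.0.2.10 is an RFC 5737 documentation address standing in for an attacker's host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost



127.0.0.1       www.ewido.net
127.0.0.1       ewido.net
192.0.2.10      www.hijackthis.de
"""

# Addresses that make a name silently unreachable rather than sending it elsewhere.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_NAMES = {"localhost"}


def active_entries(text):
    """Yield (line_no, address, hostname) for every active mapping. Comments and
    blank lines are skipped, which is why the post says to scroll down: padding
    the file with blank lines makes the top of it look like the default."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def hijacked_entries(text):
    """Return (hostname, kind) for every mapping other than the default localhost.
    kind is "blackholed" (sent to loopback, so the site just fails to load) or
    "redirected" (sent to some other address, which could be anyone's server)."""
    found = []
    for _line_no, addr, name in active_entries(text):
        if name in DEFAULT_NAMES:
            continue
        found.append((name, "blackholed" if addr in BLACKHOLE else "redirected"))
    return found


def clean_hosts(text):
    """Return the file with comments and the default localhost mapping kept and
    everything else, blank padding included, dropped."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            if raw.lstrip().startswith("#"):
                kept.append(raw)
            continue
        if all(name.lower() in DEFAULT_NAMES for name in body.split()[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, kind in hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:10s} {name}")
    print(clean_hosts(SAMPLE_HOSTS))
```

A redirected entry is the more serious of the two: a blackholed security site only blocks the download, while a redirected one can hand the victim a fake copy of the tool they are trying to fetch.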
 
tim_quiCommented:
You could install firefox and try to download ewido with it;

http://www.mozilla.com/firefox/


You must use IE when you decide to get windows updates.  
0
 
chriserman11Author Commented:
for some reason, Avenger isn't accepting those 2 folders to delete:
C:\WINDOWS\System32\xqghjczndy
C:\WINDOWS\System32\ouefos

I keep getting errors:
1. Error: selected files do not appear to be a valid script
2. Press OK to log error and continue, or cancel to abort
3. Error code 1813

I don't understand that -.-
0
 
rpggamergirlCommented:
"do not appear to be a valid script" means that Avenger couldn't process the script.
Did you enter it exactly as below, all lines (including "Folders to delete:")? The command is case sensitive; the "s" has to be there, as in "Folders", not just "Folder". Choose "Input Script Manually".

Folders to delete:
C:\WINDOWS\System32\xqghjczndy
C:\WINDOWS\System32\ouefos
0
 
chriserman11Author Commented:
ohhhhhh didn't put the "Folders to delete" thing :P

O g2g to bed, so I'll post results tomorrow

Night
0
 
chriserman11Author Commented:
**sorry for the double post**

OK, I did the Avenger thing, but never got any pop-up with the log info.
0
 
amiriCommented:
Go to the Kaspersky site and download Kaspersky Internet Security 6; your problem will be solved.
0
 
chriserman11Author Commented:
What's the Kaspersky site?
0
 
tim_quiCommented:
0
 
amiriCommented:

C:\WINDOWS\System32\xqghjczndy
C:\WINDOWS\System32\ouefos
You can delete these. First boot into Safe Mode, then in Start menu > Run > regedit, find the keys for these.

xqghjczndy is suspected to be a spam sender. When you boot in Safe Mode, try to delete these; if that is not possible, then go to the registry to delete the keys.
0
