hodger

Virus/ Hijack

4 posts in this topic

My friend's computer was infested with several viruses a few days ago. We've run AVG several times but they seem to come back. We've run several spyware detection programs but can't seem to get rid of what's in there. Sometimes it involuntarily logs on to the internet upon boot-up. Everything has become snail slow and won't function. We've also reloaded the op system 3 times... all to no avail. I'd really appreciate someone looking at the attached HijackThis log. Thanks.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:38:05 PM, on 6/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\NAVSCAN32.exe

C:\WINDOWS\System32\lsrv.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Documents and Settings\Evelyn\Application Data\mpsa.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\WINDOWS\System32\wnstscc.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Outlook Express\MSIMN.EXE

C:\Downloads\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe

O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arounsia.exe

O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe

O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe

O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe

O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe

O4 - HKCU\..\Run: [Alat] C:\Documents and Settings\Evelyn\Application Data\mpsa.exe

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstscc.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8151.4501157407


You have a couple of worm infections - it's possible your AVG definitions may not be up to date.

The online Trend Micro scan should find and remove these. Go to: http://housecall.trendmicro.com/ and run the scan and have it fix what it finds.

Then, reboot the computer, run another HijackThis scan and check these items for removal (some may be gone at this point):

O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arounsia.exe

O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstscc.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

Close all other programs (including this browser window) and click Fix Checked.

When HijackThis is finished, reboot your system, and open Windows Explorer - you may need to enable showing hidden files.

Delete these four files if still present:

C:\WINDOWS\System32\lsrv.exe

C:\WINDOWS\System32\wnstscc.exe

C:\WINDOWS\System32\arounsia.exe

You will have to do a search to find this one: systemse.exe

Please note that these worms were installed using vulnerabilities that Microsoft has patched. You need to visit Windows Update and download all Critical Updates.

Run another HijackThis scan and post the log here for another look.

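A triage sketch for the O4 autorun lines of a HijackThis log like the one in this thread, added here as an example (it is not code from the thread or from HijackThis). The three heuristics and all function names are assumptions chosen for illustration; they surface entries for manual review and are not a verdict on any file.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
"""

# Registry autoruns only; "O4 - Global Startup" shortcut lines are not matched.
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")  # assumption: 8 hex digits = generated name

def image_of(cmd):
    """Return the lower-cased executable from a Run value, dropping quotes and arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"')[0].lower()
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return (m.group(1) if m else cmd).lower()

def parse_o4(log):
    """Yield (key, value_name, image) for each O4 registry autorun line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            key, name, cmd = m.groups()
            yield key, name, image_of(cmd)

def triage(log):
    """Map each image that trips a heuristic to its sorted list of reasons."""
    keys, reasons = defaultdict(set), defaultdict(set)
    for key, name, image in parse_o4(log):
        keys[image].add(key)
        if "\\" not in image:
            reasons[image].add("bare file name, no path")
        if HEX_NAME.match(name):
            reasons[image].add("hex-ID value name")
    for image, ks in keys.items():
        if len(ks) > 1:
            reasons[image].add(f"registered under {len(ks)} autorun keys")
    return {img: sorted(r) for img, r in reasons.items()}

if __name__ == "__main__":
    for image, why in triage(SAMPLE_LOG).items():
        print(image, "->", "; ".join(why))
```
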

Thank you very much for your interest and help. I tried to connect to the net to download Trend Micro but unfortunately the system was so screwed up I couldn't connect to anything. As a last ditch effort I deleted the items you suggested anyway, but I think things were too far gone. The friend whose system was invaded is an 87 year old lady who can hardly see but is nevertheless trying to stay modern. The mistake I made in setting her up was mine, in that I failed to set up her XP firewall and provide for automatic patch updates. I thought that because she only used email and never the "internet" that she wouldn't be susceptible to viruses and hijackers. Pretty foolish of me. So I've now had to completely reload her O/S and she's started from ground zero. Thanks again for your help. Your group provides a very worthwhile service.


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
