Virus/ Hijack


  • This topic is locked
3 replies to this topic

#1 hodger

hodger

    Member

  • New Member
  • 2 posts

Posted 14 June 2004 - 09:32 PM

My friend's computer was infested with several viruses a few days ago. We've run AVG several times but they seem to come back. We've run several spyware detection programs but can't seem to get rid of what's in there. Sometimes it involuntarily logs on to the internet upon boot-up. Everything has become snail slow and won't function. We've also reloaded the op system 3 times, all to no avail. I'd really appreciate someone looking at the attached HijackThis log. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 4:38:05 PM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\NAVSCAN32.exe
C:\WINDOWS\System32\lsrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Evelyn\Application Data\mpsa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wnstscc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arounsia.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [Alat] C:\Documents and Settings\Evelyn\Application Data\mpsa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstscc.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8151.4501157407

#2 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 15 June 2004 - 10:12 AM

You have a couple of worm infections - it's possible your AVG definitions may not be up to date.

The online Trend Micro scan should find and remove these. Go to: http://housecall.trendmicro.com/ and run the scan and have it fix what it finds.

Then, reboot the computer, run another HijackThis scan and check these items for removal (some may be gone at this point):

O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe

O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arounsia.exe

O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe

O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstscc.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe


Close all other programs (including this browser window) and click Fix Checked.

When HijackThis is finished, reboot your system, and open Windows Explorer - you may need to enable showing hidden files.

Delete these four files if still present:

C:\WINDOWS\System32\lsrv.exe

C:\WINDOWS\System32\wnstscc.exe

C:\WINDOWS\System32\arounsia.exe

You will have to do a search to find this one: systemse.exe

Please note that these worms were installed using vulnerabilities that Microsoft has patched. You need to visit Windows Update and download all Critical Updates.

Run another HijackThis scan and post the log here for another look.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.
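The judgement Fireflyer applied by eye to the O4 entries above can be written down as rules. The script below is an added example, not code from the thread or from HijackThis: it parses the registry O4 lines of the posted log (embedded as a constructed sample), flags value names that borrow a Microsoft/Windows label, eight-character hex value names, and file names with long consonant runs, and only notes, for manual checking, bare file names resolved through the search path and executables living under a user profile. The thresholds and the FLAG/note split are my own choices; the output is a list of candidates for a human to verify, not a verdict.

```python
"""Heuristic triage of HijackThis O4 (autorun) entries.

Added example for this thread, not code from the forum or from HijackThis.
Rules and thresholds are assumptions chosen to match the helper's by-eye
triage; results are candidates to verify, never a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: the registry O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [A18806E0] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arounsia.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [1003A130] C:\WINDOWS\System32\zmllzovzvzsljs.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Alat] C:\Documents and Settings\Evelyn\Application Data\mpsa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstscc.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
"""

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)   # first .exe token, leading quote dropped
LABEL_RE = re.compile(r"\b(microsoft|windows)\b", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
PROFILE_RE = re.compile(r"\\documents and settings\\", re.IGNORECASE)


def parse_o4(log_text):
    """Yield (hive, key, value_name, exe_path) for each registry O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.match(cmd.strip())
        if exe:
            yield hive, key, name, exe.group(1)


def longest_consonant_run(stem):
    """Longest run of consonants; generated file names tend to have long ones."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def judge(hive, key, name, exe_path):
    """Return (severity, reason) pairs for one autorun entry."""
    base = exe_path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    out = []
    if LABEL_RE.search(name):
        out.append(("FLAG", f"value name '{name}' borrows a Microsoft/Windows label; "
                            "Windows Update and real services do not load from a Run key"))
    if HEX_NAME_RE.match(name):
        out.append(("FLAG", f"value name '{name}' is a random hex string"))
    if longest_consonant_run(stem) >= 6:          # threshold is an assumption
        out.append(("FLAG", f"file name '{base}' looks randomly generated"))
    if "\\" not in exe_path:
        out.append(("note", f"'{exe_path}' is a bare name resolved via the search path; locate and verify it"))
    if PROFILE_RE.search(exe_path):
        out.append(("note", f"'{base}' runs from a user profile, not Program Files or System32"))
    return out


def triage(log_text):
    """Map lower-cased executable name -> sorted reasons across all hives and keys."""
    findings = defaultdict(set)
    for entry in parse_o4(log_text):
        base = entry[3].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for sev, why in judge(*entry):
            findings[base].add(f"{sev}: {why}")
    return {base: sorted(reasons) for base, reasons in findings.items()}


def flagged(log_text):
    """Executables carrying at least one strong (FLAG) reason."""
    return {b for b, r in triage(log_text).items() if any(x.startswith("FLAG") for x in r)}


if __name__ == "__main__":
    for base, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(base, *("\n    " + r for r in reasons))
```

Run as-is, it reports the five executables Fireflyer told the poster to remove (zmllzovzvzsljs.exe, lsrv.exe, systemse.exe, arounsia.exe, wnstscc.exe) with at least one FLAG each, and lists NAVSCAN32.exe and mpsa.exe as notes only; a note means locate and verify the file, not delete it. The Dell, Intel and AVG entries produce nothing.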

#3 hodger

hodger

    Member

  • New Member
  • 2 posts

Posted 18 June 2004 - 07:13 PM

Thank you very much for your interest and help. I tried to connect to the net to download Trend Micro but unfortunately the system was so screwed up I couldn't connect to anything. As a last ditch effort I deleted the items you suggested anyway, but I think things were too far gone. The friend whose system was invaded is an 87 year old lady who can hardly see but is nevertheless trying to stay modern. The mistake I made in setting her up was mine, in that I failed to set up her XP firewall and provide for automatic patch updates. I thought that because she only used email and never the "internet" that she wouldn't be susceptible to viruses and hijackers. Pretty foolish of me. So I've now had to completely reload her O/S and she's started from ground zero. Thanks again for your help. Your group provides a very worthwhile service.

#4 Fireflyer

Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 07 March 2005 - 10:18 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
