


Computer infected


  • This topic is locked
66 replies to this topic

#1 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 28 March 2005 - 03:35 PM

Well guestolo, how's it going? My computer got infected with about:blank.
I followed the instructions you gave others with the same problem and have got my homepage fixed, but I know my computer is still infected with something because I can only open HijackThis, TDS-3, etc. in safe mode.

I've done a few scans and everything; Ad-Aware doesn't find anything. Also I can't get into the Custom and Default tabs in Internet Options/Security to enable scripting, so I can't get into Email Removed or anything.

Here's my log, hope you can help. Cheers guestolo, you're a legend.


Logfile of HijackThis v1.99.0
Scan saved at 22:19:30, on 28/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [outpost] C:\Documents and Settings\Patrick Deighan\Local Settings\Temp\OutpostProInstall.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 28 March 2005 - 03:38 PM

P.S. Having trouble logging in, which is why I'm logged in as guest.

#3 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 March 2005 - 09:12 AM

Just on my way out, Irish; could you do the following while waiting.
Download this virus checker from eScan:
Mwav.exe
There's nothing to install; save it and then double-click to run.
It will self-extract.

Select all local drives, scan all files, press 'SCAN', and when it is completed anything found will be displayed in the lower pane.
In the Virus Log Information pane,
left-click and highlight all the info in the lower pane. Use the CTRL and C keys on your keyboard to copy everything found in the lower pane and save it to a Notepad file.

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#4 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 29 March 2005 - 06:59 PM

I already had that mwav but I just downloaded it again. Here are the results, and thanks again guestolo.


File C:\WINDOWS\System32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Gavin Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Karen Deighan\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000008.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000022.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000032.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0001033.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\update\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\SYSTEM32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
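The scan output above lists the same file several times, mixes real files with restore-point snapshots under System Volume Information, and includes detections that name no file at all. The helper below, an added example that is not eScan's or the forum's own code, does what the next reply does by hand: it pulls the file paths out of the listing, drops repeats (Windows paths are case-insensitive, so the two spellings of crmss.exe are one file), sets aside the restore-point copies (handled by disabling System Restore rather than deleting them one by one), and sets aside the path-less "File System Found" entries. The line format, the bucket names and the sample lines are assumptions for the example; the sample lines are copied from the scan output posted above. 8.3 short names such as MSDIRE~1.SYS are left as printed, since they cannot be expanded offline.

```python
"""Turn an eScan/mwav result listing into a de-duplicated cleanup list.

Added example for this thread, not eScan's or the forum's own code.
Line format, bucket names and sample data are assumptions.
"""
import re

# One result line: File <path> infected by "<name>" Virus. Action Taken: <action>.
RESULT_LINE = re.compile(
    r'^File (?P<what>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$'
)
# Restore-point snapshots live under this folder on Windows XP.
RESTORE_MARKER = r"\system volume information\_restore"


def triage_scan_output(text: str) -> dict[str, list]:
    """Split scan results into files to remove, restore-point copies and path-less hits."""
    seen: dict[str, tuple[str, str]] = {}  # lower-cased path -> (path as printed, detection)
    restore_points: list[str] = []
    no_path: list[str] = []
    for raw in text.splitlines():
        match = RESULT_LINE.match(raw.strip())
        if not match:
            continue
        what, name = match.group("what"), match.group("name")
        if what == "System Found":
            no_path.append(name)  # the scanner names a family, not a file
            continue
        key = what.lower()  # case-insensitive; 8.3 short names are left as printed
        if RESTORE_MARKER in key:
            restore_points.append(what)
            continue
        seen.setdefault(key, (what, name))  # keep the first spelling, drop repeats
    return {
        "delete": [path for path, _ in seen.values()],
        "detections": [name for _, name in seen.values()],
        "restore_points": restore_points,
        "no_path": no_path,
    }


# Constructed sample: lines copied from the scan output posted in this thread.
SAMPLE_SCAN = r"""
File C:\WINDOWS\System32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000008.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.
File C:\update\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\csrss.exe infected by "Trojan-Clicker.Win32.Small.dn" Virus. Action Taken: No Action Taken.
"""

if __name__ == "__main__":
    result = triage_scan_output(SAMPLE_SCAN)
    print("Files to remove (one per line, ready for Killbox):")
    for path, name in zip(result["delete"], result["detections"]):
        print(f"  {path}    <- {name}")
    print("Restore-point copies (cleared by disabling System Restore):", len(result["restore_points"]))
    print("Detections with no file path:", ", ".join(result["no_path"]))
```

The "delete" list keeps the order of first appearance so it can be pasted into Killbox line by line in the same order the scanner reported it; the detection name is kept beside each path so a helper can see why a file is on the list before telling someone to remove it.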

#5 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 March 2005 - 07:28 PM

===Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and save it to the desktop
Close down all other windows, disconnect from the Internet

Disable System Restore

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe


O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe

O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\crmss.exe

Select the Delete button afterwards
The Red circle and a white X
Do the same for the below entries
For any file that won't delete keep track of them, we'll need those in a bit

Do the same for these file names
C:\WINDOWS\system32\navapqwa.exe
C:\DOCUME~1\PATRIC~1\MSDIRE~1.SYS
C:\WINDOWS\csrss.exe
C:\WINDOWS\killzx.exe
C:\WINDOWS\Messenger2.exe
C:\WINDOWS\rei.exe
C:\WINDOWS\SYSTEM32\file.exe
C:\Documents and Settings\Gavin Deighan\msdirectx.sys
C:\Documents and Settings\Karen Deighan\msdirectx.sys
C:\update\rei.exe
C:\WINDOWS\System32\mqexdlm.srg


For any file that won't delete
Use the Replace on Reboot radio button
Additionally, put a tick in the "Use Dummy"
When prompted to Replace on Reboot>>Click YES
If prompted to Reboot NOW>>Click NO until you have added the last path to the file name
At which time>>Select YES to Reboot NOW
or Restart anyways

Please try and Restart into Normal mode
Reenable System Restore
Post back a fresh log from there



#6 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 31 March 2005 - 12:06 PM

Deleted them all. This is the only one that didn't delete:
C:\WINDOWS\csrss.exe

Used the Replace on Reboot radio button.
Additionally, put a tick in the "Use Dummy".


Here's the new log

Logfile of HijackThis v1.99.0
Scan saved at 19:05:18, on 31/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#7 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 31 March 2005 - 06:40 PM

Are you still having problems signing into the forum?

This file here is a legitimate file, don't try and delete it in the System32 folder
C:\WINDOWS\system32\csrss.exe

We're just after this one
C:\WINDOWS\csrss.exe

It may be confusing because we were also after this bad guy
C:\WINDOWS\System32\crmss.exe

Notice the spelling

Let's try this again
Save these instructions to a Notepad file on the desktop and then leave it open

Disconnect completely from the Internet
Close all other windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe

O4 - HKLM\..\RunServices: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [Microsoft USB2 Driver] crmss.exe

O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Next: with only Pocket KillBox open,
run Pocket KillBox.
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\csrss.exe

Select the Delete button afterwards
The Red circle and a white X
If it won't delete or not found
Use the Replace on Reboot>>Use Dummy options
Then click the Red Circle and the whiteX

Restart the computer and post a fresh Hijackthis log

Let me know how things are running

Can you also let me know the following
If I remember correctly you were using Outpost as your Firewall protection
Now I see that you have this entry in your log
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
Which Firewall protection are you running now?
Do you still have Outpost installed?
I see some entries in your log that may be leftovers

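The reply above turns on two things a HijackThis log shows without any scanner: an O4 autostart entry that names a bare file (crmss.exe, navapqwa.exe) gives no path, so the log alone cannot tell you which file Windows will load; and a file that carries a core system-process name but lives outside System32 (C:\WINDOWS\csrss.exe) is a lookalike of the real C:\WINDOWS\system32\csrss.exe, one letter or one folder away from the genuine process. The script below, an added example that is not HijackThis code or anything from this forum, applies those two checks plus a near-name comparison to a log. The regexes, the process list, the similarity threshold and the sample lines are assumptions for the example; the sample lines are copied from the logs posted in this thread. It is a reading aid, not a verdict: it would not flag winmgr.exe, which only the eScan results identified, and a clean result from it does not mean a clean machine.

```python
"""Triage helper for a HijackThis log: flag autostart entries and running
processes that deserve a second look.

Added example for this thread, not HijackThis or forum code. The regexes,
the process list, the threshold and the sample data are assumptions.
"""
import ntpath
import re
from difflib import SequenceMatcher

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
LOOKALIKE_THRESHOLD = 0.85  # assumed cutoff for "name resembles a system process"

# "O4 - HKLM\..\Run: [Name] command line"
O4_REGISTRY = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\\w+: \[[^\]]*\]\s*(?P<target>.*)$")
# "O4 - Global Startup: Name.lnk = C:\path\file.exe"
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<target>.+)$")
# A line from the "Running processes:" section
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def executable_path(target: str) -> str:
    """Strip surrounding quotes and trailing switches from an O4 command line."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:target.find('"', 1)]
    # Unquoted: drop anything that looks like " /switch" or " -switch".
    return re.sub(r"\s+[/-].*$", "", target)


def classify_path(path: str) -> list[str]:
    """Return the reasons (possibly none) that a path deserves a closer look."""
    findings = []
    folder, base = ntpath.split(path)
    base_l = base.lower()
    if not folder:
        findings.append("bare filename: no path, so the log does not show which file is loaded")
    if base_l in SYSTEM_PROCESSES:
        if folder.lower() != SYSTEM32:
            findings.append(f"{base} uses a core system-process name but is outside System32")
    else:
        for known in sorted(SYSTEM_PROCESSES):
            if SequenceMatcher(None, base_l, known).ratio() >= LOOKALIKE_THRESHOLD:
                findings.append(f"{base} resembles the system process {known}")
    return findings


def triage_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Walk a HijackThis log and return (line, findings) for every suspicious line."""
    suspicious = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
        if match:
            path = executable_path(match.group("target"))
        elif PROCESS_LINE.match(line):
            path = line
        else:
            continue
        findings = classify_path(path)
        if findings:
            suspicious.append((line, findings))
    return suspicious


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winmgr] C:\WINDOWS\System32\winmgr.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for reason in findings:
            print("   ->", reason)
```

On the sample, the genuine C:\WINDOWS\system32\csrss.exe passes, C:\WINDOWS\csrss.exe is flagged for its folder, crmss.exe is flagged twice (no path, and a near-miss of csrss.exe), and navapqwa.exe is flagged for having no path. The threshold is deliberately tight so that ordinary vendor names such as DSentry.exe or cgserver.exe do not trip the near-name check; loosen it and the false positives start.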


#8 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 01 April 2005 - 09:21 AM

I changed my password but can't remember what I changed it to exactly. Got it sent to my Email Removed but can't get into Email Removed because Java is not enabled. Have tried but can't get into Custom on my Security tab in Internet Options. Think that has something to do with the virus.

Used Outpost for the free trial period, but as soon as that ended my computer got infected. Downloaded SoftPerfect, don't really know how to use it. It's always changing security settings.

Here's my new log, everything seems to be OK but I just want to get in to enable my Java so I can get into Email Removed etc.


#9 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 01 April 2005 - 09:26 AM

Oops!!

Posted back your instructions instead of my log :o(

Logfile of HijackThis v1.99.0
Scan saved at 16:15:29, on 01/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 02 April 2005 - 11:24 PM

Can you try something? Microsoft AntiSpyware Beta has a good record of resetting
default settings

You can download it from HERE

Follow the steps in the Installation Wizard until it is ready to install the program. When the wizard is ready to install, click Install to begin installing Windows AntiSpyware (Beta).

When installation is complete, select the check box next to Launch Microsoft Windows AntiSpyware, and then click Finish.

When you click Finish on the window above, the welcome page of the Setup Assistant should open. The Setup Assistant will take you through the following four steps:
1. Automatic updates
2. Real-time protection
3. SpyNet anti-spyware community
4. System scan
Click Next to begin the setup process

Step 1: Automatic updates:
You can configure Windows AntiSpyware for automatic updates. Automatic updates ensure that Windows AntiSpyware is kept up to date with the latest information about new spyware threats.

To configure this option, click Yes, automatically keep Microsoft AntiSpyware updated (recommended), and then click Next

Step 2: Real-time protection:
To enable real-time protection click Yes, help keep me secure (recommended) , and then click Next.

Step 3: SpyNet anti-spyware community:
This option will automatically report potential threats to SpyNet servers. If you do not want MS AntiSpyware calling out and reporting threats on your system to a remote server, click No, and then click Next.

Step 4: Scan your computer:
The final step of the Setup Assistant allows you to specify whether you'd like to schedule an automatic scan and also shows you how to perform an initial scan of your computer.

To configure Windows AntiSpyware to run a spyware scan automatically, select the box next to Run a spyware scan every night at 2 a.m. How to set up a scheduled spyware scan

To scan your computer for spyware, click Run Quick Scan Now.

After the scan has been completed, you'll see a window with the preliminary results of your scan. To see more detailed results click View Results.

To take the recommended action, click the Continue button at the bottom of the spyware scan results window.

Restart your computer afterwards and post back a fresh Hijackthis log

Note: Those are generic instructions for setting up Antispyware Beta
I don't have the Scheduled scan running, I update it and check manually every couple of weeks
The Autoupdater, I don't have enabled, I manually check for updates before I run the scan
Step 3, I'll leave that up to you, I clicked No



#11 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 05 April 2005 - 03:30 PM

It didn't work, I just got this message:

''Validation Not Completed: ActiveX Error
We are unable to validate your Windows installation at this time. It appears that your internet settings will not allow the genuine ActiveX control to run properly, or you may not be the system administrator of the machine you are using. We hope that you'll return later to retry the validation process so that you may enjoy the full benefits of genuine Microsoft software.

If you believe your software is not genuine, you may take the following action:

Contact your reseller
Contact your PC or software reseller to determine why you are unable to validate Windows. You can print a report of your validation results to show your reseller that will help you determine what is wrong.

or

Purchase genuine Windows
If you believe you have received counterfeit Windows software, please submit a piracy report. You may also purchase genuine Windows software to replace your existing copy.''



My computer is working OK. I just can't get into Custom in Security Settings/Internet Options.

If I log on as a different user I can get into Custom/Security Settings.

Might just delete me as a user altogether and log in as someone else.

Here's a fresh log if it makes a difference

Logfile of HijackThis v1.99.0
Scan saved at 22:28:23, on 05/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 06 April 2005 - 08:15 AM

Do you think my computer is OK to use then? I think I might just delete my user account altogether and make a new one. What do you think?

#13 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 06 April 2005 - 07:39 PM

Finally got it done!

Sorry it took so long, guestolo! Here's my log:

Logfile of HijackThis v1.99.0
Scan saved at 02:37:06, on 07/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

#14 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 06 April 2005 - 09:44 PM

How's everything running?
Did you get Outpost completely uninstalled?
If so, you can probably remove these entries with HijackThis:
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)

I don't know much about SoftPerfect Personal Firewall; I hope it's reliable.
How is it working for you?

Your log looks good.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#15 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 07 April 2005 - 06:17 AM

Everything is running well. Deleted those entries and restored all my IE settings, but still I can't get into Email Removed etc. from my login. The Custom button in Internet Options/Security Settings is still blanked out (faded) and won't let me in to enable Java???

I'm an administrator; I don't know why I can't get into this? All other users can get into this.

Apart from that, everything is running fine. Cheers for all your help, mate.

#16 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 07 April 2005 - 06:25 AM

Outpost is completely removed.

SoftPerfect seems OK but I'll probably change it; don't really trust it too much.

#17 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 07 April 2005 - 08:11 AM

Just done a scan with MWAV; all of these viruses were found:


File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\!Submit\crmss.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

File C:\!Submit\file.exe infected by "Trojan-Proxy.Win32.Cimuz.b" Virus. Action Taken: No Action Taken.

File C:\!Submit\killzx.exe infected by "Trojan.Win32.KillFiles.hb" Virus. Action Taken: No Action Taken.

File C:\!Submit\Messenger2.exe infected by "not-a-virus:AdWare.WinAD.i" Virus. Action Taken: No Action Taken.

File C:\!Submit\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.

File C:\!Submit\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\!Submit\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus. Action Taken: No Action Taken.

File C:\!Submit\navapqwa.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.

File C:\!Submit\rei.exe infected by "Trojan.Win32.LowZones.af" Virus. Action Taken: No Action Taken.


Here's another log too, if it helps:

Logfile of HijackThis v1.99.0
Scan saved at 15:08:26, on 07/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] "C:\Program Files\SoftPerfect Personal Firewall\fw.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

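HijackThis logs like the ones posted in this thread have a fixed plain-text layout (a header, a "Running processes:" list, then numbered entries such as O4/O9/O17), so they can be parsed and compared by script rather than eyeballed. The block below is an added example, not code from the original posts or from HijackThis itself: it parses a log, diffs two logs to show which entries a cleanup removed or added, and flags Run entries whose command is a bare filename with no directory, the pattern the earlier infected log showed for `crmss.exe` and `navapqwa.exe`. The two sample logs are constructed and abbreviated; the entry names and paths are modelled on this thread, and the function names (`parse_hjt`, `diff_entries`, `suspicious_run_entries`) are this example's own.

```python
"""Parse and compare HijackThis v1.99 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$")  # O4 Run-key entries only

# Constructed sample logs, abbreviated from the format posted in this thread.
# LOG_BEFORE carries a path-less Run entry and a leftover Outpost button;
# LOG_AFTER is the same machine after those were removed and AntiSpyware added.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 22:28:23, on 05/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft USB2 Driver] crmss.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 15:08:26, on 07/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
"""


@dataclass
class HjtLog:
    header: dict = field(default_factory=dict)    # platform, msie, scan_saved
    processes: list = field(default_factory=list)  # "Running processes:" block
    entries: list = field(default_factory=list)    # (code, body) pairs in log order


def parse_hjt(text):
    """Split a HijackThis log into header fields, process list and numbered entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
        elif line.startswith("Scan saved at "):
            log.header["scan_saved"] = line[len("Scan saved at "):]
        elif ":" in line:  # "Platform: ..." / "MSIE: ..."
            key, _, value = line.partition(":")
            log.header[key.strip().lower()] = value.strip()
    return log


def run_target(command):
    """The executable an O4 Run command points at, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(log):
    """Names of Run entries whose command is a bare filename (no drive or directory).

    Installers almost always register a full path; a bare 'something.exe' that
    Windows must locate via the search path is worth checking, as the crmss.exe
    and navapqwa.exe entries in this thread's infected log were."""
    flagged = []
    for code, body in log.entries:
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue  # Global Startup .lnk lines are not Run-key entries
        name, command = m.groups()
        target = run_target(command)
        if "\\" not in target and ":" not in target:
            flagged.append(name)
    return flagged


def diff_entries(before, after):
    """Entry lines only in 'before' (removed) and only in 'after' (added)."""
    b = {f"{code} - {body}" for code, body in before.entries}
    a = {f"{code} - {body}" for code, body in after.entries}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    removed, added = diff_entries(before, after)
    print("Flagged in earlier log:", suspicious_run_entries(before))
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
```

Running it on the two constructed logs flags the `Microsoft USB2 Driver` entry in the earlier log, reports the Outpost O9 button and that entry as removed, and reports the `gcasServ` entry as added; swap in two real logs from this thread to see the same comparison on the full data.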
#18 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 08 April 2005 - 04:47 PM

Could you take a look at this site and check to see if you have any files or folders that need deleting:
http://www.sarc.com/...n.lowzones.html

We may have to edit the registry if you can't do the recommendations in the Security tab.



#19 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 09 April 2005 - 10:52 AM

:( Sorry, couldn't do the recommendations.

Will I just go into the infected files and delete them myself? Or do I need them?

#20 Guest_Guest_irish-paddy_*_*

Guest_Guest_irish-paddy_*_*
  • Guests

Posted 09 April 2005 - 10:54 AM

For example, all files in C:\!Submit seem to be infected. Would I be able to just delete these myself?