Any of ye caped crusaders able to help me out here? Norton Antivirus told me I've got this trojan but didn't seem to be able to do anything about it. It's lurking around in MESSENGER\MSMSGS.EXE. Please tell me this is easier to cure than blooming spyware! :confused:
geezer 0 Junior Poster in Training
caperjack 875 I hate 20 Questions Team Colleague
Go here and get Trojan-Hunter (fully working trial)!
Please download and run Ad-Aware & Spybot, then follow the instructions in the link below to run them.
Step # 2
Please do an online scan; 2 would be better:
Trend Micro http://housecall.trendmicro.com/
Microworld http://www.mwti.net/antivirus/free_utilities.asp
Make sure that you choose "fix" or "clean".
Please do this.
Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!
1. Please go to your 'My Documents' folder, right-click and select 'New > Folder', then name the folder 'HJT'.
2. Copy and paste HijackThis.exe to the new folder.
3. Close ALL windows except HJT
4. SCAN with HJT
5. POST the log in this thread using 'Add Reply'
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH
geezer 0 Junior Poster in Training
Ay up Caperjack! Thanks for getting on my case... Did what you said there and here are the results, with a bit of additional info which may help muddy the waters somewhat.
The original warnings from Norton Antivirus told me that my computer was infected here (3 separate warnings after reboots):
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\Program files\Compaq\EasyAccess button...\StartEAK.exe
C:\Program files\Common Files\Microsoft Shar...\wkcalrem.exe
Oddly enough all of these have tried to get internet access recently and I probably let them before the warnings :o
Anyway here's what eScan had to say for itself
File C:\WINDOWS\System32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\ebennew\My Documents\Mr Migmam's woobly dangly bits\EasyDivX DVD ripper\softs\ck.exe tagged as not-a-virus:Tool.Win32.Pcwelt.a. No Action Taken.
File C:\EasyDivX\softs\ck.exe tagged as not-a-virus:Tool.Win32.Pcwelt.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3B077742.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4CBF45C3.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4D734AFD.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4D8072EF.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4DBA66AE.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\66111C09.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2\A0000113.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018367.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018376.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018377.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018400.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018401.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018402.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018403.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018405.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
And here, you'll be delighted to see, is my latest HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 00:04:54, on 23/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\internet security suite\really new hijack this\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Is any of this left over from my old spyware problem? (which never completely resolved itself)
I just use Firefox now, but every few boots IE tries to access the net, and if I deny it access (with ZoneAlarm) I get 70-odd internet exploder windows opening by themselves, resulting in a crash.
Thanks in advance for saving my posterior agin. Say Hi to the Wombat for me...
Thanks a million and goodbye!
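Before a HijackThis log like the one above is read by hand, a first pass can be automated. The Python below is an added example, not part of this thread and not code from HijackThis itself: it parses lines in the HijackThis log format (the "Running processes" list plus O2/O4/O23 entries), pulls the file path out of each entry, records whether that file is currently running, and flags entries with no resolvable path (such as `Microsoft Works Calendar Reminders.lnk = ?`), entries whose file sits outside the Windows and Program Files trees, and services whose publisher is "Unknown". The sample lines are copied from the log above; the flag names and the list of "standard" directory prefixes are assumptions of this example, and a flag means "look at this entry by hand", not "malicious".

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in HijackThis v1.99 log format; the lines are a subset of the
# log posted above, with one blank line added for readability.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

# First Windows path on a line, ending at a binary extension; stops at a closing quote.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|com|scr|sys))\b', re.IGNORECASE)
ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')
# Assumed heuristic for this example: a stock XP box keeps its binaries under these
# trees, so an autostart pointing elsewhere deserves a second look (not a verdict).
STANDARD_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


@dataclass
class Entry:
    section: str            # O2, O4, O23, ...
    text: str               # the line after "Oxx - "
    path: Optional[str]     # first Windows path found on the line, if any
    running: bool = False   # basename matches an entry in "Running processes"
    flags: list = field(default_factory=list)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def triage_hjt(log_text):
    """Parse a HijackThis-format log and return processes, entries and flagged entries."""
    processes, entries = [], []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('Running processes:'):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            section, text = m.groups()
            pm = PATH_RE.search(text)
            e = Entry(section, text, pm.group(1) if pm else None)
            if e.path is None:
                # ".lnk = ?" targets and bare commands give the reader nothing to verify
                e.flags.append('unresolved-target')
            elif not e.path.lower().startswith(STANDARD_PREFIXES):
                e.flags.append('outside-standard-dirs')
            if section == 'O23' and ' - Unknown - ' in text:
                e.flags.append('unknown-publisher')
            entries.append(e)
        elif in_procs and PATH_RE.match(line):
            processes.append(line)
    running_names = {basename(p) for p in processes}
    for e in entries:
        if e.path and basename(e.path) in running_names:
            e.running = True
    return {'processes': processes, 'entries': entries,
            'flagged': [e for e in entries if e.flags]}


if __name__ == '__main__':
    for e in triage_hjt(SAMPLE_LOG)['flagged']:
        print(e.section, e.flags, e.path or e.text)
```

Running the script on the sample prints the four entries worth a closer look (the RUNDLL32 entry with no full path, the Compaq `srmclean.exe` outside Program Files, the unresolved `.lnk`, and the service with an unknown publisher); everything else in the log resolves to a known vendor path and is left alone, which is exactly the "don't fix anything until the log has been checked" stance of the instructions above.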
geezer 0 Junior Poster in Training
PS: is "FindHolax" going to be any help here?
geezer 0 Junior Poster in Training
AHAAAAGH! I've been doing a bit of research and found INetDoor in my Add/Remove Programs bit... This is significant, I s'pose. Given that Symantec Net Detect is probably now infected along with nearly all my startup programs, how am I going to repair everything even if I can get rid of the INetDoor thing? Ooer...
caperjack 875 I hate 20 Questions Team Colleague
Download, unzip and run CWShredder to clean up, clicking "FIX" to have it remove all it finds.
CWShredder is available from these places:
http://www.aluriasoftware.com/tools/cwshredder.zip
Or these, as full downloads without any unzipping required:
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode, use the F8 key while booting the machine. Detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406
caperjack 875 I hate 20 Questions Team Colleague
I found some info here:
http://computercops.biz/postitle94182-0-0-.html
And this is why I suggest CWShredder:
http://www.doxdesk.com/parasite/CoolWebSearch.html
And for most of the entries in your eScan report, the files are in quarantine or in your System Restore. You will need to turn off System Restore after you run CWShredder, until you get it all cleaned up.
geezer 0 Junior Poster in Training
Ay up Caperjack! Thanks for the helpful links there. It looks like this thing is beatable.
One thing worrying me is that I don't have the Windows installation disks; everything came installed on the computer. So if I drop in the dummy DLL then uninstall all the infected startups, I won't be able to reinstall Messenger, for example, LiveUpdate etc. Or will I? I'm a NOVICE to say the least and don't want a computer with psychological problems...
caperjack 875 I hate 20 Questions Team Colleague
I'm a NOVICE too! So I really can't answer that!
But first, did you try CWShredder to see if it helps?
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
What have you done with all the infected files from post #3? They all need to be deleted. The System Restore can probably wait until you are clean, as the only way the ones in the restore folder can affect your PC is if you do a System Restore :).
Download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while, so have a cuppa whilst it's running :).
http://www.trendmicro.com/download/dcs.asp
Be sure to download and install the latest pattern file. There's a link to it at the lower left-hand column of the page. It will not run without the pattern file.
From Trend:
Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.
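crunchie's point above (and caperjack's earlier one) is that where a detection sits matters as much as what it is: a file in Norton's Quarantine folder is already contained, a file inside a System Volume Information restore point can only come back if that restore point is applied, and a file in C:\WINDOWS\system32 is live. The Python below is an added example, not part of this thread and not code from eScan, Norton or Trend Micro: it parses eScan-style result lines, sorts each finding into one of those three locations, drops duplicate paths that differ only in letter case (eScan listed the same DLL under both System32 and system32), and counts how many findings still have no action taken. The sample lines are copied from the eScan output posted earlier; the location rules and the `pua` label for "not-a-virus:" detections are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the eScan output posted earlier in this thread.
SAMPLE_ESCAN = r"""
File C:\WINDOWS\System32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\ebennew\My Documents\Mr Migmam's woobly dangly bits\EasyDivX DVD ripper\softs\ck.exe tagged as not-a-virus:Tool.Win32.Pcwelt.a. No Action Taken.
File C:\EasyDivX\softs\ck.exe tagged as not-a-virus:Tool.Win32.Pcwelt.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3B077742.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4CBF45C3.EXE infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP2\A0000113.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP29\A0018367.exe infected by "Virus.Win32.Implinker.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ms0b920b.dll infected by "not-a-virus:AdWare.Visiter" Virus. Action Taken: No Action Taken.
"""

# eScan uses two sentence shapes: 'infected by "<name>" Virus. Action Taken: <action>.'
# and 'tagged as <name>. <action>.'
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>.+?)\.$')


@dataclass
class Finding:
    path: str
    name: str
    action: str
    location: str   # 'live', 'quarantine' or 'restore-point' (this example's labels)
    pua: bool       # scanner prefixed the name with "not-a-virus:" (adware/tool)


def classify_location(path):
    """Assumed rules: AV quarantine folder, System Restore point, or live filesystem."""
    p = path.lower()
    if '\\quarantine\\' in p:
        return 'quarantine'
    if p.startswith('c:\\system volume information\\_restore'):
        return 'restore-point'
    return 'live'


def parse_line(line):
    m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
    if not m:
        return None
    path, name, action = m.group('path'), m.group('name'), m.group('action')
    return Finding(path, name, action, classify_location(path),
                   name.lower().startswith('not-a-virus:'))


def triage_escan(lines):
    """Group parsed findings by location, collapsing paths that differ only in case."""
    groups = {'live': [], 'quarantine': [], 'restore-point': []}
    seen = set()
    for line in lines:
        f = parse_line(line.strip())
        if f is None:
            continue
        key = f.path.lower()   # NTFS paths are case-insensitive: System32 == system32
        if key in seen:
            continue
        seen.add(key)
        groups[f.location].append(f)
    return groups


def summary(groups):
    counts = {loc: len(fs) for loc, fs in groups.items()}
    counts['unhandled'] = sum(f.action == 'No Action Taken'
                              for fs in groups.values() for f in fs)
    return counts


if __name__ == '__main__':
    g = triage_escan(SAMPLE_ESCAN.splitlines())
    print(summary(g))
    for f in g['live']:
        print('LIVE', f.name, f.path, '(PUA)' if f.pua else '')
```

On the sample the only live findings are the adware DLL in system32 and the two copies of the ripper's tool, so those are what need dealing with first; the Implinker hits are all either already quarantined by Norton or sitting in restore points, which is why the advice above is to delete the live files now and sort out System Restore once the machine is otherwise clean.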
geezer 0 Junior Poster in Training
I haven't deleted anything yet because I can't reinstall any Windows components that have been infected... CWShredder (new version says I'm squeaky clean, but I'm not, eh?)
geezer 0 Junior Poster in Training
Download sysclean (free) from Trend Micro, allow it to clean up any bad files it finds. It may take a while, so have a cuppa whilst it's running :).
HA HA! I've been out and made a full roast dinner and it's only just finished!!!
:lol: Anyway here's what its log says:
/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/
2005-01-23, 15:45:40, Auto-clean mode specified.
2005-01-23, 15:45:40, Running scanner "C:\Program Files\internet security suite\sysclean\TSC.BIN"...
2005-01-23, 15:45:59, Scanner "C:\Program Files\internet security suite\sysclean\TSC.BIN" has finished running.
2005-01-23, 15:45:59, TSC Log:
Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: )
Start time : Sun Jan 23 2005 15:45:42
Load Damage Cleanup Template (DCT) "C:\Program Files\internet security suite\sysclean\tsc.ptn" (version 487) [success]
Complete time : Sun Jan 23 2005 15:45:59
Execute pattern count(1749), Virus found count(0), Virus clean count(0), Clean failed count(0)
2005-01-23, 16:00:38, An error occurred while scanning file "C:\Documents and Settings\ebennew\NTUSER.DAT": Access is denied.
2005-01-23, 16:00:38, An error occurred while scanning file "C:\Documents and Settings\ebennew\ntuser.dat.LOG": Access is denied.
2005-01-23, 16:01:01, An error occurred while scanning file "C:\Documents and Settings\ebennew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-01-23, 16:01:01, An error occurred while scanning file "C:\Documents and Settings\ebennew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-01-23, 16:32:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-01-23, 16:32:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-01-23, 16:32:53, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-01-23, 16:32:53, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-01-23, 17:19:11, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ307969$\parport.sys": Access is denied.
2005-01-23, 17:19:11, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ307969$\spuninst\spuninst.exe": Access is denied.
2005-01-23, 17:19:11, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ307969$\spuninst\spuninst.inf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-0781811F.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\ADOBE GAMMA LOADER.EXE-1DBD7BA3.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AGENTSVR.EXE-002E45AB.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPATCH.DAT-26B17925.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-2253CB60.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUNZIP.DAT-0F430B30.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUPDATE.DAT-1C26048B.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\BTTNSERV.EXE-156C663E.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLEANER.EXE-0BCE437C.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CLICAPI20.EXE-0884FF61.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CPQEADM.EXE-01DAFE68.pf": Access is denied.
2005-01-23, 17:22:39, Could not set file for reading on "C:\WINDOWS\Prefetch\CPQEAKSYSTEMTRAY.EXE-02AC468C.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\CWSHREDDER.EXE-075D6433.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\CWSHREDDER.EXE-1530D436.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DIRECTCD.EXE-0A60B47C.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DISREB~1.EXE-116A29FD.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\EAUSBKBD.EXE-0920B492.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\ESCNDV.EXE-2FFF20EB.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-17EE503B.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\GETVLIST.EXE-3374D9AD.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-0E1BF781.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-39DC3871.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HPGS2WND.EXE-06AC8C27.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HPGS2WNF.EXE-3A8D0447.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\HPW8TBX.EXE-07B56719.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\INSTALL.EXE-3AEF1D3F.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\JUSCHED.EXE-1E31B7EA.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\KAVSS.EXE-0634462E.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LSETUP.EXE-34E1AE91.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LUALL.EXE-30AC8E48.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LUSETUP-LT.EXE-1D0507C4.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LUSETU~1.EXE-1F968773.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\LUUPDATE.EXE-057DD85A.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIMN.EXE-38BA891D.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\MWAV.EXE-02FBCF70.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\MWAVSCAN.COM-2F443510.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVAPW32.EXE-14F0BD2A.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-24F56911.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-2F9B64D1.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NDETECT.EXE-16E64095.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NMAIN.EXE-2BA406E0.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\OSA9.EXE-27CD7DB8.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-3784AE71.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\PATCH.EXE-1DE617D3.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\QSERVER.EXE-22A02121.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\REALPLAY.EXE-1BF219BD.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RL.EXE-0EB8DE0F.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-14948BEB.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-18E3301D.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1C320F03.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-37AF1B57.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4743EFC7.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SETHOOK.EXE-3556B5A6.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SETREFRESH.EXE-0C1D851C.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SMTRAY.EXE-025A616B.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDMON.EXE-0A6C21A2.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYWAREBLASTER.EXE-20CF1E62.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SRMCLEAN.EXE-1A445B2C.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SSTEXT3D.SCR-17B3B9DD.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\STARTEAK.EXE-02E55F96.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SYMANT~1.EXE-0325DF9A.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SYMWSC.EXE-321AAE19.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-1D1BBD47.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-07354F67.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-38462285.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.EXE-2B4C0858.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-1E8AE159.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\VSMON.EXE-1609C098.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINAMPA.EXE-0536E33F.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINPATROL.EXE-0E9A04D5.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINPATROLEX.EXE-29896382.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WKCALREM.EXE-23DFAF4B.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WKDETECT.EXE-317B1611.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WKSCAL.EXE-10AB18FB.pf": Access is denied.
2005-01-23, 17:22:40, Could not set file for reading on "C:\WINDOWS\Prefetch\WKSSB.EXE-01DCAEEA.pf": Access is denied.
2005-01-23, 17:22:41, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-01-23, 17:22:41, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf": Access is denied.
2005-01-23, 17:22:41, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-01-23, 17:22:41, Could not set file for reading on "C:\WINDOWS\Prefetch\ZLCLIENT.EXE-1C550EB2.pf": Access is denied.
2005-01-23, 17:27:11, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Access is denied.
2005-01-23, 17:27:11, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-01-23, 17:27:11, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-01-23, 17:27:11, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Access is denied.
2005-01-23, 17:27:12, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-01-23, 17:28:59, An error occurred while scanning file "C:\WINDOWS\Temp\ZLT03f74.TMP": Access is denied.
2005-01-23, 17:29:06, Running scanner "C:\Program Files\internet security suite\sysclean\VSCANTM.BIN"...
2005-01-23, 18:20:45, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/23/2005 17:29:10
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 365 (86521 Patterns) (2005/01/21) (236500)
Command Line: C:\Program Files\internet security suite\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Program Files\internet security suite\sysclean
C:\WINDOWS\system32\ms0b920b.dll [TROJ_HOLAX.A]
56274 files have been read.
56274 files have been checked.
41219 files have been scanned.
224346 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/23/2005 18:20:45
---------*---------*---------*---------*---------*---------*---------*---------*
2005-01-23, 18:20:45, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/23/2005 17:29:09
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 365 (86521 Patterns) (2005/01/21) (236500)
Command Line: C:\Program Files\internet security suite\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Program Files\internet security suite\sysclean
Success Clean [ TROJ_HOLAX.A]( 1) from C:\WINDOWS\system32\ms0b920b.dll
56274 files have been read.
56274 files have been checked.
41219 files have been scanned.
224346 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/23/2005 18:20:45 51 minutes 34 seconds (3094.05 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-01-23, 18:20:45, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/23/2005 17:29:09
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 365 (86521 Patterns) (2005/01/21) (236500)
Command Line: C:\Program Files\internet security suite\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Program Files\internet security suite\sysclean
56274 files have been read.
56274 files have been checked.
41219 files have been scanned.
224346 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/23/2005 18:20:45 51 minutes 34 seconds (3094.05 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-01-23, 18:20:45, Scanner "C:\Program Files\internet security suite\sysclean\VSCANTM.BIN" has finished running.
I'm still worried about restoring the missing bits of the affected startups now that the ms0b920b has been deleted. If I shut down my computer now will it all go pear shaped on reboot?... I'm scared...
Go raibh maith agat, dudes
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Now that it's gone, I think your only option is to go ahead and clean out the prefetch folder and to also do the following:
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin.
Which components do you believe to be missing?
I'm off to work now so will have to reply later in the day, unless one of our other members chips in :D.
geezer 0 Junior Poster in Training
Ay up Crunchie and Caperjack and any other of you public spirited nutters!
Before your last post I got very worried about simply removing the ms0b920b.dll with the antivirus... so I did a system restore to before what I did in post 12. Don't freak out! (well not yet anyway)
I checked out Caperjack's link to doxdesk and this is what got me worried, so I followed these instructions...
InetDoor variant
Unless you have an anti-virus program that specifically knows how to remove the import table entries from startup programs affected by InetDoor, removal is difficult. You can delete the file, but then any of the affected programs will refuse to run.
A short term workaround is to replace the InetDoor DLL with a dummy version that does nothing. You can then uninstall and reinstall each program with a component set to run on startup.
To do this, download InetDummy.dll and restart the computer in Safe Mode. To get the menu for Safe Mode, press F8 just as Windows starts to boot — on the NT boot loader menu if you have one, else just hammer it as the computer starts up.
Open the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me) and find the InetDoor file. It will be called msNNNNNN.dll, where NNNNNN is a six-digit hexadecimal number. There will also be .cfg and .da0 files with the same name.
Rename msNNNNNN.dll to msNNNNN.bak, then drop the InetDummy.dll file into this folder and rename it msNNNNNN.dll (the same name as the original DLL). Reboot the computer and if all goes well you can delete msNNNNNN.bak, .cfg and .da0.
This hasn't presented any problems yet but I know that some of my start up programs have been altered. Messenger still asks for access to the internet along with IE (even though I only use Firefox) and Norton Integrator. I don't know which of them to trust so I'm denying them all...
Am I going to have to uninstall and reinstall everything on the start up list?
Go raibh maith agat! Slan!
geezer 0 Junior Poster in Training
Oh Pants!
I just reread the bit about not doing a system restore before removing the other viruses in post 3 ...
Lads... sorry... It's late and I've spent too long trying to work this out my brains are small and smelly. I'm not gonna touch a thing till I hear from ye again..
Slan!
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
How about doing a restore back to a time that you consider to be when your PC was doing well? But not too far that you lose any information or programs that you may need.
Then hit msconfig for a normal startup, reboot and post another log :).
chound 1 Junior Poster
This is very effective:
Run msconfig;
uncheck all the startup items
uncheck all the services
Restart
Run your anti virus software. The trojan will get defeated.
(You can't delete the trojan since it is running.)
Run msconfig again and check the startup and service items which you require.
caperjack 875 I hate 20 Questions Team Colleague
This is very effective:
Run msconfig;
uncheck all the startup items
uncheck all the services
Restart
Run your anti virus software. The trojan will get defeated.
(You can't delete the trojan since it is running.)
Run msconfig again and check the startup and service items which you require.
I've never tried that. If you do uncheck all those things, how do you get to your desktop if you disable all startups and processes?
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
I wouldn't advise it myself. Though I have never actually tried it, or heard of it being tried.
If you can locate those files geezer, then delete them.
Me off to bed now. Back up and at it in another 7 hours :(.
geezer 0 Junior Poster in Training
I'm on my lunch at the minute so I can't really do much... Any way the jury seems to be out on how to get rid of this beastie...
I can't be the only one to get it can I? Can I? Please tell me I'm not the only one
:cry:
Every time I think I'm doing some thing smart, I out-stupid myself...
I'll delete all the files in the eScan log. I hope I haven't banjaxed everything by doing a system restore when some of the system restore files are infected...
G'night Crunchie. Sweet dreams... Do you guys see HJT logs when you're drifting off to sleep? :D
Go raibh maith agat agus slan!
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
I haven't gone yet :). I used to see logs when I first started, but I was doing about 30-40 a day :). I never counted sheep, I counted logs :D.
Did you think about restoring to a little while ago?
Try this scan at Symantec http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym
geezer 0 Junior Poster in Training
Did you think about restoring to a little while ago?
The files I've deleted from the eScan log were all created back at the beginning of December (5/12/04 23:03). This is a fair while ago so I'll leave this option as a later resort...
The infected files in the System Volume Information\restore were nearly all from programs that have been regularly asking for Internet access with the exception of A001803.exe which had no icon at all and no information in the rollover. I replaced the infamous ms0b920b.dll with the InetDummy.dll as per doxdesk instructions. All the dodgy files are in my recycle bin, so should I empty it before I
Try this scan at Symantec http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym
? Will permanently deleting them mess with their respective programs?
Oh by the way, when I went to the recycle bin I got five or six popups from norton antivirus saying that it had found holax in whatever file and fixed it. I can't remember which ones though of course...
I'm not going to do any more until you give me the go ahead... It's late (again :rolleyes: ) and I'm bound to banjax something if I try to do any more. I'll lock the firewall and disable the connection till morning.
I hope you've had a good kip, Crunchie, you'll be tucking in to a nice bowl of cornflakes about now I spose :D Enjoy your day!
Hey it could be worse, I work for a medical company cleaning infected poos from hospital mattresses! ;)
Go raibh mile maith agat agus slan!
geezer 0 Junior Poster in Training
Ay up and cead mile failte!
It's the morning again... I've just enabled the connection and unlocked the firewall. I couldn't get web access for a while and there was an extra program running icon showing in the Zone Alarm programs display (next to the lock button).
It's labelled as "Generic host process for win32 services". I checked out the program control menu and it seems to be C:\Windows\system32\svchost.exe
Oddly enough it asked for internet access 2 minutes later. I allowed this and another icon appeared, this time for "Firefox listening to port(s): TCP 1535"
I'm online now (obviously), should I be worried about the svchost.exe? I don't remember seeing any other icons apart from the zonealarm one here. Could be wrong though, it wouldn't be the first time... I'm very suspicious of anything that wants internet access right now.
Anyway I'm not going to do anything this morning for the same reasons as in the last post.
Got to go to work for some more scrubbing. Another day; another turd... lol
Mise le meas agus slan!
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
It is ok to grant C:\Windows\system32\svchost.exe internet access as it is required for your browser to work. Do not allow it server rights though.
The recycle bin can be emptied as the files there have effectively been separated from their programs already.
Any virus' in the restore folder can do no harm until you actually do a system restore, whereby you actually "restore" them.
geezer 0 Junior Poster in Training
Ay up, Crunchie!
I think that's just about sorted it... Messenger still asks for access so I think there's a few bits of the trojan around.
I've got the XP disc now so, in theory, can I uninstall messenger and any other bit of XP and reinstall from the disc?
I've done a few scans and they all say I'm clean so I'm gonna have a go at that scan where you can have a two and a half hour "cup of tea" while you're waiting :cheesy: This is what picked up the problem in the first place.
Fair play to Doxdesk too for the dummy dll thing. Invaluable!
All of this dates back to my last thread when I thought it was an About:Blank problem. No wonder no one spotted it...
Fairplay to Firefox too for outsmarting microsoft!
Most of all fair play to yourself, Caperjack, DMR and all you folks at Daniweb for keeping me sane through all of this. It's good to know that us novice nerds are not alone in the Big Bad Web.
Good luck
Go raibh maith agat! :D
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Not wanting to go through the entire thread again, is it Windows messenger trying to get on the net, or MSN messenger?
If Windows messenger go here http://grc.com/stm/shootthemessenger.htm and download shoot the messenger and follow the instructions. Think it is just a matter of clicking on the file. Windows messenger will then be disabled.
geezer 0 Junior Poster in Training
Ay up!
I just did the shoot the messenger thing. When I told Zone alarm to make Messenger ask for net access it promptly did...
It's just called messenger, not windows messenger or msn messenger or whatever...
The file is called msmsgs.exe in Program files/Messenger. The destination IP address (if that means anything to you ) is 192.168.1.1 Port 1900
Gotta go scrub turds...
Slan!
steosaur(oWn) 0 Junior Poster
I don't feel like reading all these threads so I'll just tell you some things to do if you still are getting that trojan. Plus this will help get rid of any other bad things.
Reboot in safe mode by pressing F8 when the computer is restarting.
step1: run adaware SE in my signature
step2: click start--run--type "regedit"--and check the run folders at the end of these paths for suspicious looking keys (like something with .holax in the name, etc.). If you're not sure about a key, type it in google to find out what it is. (don't delete anything you're not sure of)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
step3: open the c:\documents and settings\(user name)\local settings (if you can't see this folder then click tools-folder options-view tab-check show hidden files [tools is at the top with "file", "edit", etc.])\temp <--clear out this folder and also the temp internet folder.
step4: open c:\program files\windows\system32 and select the view as "details" so you can see the date they were modified. Arrange them by date and look at the more recent ones for any signs of .holax or anything that looks like a virus or a suspicious .dll. Like I said earlier, if you're not sure what it is, type it in google.
step5: make sure you got all the windows updates, you have an up-to-date virus scanner, and I suggest a firewall like ZoneAlarm (pay attention, you only need the free firewall) [http://www.zonelabs.com/store/content/promotions/zap4/zap_trial.jsp]
ps. that msgmss or whatever is in the run folders of the registry (see step 2) if you don't want it starting up, delete the keys.
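Steps 2 and 4 above can be done in one pass instead of by hand; the script below is an added example (not posted by anyone in the thread) that lists every entry in the five Run keys named in step 2, flags entries whose target file is missing or recently modified, and then lists recently modified DLLs in System32 the way step 4 sorts the folder by date. It assumes a current Windows with PowerShell 3 or later (not the XP box in the thread) and a 14-day window for "recent", both of which are the example's own choices.

```powershell
# Added example: review autostart Run keys and recent System32 DLLs.
# Read-only: nothing is deleted; review each flagged item before acting on it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$recentDays = 14   # assumption: "recent" means modified within the last two weeks
$cutoff     = (Get-Date).AddDays(-$recentDays)

function Get-CommandPath([string]$cmd) {
    # Extract the executable path from a Run value: a quoted path, or the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PSPath/PSParentPath/... metadata properties.
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -isnot [string]) { continue }
        $path = Get-CommandPath $p.Value
        $note = ''
        if ([string]::IsNullOrWhiteSpace($path)) {
            $note = 'empty command'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $note = 'target file missing'
        } elseif ((Get-Item -LiteralPath $path).LastWriteTime -gt $cutoff) {
            $note = 'target modified recently'
        }
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Note = $note }
    }
}
$findings | Format-Table -AutoSize

# Step 4 equivalent: DLLs in System32 changed within the window, newest first.
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and System32 listing are fully readable; an entry with an empty Note is simply one whose target exists and is older than the window, not one that has been vouched for.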
geezer 0 Junior Poster in Training
Ay up!
I did everything that steosaur suggested there. Nowt suspicious turned up apart from some stuff from ad companies in the personal profile temp folder. I deleted everything in there anyway...
I've blocked messenger by default with Zone alarm. I'll try disabling it in the registry, batten down the hatches and hope for the best!
Thanks again for the sanity and help lads!
Go raibh maith agat!
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Geezer. Do me a favour and download and run a program, then post the log for me to check out. I will not be able to check it until some time tomorrow though.
Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
Make sure to download it using Internet Explorer or you will only get the script :D.