HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug
I had to wipe my hard drive and do a system rebuild Wednesday night, but then yesterday morning I checked Task Manager and svchos1.exe was using up all the memory... System Idle was using none. I ended the process and the memory use went to another process, svchost.exe, still 100% CPU in use. I ended that also. Also, since the rebuild I have had about 4 or 5 instances where a pop-up message will come up stating that Windows will shut down in 60 seconds, and then it counts down and restarts the computer. I know this is an indicator of the Blaster worm, but when I download the patch and removal tool from Microsoft (or FixBlast) it says that the computer is not infected. When I try and install the patch by itself, run msconfig, Norton, or a few other programs, the windows will disappear within about 15 seconds. I know I have the svchos1.exe bug but can't get rid of it because Norton won't run. I have been dealing with this nonstop since Tuesday night and I am really frustrated. Any help would be greatly appreciated.
HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 4:50:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\WINDOWS\System32\iexplore.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
Thanks,
Jenna
Jenn7285
January 23rd, 2004 20:00
OK, I ran HouseCall... 3 files, all Worm Agobot.BK. I pressed delete but it could only delete 2: svchos1.exe was "in use".
I ran HJT again and fixed what you said to, rebooted in safe mode, but there was no amsnmgr.exe file to delete.
Here is the new logfile:
Logfile of HijackThis v1.97.7
Scan saved at 5:52:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
Jenna
Yellowhammer
January 23rd, 2004 20:00
You have a couple of issues. First, you have a virus which is a version of the W32/Spybot worm.
Run one of the online virus scanners such as HouseCall.
Then close all windows and have HijackThis fix the following if they are still present:
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE (This is the virus startup)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab
Reboot to safe mode and delete the following file:
C:\WINDOWS\System32\AMSNMGR.EXE
Post another log when finished
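The pattern Yellowhammer is picking out of the log can be checked mechanically: an autorun value that is a bare filename (svchos1.exe, AMSNMGR.EXE, iexplore.exe with no directory), a name one character away from a real system binary (svchos1.exe beside svchost.exe), a well-known name running from the wrong directory (iexplore.exe in System32 instead of Program Files\Internet Explorer), and persistence written under RunServices, a Windows 9x/ME key that XP never reads. The Python below is an added example written for this thread, not HijackThis code and not anything the posters ran; it applies those heuristics to an excerpt copied from the first log above. The list of well-known binaries, the expected directories and the edit-distance threshold are the example's own assumptions, not a signature database.

```python
"""Heuristic triage of HijackThis "Running processes" and O4 lines.

Added example for the thread above; not HijackThis code.  The log excerpt at
the bottom is copied from the first log posted in the thread.  The name list,
expected directories and threshold below are assumptions made for illustration.
"""
import re

# Well-known Windows binaries that bots name themselves after.  Assumption: an
# illustrative subset, not a full inventory of XP system files.
KNOWN_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                  "winlogon.exe", "smss.exe", "csrss.exe", "explorer.exe",
                  "iexplore.exe"}
# Directory a well-known binary lives in on a default XP install (lower-case).
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
}
# Matches e.g. "O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a Run value, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def levenshtein(a, b):
    """Edit distance; a single substitution or insertion is enough to mimic a name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(exe):
    """Return (directory or None, basename), both lower-cased."""
    exe = exe.lower()
    if "\\" in exe:
        directory, _, base = exe.rpartition("\\")
        return directory, base
    return None, exe


def check_executable(exe):
    """Reasons an executable path or bare name looks suspicious (may be empty)."""
    reasons = []
    directory, base = split_path(exe)
    if directory is None:
        reasons.append("bare filename, resolved via search path")
    if base not in KNOWN_BINARIES:
        for legit in sorted(KNOWN_BINARIES):
            if levenshtein(base, legit) == 1:
                reasons.append(f"name imitates {legit}")
                break
    expected = EXPECTED_DIR.get(base)
    if expected and directory is not None and directory != expected:
        reasons.append(f"runs from {directory}, expected {expected}")
    return reasons


def extract_exe(cmd):
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def analyze(log_lines):
    """Return a list of (log line, reasons) for every flagged process or O4 entry."""
    findings = []
    in_processes = False
    for raw in log_lines:
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and PATH_RE.match(line):
            reasons = check_executable(line)
        else:
            in_processes = False
            m = O4_RE.match(line)
            if not m:
                continue
            reasons = check_executable(extract_exe(m.group("cmd")))
            if m.group("key").startswith("RunServices"):
                # Windows 9x/ME key; NT-family Windows never reads it, so an
                # entry here is a bot hedging across both families.
                reasons.append("RunServices key (Win9x persistence, ignored by XP)")
        if reasons:
            findings.append((line, reasons))
    return findings


# Excerpt copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

if __name__ == "__main__":
    for flagged, why in analyze(SAMPLE_LOG.splitlines()):
        print(flagged)
        for reason in why:
            print("    ", reason)
```

Two things the output makes visible. AMSNMGR.EXE as a running process gets no hit from the name heuristics at all; it is only caught through its bare-filename Run value, which is why the autorun keys, not the process list, are what Yellowhammer has HijackThis fix. Conversely carpserv.exe (a modem helper) is flagged purely for being a bare filename, so the heuristics produce false positives and a human still has to triage each line.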
Jenn7285
January 23rd, 2004 22:00
My new HJT log is posted above after following the instructions given. Please help if you can, I am desperate!
Also, I don't know if this helps any, but these are the CWShredder scan results:
Yellowhammer
January 23rd, 2004 23:00
You still have the same issue as before.
First make sure you can view hidden files and folders. That is probably why you did not see AMSNMGR.EXE. Open My Computer and select Tools > Folder Options > View and make sure Show Hidden Files and Folders is checked.
Close all windows and have HijackThis fix the following:
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
Then reboot to safe mode and delete the file: C:\WINDOWS\System32\AMSNMGR.EXE
Post another log when done.
Jenn7285
January 23rd, 2004 23:00
Whoops... here they are:
CWShredder v1.46.4 scan only report
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (472 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)
- END OF REPORT -
Jenn7285
January 23rd, 2004 23:00
Here's the new log:
Logfile of HijackThis v1.97.7
Scan saved at 8:28:01 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\spools.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
I am sure I deleted it, but is that it under Winsock2?
Jenn7285
January 24th, 2004 00:00
Firewall is and has been enabled.
OK, ran HouseCall again and this time it got more than the first time...
6 files:
BKDR_SDBOT.GEN, non-cleanable, in Documents and Settings (temp internet files maybe? can't see the rest of the line)
WORM_AGOBOT.BK, non-cleanable, in RECYCLER (there are 2 of these... maybe the deleted ones...)
3 more named BKDR_SDBOT.GEN, all non-cleanable, in:
windows\system32\spools.exe
windows\system32\spools.exe.poly
windows\system32\winhlpp32.exe
I pulled up Task Manager and it showed that both spools.exe and IEXPLORE.EXE were taking up all or most of the CPU. There are 2 processes running under IEXPLORE.EXE and then spools.exe and spoolsv.exe.
Should I try and delete all of these with HouseCall even though it won't delete some since they are running?
Yellowhammer
January 24th, 2004 01:00
Delete the items that were quarantined.
Have HijackThis fix the following:
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
Hopefully these will not return after a fresh boot now that it appears the viruses are gone.
Yes, I would run Ad-Aware and Spybot S&D. You should also install SpywareBlaster and SpywareGuard. Both are available via links here.
Jenn7285
January 24th, 2004 01:00
OK, sorry that took so long. Did all that, and when I restarted normally everything seemed OK... even Norton AntiVirus started, which it hadn't done since I installed it. Then I had to reboot to activate Norton, and then I ran a virus scan on the whole computer. It found 2 things, couldn't repair them, so I quarantined them...
ms64.exe in the System32 folder
ob.exe in the C:\ drive folder
New log from HijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 10:23:38 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\QConsole.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
Is it clean? If so (or if not), do I need to download Spybot Search & Destroy and Ad-Aware or any other things? Also, what should I do with the quarantined items?
Jenn7285
January 24th, 2004 02:00
Yes, thank you SOOO much! You're a lifesaver!
And now I have Norton running, so that will catch most stuff, and I am fixing to download the 4 spyware programs.
Thank you again!
Jenna
Jenn7285
January 24th, 2004 02:00
New log:
Logfile of HijackThis v1.97.7
Scan saved at 10:59:31 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
Clean???
The only one I don't know about is in red.... Something weird happened though: when I "fixed" those things with HijackThis, a window came up and apparently something had gone wrong with the OS and I had to put that CD back in for Service Pack 1...