4 Posts

June 16th, 2004 15:00

removed sasser and still having problems

I am working on my aunt's computer, which was infected by the Sasser virus. I used Norton's removal tool twice, and ran an online virus scan which came back clean. I then ran Microsoft's Sasser removal tool to make sure it was gone. It too showed all was well. My problem is that I cannot install NAV 2004 without the program suddenly shutting down. I also cannot run regedit or msconfig without them too suddenly shutting down. I have done a lot of research on this, and nowhere does this appear to be a by-product of the Sasser virus. So my question is, what am I missing? I had installed all of the updates from Microsoft before doing the online virus scan. The computer is not connected to the internet while all of this is happening. The Windows software itself seems to be stable. The desktop will stay on for hours with no problems.

 

Thanks for the help,

Mike

 

933 Posts

June 16th, 2004 16:00

Hi Mike, see if you can download and run these two programs according to these instructions:  http://www.cjwd.demon.co.uk/spybot-adaware.html

Once that is done, or if you cannot download these programs, we need you to download and run a diagnostic program called Hijackthis. Warning: please do not attempt to use this tool without expert advice.  HJT will display good as well as any bad items in your log, and without expert knowledge of how to use it, you can cause damage to your computer. You can download HJT here:

http://www.spychecker.com/download/download_hijackthis.html

FYI: http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=15651

Following all instructions concerning HijackThis, post the log here in this thread, and for continuity, keep all information about this issue contained in this same thread.  Thanks, pskelley

103 Posts

June 17th, 2004 00:00

> My problem is that I can not install NAV 2004 with out the program suddenly shutting down.  I also cannot run regedit, or msconfig without them too suddenly shutting down. 

What I did before was to key in the DOS command "shutdown -a" in the Start/Run box, press "OK" and then activate my program(s). Whatever?

Ronnie

4 Posts

June 17th, 2004 04:00

I ran Spybot S&D and Ad-aware; between these two programs I removed over 100 entries. My original problem still continues though. I then ran HijackThis, and here is the report.

Logfile of HijackThis v1.97.7
Scan saved at 12:20:40 AM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37319.7389930556

 

Thanks,

Mike

 

Message Edited by mlheck63 on 06-17-2004 12:30 AM

933 Posts

June 17th, 2004 14:00

Hey, this log looks good, but I am still training for removal from logs. Please be patient, and one of the experts will take a look as soon as possible. Thanks..pskelley

933 Posts

June 17th, 2004 16:00

Ok Mike, Straight from the expert:

http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.WF

Run HJT, then with all other windows closed, choose Scan, then fix these items:

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

Then boot to safe mode

http://support.microsoft.com/default.aspx?scid=kb;en-us;315222&Product=winxp

and display hidden files: http://www.spywareguide.com/term_show.php?id=60

Then delete that file, smsc.exe. It will probably be in the C:\Windows\System32 folder. Be careful to delete the correct file, as you can see how much it looks like the valid WinTools file at the top of your running processes. That is what threw me. Once this is complete, reboot, then choose Start, Run and type "cleanmgr", then OK. After this runs, reboot, and post a clean log for a final check..Thanks...pskelley
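The expert's diagnosis above rests on three things visible in Mike's first log: the same value name, "Win32 USB2 Driver", planted in four autostart keys; a bare file name with no path, so Windows resolves it through the search path (System32 in this case); and a RunServices key, which only Windows 9x/ME honours, so nothing legitimate writes it on XP. As an added example, not part of this thread and not code from HijackThis, here is a small Python script that applies those three checks to the O4 lines of a HijackThis 1.x log. The sample input is the O4 section of the first log posted above, reproduced verbatim; the "three or more locations" threshold and the reason strings are my own choices, and the image-name regex is a heuristic for unquoted paths with spaces.

```python
import re

# Constructed sample input: the O4 lines from the first HijackThis log in this
# thread (the one that showed the WORM_AGOBOT.WF persistence), verbatim.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
"""

# HijackThis 1.x O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# First token that looks like a program image (heuristic: tolerates unquoted
# paths containing spaces and trailing arguments such as "/auto").
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))', re.IGNORECASE)


def parse_o4(log_text):
    """Yield (hive, key, value_name, image, command) for each O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        im = IMAGE_RE.match(command)
        image = im.group(1) if im else command.split()[0]
        yield hive, key, name, image, command


def triage(log_text):
    """Group O4 entries by image file name and attach the structural reasons
    that make an entry worth a closer look. Returns {image_basename: record}."""
    records = {}
    for hive, key, name, image, command in parse_o4(log_text):
        base = image.rsplit("\\", 1)[-1].lower()
        rec = records.setdefault(
            base, {"names": set(), "images": set(), "locations": [], "reasons": set()})
        rec["names"].add(name)
        rec["images"].add(image)
        rec["locations"].append(hive + "\\" + key)
        # 1. Bare file name: resolved via the search path, which is exactly
        #    what a file dropped into System32 relies on.
        if "\\" not in image:
            rec["reasons"].add("bare filename (no path)")
        # 2. RunServices is processed only by Windows 9x/ME; on an NT-family
        #    system such as the XP box in this thread it is a malware tell.
        if key.lower().startswith("runservices"):
            rec["reasons"].add("RunServices key on an NT-family system")
    for rec in records.values():
        # 3. Same image registered in several autostart locations
        #    (threshold of 3 is an assumption for this example).
        if len(rec["locations"]) >= 3:
            rec["reasons"].add(
                "registered in %d autostart locations" % len(rec["locations"]))
    return records


def suspicious(log_text):
    """Image names with at least one reason, most reasons first."""
    recs = triage(log_text)
    return sorted((b for b, r in recs.items() if r["reasons"]),
                  key=lambda b: -len(recs[b]["reasons"]))


if __name__ == "__main__":
    recs = triage(SAMPLE_O4_LINES)
    for base in suspicious(SAMPLE_O4_LINES):
        r = recs[base]
        print(base, sorted(r["names"]), r["locations"], sorted(r["reasons"]))
```

On the sample above only smsc.exe comes out flagged, with all three reasons; MSConfig.exe and ctfmon.exe, which carry full paths and sit in a single key, are left alone. What the script cannot do is the step pskelley warns about: telling the dropped smsc.exe from a legitimately named file. For that, check the file's location, size and digital signature (or its hash against the vendor's) before deleting it, and keep the backup HijackThis writes when you fix an item.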

4 Posts

June 18th, 2004 05:00

Thanks for the help pskelley. I did as you described, and things seem to be back to normal now.  There was a fourth smsc entry on the log file that I also deleted.  Here is a copy of the new log file.

Logfile of HijackThis v1.97.7
Scan saved at 1:05:24 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
D:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37319.7389930556

 

933 Posts

June 18th, 2004 09:00

Hi Mike, You have a good eye for this, sure you don't want to sign up at Boot Camp to do a little training and help us out...lol.  Seriously,  Texruss or another expert will be around as soon as possible to give the log one more look and to certify it clean. They will have some suggestions for keeping it that way.  It has been suggested it would be good for you to flush your restore points to make sure System Restore is not infected with anything.  The directions for doing so, if you need them, are in the next link.  Thanks, pskelley

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

3.4K Posts

June 19th, 2004 04:00

Good job Mike and pskelley... log is now clean. Please do the flush of the System Restore:


After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

And now...how to keep the critters away forever (hopefully...I haven't had any problems since 1999 myself *;-) (Dumb lapse on my part for my Norton definition updates and I clicked on Happyworm in email....duh!)

You look clean and hearty, congratulations! Now to stay that way:

Cleanup Programs and Procedures

(the four free programs in Items 2, 3, and 4 bolded below are a MUST in my opinion)

1. Spybot Search&Destroy and Ad-aware. Run weekly, or after a heavy internet session. Download at the following link.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware and print it out as a hard copy. It will take five minutes to set up the custom scanning options for Adaware, but it's worth it as these settings will be retained and you won't have to re-enter them again.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: "Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.


2. Proactive programs: SpywareBlaster & SpywareGuard. The first sets kill bits to stop known bad MSIE ActiveX scripts from installing; the second acts like your AV to stop browser hijacks and the installing of known baddies.

3. IE-Spyad puts 4000 bad sites in your Restricted (banned) sites list, to stop you accidentally getting sent to a bad site; it has an optional list of "bad" adult sites to install as well.

Links for these at:
http://www.cjwd.demon.co.uk/compsafetyonline.html

4. MVPS Hosts file at: http://mvps.org/winhelp2002/hosts.htm

The MVPS Hosts file replaces your current HOSTS file with one that prevents your computer from connecting to hostile sites by redirecting them to 127.0.0.1 which is your local computer. This is an easy way to prevent one of the most common hijackings computer users will face on the Internet! Do it now.

5. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

6. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

7. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

8. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

9. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(For Hijackthis logs...please copy Hijackthis.exe to, and run it from, a new folder you create at the root level of the C: drive. Name this folder HJT for best and safest results. Don't put it in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs. Also, when XP and W2K users post here and place it in Local Settings, the log usually shows their full name, since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.bleepingcomputer.com

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)

4 Posts

June 19th, 2004 18:00

I had shut off system restore before I even started to clean things up, so no problem there.  Thanks for all of the help and information that was given.  You guys, and gals will make me look like a hero to my Aunt.

 

Thanks Again,

Mike

3.4K Posts

June 19th, 2004 21:00

>I had shut off system restore before I even started to clean things up, so no problem there

Special comments: I had a debate with a colleague over the order in which to turn off System Restore... Symantec advises to do it as first step. I disagree respectfully. The reason is that System Restore is the lifeline for bringing back a known working configuration. Regardless of whether nasties are in the one brought back, it may be the only way to get Windows back working if a problem arises. Thus my advice is to wait for a flush until malware cleaning is complete. YMMV.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

