Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm stuck


  • This topic is locked This topic is locked
7 replies to this topic

#1 Oopsadaisy

Oopsadaisy

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 22 August 2005 - 03:52 PM

I've downloaded HJT but unsure what to do next. :thumbsup: I'd really appreciate some help?:flowers:
Logfile of HijackThis v1.99.1
Scan saved at 15:03:02, on 21/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\Susan_2\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Mcafee Antivirus Monitoring System32mn] VSStatmn32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\RunServices: [Mcafee Antivirus Monitoring System32mn] VSStatmn32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 22 August 2005 - 07:55 PM

Hi, Oopsadaisy,
Welcome :thumbsup:

You seem to have a worm issue.
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

1. Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
2. Click on "Security Agents Status".
3. Click on "Disable real-time protection".

Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.

1. Click on the Options menu and choose Settings.
2. In the left pane column click on "Real Time Protection".
3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
4. Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).
5. Click the Save button and close Microsoft AntiSpyware.

Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".
[After your system is fully cleaned reenable MSAS using the same steps but this time reverse them.]

First:
Please download ewido security suite trial version.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Please reboot into Safemode:
    Turn on the computer.
    Immediately begin tapping the F8 key (or F5 on some computers)
    Use the arrow keys to highlight Safe Mode and press the Enter key.
  • Click on ewido>scanner
    Then select "Settings"
    Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
    Select "OK" and you will return to scanning options.
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • Select Perform action on all infections
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

We cannot use HijackThis until it is moved to its own permanent folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder. Do a Cut from where you now have it and Paste it in its new folder.
Double click to run it. Please post a fresh HJT log along with your ewido report in this thread.. Thanks. :flowers:

Edited by Bugbatter, 22 August 2005 - 08:01 PM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 Oopsadaisy

Oopsadaisy
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 23 August 2005 - 01:53 AM

Will do:) thank you very much for all your help:)

#4 Oopsadaisy

Oopsadaisy
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 23 August 2005 - 04:27 PM

Problem:( I'm stuck again.

When I rebooted in safemode I couldn't read anything on the screen. It's as if the resolution is way way too low. *Shrugs* It's the only way I can describe it. It's like looking at a peice of material through a microscope. I couldn't make out anything once I opened up the ewido scanner:(

Sorry about this

#5 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 24 August 2005 - 03:40 PM

Please disable MSAS until our fix has been completed, so it does not interfere with any changes that are being made to your Registry.
1. Right-click on the Microsoft Anti-Spyware icon in the system tray [It's the one with the red and yellow bulls-eye.].
2. Click on "Security Agents Status".
3. Click on "Disable real-time protection".

Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.

1. Click on the Options menu and choose Settings.
2. In the left pane column click on "Real Time Protection".
3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
4. Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).
5. Click the Save button and close Microsoft AntiSpyware.

Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".
[After your system is fully cleaned reenable MSAS using the same steps but this time reverse them.]

Try running ewido in normal mode.
If ewido won't work in normal mode, see if you can do an online scan at Panda.
Panda: http://www.pandasoftware.com/activescan/
Click on "Scan your PC"
A box will pop-up, click "Next"; Then, type in your email address and click "Send"
Select your Country and State/Region. Click "Start"
A message may appear asking you to agree to the installation of ActiveX components on your system, click "Yes".
Please make sure all five options are checked and then click "All my computer"
Another box will pop-up, click "Close". Your scan should then begin.
When it is finished, please click "See Report" then click "Save Report"
Please post the contents of the saved report(s) along with your fresh HJT log. Thanks.

Edited by Bugbatter, 24 August 2005 - 03:50 PM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#6 Oopsadaisy

Oopsadaisy
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 24 August 2005 - 05:22 PM

Here you are:)

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:56:29, 24/08/2005
+ Report-Checksum: 7141C45D

+ Scan result:

C:\Documents and Settings\Isla\Cookies\isla@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Isla\Cookies\isla@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Isla\Cookies\isla@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Isla\Cookies\isla@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Isla\Cookies\isla@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Isla\Cookies\isla@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Norm\Cookies\norm@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Norm\Cookies\norm@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Norm\Cookies\norm@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Susan_2\Cookies\susan_2@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Susan_2\Cookies\susan_2@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Susan_2\Cookies\susan_2@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Susan_2\Cookies\susan_2@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End

.............................................................................................................

Logfile of HijackThis v1.99.1
Scan saved at 23:02:42, on 24/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\Susan_2\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

..................................................................................................

I was reading your site and discovered this start up Application list. So I took it upon myself to check the boxes for McAfee as I uninstalled this a long time ago.
Then did what you said above.
I don't need any applications running on my pc that I can open from Start > Programs>

It's this worm thats worrying me. Where is it? Whats it doing?:thumbsup:

Thanks for your help:)

#7 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 24 August 2005 - 08:08 PM

Please print these instructions so you can refer to them.

We cannot use HijackThis until it is moved to its own permanent folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder. Do a Cut from where you now have it and Paste it in its new folder.

See if you can find the Backups that HJT saved, and move them to that permanent folder, too.

As mentioned above, HijackThis needs to be moved to a permanent folder and MicrosoftAntiSpyware needs to be disabled. I have not confirmed that your system is clean yet.

I took it upon myself to check the boxes for McAfee as I uninstalled this a long time ago.

That was not McAfee Antivirus.
The worm goes by this name: Mcafee Antivirus Monitoring System32mn
http://www.bleepingcomputer.com/startups/V...2.exe-2717.html

Where is it? Whats it doing?

I cannot tell at this point. You went ahead and checked the Run entry in HJT, so we'll do our best to fix the rest.

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Please do a search for this file and delete it.
VSStatmn32.exe

Reboot normally.

Did you remove Limewire? If not, I suggest that you do so.
http://www.pestpatrol.com/PestInfo/l/limewire.asp
http://www.benedelman.org/spyware/p2p/

Use the uninstaller:
Open the LimeWire folder.
Double click on the Uninstall LimeWire 18c icon.
Also, delete the Limewire folder in your Program Files only IF you removed Limewire.

Please do an online scan with Kaspersky WebScanner
at http://www.kaspersky.com/service?chapter=161739400.

Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:
Standard

Scan Options:
Scan Archives
Scan Mail Bases


Click OK

Now under select a target to scan:
Select My Computer
This will start the program to scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a new HJT log. Thanks.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#8 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 09 September 2005 - 08:48 PM

Due to inactivity, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users