Hijack this beginner


This topic is locked. 10 replies to this topic.

#1 grahamd79 (Members, 9 posts)

Posted 14 December 2004 - 04:15 PM

Hi there,
So I just made an idiot out of myself and posted this in the Windows 2000 area - sorry to whoever's toes I just walked over!

This is the post in the right place this time!

I just did a complete reinstall to speed up my computer and it lasted for about 2 days before it went all slow and tired again. It's Windows 2000 and I'm on broadband. A bunch of things ask me for internet access (I use ZoneAlarm) such as BGOZUI.EXE and MSVM - I do not know what any of this means - I just see that my computer is either slow or it crashes. This is my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 20:27:26, on 14/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\bgozui.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINNT\System32\msvcs.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\MDM.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [icrosoft Update Machine] winini.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Compliant] bgozui.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [ynsvmdav] C:\WINNT\ynsvmdav.exe
O4 - HKLM\..\Run: [blah service] msvcs.exe
O4 - HKLM\..\RunServices: [icrosoft Update Machine] winini.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Windows Compliant] bgozui.exe
O4 - HKLM\..\RunServices: [blah service] msvcs.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [icrosoft Update Machine] winini.exe
O4 - HKCU\..\Run: [Windows Compliant] bgozui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes...e/bridge-c7.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8328.4750347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1206C9-D579-46C4-BB43-8B859DCDCA9F}: NameServer = 217.169.20.20,217.169.20.21

Any help would be really appreciated.

Thanks!

Graham


#2 Papakid, Guru at being a Newbie (Malware Response Team, 6,614 posts)

Posted 14 December 2004 - 09:43 PM

Hi there grahamd79,

sorry to whoever's toes I just walked over!

This is the post in the right place this time!

Don't worry about it, my toes feel fine. :flowers:

I just did a complete reinstall to speed up my computer and it lasted for about 2 days before it's gone all slow and tired again.

On today's internet it only takes about 30 minutes to get infected, especially when you're not running an antivirus and an unpatched Windows. You've been hit pretty hard and I'm surprised it lasted two days.

Let's clean up some first and then see what else HijackThis can do for you.

So here's what I want you to do:

Download AVG Free. It should already come with the latest definitions, so you should immediately boot your computer into Safe Mode, install AVG Free and run a full system scan.

Then do both of these online virus scans:
TrendMicro's HouseCall
ActiveScan

Then open Internet Explorer and click on Tools>Windows Updates. If you don't get patched you can still get infected within seconds of going online even with antivirus protection. Let your PC be scanned for what updates are needed and install ALL critical updates. You should be up to SP4. You may need to reboot after installing SP4, but then go back and get any other updates until the scan says you don't need any more.

Download Spybot and Ad-aware from the following locations and install them. You should run both programs and clean up what is found. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update these programs. There are update options in each program when you run them.

Spybot

Ad-aware

Now read this carefully:
How to submit a Hijackthis Log
Your version of HijackThis is out of date. Please use the link in the article linked above to download and UNZIP HijackThis 1.98.2. Then scan again with HijackThis and post a new log. Please stick to this thread by using the Add Reply button. You should get an email notification with a link to this thread, but if you have any trouble finding it, click the My Topics link at the top of any BleepingComputer forum page.

No sweat. :thumbsup:

The thing about people is they change when they walk away. --Mipso


#3 grahamd79, Topic Starter (Members, 9 posts)

Posted 19 December 2004 - 08:25 AM

Thanks for your help. I have done all of that and this is my new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 13:20:08, on 19/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\msvcs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\System32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [blah service] msvcs.exe
O4 - HKLM\..\Run: [ynsvmdav] C:\WINNT\ynsvmdav.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Windows Compliant] bgozui.exe
O4 - HKLM\..\RunServices: [blah service] msvcs.exe
O4 - HKLM\..\RunServices: [icrosoft Update Machine] winini.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1206C9-D579-46C4-BB43-8B859DCDCA9F}: NameServer = 217.169.20.20,217.169.20.21
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

It's quite a mess I think!

Best,

Graham

#4 grahamd79, Topic Starter (Members, 9 posts)

Posted 19 December 2004 - 12:51 PM

Sorry, I forgot to do the windows update bit which I now have.

Here's the log now:

Logfile of HijackThis v1.99.0
Scan saved at 17:50:43, on 19/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\msvcs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\System32\MDM.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [blah service] msvcs.exe
O4 - HKLM\..\Run: [ynsvmdav] C:\WINNT\ynsvmdav.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Windows Compliant] bgozui.exe
O4 - HKLM\..\RunServices: [blah service] msvcs.exe
O4 - HKLM\..\RunServices: [icrosoft Update Machine] winini.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1206C9-D579-46C4-BB43-8B859DCDCA9F}: NameServer = 217.169.20.20,217.169.20.21
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks,
Graham :thumbsup:

#5 Papakid, Guru at being a Newbie (Malware Response Team, 6,614 posts)

Posted 19 December 2004 - 04:21 PM

Hi again grahamd79,

Thanks for the log after updating Windows. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Scan again with HijackThis. Put a checkmark by these entries, double-checking to be sure that only these entries are checked.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [blah service] msvcs.exe
O4 - HKLM\..\Run: [ynsvmdav] C:\WINNT\ynsvmdav.exe
O4 - HKLM\..\RunServices: [Windows Compliant] bgozui.exe
O4 - HKLM\..\RunServices: [blah service] msvcs.exe
O4 - HKLM\..\RunServices: [icrosoft Update Machine] winini.exe


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Reboot your computer into Safe Mode and delete the following files if they exist:

C:\WINNT\System32\msvcs.exe
C:\WINNT\System32\ynsvmdav.exe
C:\WINNT\System32\bgozui.exe
C:\WINNT\System32\winini.exe <--this file in the System32 folder only

Reboot back into normal mode, scan again with HijackThis and post another log please. Also let me know if you are having any other related problems. There may be some more registry repair needed.

Also if you are using any other user profiles please log in to each one and send a HijackThis log. And also let me know if your PC is on a network.

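The entries Papakid singles out above share traits that an analyst can check mechanically: a bare file name instead of a full path, a slot in the RunServices key, an executable dropped straight into the Windows directory, or a name that imitates a Microsoft component ("icrosoft Update Machine", "Windows Compliant"). The following Python script is an added example and not part of the original thread; it applies those heuristics to O4 lines copied from the logs above. The allowlist of Windows 2000 components that legitimately run from a bare name and the list of imitated brand words are assumptions for this example, not a complete baseline.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: O4 lines in the shape of the HijackThis logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [icrosoft Update Machine] winini.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Compliant] bgozui.exe
O4 - HKLM\..\Run: [ynsvmdav] C:\WINNT\ynsvmdav.exe
O4 - HKLM\..\Run: [blah service] msvcs.exe
O4 - HKLM\..\RunServices: [icrosoft Update Machine] winini.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Windows 2000 components that legitimately appear in Run keys as a bare file
# name resolved from System32. This allowlist is an assumption for the example;
# build your own from a clean baseline of the same Windows version.
KNOWN_BARE = {"mobsync.exe", "internat.exe"}

# Words malware authors imitate in the entry name (assumed list).
BRANDS = ("microsoft", "windows", "update", "service")

# "O4 - HKLM\..\RunServices: [name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def _exe_of(command: str) -> str:
    """Return the executable token of a Run value, stripping quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def _mimics_brand(name: str) -> bool:
    """True if a word of the entry name is, or sits inside, an imitated brand word.
    Catches truncated spellings such as 'icrosoft' as well as exact 'Windows'."""
    for tok in re.findall(r"[a-z]+", name.lower()):
        for brand in BRANDS:
            if len(tok) >= 5 and (tok in brand or brand in tok):
                return True
    return False


def triage(log_text: str) -> List[Finding]:
    """Flag O4 Run/RunServices entries that match common worm persistence traits."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # R0, O2, O16 and Global Startup lines are out of scope here
        hive, key, name, command = m.groups()
        exe = _exe_of(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        f = Finding(hive, key, name, command)
        bare = "\\" not in exe
        if bare and base not in KNOWN_BARE:
            f.reasons.append("bare file name, resolved via System32/PATH rather than a vendor path")
        if key.lower().startswith("runservices"):
            # Windows 2000 does not process RunServices (a Win9x key); an entry here was
            # written blind by something that wants to persist on every Windows version.
            f.reasons.append("entry in the Win9x RunServices key")
        if re.match(r"(?i)^c:\\winnt\\(system32\\)?[^\\]+$", exe) and base not in KNOWN_BARE:
            f.reasons.append("unknown executable placed directly in the Windows directory")
        if _mimics_brand(name) and "program files" not in exe.lower():
            f.reasons.append("entry name imitates a Microsoft/Windows component")
        if f.reasons:
            findings.append(f)
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Entry names flagged by triage(), in log order."""
    return [f.name for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}\\..\\{f.key}: [{f.name}] {f.command}")
        for r in f.reasons:
            print("    -", r)
```

Treat the output as a list to look up, not a verdict: a vendor that writes a bare file name to Run trips the first rule, and a worm that installs under Program Files with a full path trips none of them. The value is in quickly separating the four entries Papakid named from the Xerox, ScanSoft, Zone Labs and AVG lines that look noisy but are legitimate.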


#6 grahamd79, Topic Starter (Members, 9 posts)

Posted 20 December 2004 - 12:49 PM

Hiya,

Here is the new log after doing those actions, there was only the bgozui one there.

Logfile of HijackThis v1.99.0
Scan saved at 17:41:20, on 20/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1206C9-D579-46C4-BB43-8B859DCDCA9F}: NameServer = 217.169.20.20,217.169.20.21
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Yes, I am having the problem of the computer crashing very regularly - especially when on the internet.

Thanks,

Graham :thumbsup:

#7 Papakid, Guru at being a Newbie (Malware Response Team, 6,614 posts)

Posted 20 December 2004 - 07:41 PM

OK, this worm has changed some settings that are probably causing those problems.

According to Sophos the files removed were the Rbot worm which is bad news. Here are the relevant write ups:

W32/Rbot-IR
W32/Rbot-KV
W32/Rbot-RK

To put the affected settings back to default, please do the following. If you didn't have your PC set to default, refer to the Sophos articles under the Recovery and Advanced tabs and I'll link to the Microsoft articles that should help in finding what the settings should be. If you are comfortable editing the registry you can follow the instructions in those articles but let's try this first.

Re-enable DCOM
1. START>Run type in the following bold text (or copy and paste) and press Enter key: Dcomcnfg.exe
2. Click the Default Properties tab.
3. Click to select (put a checkmark in) the Enable Distributed COM on this Computer check box.
http://support.microsoft.com/kb/825750

Local Security Policy

1.  Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
NOTE: If you cannot perform this step because "Administrative Tools" does not show up in the Program list, then click Start, point to Settings, point to Control Panel, click Administrative Tools, and then click Local Security Policy. Then proceed to step two.
2. Under Security Settings, double-click Local Policies, and then click Security Options.
3. Double-click Additional restrictions for anonymous connections, and then click No access without explicit anonymous permissions under Local policy setting.
4. Restart the member computer or domain controller for the change to take effect.

http://support.microsoft.com/kb/q246261/

IMPORTANT NOTE: The information in the above quotebox is how to impose the restrictions. That's what the worm did and you want to take them away. I don't have access to Windows 2000 so I can't tell you exactly how to do it, but step three needs to be changed so that you do have access instead of No Access. To be sure the settings are correct, you'll need to check the following registry keys if they exist:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
HKLM\SYSTEM\ControlSet001\Control\Lsa

The default value for \restrictanonymous under these keys (what you want) is 0, not 1 or 2.

That's covered in the MS articles so read them carefully and be sure to make a backup of the registry before attempting to make any changes.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Be sure to reboot after making the above changes.

For more information on editing the registry, click here. Or post back with any questions.

This worm is a serious breach of security. You'll need to change all your passwords and check on the security of your credit cards and any banking information, etc. It includes a keylogger so passwords that you don't have written down and use from memory will still be stolen. The worm changed the above settings to prevent you from changing your passwords, so be sure they are back at default before changing any.

Your HJT log is clean. After making the above changes, please post another to make sure it is still that way.

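Rather than reading the two settings off by eye in regedit, export the affected keys (regedit's Export command on HKLM\SYSTEM\CurrentControlSet\Control\Lsa and on HKLM\SOFTWARE\Microsoft\Ole) and run the check below over the export. This Python script is an added example and not part of the original thread or of the Sophos or Microsoft articles it links. RestrictAnonymous = 0 is the default the post names and corresponds to "None. Rely on default permissions" in Local Security Policy. The EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole is what the dcomcnfg checkbox toggles; that key is not mentioned on the page and is supplied from general knowledge. The sample export is constructed to show both values in the worm-modified state; the same check can be run over an export of ControlSet001, which the post also lists.

```python
import re
from typing import Dict, Tuple, Union

RegValue = Union[int, str]
RegKey = Tuple[str, str]  # (key path, value name)

# Constructed sample in the shape of a regedit export, showing the two settings the
# post above describes as tampered with, in their tampered state.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"DefaultLaunchPermission"=hex:01,00,04,80
"""

# Expected default values. RestrictAnonymous = 0 is from the post; EnableDCOM = "Y"
# is the value behind the dcomcnfg checkbox (general knowledge, not on the page).
EXPECTED: Dict[RegKey, RegValue] = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "Y",
}

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[RegKey, RegValue]:
    """Parse a .reg export into {(key, name): value}; dword and string values are
    decoded, binary/hex types are kept as their raw text."""
    values: Dict[RegKey, RegValue] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            values[(key, name)] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            values[(key, name)] = val[1:-1]
        else:
            values[(key, name)] = val
    return values


def find_deviations(values: Dict[RegKey, RegValue]) -> Dict[RegKey, Tuple[object, RegValue]]:
    """Return {(key, name): (actual, expected)} for every expected value that is
    missing or differs. Comparison is case-insensitive because registry names are,
    and the worm write-ups spell RestrictAnonymous several ways."""
    lowered = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    out = {}
    for (key, name), expected in EXPECTED.items():
        actual = lowered.get((key.lower(), name.lower()))
        if actual is None or actual != expected:
            out[(key, name)] = (actual, expected)
    return out


def make_fix_reg(deviations: Dict[RegKey, Tuple[object, RegValue]]) -> str:
    """Emit a .reg file that restores the expected values; import it only after
    backing up the registry, as the post advises."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (key, name), (_, expected) in deviations.items():
        lines.append(f"[{key}]")
        if isinstance(expected, int):
            lines.append(f'"{name}"=dword:{expected:08x}')
        else:
            lines.append(f'"{name}"="{expected}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    dev = find_deviations(parse_reg_export(SAMPLE_REG_EXPORT))
    for (key, name), (actual, expected) in dev.items():
        print(f"{key}\\{name}: found {actual!r}, expected {expected!r}")
    if dev:
        print("\n--- fix.reg ---\n" + make_fix_reg(dev))
```

Importing the generated .reg file makes the same change the two KB articles describe by hand; reboot afterwards, export the keys again and rerun the check so that an empty result, not a visual inspection, confirms the settings are back at default before any passwords are changed.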


#8 grahamd79, Topic Starter (Members, 9 posts)

Posted 21 December 2004 - 12:46 PM

So I have done all that - I still have the crashing problem though. Here is the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 17:46:44, on 21/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1206C9-D579-46C4-BB43-8B859DCDCA9F}: NameServer = 217.169.20.20,217.169.20.21
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks again,
Graham

#9 Papakid, Guru at being a Newbie (Malware Response Team, 6,614 posts)

Posted 22 December 2004 - 09:34 AM

Hi grahamd79,

That's a clean log. Can you tell me when the crashing problem started? Was it after fixing the worm with HijackThis or was it happening before?

You can fix this known resource hog with HijackThis--it won't affect the functionality of any of Microsoft Office's applications. I don't think it will help with the crashes but if it does let me know. Reboot after fixing for the change to take effect.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

To see if the worm left anything else running that HijackThis can't see, please do this.

1. Please download DLL Compare to your desktop.

Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.

2. If you are not running AdAware SE Personal 1.05 download and update it.
http://www.lavasoftusa.com/

Once installed please go to the settings (gear at top) button. Click the Scanning button and click to make sure you have a green checked circle by Scan Within Archives and all items under Memory and Registry.

Now Advanced button to the left and make green check next to all items under Logfile Detail Level except Negligible Objects.

Now the Tweak button on the left. Click the plus sign next to Log Files to expand and make green checkmarks next to everything that's not grayed out.

Now scan with AdAware. Save the log and post it here. It's a long log, so please hit Add Reply after you've posted the DLL Compare log and paste the AdAware log in a separate post.



#10 grahamd79, Topic Starter (Members, 9 posts)

Posted 29 December 2004 - 12:35 PM

Thank you very much for your help. I hope you had a good Xmas. Unfortunately my computer burned out and I have had to put another one in, which I have installed the various antivirus, updates, and spyware removers on. The chip burned out and began smoking! That couldn't have been the worm, could it?
Thanks,
Graham :thumbsup:

#11 Papakid, Guru at being a Newbie (Malware Response Team, 6,614 posts)

Posted 31 December 2004 - 12:58 AM

Hi Graham,

My Christmas was great and I hope yours was too, less the unfortunate trouble you had with the chip. Sorry to hear that. Don't think there is any way that the worm caused it though--sounds like its time had come and it just crapped out.

From your first post:

I do not know what any of this means - I just see that my computer is either slow or it crashes

Glad to hear you're now up and running, secure and updated. There are some more steps you can take to keep it that way. Some of it you've already done, but please take a few moments to read the entire article:

Simple steps to keep your computer secure!

I like to emphasize step 4 and keeping everything updated. You can keep up with the latest updates for your security software and Windows by visiting Calendar of Updates frequently.

There is also some additional good information in veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place?

Now since there is no way to deal with your original issue any further, I'm closing this thread. We have to do that in this forum for various reasons. If you need help with something else please start a new thread and I hope you'll hang round BC and make yourself at home.

Have a great New Year. :thumbsup:
