

HJT - HJH


6 replies to this topic

#1 HJH

HJH


Posted 02 January 2005 - 09:20 PM

I am very unintelligent when it comes to computers, so usually my computer's a bit wonky, but it's getting really bad lately. It's going slower than usual, takes a really long time to shut down, and my "Add/Remove Programs" is overloaded with Windows Hotfixes. And, most importantly, I've had these two viruses I've been unable to delete for ages. They are aqadcup.exe and bokja.exe

I probably won't be on again until tomorrow afternoon, but feel free to post a response any time before then. Again, any help would be much appreciated.

Thanks


Logfile of HijackThis v1.99.0
Scan saved at 9:05:57 PM, on 1/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\temp\tX8J8oK6.exe
C:\WINDOWS\srcpp32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Linda\Application Data\been.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - (no file)
O2 - BHO: (no name) - {85AEC8D5-053E-5CCC-4A50-2FF07CBD6C97} - C:\WINDOWS\System32\qot.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Linda\Local Settings\Temp\Fze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - (no file)
O4 - HKLM\..\Run: [tX8J8oK6] C:\windows\temp\tX8J8oK6.exe
O4 - HKLM\..\Run: [srcpp32] C:\WINDOWS\srcpp32.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cbwau] C:\WINDOWS\cbwau.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [fXrYj] C:\documents and settings\linda\local settings\temp\fXrYj.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [rP53CQG2E] C:\documents and settings\linda\local settings\temp\rP53CQG2E.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Eraw] C:\Documents and Settings\Linda\Application Data\been.exe
O4 - HKCU\..\Run: [Nhfylp] C:\WINDOWS\System32\l?ass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Edited by HJH, 02 January 2005 - 09:27 PM.




#2 daveai

daveai


Posted 03 January 2005 - 01:47 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai


Posted 03 January 2005 - 02:07 PM

HJH -- Thanks for sending your HijackThis log.


First, you are running two anti-virus programs at the same time, and they will interfere with each other. You must disable/uninstall one of them. Since your AVG-6 is obsoleted (by AVG-7), I'd recommend you delete it. (I am assuming your Norton AV is kept up to date. Please inform me if I am wrong about that.)


Also, of immediate concern is the outdated version of Internet Explorer you are running. It is mandatory that you Download Internet Explorer 6 Service Pack 1.

Then, start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are up to date on critical security patches.



Since you will not be able to access this page in safe mode during this fix, please print these instructions now, or save them to your desktop, to help keep track of the steps.


To start, follow this link for instructions to enable 'show all files' for your system.


1 -- After checking yourself against the following instructions, run AdAware and Spybot Search and Destroy:

Please see How to use Ad-Aware to remove Spyware for instructions on how to download, install and then use this software.

Please see How to use Spybot to remove Spyware for instructions on how to download, install and then use this software, which may catch things that Ad-Aware misses.

Please let me know if anything can not be cleaned by these utilities.


2 -- Download the stand-alone version of CWShredder from CWShredder from Intermute. After you download the program, unzip it into a directory.

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.


3 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - (no file)

O2 - BHO: (no name) - {85AEC8D5-053E-5CCC-4A50-2FF07CBD6C97} - C:\WINDOWS\System32\qot.dll

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Linda\Local Settings\Temp\Fze.dll

O3 - Toolbar: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - (no file)

O4 - HKLM\..\Run: [tX8J8oK6] C:\windows\temp\tX8J8oK6.exe

O4 - HKLM\..\Run: [srcpp32] C:\WINDOWS\srcpp32.exe

O4 - HKLM\..\Run: [cbwau] C:\WINDOWS\cbwau.exe

O4 - HKLM\..\Run: [fXrYj] C:\documents and settings\linda\local settings\temp\fXrYj.exe

O4 - HKLM\..\Run: [rP53CQG2E] C:\documents and settings\linda\local settings\temp\rP53CQG2E.exe

O4 - HKCU\..\Run: [Eraw] C:\Documents and Settings\Linda\Application Data\been.exe

O4 - HKCU\..\Run: [Nhfylp] C:\WINDOWS\System32\l?ass.exe


O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\dial-kazemule8-uk\index.html


O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll

O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


These are optional items you may choose to fix:

Application Scheduler is installed along with RealOne Player and is running in startup, and is not needed. Once installed, it runs independently of RealOne Player and consumes resources. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself: (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK .

It's also a good idea to rename realsched.exe itself to prevent this from re-installing.

This is the item to fix in HJT:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Office Startup Assistant is an optional item that, if checked, will eliminate a known resource hog. You will still be able to start Office components from the Start menu. This is the item to fix in HJT:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.



4 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.


C:\WINDOWS\srcpp32.exe <-- this file

C:\WINDOWS\cbwau.exe <-- this file


C:\WINDOWS\System32\qot.dll <-- this file

C:\WINDOWS\System32\l?ass.exe (note the '?' in this filename...delete ONLY the file with the '?' in the name)

C:\WINDOWS\System32\ms.exe <-- this file

C:\WINDOWS\System32\msdhmd.dll <-- this file


C:\Documents and Settings\Linda\Application Data\been.exe <-- this file


C:\windows\temp\ <-- this folder


c:\dial-kazemule8-uk\ <-- this folder

C:\Program Files\Common Files\WinTools\ <-- this folder


Please let me know about any problems with the file/folder deletes.


5 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete Files" button. When prompted place a check in: "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

Double check to see if the folder C:\DOCUMENTSandSETTINGS\linda\LOCALSETTINGS\Temp is empty.

Please let me know about any problems with the temp file deletes.


Note: If you cannot delete them all at once because you have too many, then click and hold Ctrl and highlight a batch of them at a time. Once highlighted, right-click over the highlight and select Delete. Rinse, lather, repeat until the folder is empty.


6 -- Now, reboot normally and run either of these two Online virus scans: Panda Active Scan or TrendMicro Housecall and put on Auto Clean.


Now, reboot once again, and run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. Your response and the new logfile will determine the next steps for this fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 HJH

HJH

Posted 10 January 2005 - 10:40 PM

Sorry for taking so long to respond. I've completed all the steps you outlined, daveai, and they were very helpful. Unfortunately, though, I get the feeling there's still a bit of work to be done.

First, for Step 4, I was unable to delete "C:\WINDOWS\System32\l?ass.exe". This is the message I got:

"Cannot delete lsass: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use."

Next, I did a Norton scan after I completed all the steps and although the aqadcup.exe virus is now gone, the bokja.exe virus is still there.

Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 10:35:46 PM, on 1/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks in advance.

Edited by HJH, 10 January 2005 - 10:41 PM.


#5 daveai

daveai


Posted 11 January 2005 - 12:25 AM

Thanks for the response.

Of immediate concern is the outdated version of Internet Explorer you are running. Without the most up-to-date critical fixes, you are sure to re-infect.

Please start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are up to date on critical security patches.


Your comments:

for Step 4, I was unable to delete "C:\WINDOWS\System32\l?ass.exe". This is the message I got:

"Cannot delete lsass: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use."

A good thing, since lsass.exe is a critical system file.

The file you were looking for is l?ass.exe. If you didn't see it, that's fine. But do not delete the one called lsass.exe. I'm sorry my instructions were not more clear.

Next, I did a Norton scan after I completed all the steps and although the aqadcup.exe virus is now gone, the bokja.exe virus is still there.

You are saying that Norton cannot kill this...correct?

Okay, let's try some others:

Run these two online virus scans , reboot after each scan:

RAV<<<Add a check by 'Autoclean', leave everything else as is.

eTrust<<<'Cure' whatever is found, then delete if unsuccessful

Then re-run Norton to confirm the removal.

Please let me know the results of this.


And a question for you: Did the other scans (AdAware, Spybot, Housecall, Panda) report anything that could not be cleaned?


Meanwhile...the HijackThis logfile is clean and free of malware. Nice work :flowers:

And once the above scans complete, please allow me to suggest some prevention steps to keep your computer clean and secure going forward. You may have already taken a few of the steps, but it never hurts to take a quick look :thumbsup:

1 -- Be sure you update your anti-virus software at least once a week.

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, (or Tea Timer which does the same thing) and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D regularly to scan your system.

4 -- It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- Continue using a Firewall. Zone Alarm is a fine choice.

An excellent overview is: So how did I get infected in the first place? Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#6 HJH

HJH

Posted 11 January 2005 - 02:57 PM


for Step 4, I was unable to delete "C:\WINDOWS\System32\l?ass.exe". This is the message I got:

"Cannot delete lsass: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use."

A good thing, since lsass.exe is a critical system file.

The file you were looking for is l?ass.exe. If you didn't see it, that's fine. But do not delete the one called lsass.exe. I'm sorry my instructions were not more clear.

No, your instructions were very clear. I did a specific search for "l?ass.exe" and that's what came up. Weird, but I'll be sure not to delete it now.

#7 daveai

daveai


Posted 11 January 2005 - 03:54 PM

Thanks.

I think the problem may be this:

When you search for a name, the ? is treated as a wildcard by the search program, and therefore 'lsass' shows up.

When you actually look at the list of files in the directory, using Windows Explorer, you will see a filename with a ? in it if one is still there, as well as an entry for 'lsass'.

At any rate, based on the last HJT logfile, your system is clean, except for the version of IE you are running.

Thanks
daveai

Edited by daveai, 11 January 2005 - 03:55 PM.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
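As an added example (not code from this thread or from HijackThis), the following Python script mechanizes the two checks daveai applies by hand in posts #3 and #7: it flags running processes and O4 autoruns launched from temp or profile folders, and it catches filenames that mimic a critical Windows binary, as l?ass.exe mimics the genuine lsass.exe in System32. The critical-binary list, the system directories and the sample log excerpt are assumptions constructed from this thread's own log.

```python
import re

# Windows binaries that malware commonly impersonates (assumed list, lowercase).
CRITICAL = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
            "services.exe", "svchost.exe", "explorer.exe"}
# Where the genuine copies live on a default Windows XP install (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Folders a legitimate autorun almost never launches from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\",
                   "\\temporary internet files\\")

# First "X:\...\something.exe" on a line, quoted or not; trailing args are ignored.
PATH_RE = re.compile(r'([a-z]:\\[^"\n]*?\.exe)', re.IGNORECASE)

# Constructed excerpt that mirrors the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\windows\temp\tX8J8oK6.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Eraw] C:\Documents and Settings\Linda\Application Data\been.exe
O4 - HKCU\..\Run: [Nhfylp] C:\WINDOWS\System32\l?ass.exe
"""


def extract_paths(log):
    """Return (section, path) pairs for running-process lines and O4 autoruns."""
    found = []
    for line in log.splitlines():
        line = line.strip()
        if re.match(r"[a-z]:\\", line, re.IGNORECASE):
            section = "process"          # lines under "Running processes:"
        elif line.startswith("O4 - "):
            section = "autorun"          # registry Run keys and Startup folder
        else:
            continue
        m = PATH_RE.search(line)
        if m:
            found.append((section, m.group(1)))
    return found


def impersonated(name):
    """Return the critical binary that `name` mimics, or None.

    A mimic has the same length as a real name and differs in exactly one
    character: the '?' HijackThis prints for a character it cannot render,
    a look-alike Unicode letter, or a plain substitution such as 1sass.exe.
    """
    name = name.lower()
    if name in CRITICAL:
        return None
    for real in CRITICAL:
        if len(real) == len(name):
            if sum(1 for a, b in zip(real, name) if a != b) == 1:
                return real
    return None


def triage(log):
    """Return (section, path, reason) for every entry that deserves a closer look."""
    findings = []
    for section, path in extract_paths(log):
        folder, _, name = path.lower().rpartition("\\")
        folder += "\\"
        mimic = impersonated(name)
        if mimic:
            findings.append((section, path, f"name mimics {mimic}"))
        elif name in CRITICAL and folder not in SYSTEM_DIRS:
            findings.append((section, path, f"{name} outside system directory"))
        elif any(d in folder for d in SUSPICIOUS_DIRS):
            findings.append((section, path, "launched from a temp/profile folder"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {path}: {reason}")
```

Note that the genuine lsass.exe in System32 is deliberately not flagged, which is the distinction the Windows search wildcard blurred in post #6.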



