Several viruses - tried many things!
MeganC
10-22-2005, 05:05 AM
I have several viruses at the moment it seems (cos one is just not enough!).
Asspin was helping me fight them after I got some names off the housecall online virus scanner, but so far rebooting in safe mode, deleting from Run and RunServices and ending the task in Task Manager has not gotten rid of them.
They are fond of disabling my Norton, freezing the computer, bringing up strange black screens, bumping the internet off (I'm on dial up), refusing to open things like My Computer for short periods, putting weird icons in the task bar, etc.
Any other suggestions would be great! Asspin - they won't go away! (How are you by the way? :p )
I am also not able to connect to mIRC as it says I don't have Ident.
Thanks guys:confused:
VampYre
10-22-2005, 10:36 PM
When I get home tomorrow night I will post some instructions for you to do, and then you will need to post the log (HijackThis).
And I can show you what to delete, which would be a step in the right direction.
Asspin
10-22-2005, 11:30 PM
Try /server irc.efnet.net and you should connect eventually. You may be to the point however, where you want to format, install antivirus, install a better firewall, then reconnect to the internet.
MeganC
10-23-2005, 02:34 AM
Thanks so much guys.
Obviously the bit I did wasn't enough and I have just let it get worse.
Does formatting mean wiping my harddrive?
I can follow whatever you say to the T! I am quite clueless though (as you know)!
MeganC
10-23-2005, 04:45 AM
I am back on mIRC - thanks Asspin!
I'll hang out in your channel hoping to catch one of you tomorrow :)
Asspin
10-23-2005, 11:56 AM
Well you did something right... at least your ident is the one you set, not a random one now. And yes, formatting will wipe the drive.
VampYre
10-23-2005, 01:27 PM
Megan,
Before you format, please try this
Get http://216.180.233.162/~merijn/files/HijackThis.exe
That file. Run it, and either copy/paste the log file here, or attach the logfile to your post. Also, while you are online, can you run a virus scan @ www.pandasoftware.com/Products/activescan and when it's done scanning, save the activescan.txt and post it here as well. I can take a look at both logs, and let you know what you have, how to clean it, and possibly save you from having to completely redo your system.
Redoing your system should be considered last resort. If you do choose to redo your system, make sure you backup ALL OF YOUR FILES FIRST!
Backup your email, your address book, your favorites, your My Documents, and anything else that you want to keep. When you format your hard drive, you are wiping it CLEAN. Nothing will remain on the hard drive.
MeganC
10-23-2005, 07:00 PM
Oh man, i don't know how to thank you guys for all your help with this.
You have been so freaking awesome!
I will leave the scans going while I go to uni and post the logs tonight when I get home.
THANK YOU!!!!!!!
MeganC
10-23-2005, 07:07 PM
Here is the HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 9:36:15 AM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\smss.exe
C:\WINNT\system32\stisvc.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\iTunesHelper.exe
C:\WINNT\system32\winamp32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\winamp32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ircserv.exe
C:\WINNT\system32\hhs.pif
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\3J\My Documents\Megan!\Uni Work\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe ircserv.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iPod\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Windows32 Configuration Loader] winamp32.exe
O4 - HKLM\..\Run: [Windows Security] ms32.pif
O4 - HKLM\..\Run: [MS Sys Security] mswin.pif
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Up Service] up32.pif
O4 - HKLM\..\Run: [HTML Help System] hhs.pif
O4 - HKLM\..\RunServices: [Windows32 Configuration Loader] winamp32.exe
O4 - HKLM\..\RunServices: [Windows Security] ms32.pif
O4 - HKLM\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKLM\..\RunServices: [HTML Help System] hhs.pif
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Configuration Loader] spooIsrv.exe
O4 - HKCU\..\Run: [MS-DOS Service] MS-DOS.PIF
O4 - HKCU\..\Run: [Windows32 Configuration Loader] winamp32.exe
O4 - HKCU\..\Run: [MS Sys Security] mswin.pif
O4 - HKCU\..\Run: [Windows Security] ms32.pif
O4 - HKCU\..\Run: [Up Service] up32.pif
O4 - HKCU\..\Run: [HTML Help System] hhs.pif
O4 - HKCU\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKCU\..\RunServices: [Windows Security] ms32.pif
O4 - HKCU\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\RunServices: [HTML Help System] hhs.pif
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128936085040
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O23 - Service: 10105 - Unknown owner - \\203.173.48.12\Admin$\eraseme_72665.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: radmm - Unknown owner - C:\WINNT\System32\r_server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: SVCHO (SVCHO) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
VampYre
10-23-2005, 08:52 PM
Okay, I've gone through all the running files, and here's the list. Looks like your main problem is a spyware worm.
Remove
C:\WINNT\system32\ircserv.exe
Some sort of IRC server (shouldn't be running when Windows starts. BAD!)
Remove
C:\WINNT\system32\hhs.pif
Remove
F2 - REG:system.ini: Shell=Explorer.exe ircserv.exe
Remove
O4 - HKLM\..\Run: [Windows Security] ms32.pif <-- http://www.sophos.com/virusinfo/analyses/w32rbotarn.html
Remove
O4 - HKLM\..\Run: [MS Sys Security] mswin.pif <-- http://www.sophos.com/virusinfo/analyses/w32rbotarn.html
Remove
O4 - HKLM\..\RunServices: [Windows Security] ms32.pif
O4 - HKLM\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKLM\..\RunServices: [HTML Help System] hhs.pif
O4 - HKCU\..\Run: [MS-DOS Service] MS-DOS.PIF
O4 - HKCU\..\Run: [MS Sys Security] mswin.pif
O4 - HKCU\..\Run: [Windows Security] ms32.pif
O4 - HKCU\..\Run: [Up Service] up32.pif
O4 - HKCU\..\Run: [HTML Help System] hhs.pif
O4 - HKCU\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKCU\..\RunServices: [Windows Security] ms32.pif
O4 - HKCU\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\RunServices: [HTML Help System] hhs.pif
It's a W32/Rbot-ARN spyware worm that runs an IRC server (all of the above things are part of said worm)
Remove
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
Remove
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
Things that can be removed to help speed up the machine (i.e. don't need to be in the startup)
C:\Program Files\CyberLink\Shared Files\RichVideo.exe <-- DVD Player Program
C:\Program Files\Common Files\Real\Update_OB\realsched.exe <-- Real Player Update
C:\WINNT\system32\winamp32.exe <-- Winamp
C:\WINNT\system32\winamp32.exe (shouldn't need to run twice)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <-- Real Player Update
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <-- Quicktime Bootup (doesn't have to run on boot)
O4 - HKLM\..\Run: [Windows32 Configuration Loader] winamp32.exe <-- winamp tray
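An added example, not part of this thread or of HijackThis itself, that automates the triage VampYre did by hand: it parses the F2, O4 and O23 line formats from the log above and flags the same tells (a program chained onto Shell=, bare .pif autoruns, the same target registered under both Run and RunServices, an unknown-owner service on a UNC path or with a missing binary). The sample lines are constructed from the formats in the log above, not a complete log.

```python
"""Triage helper for HijackThis-style log lines (defender-side review aid)."""
import re
from collections import defaultdict

# Constructed sample built from the line formats in the log above (not a full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe ircserv.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Security] ms32.pif
O4 - HKLM\..\RunServices: [Windows Security] ms32.pif
O4 - HKCU\..\Run: [HTML Help System] hhs.pif
O23 - Service: 10105 - Unknown owner - \\203.173.48.12\Admin$\eraseme_72665.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
""".strip("\n")

# Line shapes as HijackThis 1.99 prints them (the three sections reviewed above).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>\w+)=(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Autorun targets that are runnable but are not normal installed programs;
# a bare .pif/.bat sitting in Run with no path is a classic worm tell.
SCRIPT_LIKE = (".pif", ".bat", ".cmd", ".scr")


def triage(log_text):
    """Return a list of (line, reason) pairs for entries that warrant review."""
    findings = []
    targets = defaultdict(set)   # autorun target -> set of keys it is registered under
    first_line = {}              # autorun target -> first log line that referenced it
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m and m["key"].lower() == "shell":
            # A clean Windows 2000 shell line is exactly "Explorer.exe"; anything
            # else on the line is launched alongside the desktop at every logon.
            extra = [t for t in m["value"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append((line, "extra program chained onto Shell=: " + " ".join(extra)))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip().strip('"')
            exe = cmd.split()[0].lower() if cmd else ""
            targets[exe].add(m["key"])
            first_line.setdefault(exe, line)
            if exe.endswith(SCRIPT_LIKE) and "\\" not in exe:
                findings.append((line, "bare script-like autorun target: " + exe))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            path = m["path"]
            # A service whose binary lives on a remote share, or no longer exists,
            # is worth a look regardless of what it calls itself.
            if path.startswith("\\\\") or "(file missing)" in path:
                findings.append((line, "unknown-owner service on UNC path or with missing binary"))
    # Registering the same target under Run and RunServices is redundant for a
    # legitimate program but common for malware wanting to survive either path.
    for exe, keys in targets.items():
        if "RunServices" in keys and len(keys) > 1:
            findings.append((first_line[exe], "same target registered under " + ", ".join(sorted(keys))))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```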
Asspin
10-23-2005, 08:58 PM
Nice work. Good luck getting them all Megan. ;)
If you were here I would just say to take it to Vamp!
MeganC
10-24-2005, 04:07 AM
Hi guys,
I have removed everything you said Vamp - triple checked it! I then scanned again with HijackThis and I'll post the new log below...
I had a bit of trouble with the other scan, it froze after only scanning 5 files, I rebooted and tried again but it did the same thing. That was before I got home and read your post and deleted those files, so I'll try again now.
Thanks again! So much! I would really love to not have to format - I don't think I have enough blank discs to back up all the crap I have on here at the moment! ;)
MeganC
10-24-2005, 04:07 AM
Logfile of HijackThis v1.99.1
Scan saved at 6:33:57 PM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\smss.exe
C:\WINNT\system32\stisvc.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\3J\My Documents\Megan!\Uni Work\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iPod\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Configuration Loader] spooIsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128936085040
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O23 - Service: 10105 - Unknown owner - \\203.173.48.12\Admin$\eraseme_72665.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PSEXESVC - Unknown owner - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: radmm - Unknown owner - C:\WINNT\System32\r_server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: SVCHO (SVCHO) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
VampYre
10-24-2005, 08:58 AM
Hi guys,
I have removed everything you said Vamp - triple checked it! I then scanned again with HijackThis and I'll post the new log below...
I had a bit of trouble with the other scan, it froze after only scanning 5 files, I rebooted and tried again but it did the same thing. That was before I got home and read your post and deleted those files, so I'll try again now.
Thanks again! So much! I would really love to not have to format - I don't think I have enough blank discs to back up all the crap I have on here at the moment! ;)
After you removed the files with hijackthis, did you try scanning after that?
MeganC
10-25-2005, 11:42 PM
Hi guys,
Sorry for not replying earlier.
Left the scan downloading while I went to uni yesterday and it said I had no viruses or anything else. I wasn't sure it had scanned everything (as I wasn't here to watch it) so clicked the "my computer" icon to get it to scan again - it froze up.
Do you want me to do a House call scan?
Asspin
10-26-2005, 01:29 AM
Can't hurt.
VampYre
10-26-2005, 02:02 AM
Hi guys,
Sorry for not replying earlier.
Left the scan downloading while I went to uni yesterday and it said I had no viruses or anything else. I wasn't sure it had scanned everything (as I wasn't here to watch it) so clicked the "my computer" icon to get it to scan again - it froze up.
Do you want me to do a House call scan?
Either housecall
http://housecall.trendmicro.com
or Panda Software
http://www.pandasoftware.com/Products/activescan
Or, if you cannot use ActiveX, use this Java based one (you need Java installed from www.java.com (http://www.java.com) to run it though)
http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php
Also, from your earlier hijackthis log, can you remove
Remove
O23 - Service: 10105 - Unknown owner - \\203.173.48.12\Admin$\eraseme_72665.exe (file missing)
Sorry, I missed that one
MeganC
10-27-2005, 01:00 AM
I haven't had any trouble running the housecall scan before so left it scanning this morning while I went to uni.
Came home to find the computer screen black and writing that said to insert System Boot disk and press enter.
I restarted and it did a disk check and now everything seems to be ok - it let me connect to the net.
Should I try scanning again - is that what made it go nuts?
PS Slightly off-topic - Asspin the Foo Fighters announced a show in my city (you know how they weren't doing one?) skipped a lecture to get presale tickets today, the website collapsed but somehow when it came up online all 800 presale tix (it's only a 3000 ppl venue) were gone. :( In 45mins! :mad:
MeganC
10-27-2005, 01:01 AM
Deleted the file you said Vamp - here is the new log...
Logfile of HijackThis v1.99.1
Scan saved at 3:34:03 PM, on 10/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\os2\FireDaemon.EXE
C:\WINNT\system32\stisvc.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iPod\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\mIRC\mirc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iPod\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Configuration Loader] spooIsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128936085040
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O17 - HKLM\System\CS2\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: radmm - Unknown owner - C:\WINNT\System32\r_server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: SVCHO (SVCHO) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
VampYre
10-27-2005, 02:17 AM
I haven't had any trouble running the housecall scan before so left it scanning this morning while I went to uni.
Came home to find the computer screen black and writing that said to insert System Boot disk and press enter.
I restarted and it did a disk check and now everything seems to be ok - it let me connect to the net.
Should I try scanning again - is that what made it go nuts?
Can you try housecall if the panda isn't working?
I'd like to validate that you are indeed virus free or get rid of any left over files from that nasty irc virus. ;)
**edit: and the HijackThis log looks good.
Asspin
10-27-2005, 02:02 PM
PS Slightly off-topic - Asspin the Foo Fighters announced a show in my city (you know how they weren't doing one?) skipped a lecture to get presale tickets today, the website collapsed but somehow when it came up online all 800 presale tix (it's only a 3000 ppl venue) were gone. :( In 45mins! :mad:
That sucks... now they will all be on eBay!
MeganC
10-29-2005, 03:54 AM
OK the housecall scan finished today!
Virus Scan 1 virus detected
Trojan/Worm Check No worm/Trojan horse detected
Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer.
Detected File Associated Virus Name
C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U
Detected File Associated Virus Name Action Taken
C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U Undeletable
Housecall couldn't delete it so I did this:
On Windows 2000
Restart your computer.
Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Deleting Malware File
Before performing this solution, close all Internet Explorer windows.
Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
In the Named input box, type:
CYGWIN1.DLL
In the Look In drop-down list, select the drive that contains Windows, then press Enter.
Once located, select the file then press Delete.
Repeat the steps for the following files:
CYGCRYPT-0.DLL
Was this right?:confused:
MeganC
10-29-2005, 03:55 AM
That sucks... now they will all be on eBay!
I know - bastards! I'll have to try my best Monday to get the last lot of tix!
VampYre
10-29-2005, 08:29 AM
OK the housecall scan finished today!
Virus Scan 1 virus detected
Trojan/Worm Check No worm/Trojan horse detected
Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer.
Detected File Associated Virus Name
C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U
Detected File Associated Virus Name Action Taken
C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U Undeletable
Housecall couldn't delete it so I did this:
On Windows 2000
Restart your computer.
Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
Deleting Malware File
Before performing this solution, close all Internet Explorer windows.
Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
In the Named input box, type:
CYGWIN1.DLL
In the Look In drop-down list, select the drive that contains Windows, then press Enter.
Once located, select the file then press Delete.
Repeat the steps for the following files:
CYGCRYPT-0.DLL
Was this right?:confused:
It did show under your HijackThis log
Running processes:
C:\WINNT\System32\smss.exe
Which is also a Windows program
smss - smss.exe - Process Information
Process File: smss or smss.exe
Process Name: Session Manager Subsystem
Anywho, did you get the file deleted?
MeganC
10-29-2005, 07:01 PM
I started the computer in safe mode and followed the instructions but it couldn't find the above mentioned files. I tried to end task for the smss.exe in task manager but it said it couldn't as it was too crucial or something. Which makes sense if it's a Windows program!
I will try again with the Panda Scan today :)
Asspin
10-29-2005, 09:27 PM
lol.. if you are on IRC you could ask while you are online. ;)
MeganC
11-05-2005, 01:51 AM
Hi guys,
Have tried many times to complete a Panda Scan and it consistently bumps me off the internet, freezes up or just shuts itself down.
The furthest I have gotten is about 3/4 the way through and it found 23 viruses (disinfected 22), 4 spyware and 5 hackers.
The next time I managed to get it up and running and past the first 5 files (where it usually freezes) it said I had 1 virus, 4 spyware and 5 hackers.
It didn't finish again though and I again had to restart my computer to right everything.
I can't get a report on what is infected as it won't finish :( Is there perhaps another scan I could do that would give you a clear picture?
I still have that funny icon down in the taskbar and there are still good and bad days with the bad days being very f**king frustrating!!
Also can you recommend a good firewall I can download and install or do I have to wait until I am virus free to do that? Norton is not working properly anymore and I need to re-install it but also think I need a better firewall and Norton is not cutting it!
Thanks so much - sorry for the ongoing troubles! :o
VampYre
11-05-2005, 01:35 PM
If you have removed Norton, grab AVG FREE
Site
http://free.grisoft.com/doc/1
Direct Link
http://free.grisoft.com/softw/70free/setup/avg71free_362a652.exe
It's about a 17 meg download, then has at least 3 updates to do. Works fairly well (I run it on my own laptop) and it's a free antivirus.
I don't really use any firewall programs. I really don't think they are needed, and people overamplify the need for them.
MeganC
11-06-2005, 06:25 PM
I have downloaded and installed, thanks Vamp!
It did a scan and found 7 viruses/trojans.
I can't copy and paste them so will type them in here later - got to run to an exam in a minute. It didn't really tell me how to get rid of them, so maybe you can help me with that?
Thanks heaps, speak to you later. :)
MeganC
11-07-2005, 03:18 AM
Hi guys,
This is what it found...
C:/ sugar babes push the button.mp3\nt.dll - Trojan horse/IRC/Back Door Flood. STATUS - Infected, embedded object
C:/ sugar babes push the button.mp3/secure.bat - Could be infected BAT/Generic. STATUS - Infected, Embedded Object
C:/ sugar babes push the button.mp3 - Trojan horse/IRC/Back Door Flood. STATUS - Infected, Archive
C:/WINNT/system32/os2/lock.bat - be infected BAT/Generic. STATUS - INfected
C:/WINNT/pro/pro.exe:/devcheck.exe - Trojan Horse HideWindow. STATUS - Infected, Embedded Object
C:/WINNT/pro/pro.exe:/Explorer.bat - be infected BAT/Generic. STATUS - Infected, Embedded Object
C:/WINNT/pro/pro.exe:/iroffer.exe - Trojan Horse MovieWorld. STATUS - Infected, Embedded Object
C:/WINNT/pro/pro.exe - Trojan Horse HideWindow. STATUS - Infected, Archive.
So there are a couple of things I don't get... I deleted most of my brother's crappy downloaded songs when he moved out, how could this still be on there with a virus?
Also, how come there are IRC viruses when lots of people use mIRC and don't get viruses? What am I doing wrong? :(
VampYre
11-08-2005, 12:56 AM
You need to write those down, or make a .txt file with all those file locations/file names and reboot into safe mode and delete them.