Several viruses - tried many things! - Page 2

Thread: Several viruses - tried many things!

  1. #16
    Videopimp Members Asspin's Avatar

    Join Date
    Oct 2005
    Posts
    394
    Points
    149.05
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Can't hurt.

  2. #17
    []D.[].[]V[].[]D. VampYre's Avatar

    Join Date
    Oct 2005
    Location
    Saint Louis, MO
    Posts
    1,850
    Points
    2,127.40
    Thanks
    9
    Thanked 102 Times in 45 Posts

    Quote Originally Posted by MeganC
    Hi guys,
    Sorry for not replying earlier.
    Left the scan downloading while I went to uni yesterday and it said I had no viruses or anything else. I wasn't sure it had scanned everything (as I wasn't here to watch it) so clicked the "my computer" icon to get it to scan again - it froze up.

    Do you want me to do a House call scan?

    Either housecall
    http://housecall.trendmicro.com

    or Panda Software
    http://www.pandasoftware.com/Products/activescan

    Or, if you cannot use active x, use this java based one (you need java installed from www.java.com to run it though)

    http://uk.trendmicro-europe.com/ente...all_launch.php


    Also, from your earlier hijackthis log, can you remove

    Remove
    O23 - Service: 10105 - Unknown owner - \\203.173.48.12\Admin$\eraseme_72665.exe (file missing)

    Sorry, I missed that one
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin


  3. #18
    Wannabe MeganC's Avatar

    Join Date
    Oct 2005
    Location
    Adelaide, Australia
    Posts
    22
    Points
    11.00
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I haven't had any trouble running the housecall scan before so left it scanning this morning while I went to uni.

    Came home to find the computer screen black and writing that said to insert System Boot disk and press enter.

    I restarted and it did a disk check and now everything seems to be ok - it let me connect to the net.

    Should I try scanning again - is that what made it go nuts?

    PS Slightly off-topic - Asspin, the Foo Fighters announced a show in my city (you know how they weren't doing one?) skipped a lecture to get presale tickets today, the website collapsed but somehow when it came up online all 800 presale tix (it's only a 3000 ppl venue) were gone. In 45mins! :mad:

  4. #19
    Wannabe MeganC's Avatar

    Deleted the file you said Vamp - here is the new log...

    Logfile of HijackThis v1.99.1
    Scan saved at 3:34:03 PM, on 10/27/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINNT\system32\MSTask.exe
    c:\winnt\system32\os2\FireDaemon.EXE
    C:\WINNT\system32\stisvc.exe
    c:\winnt\system32\os2\FireDaemon.EXE
    c:\winnt\system32\os2\SVCHOST.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\iPod\iTunesHelper.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\mIRC\mirc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.com.au/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iPod\iTunesHelper.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Configuration Loader] spooIsrv.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128936085040
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
    O17 - HKLM\System\CS1\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
    O17 - HKLM\System\CS2\Services\Tcpip\..\{06BA267A-A6E2-4AB1-B9DD-B0DEA5100CA9}: NameServer = 203.0.178.191
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: radmm - Unknown owner - C:\WINNT\System32\r_server.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: FireDaemon Service: SVCHO (SVCHO) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  5. #20
    []D.[].[]V[].[]D. VampYre's Avatar

    Quote Originally Posted by MeganC
    I haven't had any trouble running the housecall scan before so left it scanning this morning while I went to uni.

    Came home to find the computer screen black and writing that said to insert System Boot disk and press enter.

    I restarted and it did a disk check and now everything seems to be ok - it let me connect to the net.

    Should I try scanning again - is that what made it go nuts?

    Can you try housecall if the panda isn't working?

    I'd like to validate that you are indeed virus free or get rid of any left over files from that nasty irc virus. ;)

    **edit and the hijackthis log looks good.
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin


  6. #21
    Videopimp Members Asspin's Avatar

    Quote Originally Posted by MeganC
    PS Slightly off-topic - Asspin, the Foo Fighters announced a show in my city (you know how they weren't doing one?) skipped a lecture to get presale tickets today, the website collapsed but somehow when it came up online all 800 presale tix (it's only a 3000 ppl venue) were gone. In 45mins! :mad:

    That sucks... now they will all be on eBay!

  7. #22
    Wannabe MeganC's Avatar

    OK the housecall scan finished today!

    Virus Scan 1 virus detected
    Trojan/Worm Check No worm/Trojan horse detected

    Results:
    We have detected 1 infected file(s) with 1 virus(es) on your computer.
    Detected File Associated Virus Name
    C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U

    Detected File Associated Virus Name Action Taken
    C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U Undeletable


    Housecall couldn't delete it so I did this:

    On Windows 2000


    Restart your computer.

    Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.

    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Deleting Malware File

    Before performing this solution, close all Internet Explorer windows.

    Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
    In the Named input box, type:
    CYGWIN1.DLL
    In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    Once located, select the file then press Delete.
    Repeat the steps for the following files:
    CYGCRYPT-0.DLL

    Was this right? :confused:

  8. #23
    Wannabe MeganC's Avatar

    That sucks... now they will all be on eBay!

    I know - bastards! I'll have to try my best Monday to get the last lot of tix!

  9. #24
    []D.[].[]V[].[]D. VampYre's Avatar

    Quote Originally Posted by MeganC
    OK the housecall scan finished today!

    Virus Scan 1 virus detected
    Trojan/Worm Check No worm/Trojan horse detected

    Results:
    We have detected 1 infected file(s) with 1 virus(es) on your computer.
    Detected File Associated Virus Name
    C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U

    Detected File Associated Virus Name Action Taken
    C:\WINNT\system32\os2\smss.exe BKDR_IROFFER.U Undeletable


    Housecall couldn't delete it so I did this:

    On Windows 2000


    Restart your computer.

    Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.

    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Deleting Malware File

    Before performing this solution, close all Internet Explorer windows.

    Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
    In the Named input box, type:
    CYGWIN1.DLL
    In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    Once located, select the file then press Delete.
    Repeat the steps for the following files:
    CYGCRYPT-0.DLL

    Was this right? :confused:

    It did show under your hijackthis log

    Running processes:
    C:\WINNT\System32\smss.exe

    Which is also a windows program
    smss - smss.exe - Process Information

    Process File: smss or smss.exe
    Process Name: Session Manager Subsystem

    Anywho, did you get the file deleted?



    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin
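
Added example (not part of the original thread or any poster's code): a small Python triage pass over lines copied from the HijackThis log posted above. It lists running processes whose file name matches a core Windows process but whose folder does not, which is the difference between `C:\WINNT\System32\smss.exe` in the log and the `C:\WINNT\system32\os2\smss.exe` that HouseCall reported, plus O23 services marked "Unknown owner". The expected-folder table and the `C:\WINNT` system root are assumptions for a stock Windows 2000 install; hits are leads to check by hand, not verdicts.

```python
import ntpath

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
c:\winnt\system32\os2\FireDaemon.EXE
c:\winnt\system32\os2\SVCHOST.EXE
C:\WINNT\Explorer.EXE

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: radmm - Unknown owner - C:\WINNT\System32\r_server.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\TEMP\RarSFX0\svchost.exe" /service (file missing)
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\winnt\system32\os2\FireDaemon.EXE
"""

# Assumption: stock Windows 2000 folders, relative to the system root.
EXPECTED_DIR = dict.fromkeys(
    ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"),
    "system32")
EXPECTED_DIR["explorer.exe"] = ""
SERVICE_PREFIX = "O23 - Service: "

def parse_hijackthis(text):
    """Return (running process paths, O23 service records) from a log."""
    processes, services, in_processes = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        elif line.startswith(SERVICE_PREFIX):
            # Fields are "name - owner - path"; split from the right.
            parts = line[len(SERVICE_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                services.append({"name": parts[0], "owner": parts[1], "path": parts[2],
                                 "missing": parts[2].endswith("(file missing)")})
    return processes, services

def misplaced_system_names(paths, system_root=r"C:\WINNT"):
    """Paths named like a core Windows process but stored outside its usual folder."""
    hits = []
    for path in paths:
        base = ntpath.basename(path).lower()
        if base in EXPECTED_DIR:
            expected = ntpath.normcase(ntpath.join(system_root, EXPECTED_DIR[base])).rstrip("\\")
            if ntpath.normcase(ntpath.dirname(path)) != expected:
                hits.append(path)
    return hits

def unknown_owner_services(services):
    """O23 entries with no vendor string: leads to check, not verdicts."""
    return [s for s in services if s["owner"] == "Unknown owner"]

if __name__ == "__main__":
    procs, svcs = parse_hijackthis(SAMPLE_LOG)
    print("misplaced:", misplaced_system_names(procs))
    print("unknown owner:", [(s["name"], s["path"]) for s in unknown_owner_services(svcs)])
```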



  10. #25
    Wannabe MeganC's Avatar

    I started the computer in safe mode and followed the instructions but it couldn't find the above mentioned files. I tried to end task for the smss.exe in task manager but it said it couldn't as it was too crucial or something. Which makes sense if it's a windows program!

    I will try again with the Panda Scan today :)

  11. #26
    Videopimp Members Asspin's Avatar

    lol.. if you are on IRC you could ask while you are online. ;)

  12. #27
    Wannabe MeganC's Avatar

    Panda Scan

    Hi guys,

    Have tried many times to complete a Panda Scan and it consistently bumps me off the internet, freezes up or just shuts itself down.

    The furthest I have gotten is about 3/4 the way through and it found 23 viruses (disinfected 22), 4 spyware and 5 hackers.

    The next time I managed to get it up and running and past the first 5 files (where it usually freezes) it said I had 1 virus, 4 spyware and 5 hackers.

    It didn't finish again though and I again had to restart my computer to right everything.

    I can't get a report on what is infected as it won't finish. Is there perhaps another scan I could do that would give you a clear picture?

    I still have that funny icon down in the taskbar and there are still good and bad days with the bad days being very f**king frustrating!!

    Also can you recommend a good firewall I can download and install or do I have to wait until I am virus free to do that? Norton is not working properly anymore and I need to re-install it but also think I need a better firewall and Norton is not cutting it!

    Thanks so much - sorry for the ongoing troubles! :o

  13. #28
    []D.[].[]V[].[]D. VampYre's Avatar

    If you have removed Norton, grab AVG FREE
    Site
    http://free.grisoft.com/doc/1
    Direct Link
    http://free.grisoft.com/softw/70free...ee_362a652.exe

    It's about a 17 meg download, then has at least 3 updates to do. Works fairly good (I run it on my own laptop) and it's a free antivirus.

    I don't really use any firewall programs. I really don't think they are needed, and people overamplify the need for them.
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin


  14. #29
    Wannabe MeganC's Avatar

    I have downloaded and installed thanks Vamp!
    It did a scan and found 7 viruses/trojans.
    I can't copy and paste them so will type them in here later - got to run to an exam in a minute. It didn't really tell me how to get rid of them, so maybe you can help me with that?

    Thanks heaps, speak to you later. :)

  15. #30
    Wannabe MeganC's Avatar

    Viruses

    Hi guys,
    This is what it found...

    C:/ sugar babes push the button.mp3\nt.dll - Trojan horse/IRC/Back Door Flood. STATUS - Infected, embedded object

    C:/ sugar babes push the button.mp3/secure.bat - Could be infected BAT/Generic. STATUS - Infected, Embedded Object

    C:/ sugar babes push the button.mp3 - Trojan horse/IRC/Back Door Flood. STATUS - Infected, Archive

    C:/WINNT/system32/os2/lock.bat - be infected BAT/Generic. STATUS - INfected

    C:/WINNT/pro/pro.exe:/devcheck.exe - Trojan Horse HideWindow. STATUS - Infected, Embedded Object

    C:/WINNT/pro/pro.exe:/Explorer.bat - be infected BAT/Generic. STATUS - Infected, Embedded Object

    C:/WINNT/pro/pro.exe:/iroffer.exe - Trojan Horse MovieWorld. STATUS - Infected, Embedded Object

    C:/WINNT/pro/pro.exe - Trojan Horse HideWindow. STATUS - Infected, Archive.

    So there are a couple of things I don't get....I deleted most of my brother's crappy downloaded songs when he moved out, how could this still be on there with a virus?

    Also, how come there are IRC viruses when lots of people use mIRC and don't get viruses? What am I doing wrong?
    Last edited by MeganC; 11-07-2005 at 02:21 AM.
