damn pc virus/trojan...need help please

Old 07-19-04, 01:04 PM
  #1  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
damn pc virus/trojan...need help please

Last night my wife saw an email, thought I was doing something I wasn't supposed to be, and clicked on the link. It was hidden in some "sexy vid" or something like that file. Of course she wanted to see what I was supposed to have been looking at. Then it happened; my virus scan popped up with this virus. It is a major pain in the ass.

This thing killed my virus scan, firewall and System Restore. I think I removed everything on it, but I still must have a few remnants around. I did a safe-boot virus scan and regedit. Everything seems to be removed (or at least that is what Norton is telling me). The problem is that, with everything stated as gone, I still can't access the internet with my cable modem. For a while I couldn't even use dialup, but that fixed itself, I guess. This virus is called Backdoor.Prorat. That's all I know. Luna was very kind in helping me search on it and there are a few variations. I did find a system recovery disc for it, but I can only do a full recovery with it. As of right now I have 2 side effects from this thing.

1. I can't get online with my cable modem
2. I keep getting Messenger popups from ZA about it wanting to be a server

Does anyone know what settings I could check to see why my high-speed connection doesn't work? It's not the modem itself, because I'm using it now with another PC.

Also, if System Restore is gone entirely and this virus no longer shows up on any scans (normal, safe boot), how can I find out why I have these couple of probs?

EDIT:

I can't make a usable backup disc because my laptop would need a floppy drive, which it doesn't have.

Last edited by ChrisHicks; 07-19-04 at 01:19 PM.
Old 07-19-04, 02:54 PM
  #2  
DVD Talk Godfather
 
 
Join Date: Apr 1999
Location: South Bay
Posts: 57,585
Received 5 Likes on 3 Posts
Here's what trendmicro.com had to say about this type of virus

I hope you find something that helps. They also have free online virus scanning if you can ever get that computer online.
Old 07-19-04, 04:02 PM
  #3  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
update:

I am now back online with the PC that was infected. It appears (hopefully) that it is now clean (crosses fingers). I have Norton and ZoneAlarm working again. I also used the free virus scan at www.trendmicro.com and it said I was clean too. The only thing I can't figure out is that now Messenger (msmsgs.exe) is running in the background and I can't stop it.
Old 07-19-04, 04:54 PM
  #4  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
UPDATE #2:

I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.

=========================================================================

EDIT: Spybot found the following items:

CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, nothing done)

Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

Aornum: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)

Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

FreeScratchAndWin: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb

Are all these safe to remove/delete? I know about the cookies, but what about the rest?
Old 07-19-04, 05:58 PM
  #5  
Senior Member
 
Join Date: Dec 1999
Posts: 327
Likes: 0
Received 0 Likes on 0 Posts
Try this:

http://www.grc.com/stm/shootthemessenger.htm

to stop the MS Messenger service using that tool.
Old 07-19-04, 06:17 PM
  #6  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
The program that keeps running is msmsgs.exe. Is that the same Messenger? It keeps wanting to act as a server, according to ZA. I just blocked its access and did the "don't show this message again" for it because it was getting annoying.
Old 07-19-04, 06:26 PM
  #7  
Senior Member
 
Join Date: Dec 1999
Posts: 327
Likes: 0
Received 0 Likes on 0 Posts
Yes, I believe it is. I have been using tools over at GRC; I've used a number of the tools, including his Shields Up to test my firewalls. Give it a try. All it does is help you to disable the Messenger service, which really doesn't do anything for the end user.
Old 07-19-04, 08:16 PM
  #8  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by ChrisHicks
UPDATE #2:

I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.

=========================================================================

EDIT: Spybot found the following items:


Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb

Are all these safe to remove/delete? I know about the cookies, but what about the rest?
Alexa has something to do with IE's web search function. Ad-Aware (in the old days) would flag it. You can delete or keep this one.

Cydoor is spyware usually found in P2P programs such as Kazaa.

The DSO exploits I can't explain, but it takes a registry entry to remove them completely. Needs to be removed.

Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb

The bad one! Go here: http://www.pestpatrol.com/PestInfo/r/roings_com.asp
and do an online scan. The button is at the top right of the webpage and says "Free Pest Scan". It should detect and remove it for you! If it doesn't, then the manual way is:

1)Stop Running Processes:

Kill these running processes with Task Manager: unstall.exe


2)Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:
systemroot+\system\wat.dll
systemroot+\system32\wat.dll

3)Clean the registry entries
HKEY_CLASSES_ROOT\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\classes\clsid\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{f2863ede-7980-443a-aea2-0f46076d590f}
HKEY_LOCAL_MACHINE\software\roimoi

4)Remove Files:

Remove these files (if present) with Windows Explorer:

systemroot+\system\wat.dll
systemroot+\system32\wat.dll
unstall.exe


Hope this helps.

PS: Download HijackThis and unzip it to a folder NOT on the desktop or in the temp directory, execute the program and click on the Scan button; when finished, the Scan button will turn into "Save Log". Save the log to the hard drive. Locate and open the log file with Notepad (make sure this file type is unchecked) and copy and paste the contents back to this thread.

I can read (decipher) HijackThis much easier.

Thanks

Last edited by 68ShelbyGT500KR; 07-19-04 at 08:20 PM.
Old 07-19-04, 08:19 PM
  #9  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706
Likes: 0
Received 0 Likes on 0 Posts
msmsgs is MS Messenger. It can be stopped by going into msconfig under the Services tab; no need to use a 3rd-party program to do it.
Old 07-19-04, 09:07 PM
  #10  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by 68ShelbyGT500KR


Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb

The bad one! Go here http://www.pestpatrol.com/PestInfo/r/roings_com.asp
and do an online scan-the Button is at the top right of the webpage, says "Free Pest Scan". It should detect and remove for you! If it doesn't then the manual way is:


Kill these running processes with Task Manager: unstall.exe
I don't have this running in my Task Manager.



Originally posted by 68ShelbyGT500KR

PS: Download HijackThis and unzip it to a folder NOT on the desktop or in the temp directory, execute the program and click on the Scan button; when finished, the Scan button will turn into "Save Log". Save the log to the hard drive. Locate and open the log file with Notepad (make sure this file type is unchecked) and copy and paste the contents back to this thread.

I can read (decipher) HijackThis much easier.

thanks

here you go:


Logfile of HijackThis v1.98.0
Scan saved at 9:11:35 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horrordvds.com/vb3forum/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.horrordvds.com/vb3forum/"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{040E6040-CDC5-4D61-81AC-C3031484AB8B}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{040E6040-CDC5-4D61-81AC-C3031484AB8B}: NameServer = 205.188.146.146
Old 07-19-04, 09:34 PM
  #11  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
I don't see anything wrong with your HijackThis log file.

FYI, {E0E899AB-F487-11D5-8D29-0050BA6940E3} is associated with FlashGet (fgiebar.dll), OK, no problems there.

Out of curiosity, navigate to C:\WINDOWS\system32\RAMASST.exe in Windows Explorer and right-click on the file > select Properties > Version... What company is associated with that file? Toshiba?

Did Pest Scan detect and/or remove the Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb etc.?
Old 07-19-04, 09:44 PM
  #12  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
I never ran Pest Scan. When I go to their site the free scan spot never loads for me; all I get is a blank box. This HijackThis log was done without me doing anything since my post about Spybot.
Old 07-19-04, 09:51 PM
  #13  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by 68ShelbyGT500KR


Out of curiosity, navigate to C:\WINDOWS\system32\RAMASST.exe in Windows Explorer and right-click on the file > select Properties > Version... What company is associated with that file? Toshiba?
Matsushita Electric Industrial Co.,
Old 07-19-04, 10:10 PM
  #14  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by ChrisHicks
UPDATE #2:

I have installed Spybot and I'm going to see if it will run to see what it finds. I'll keep everyone updated.

=========================================================================

EDIT: Spybot found the following items:

CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, nothing done)

Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

Aornum: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)

Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3783647064-1975767053-1234003639-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

FreeScratchAndWin: Tracking cookie (Internet Explorer: CHRISTOPHER HICKS) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

HitBox: Tracking cookie (Mozilla: default) (Cookie, nothing done)

Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb

Are all these safe to remove/delete? I know about the cookies, but what about the rest?
Open Spybot, immunize first and then run "Check for problems"; anything in red, like all of the above listed, let Spybot delete.

I had a problem with the DSO Exploits returning and eventually had to modify the registry entry to clear it from Spybot.

In case you weren't aware, if you highlight an item, the far right of the Spybot screen should give you a little info on the item.
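Posts #4, #8 and #14 work through a Spybot "found items" list by hand: cookies are waved through, file, directory and registry items get a closer look, and the DSO Exploit lines are the ones nobody can quite explain. The Python script below is an added example written for this thread; it is not Spybot's code and not something any poster supplied. It parses that report format into structured findings, separates cookies from items that deserve review before deletion, and decodes the registry target behind a DSO Exploit line. My reading of Spybot's "key\value!=W=3" notation as "this value is expected to be a REG_DWORD holding 3" is an assumption, not something stated on this page; the Internet Explorer zone and URL-action names it maps onto (zone 0 is My Computer, action 1004 is "Download unsigned ActiveX controls", data 3 means disabled) are standard IE security-zone registry semantics. The sample report is assembled from lines posted in this thread.

```python
"""Parse a Spybot-S&D 'found items' listing and decode DSO Exploit registry targets.

Added example for this thread; not Spybot's own code.
"""
import re
from collections import namedtuple

SpybotFinding = namedtuple("SpybotFinding", "name description kind action target")

# Header line as Spybot prints it: "Name: description (Kind, action)".
# The description may itself contain parentheses, so the kind/action group is the last one.
HEADER = re.compile(r"^(?P<name>[^:]+): (?P<desc>.+) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$")

# "<key>\<value>!=<type>=<data>": assumed reading of Spybot's notation, meaning the
# registry value is expected to have type <type> (W = REG_DWORD) and data <data>.
REG_EXPECT = re.compile(r"^(?P<key>.+)\\(?P<value>[^\\!]+)!=(?P<type>[A-Z])=(?P<data>\S+)$")

# Standard Internet Explorer security-zone registry semantics.
IE_ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
            "3": "Internet", "4": "Restricted sites"}
IE_ACTIONS = {"1001": "Download signed ActiveX controls",
              "1004": "Download unsigned ActiveX controls",
              "1200": "Run ActiveX controls and plug-ins",
              "1201": "Initialize and script ActiveX controls not marked as safe",
              "1400": "Active scripting"}
IE_SETTING = {"0": "enabled", "1": "prompt", "3": "disabled"}


def parse_report(text):
    """Turn the pasted listing into SpybotFinding records (target path attached when present)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            findings.append(SpybotFinding(m["name"], m["desc"], m["kind"], m["action"], None))
        elif findings and findings[-1].target is None:
            # A non-header line straight after a header is that finding's file or registry path.
            findings[-1] = findings[-1]._replace(target=line)
    return findings


def decode_registry_expectation(target):
    """Explain a 'key\\value!=W=3' target; returns None for targets that are not of that form."""
    m = REG_EXPECT.match(target)
    if not m:
        return None
    zone = re.search(r"\\Zones\\(\d)$", m["key"])
    return {
        "key": m["key"],
        "value": m["value"],
        "expected_type": {"W": "REG_DWORD"}.get(m["type"], m["type"]),
        "expected_data": m["data"],
        "zone": IE_ZONES.get(zone.group(1)) if zone else None,
        "action": IE_ACTIONS.get(m["value"]),
        "expected_setting": IE_SETTING.get(m["data"]),
    }


def triage(findings):
    """Split findings into cookies (routinely deleted) and everything else (review first)."""
    cookies = [f for f in findings if f.kind == "Cookie"]
    review = [f for f in findings if f.kind != "Cookie"]
    return cookies, review


# Sample listing built from lines posted in this thread (registry paths rejoined).
SAMPLE_REPORT = r"""
CoreMetrics: Tracking cookie (Mozilla: default) (Cookie, nothing done)

Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HitBox: Tracking cookie (Firebird: default) (Cookie, nothing done)

Roings: Library (File, nothing done)
C:\WINDOWS\System32\objsafe.tlb
"""

if __name__ == "__main__":
    cookies, review = triage(parse_report(SAMPLE_REPORT))
    print("%d cookie(s) safe to clear" % len(cookies))
    for f in review:
        print("REVIEW %-14s %-16s %s" % (f.name, f.kind, f.target))
        info = decode_registry_expectation(f.target or "")
        if info:
            print("       expects %s %s = %s (%s zone, %s: %s)" % (
                info["value"], info["expected_type"], info["expected_data"],
                info["zone"], info["action"], info["expected_setting"]))
```

Run against the sample it reports two cookies and four items for review, and explains the DSO Exploit line as "value 1004 in the My Computer zone should be REG_DWORD 3, i.e. downloading unsigned ActiveX controls disabled", which is the change the posters eventually had to make in the registry by hand.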
Old 07-19-04, 11:00 PM
  #15  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
I ran the pest scan and it didn't show the Roings file.
Old 07-19-04, 11:22 PM
  #16  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by ChrisHicks
I ran the pest scan and it didn't show the Roings file.
Hmmm... That's interesting...

Do the Spybot thing and, if it "sees" anything in red, let it zap it off your system.

How did you finally get PestScan to work for you?
Old 07-19-04, 11:54 PM
  #17  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
Different browser. It loaded right up when I used it.
Old 07-28-04, 08:46 PM
  #18  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
OK, here is a question...

I just updated my Spybot definitions and did a scan. In the process this same trojan (the one this thread is about) was popped up by Norton. I remember doing a scan with Ad-Aware and it picked up something from my registry the day I got the trojan. I thought I deleted the backup, but I guess I didn't.

I didn't get reinfected as far as I can tell, since Norton says it's automatically deleted. But it does have a backup of the 2 files. I rechecked my registry for any hints of this trojan and found nothing. My AV and firewall are still working properly.

I just have a remnant of this somewhere on my PC. I think it is in Ad-Aware. Do I have to do anything besides deleting my Ad-Aware backup and my Norton backup? Should I boot into safe mode to delete this stuff and rerun my AV?

The thing that has me concerned is that one of the 2 files is called "services.exe". On Symantec's site they list the name as "Sservice.exe".

What should I do?
Old 07-28-04, 08:57 PM
  #19  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Where is the file located? C:\Windows\System32? If so, it should be OK. You can right-click on the file, select Properties and click on the "Version" tab; it should say Microsoft as the company. File size is 99.0 KB (101,376 bytes).
Double-check the exact spelling of the file in question!!

For any other locations that may be present on your computer, take a look at this writeup:

http://www.neuber.com/taskmanager/pr...vices.exe.html

Don't forget to disable System Restore and reboot to clear the trojans/viruses; otherwise the AV scanner *should* still detect it.

Last edited by 68ShelbyGT500KR; 07-28-04 at 09:00 PM.
Old 07-28-04, 09:38 PM
  #20  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
It's located in C:\windows.

File size is 324kb.

Should I reboot in safe mode? Should I delete the backups that Norton created? What about the file in Ad-Aware? Is it safe to delete that file, since I already edited the registry for that when I was hit last week? No changes have been made to the registry as far as I can tell. None of the registry changes are there. When I delete the backups, will the virus be re-released on my PC?
Old 07-28-04, 09:56 PM
  #21  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by ChrisHicks
It's located in C:\windows.

File size is 324kb.

Should I reboot in safe mode? Should I delete the backups that Norton created? What about the file in Ad-Aware? Is it safe to delete that file, since I already edited the registry for that when I was hit last week? No changes have been made to the registry as far as I can tell. None of the registry changes are there. When I delete the backups, will the virus be re-released on my PC?
If you have the correct file in the system32 folder, as indicated in my earlier post, you shouldn't have any problems with the Norton or Ad-Aware deletions or the 324kb services file. Only go to safe mode if it refuses to delete the file(s).
In your HijackThis log dated "Logfile of HijackThis v1.98.0, Scan saved at 9:11:35 PM, on 7/19/2004", in the running processes you have the correct path to services.exe. Somewhere between that date and today you created another problem. Can you run another HijackThis log after you finish?
Old 07-28-04, 10:03 PM
  #22  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
I do have a services.exe located in the system32 folder. Size is 98kb.

here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 10:07:49 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\MYIE2\MyIE.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horrordvds.com/vb3forum/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.horrordvds.com/vb3forum/"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\CHRISTOPHER HICKS\Application Data\Mozilla\Profiles\default\7wpgz6gp.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
Old 07-28-04, 10:09 PM
  #23  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Your HijackThis log is squeaky clean! It should be safe to delete the Ad-Aware and Norton backups. You can also delete the C:\Windows\services.exe file, the 324kb one (not the one in the system32 folder). Normal mode should delete the files/backups with no problem.

Run a complete scan with Norton and Adaware when done. If no problems (clean) then re-enable System Restore if you wish.
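The two HijackThis logs in this thread were read by eye, and the question in posts #18 to #23 came down to whether a services.exe in C:\WINDOWS was the genuine one, which lives in C:\WINDOWS\system32. The Python script below is an added example for this thread, not HijackThis code and not something any poster supplied. It performs that check automatically over a log: any process whose file name matches a core Windows binary but which runs from a different directory is flagged, as are orphaned "(no file)" entries and O17 NameServer overrides, which should be confirmed against the ISP's DNS servers. The expected-directory table is my own and limited to Windows XP core binaries; the sample log is constructed to resemble the thread's logs, with a second services.exe in C:\WINDOWS, a placeholder interface GUID and a TEST-NET DNS address standing in for real values.

```python
"""Offline triage of a HijackThis log.

Added example for this thread; not HijackThis code. Flags core-binary look-alikes
running from the wrong directory, orphaned entries and DNS overrides.
"""
import re
from collections import namedtuple

# Constructed reference table (example only): where Windows XP core binaries run from.
# Lower-case, no trailing backslash; Windows paths are case-insensitive.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

HjtFinding = namedtuple("HjtFinding", "severity line reason")


def check_process(path):
    """Flag a process whose file name impersonates a core binary but runs from elsewhere."""
    directory, _, name = path.rpartition("\\")
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None or directory.lower() == expected:
        return []
    return [HjtFinding("HIGH", path,
                       "core binary name %s running from %s, expected %s"
                       % (name, directory, expected))]


def check_entry(line):
    """Flag R/N/O entries that deserve a second look."""
    findings = []
    if line.endswith("(no file)"):
        findings.append(HjtFinding("LOW", line,
                                   "orphaned entry: the registered component file is missing"))
    if line.startswith("O17 ") and "NameServer" in line:
        findings.append(HjtFinding("REVIEW", line,
                                   "DNS server override: confirm the address belongs to your ISP"))
    return findings


def triage(log_text):
    """Walk a HijackThis log and return the list of HjtFinding records."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            findings.extend(check_process(line))
        elif re.match(r"^[RNOF]\d+ - ", line):
            findings.extend(check_entry(line))
    return findings


# Constructed sample log shaped like the ones in this thread: the genuine services.exe in
# system32 plus a second one in C:\WINDOWS, an orphaned toolbar and a NameServer override.
# {GUID-PLACEHOLDER} and 192.0.2.53 (TEST-NET) are stand-ins, not values from the thread.
SAMPLE_LOG = """Logfile of HijackThis v1.98.0
Scan saved at 10:07:49 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\services.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Norton AntiVirus\\navapsvc.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID-PLACEHOLDER}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.severity, f.line, f.reason))
```

On the sample the only HIGH finding is C:\WINDOWS\services.exe, while the copy in system32 passes; that is exactly the distinction drawn in post #23. The file-size and Version-tab checks from post #19 still apply to anything the script flags, since a name-and-directory match alone does not prove a file is genuine.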
Old 07-28-04, 10:12 PM
  #24  
DVD Talk Ultimate Edition
Thread Starter
 
Join Date: Jan 2001
Location: Michigan
Posts: 4,676
Likes: 0
Received 0 Likes on 0 Posts
Just reran Norton and my PC came back clean. Should I delete the Ad-Aware backup and the Norton backup? Should I still disable restore and rescan while in safe mode?
Old 07-28-04, 10:16 PM
  #25  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by ChrisHicks
Just reran Norton and my PC came back clean. Should I delete the Ad-Aware backup and the Norton backup? Should I still disable restore and rescan while in safe mode?
answered above. I guess we were replying at the same time
