sasser, downloader, netsky, bagel

Discussion in 'adware, spyware & hijack cleaning' started by SWCS, May 4, 2004.

Thread Status:
Not open for further replies.
  1. SWCS

    SWCS Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    36
    I ran Stinger and Ad-Aware and eliminated most of the infection, but I still cannot open AVG antivirus. Attached is the HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:22:38 PM, on 5/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\shirley wanless\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logonwisc.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.logonwisc.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Logon Wisc
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\System32\drvddll.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.logonwisc.net
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24c592f8e30455a96c21/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4BF473-5955-49EF-B1A8-1BAA7678D381}: NameServer = 207.190.94.2 207.190.94.129
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B4BF473-5955-49EF-B1A8-1BAA7678D381}: NameServer = 207.190.94.2 207.190.94.129

    Thank you for any help you can give me. Signing out for today, Tues.

    Jim
     
    Last edited: May 4, 2004
  2. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    Run HijackThis again and put a check by these. Close all windows except HijackThis and click "Fix checked".

    O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\System32\drvddll.exe

    Restart to safe mode.

    How to start your computer in safe mode

    First, in safe mode, click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Now find and delete:

    The C:\WINDOWS\System32\drvddll.exe file

    Empty the Recycle Bin.


    It would be a good idea to run the removal tool from here too:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean turn it back on and create a restore point.


    IMPORTANT!: I highly recommend that you go to Windows Update and install all "Critical Updates and Service Packs" ASAP! This will patch numerous security holes in IE and Windows that these worms/viruses exploit.


    Also, I notice that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP!

    You can get the free version of AVG here:

    http://www.grisoft.com/us/us_dwnl_free.php

    You can get the free version of Zone Alarm here:

    http://download.com.com/3000-2092-10039884.html?part=zonealarm&subj=dlpage&tag=button
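As an added triage example (not part of this thread and not HijackThis's own code): a small Python parser that reads the O4 Run and O17 NameServer lines of the log posted above and applies two heuristics, that a Run value named after its own executable and a per-user Run entry launching straight out of System32 both deserve a closer look, while the O17 servers are listed so the owner can confirm them with their ISP. The heuristics and the function names are my own assumptions; the lines it reads are excerpted from the posted log.

```python
import re
from pathlib import PureWindowsPath

# Lines excerpted from the HijackThis log posted above
# (O4 = autostart entries, O17 = configured DNS servers).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [drvddll.exe] C:\WINDOWS\System32\drvddll.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4BF473-5955-49EF-B1A8-1BAA7678D381}: NameServer = 207.190.94.2 207.190.94.129
"""

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
NS_RE = re.compile(r'^O17 - .*NameServer = (.*)$')

def exe_path(command):
    """Return the executable path from a Run command (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+?\.exe)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command

def run_entry_flags(hive, name, command):
    """Heuristic (assumed, not a HijackThis rule) reasons to inspect an O4 entry."""
    path = PureWindowsPath(exe_path(command))
    reasons = []
    # Heuristic 1: the value name is just the file name; installed
    # products normally register under a descriptive product name.
    if name.lower() == path.name.lower():
        reasons.append("run value named after its own executable")
    # Heuristic 2: a per-user Run entry launching a file that sits
    # directly in the Windows system directory is unusual for software.
    if hive == "HKCU" and "system32" in str(path.parent).lower():
        reasons.append("HKCU Run entry pointing into System32")
    return reasons

def triage(log_text):
    """Parse O4/O17 lines; return flagged Run entries and name servers."""
    suspicious, nameservers = [], []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            reasons = run_entry_flags(hive, name, command)
            if reasons:
                suspicious.append((name, exe_path(command), reasons))
            continue
        m = NS_RE.match(line.strip())
        if m:
            nameservers.extend(m.group(1).split())
    return {"suspicious_run": suspicious, "nameservers": nameservers}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, path, reasons in result["suspicious_run"]:
        print(f"check {name}: {path} ({'; '.join(reasons)})")
    print("DNS servers to confirm with the ISP:", result["nameservers"])
```

On the excerpt above only the drvddll.exe entry is flagged, which matches the one line the reply tells the poster to fix; the Lexmark, Messenger and BigFix entries pass both heuristics.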
     