PLEASE HELP VIRUS W32.WALLZ
kopenhagen:
--- Quote ---Obviously, you are installing software that brings the virus along.
--- End quote ---
You obviously don't know about viruses attacking random IPs.
Good luck
kopenhagen:
--- Quote ---Make a directory called C:\Hijack then go to
http://www.hijackthis.de/index.php?langselect=english
and download Hijackthis into the directory you made.
Bookmark the above site for later. ;)
Start Hijack, run a scan, save the scan, go back to the bookmarked site and get your saved scan analysed.
Take appropriate actions or post your scan in here (you will need a few posts to do it because of its length)
--- End quote ---
Thanks, I have scanned it. I have located the malicious file, MOUSEHS.EXE, but still can't remove it.
Logfile of HijackThis v1.99.1
Scan saved at 3:31:07 PM, on 6/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\A\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\System32\wmplayer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: (no name) - {54EE0AE1-2951-AF60-CB4B-465A304E316E} - C:\WINDOWS\System32\FYI\xteivderqx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [System hoster] longwin32.exe
O4 - HKLM\..\Run: [Explorer] explorer.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [SECRETSERVICE] C:\WINDOWS\System32\n0m0r3\v1rg.exe
O4 - HKLM\..\Run: [udtgrr] c:\windows\system32\pxhiwt.exe r
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
O4 - HKLM\..\RunServices: [System hoster] longwin32.exe
O4 - HKLM\..\RunServices: [Explorer] explorer.exe
O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119422031463
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4519/mcfscan.cab
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - Unknown owner - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe (file missing)
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
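The following is an added example, not part of any post in this thread and not HijackThis's own analysis: a small triage parser for the log format shown above, run over lines copied from that log. The three review heuristics (extra UserInit programs, autoruns without a full path or pointing at a .tmp file, services with an unknown owner whose file exists) are assumptions chosen for illustration; a hit means "inspect by hand", not "malicious".

```python
import re

# Lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [System hoster] longwin32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <body>"
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (.*)$")  # autorun value
FULL_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')

def review_reasons(section, body):
    """Return reasons (assumed heuristics) to inspect one entry by hand."""
    reasons = []
    if section == "F2" and "UserInit=" in body:
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
        # Simplification: compares the file name only, not its directory.
        extra = [p for p in progs
                 if p and p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            reasons.append("extra UserInit program: " + ", ".join(extra))
    elif section == "O4":
        m = RUN.match(body)
        if m:
            if not FULL_PATH.match(m.group(1)):
                reasons.append("autorun command has no full path")
            if re.search(r"\.tmp\b", m.group(1), re.I):
                reasons.append("autorun target is a .tmp file")
    elif section == "O23":
        if "- Unknown owner -" in body and "(file missing)" not in body:
            reasons.append("service binary present but owner unknown")
    return reasons

def triage(log_text):
    """Parse a HijackThis log and list (section, reason, body) findings."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            section, body = m.groups()
            findings += [(section, r, body) for r in review_reasons(section, body)]
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```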
merlin_2:
Delete this in HijackThis: O2 - BHO: (no name) - {54EE0AE1-2951-AF60-CB4B-465A304E316E} - C:\WINDOWS\System32\FYI\xteivderqx.dll
Delete what you think should not be there. Don't worry, as HijackThis backs up files.
Fed:
Did you get your log file analysed at the hijackthis site as I suggested?
You have got a couple of nasties there.
Anyway, this is just crazy, why don't you re-format, then install OS, antivirus, antispyware & a firewall before you connect to the internet and it's fixed?
kopenhagen:
--- Quote ---Did you get your log file analysed at the hijackthis site as I suggested?
You have got a couple of nasties there.
Anyway, this is just crazy, why don't you re-format, then install OS, antivirus, antispyware & a firewall before you connect to the internet and it's fixed?
--- End quote ---
I did scan and analyse, etc.
However, I just reformatted for the 3rd time this week.
Now I understand 2 things:
1/ My IP was attacked by a virus as soon as I connect to the internet
2/ Before I connect I should ENABLE my firewall! I'm just wondering, is it offered by SP2?
Anyway, I just enabled my firewall through network connection; so far this famous virus is not back there yet ;D
Thanks for all your help guys!
Keep up the work