0

I cannot get rid of this virus. I have read other posts, but cannot seem to get rid of this bugger. I fairly computer literate, but this one is a bugger. Any help? I am running W2k.
My HJL goes like this.....
Logfile of HijackThis v1.99.1
Scan saved at 6:58:58 PM, on 8/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
D:\program files\TELUS\FastDial\fastdial.exe
E:\Important stuff\HIJACK~1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: Show All Original Images - res://D:\program files\TELUS\FastDial\fastdial.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\program files\TELUS\FastDial\fastdial.exe/227
O17 - HKLM\System\CCS\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DA81E8-326F-42F1-80D9-C864FD8C2B1B}: NameServer = 216.254.141.13 209.90.160.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINDOWS\svehost32.exe

:cry: :cry:

2
Contributors
4
Replies
5
Views
12 Years
Discussion Span
Last Post by swatkat
0

Hi,
Open NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
sc config Workstation Service Library start= disabled
sc stop Workstation Service Library
sc delete Workstation Service Library
sc config Microsoft New Game 2 start= disabled
sc stop Microsoft New Game 2
sc delete Microsoft New Game 2
attrib -s -r -h wkssvc.exe
attrib -s -r -h svehost32.exe
del svehost32.exe
del wkssvc.exe

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Download Sysclean Pacakge, create a folder named Sysclean on Desktop, and put the downloaded file to that folder. Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip ) and extract the contents of the ZIP file to the same Sysclean folder.


Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.

Next, double-click on the sysclean.com file, and after few seconds, the Sysclean window appears. Here make sure that Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log, save the log file.


Reboot to normal mode, run HijackThis again, and post a fresh log along with Sysclean and Ewido logs.

0

Thanks SwatKat,
I am on Dial-up and am downloading as we speak but I am having a problem finding the pattern file for Windows OS

Thanks

0

I couldn't do the sys clean, but here is my most recent HLT log and Ewido log

Logfile of HijackThis v1.99.1
Scan saved at 1:00:24 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
D:\program files\TELUS\FastDial\fastdial.exe
E:\Important stuff\HIJACK~1\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: Show All Original Images - res://D:\program files\TELUS\FastDial\fastdial.exe/250
O8 - Extra context menu item: Show Original Image - res://D:\program files\TELUS\FastDial\fastdial.exe/227
O17 - HKLM\System\CCS\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{61DA81E8-326F-42F1-80D9-C864FD8C2B1B}: NameServer = 216.254.141.13 209.90.160.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{39157D99-3A97-4B0C-85A5-32745D56D397}: NameServer = 192.168.0.1
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINDOWS\svehost32.exe (file missing)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           12:22:57 PM, 8/17/2005
+ Report-Checksum:      AD60026B


+ Scan result:


No infected objects found.



::Report End

Edited by happygeek: fixed formatting

0

Hi,
Open NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
attrib -s -r -h svehost32.exe
del svehost32.exe
attrib -s -r -h wkssvc.exe
del wkssvc.exe

Go to File Menu > Save As, and save the file with the name Remove.bat and exit from NotePad.


Go to Start > Run and type services.msc and press ENTER. In the Services window that opens up, navigate to the service named Workstation Service Library (Microsoft Locator Service) and right-click it, and select "Properties".
In the Property window, in the "Service Status" option box click Stop. After this, in the "Startup" option box, select Disabled from the dropdown menu. Click "Apply" and then "OK".

Repeat the above operations for this service too:-
Microsoft New Game 2 (svehost32)
Exit from Services window.

Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINDOWS\svehost32.exe (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Remove.bat, a small DOS type window should open and close immediately.


Reboot the PC. Scan the system with Norton AntiVirus, and check whether it detects anything or not. Also, run HijackThis and post a fresh log.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.