0

Hi
Yesterday a friend of mine loaded some files from a cd. After that every folder has a similar folder inside it. For example if the folder name is bon jovi then inside the folder there is another folder with the name bon jovi. This happened to every folder in the system. So i scanned my sys with norton and it found a virus and rectified the problem. But norton said that LSASS.exe, services.exe etc have been infected and quarantined. Now when i shutdown the system its not shutting down nor restarting. Wat should i do now??

3
Contributors
4
Replies
5
Views
11 Years
Discussion Span
Last Post by ovexler
0

Hmm, sounds like you may still have a virus.

Download hijackThis. Extract it to its own folder. Then run it and select. Do system scan and save log. Post the contents of the log that pops up.

We will determine if you do, and if so, remove it.

0

This is the result of the scan
Logfile of HijackThis v1.99.1
Scan saved at 5:37:05 PM, on 5/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
E:\WINDOWS\System32\igfxtray.exe
E:\WINDOWS\System32\hkcmd.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
E:\WINDOWS\REGEDIT.EXE
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\system32\netdde.exe
E:\WINDOWS\system32\cidaemon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Enigma Browser\Enigma.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 www.mcafee.com
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 www.nai.com
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 www.grisoft.com
O1 - Hosts: 127.4.7.4 kaspersky-labs.com
O1 - Hosts: 127.4.7.4 www.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 kaspersky.com
O1 - Hosts: 127.4.7.4 www.kaspersky.com
O1 - Hosts: 127.4.7.4 downloads1.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads2.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads3.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 downloads4.kaspersky-labs.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 www.grisoft.cz
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 www.norton.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 www.sarc.com
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 www.vaksin.com
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 www.norman.com
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 www.trendmicro.com
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 www.winantivirus.com
O1 - Hosts: 127.4.7.4 pandasoftware.com
O1 - Hosts: 127.4.7.4 www.pandasoftware.com
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 www.esafe.com
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 www.f-secure.com
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 www.bhs.com
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 www.datafellows.com
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 www.cheyenne.com
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 www.ontrack.com
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 www.sands.com
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 www.sophos.com
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 www.icubed.com
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 www.perantivirus.com
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 www.virusalert.nl
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 www.pagina.nl
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 castlecops.com
O1 - Hosts: 127.4.7.4 www.castlecops.com
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 www.virustotal.com
O1 - Hosts: 127.4.7.4 www.ca.com
O1 - Hosts: 127.4.7.4 ca.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: iShodh Toolbar - {5F1ABCDB-A875-46c1-8345-B72A45670064} - E:\PROGRA~1\ISHODH~1\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Bron-Spizaetus] "E:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [googletalk] "E:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [Tok-Cirrhatus-3444] "E:\Documents and Settings\Administrator\Local Settings\Application Data\br7911on.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://E:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{46210A11-9686-475E-82FF-CA7B92322B44}: NameServer = 203.187.192.15,203.187.192.12
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ModuleUsage - E:\WINDOWS\system32\l60ulgd9160.dll (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\QVJVTg\command.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

0

Hi, you do have some things to be removed. Run HJT again, and place a check next to these items.

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O3 - Toolbar: iShodh Toolbar - {5F1ABCDB-A875-46c1-8345-B72A45670064} - E:\PROGRA~1\ISHODH~1\toolbar.dll

O4 - HKLM\..\Run: [Bron-Spizaetus] "E:\WINDOWS\ShellNew\RakyatKelaparan.exe"

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: ModuleUsage - E:\WINDOWS\system32\l60ulgd9160.dll (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\QVJVTg\command.exe (file missing)

Click Fix Checked.

____________________________________________________

Download Hoster.

  • Unzip Hoster to

C:\Hoster .[*]Run Hoster.exe from its new home[*]Click "Make Hosts Writable?" in the upper right corner (If available) .[*]Click Restore Original Hosts and then click OK.[*]Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

_____________________________________________________

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.

______________________________________________

Post a new HJT log, and the ewido log

0

The problem is that XP sp2 for some reaasone blocked editing by regedit to service under local system ....

What I did is :

I secet the service "symantec password validation service" and on the LogOn tab instead of "local system" I used "This account" and supplied the user as the
.\Administrator
And the addministrator PWD ....

That sove the problem .....

To verify that you suffer from the same problem as I did just first before doing the above change ... set the "Allow to interact ...." check box .... An restart your PC .... this time you will clearly see the error about "regedit ....."

Good luck :lol: ....

(I got to that thing ... only after I have reinstalled XP 3 times ..... :o )

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.