
I am probably out of sync with your methodology as I ran AVG 7.5 before I found your forum. However, what else is new, so I will post the log with an initial introduction and possibly you can figure out what is going on.

Dell Inspiron 3500 laptop, running Win2000 (64 MB RAM), very slow on the internet, whereas it ran very well before I downloaded a TWEAKUI program. ISP tech said to run malware/spyware scans etc., which I did - Spyware Terminator and AVG 7.5, which found and deleted a number of high-threat files, i.e. worms and trojans. I can now connect to the internet and get to my home page, but after that can't go anywhere. I am posting the HijackThis log and would also like to know if guard.exe (which I believe is an AVG background program - which has not been initiated by me - unchecked in AVG) could be a problem. It takes up memory when it is not supposed to be running. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:36 PM, on 1/21/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\Download\unzip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

Last Post by gerbil

guard.exe..... I take it that you have just downloaded AVG - this, then, is the realtime protection unit. It stops after 30 days unless you feed it money. Let it run while you can have the benefit of it. It will remain in mem even if it is not running.

Okay, now for some fun. You have a rabid emailer which is probably why you cannot get right out into the net, and a backdoor trojan. Fixing them may be easy, or it may be hard.
First, please rename Hijackthis.exe to Simplesimon.exe.

===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in using YOUR NORMAL ACCOUNT, not the Administrator account.
Go Ctrl/Alt/Del once to start task manager. Click processes tab, locate and end these three processes:

spooIsv.exe
sysamp.exe
sys32.exe [watch the spelling of that first one: spoolsv.exe is a real process, don't want to miss the baddie!]

Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to C:\WINNT\System32 and open that folder. Locate the three above .exe files and delete them. And this time the spelling of the first is VERY important. Watch out for and avoid spoolsv.exe.

Now while still in safe mode run hijackthis [SimpleSimon.exe] again; this time search for and put checks against the following if they exist:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Press Fix Checked and close hijackthis.
Reboot to normal mode.
Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
- click the Restore MS Hosts Button and then click OK and exit Hoster.
Finally run Hijackthis again, and post the log from THIS run.


You have not been keylogged, but your email passwords are compromised. Make new ones. On the other hand, the rogue you had does not like competition so if you had any other bots it has killed them!


What is a rabid emailer and being 'keylogged'? What is the explanation for getting to my homepage but not being able to navigate anywhere else? Are you sure my e-mail password has been compromised? What other effects of this nasty?

You mention in your 'fix': "When the Boot Menu appears again, select Microsoft Windows XP and press Enter." I don't have XP. I have Win2000. Thanks...ennglish


Rabid as in mad dog.. Keylogger - a pgm which copies your keystrokes, paying particular attention usually to password entries such as in banking forms, and periodically sends them off, or holds them for collection by a bot.
A short description of the activities of one of your trojans courtesy f-Secure:
-joins and parts IRC channels, changes nick, creates clones, sends raw command, sends messages and notices, floods -channels
-scans for vulnerable computers using a number of exploits (see below) and reports to a hacker
-tries to spread to network shares, bruteforces share passwords using the hardcoded list
-steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
-steals Outlook account information (SMTP and POP server names, logins and passwords)
-steals HTTP e-mail server logins and passwords (Hotmail)
-sniffs network traffic (packet sniffer)
-downloads and runs files on an infected computer
-opens a pipe-based remote command shell on an infected computer
-acts as a proxy server on a selected port
-collects information about an infected system (software and hardware configuration)
-finds and terminates competing bots
-performs a DoS (Denial of Service) attack
-updates itself from Internet
==in short, your computer can be controlled remotely, is a pest to others on the network, and some of your personal info can be collected. You have a backdoor trojan - it opens your computer so that it can be controlled externally.

And the other pest is a worm. It modifies your hosts file so that you cannot contact over the web any AV and similar sites to download removal software. Which is why I recommended running Hoster. I know you have Win2000 - it is in the header of your HT log, but Hoster works for the 2000/xp series. It is just that the button has that label....
It attaches itself to any emails you send so that it may infest others, it uses your address list to send infected emails to your contacts [they'll love you for that..], it generates email addresses and sends infected emails on its own.... And it can also function as a backdoor, letting the controller into your computer.
See what I mean? I DO mean to scare you.... And your computer may very well be too busy to let you do anything online.
So it's up to you... I do not expect you to trust me implicitly, but if in doubt...
Try checking your hosts file... %systemdrive%\WINNT\system32\drivers\etc. Drag the hosts file into an open notepad window. See if it has entries other than 127.0.0.1 [you will have to unhide hidden files and folders].


Since speaking with you earlier, another help site answered me and set up some solutions, including running AVG Anti-Spyware, setting up a FixServices.bat file, running HijackThis and deleting the same files as you list (couldn't find C:\WINNT\sys32.exe) , running a program called SDFix. Nothing changed and unfortunately I couldn't complete his instructions because it involved downloading very large programs which I cannot transfer from current program to infected one - not enough floppies and no memory stick now.

It looks like I can follow through on your solution, but let me know if what I already did obviates the efficacy of your method. I've already downloaded hoster.zip and I can get it on the infected computer. I also have HijackThis on it, which, if I'm correct, is all I need just now, right?

I tried to get to Panda for a scan but the bugger wouldn't let me go there! Let me know if we should continue. I'm willing to push this old brain (69+ years) at least for a little while.


I've already downloaded hoster.zip and I can get it on the infected computer. I also have HijackThis on it, which, if I'm correct, is all I need just now, right?

I tried to get to Panda for a scan but the bugger wouldn't let me go there! Let me know if we should continue. I'm willing to push this old brain (69+ years) at least for a little while.

Yep.. these were my points.. :) Sorry I did not outline your expected limitations more fully in my earlier post.... but the second post fairly lists what may be happening on your computer and how you are limited in your initial responses.
And no, what you have attempted is no problem, just go ahead and try what I said, and if you succeed then we will try some deeper searching and cleaning. If you don't succeed, we'll try something else. So for now do the thing with HT [rem to change its name!, cos some pests know it by now and block it from seeing them]. We'll get there, but once we start please don't mixnmatch solutions.... I'm not being arrogant here, it is that I don't want to lose track of what you are doing. Doing stuff posted here by others is ok cos I can see that, but I'll miss action on other sites.
Cheers, and go for it.
PS.. to see some hidden files/folders like system32: in an explorer window, go tools > folder options > view tab, and press Show hidden files and folders, Apply and OK.
Do this first, and keep the setting before you commence the fix. Have a glance at your hosts file...


P.S. Want to be sure I understand your instructions. You wrote that I should stop the following processes in Task Manager:
spooIsv.exe
sysamp.exe
sys32.exe [watch the spelling of that first one: spoolsv.exe is a real process, don't want to miss the baddie!]
This comment in parenthesis is unclear. You also wrote: "And this time the spelling of the first is VERY important. Watch out for and avoid spoolsv.exe."

It seems as if you are saying I should delete spoolsv.exe and yet avoid it. The files you indicated are spelled exactly the same.

ennglish


In task manager if you stop a process it is no big deal - your pc may crash or merely halt if you choose the wrong one, but no real harm is done, a restart will cure it. If, though, you delete the wrong file in system32 some effort will need to be gone into to rebuild it....
So, in the first case I was telling you to not miss the bad one by stopping the good one, in the second case I was telling you not to delete spoolsv.exe, as that is a good one [for printing services].
To avoid font problems, SPOOLSV.EXE is a valid M$ file. Leave it alone.
SPOOISV.EXE is the one we need to remove.
The reason for stopping a process is that it is not possible to delete a running process...
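The SPOOLSV/SPOOISV point above is a name-imitation trick, so here is an added example (not code from this thread or from HijackThis) that scans a HijackThis log for file names imitating core Windows processes: glyph look-alikes such as a capital I for a lower-case l, truncated forms such as logon.exe for winlogon.exe, one-character variants, Run entries with Windows-sounding labels that launch something else, and services whose file is missing. The process names, Run labels and sample lines are taken from the logs posted in this thread; the function names, the watch lists, the rules and their thresholds are my assumptions.

```python
import re
from typing import List, Tuple

# Core Windows 2000 processes as they appear in the HijackThis logs in this thread.
KNOWN_SYSTEM_EXES = sorted({
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "mstask.exe", "winmgmt.exe", "explorer.exe",
})

# Glyphs that are easy to confuse in the fonts a log is usually read in.
_CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Words from Run-entry labels the malware in this thread used ("Services",
# "Spooler SubSystem App", "Windows Logon Application"); assumed watch list.
_SYSTEMISH = ("windows", "service", "spooler", "system", "logon", "microsoft")

_EXE_RE = re.compile(r"([\w$~.\-]+\.exe)(\s*\(file missing\))?", re.IGNORECASE)
_RUN_RE = re.compile(r"^O4 - .*\\Run: \[(?P<label>[^\]]+)\]")


def fold(name: str) -> str:
    """Map confusable glyphs to one canonical form, then lower-case."""
    return name.translate(_CONFUSABLE).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the strings are short, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Reason why `name` looks like an imitation of a core process, or ''."""
    low = name.lower()
    if low in KNOWN_SYSTEM_EXES:
        return ""
    stem = low[:-4]                                   # drop ".exe"
    for known in KNOWN_SYSTEM_EXES:
        kstem = known[:-4]
        if fold(name) == fold(known):
            return f"homoglyph of {known}"
        if len(stem) >= 4 and (kstem.startswith(stem) or kstem.endswith(stem)):
            return f"truncated form of {known}"
        if edit_distance(low, known) == 1:
            return f"one edit away from {known}"
    return ""


def scan_log(log: str) -> List[Tuple[str, str]]:
    """Walk HijackThis output and return (file name, reason) per suspicious item."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _EXE_RE.search(line)
        if not m:
            continue
        name, missing = m.group(1), bool(m.group(2))
        reason = classify(name)
        if not reason and missing and line.startswith("O23"):
            reason = "service points at a missing file"
        run = _RUN_RE.match(line)
        if (not reason and run and name.lower() not in KNOWN_SYSTEM_EXES
                and any(w in run.group("label").lower() for w in _SYSTEMISH)):
            reason = f"Windows-sounding Run label '{run.group('label')}' launches a non-core binary"
        if reason:
            findings.append((name, reason))
    return findings


# Constructed excerpt assembled from the log lines posted in this thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
"""

if __name__ == "__main__":
    for name, reason in scan_log(SAMPLE_LOG):
        print(f"{name:14} {reason}")
```

Note that sysamp.exe is caught only through its "Services" Run label: a name with no resemblance to anything legitimate defeats look-alike checks, which is why the thread also relies on knowing what belongs in system32.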


Thanks. I figured out the spool (L) problem. I read it wrong: L instead of I. I went into HijackThis (on a dry run) and couldn't find the following files which look like registry entries:
O4 - HKLM\..\Run: [Spooler SubSystem App]
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner -

You'll have to give me more explicit instructions on these and on HijackThis. The only place I can see for finding files is in Misc. Tools - Delete and boot or some such bar (I'm not at that computer now). Finally, renaming HijackThis.exe: I would do it from Windows Explorer in the program folder and also on the desktop shortcut. Am I right on this?

Thanks...


The confusions that arise through choice of font plus similar, genuine-sounding names are part of the ploy to avoid detection by the uninitiated [or the careless].
Now. Do not concern yourself with dry runs - I shall do my best to not actually harm your system.
First, we must try to stop the possibility of a malware recognising Hijackthis and also enable you to find them.
Second, we must stop the processes that we wish to remove from running.
Third, we delete those processes.
Fourth, we remove the registry keys that call those processes.
Now i shall reiterate and enlarge upon those instructions.
1. Open an explorer window, navigate to your download\unzip folder and open it; in the right pane rclick Hijackthis.exe, select rename in the context menu and change it to Strawdogs.exe.
Still in that window go to tools > folder options > view tab, look down the list and press the button Show hidden files and folders, Apply and OK.
2. We go to safe mode.... Restart your computer, press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in using YOUR NORMAL ACCOUNT, not the Administrator account.
[safe mode loads the bare minimum of drivers and processes necessary to get the OS running so that we can work on it].
We shall proceed with the basic tools. Open task manager via Ctrl-Alt-Delete combined keypress [one only]. Select the processes tab, alphabetise the list by lclicking Image Name header, scroll down and search for these three processes:
spooIsv.exe
sysamp.exe
sys32.exe
---in turn highlight each and click End Process. Those will be the actual names; do not be concerned if you do not find one or any because that just means that they are not running - a function and benefit of safe mode. Close task manager.
3. Click Start, go My Computer and Local Drive C: [or open an explorer window however you wish]
-in the left pane tree [click Folders icon if you must] expand C:; expand WINNT; lclick system32.
-in the right pane search for those three files above and delete each. Collapse WINNT folder.
4. Open download\unzip and dclick Strawdogs.exe. Press Do a System scan only.
-place checks against the following:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Press Fix Checked.

Reboot to normal mode. If you have not already done so extract Hoster from its zip file to desktop or your unzip folder.
-dclick the hoster.exe and press Restore MS Hosts button. Ok and close.
-start Strawdogs again, close the explorer window and select Scan and Save a logfile.
Please post that file.
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
-Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner. Close it.
-Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

Ok, two files to post. I'll check for them.


...we could do this with HijackThis functions, but I want you to follow the process I have outlined above. Ignore the HT desktop icon, delete it in fact, it is not a program to use willynilly.


Here's the reports:
Logfile of HijackThis v1.99.1
Scan saved at 9:50:39 AM, on 1/26/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hijack\Simplesimon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

and:

---------------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------------
+ Created at: 10:35:26 AM 1/26/2007
+ Scan result:

Nothing found.

::Report end

Also ran ccleaner and it deleted a few temp files from browser.

ennglish


Hello, ENNGLISH, please say if you were able to delete the 3 files:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\WINNT\sys32.exe
I would like you to check for their presence as before [no need to use task manager] and report back if any have returned.

In normal mode will do...
Click Start, go My Computer and Local Drive C: [or open an explorer window however you wish]
-in the left pane tree [click Folders icon if you must] expand C:; expand WINNT; lclick system32.
-in the right pane search for the first two files above. Collapse system32 folder and highlight [lclick] WINNT in left pane. Check for the third file in the right pane.


Nope. None of them are there. The last one you're asking for C:\WINNT\SYS32.EXE is quarantined in my AVG 7.5 program. Also quarantined from WINNT directory are:
MSmedia.exe.ren
system32\qaz
system32\host.exe
system32\rdriv.sys
There's also a notation in AVG on deleting sys32.exe on reboot. I don't know if that was actually done.

Hope this helps...ennglish

Another P.S.
Found the following from SDFix that was run by the first tech help I had. It may explain more:

SDFix: Version 1.62

Wed 01/24/2007 - 13:53:05.89

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
rdriv

Path:
\??\C:\WINNT\system32\rdriv.sys

rdriv Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINNT\system32\i - Deleted
C:\WINNT\system32\spooIsv.exe - Deleted

Alternate Streams Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\arcldr.exe
C:\arcsetup.exe
C:\PAGEFILE.SYS
C:\CONFIG.SYS
C:\IO.SYS
C:\MSDOS.SYS

Finished


Good-oh, then you are clean. Just start AVG a-s, Infections tab, and remove sys32. It pays to have a look at what AVG has in quarantine before you do a mass removal, cos it does occasionally pick up false positives.
Cheers.


Not clean yet. Still can't get past the first page on the internet, and when I try to go to any spyware scan site, all the computer does is send lots of data packets and receive next to nothing.

Sys32 has been gone for days. I think SDFix deleted it as the report stated, and it's not clean yet. Somebody's in there. The last time I tried to get to TrendMicro housecall, the screen was jumping around like something out of the Exorcist!

If this is as far as we can go, I'd better get help on wiping the hard-drive and starting all over with a new operating system.

ennglish


No, it's not as far as we can go. If it is that your computer is still hijacked by a trojan then it is concealed. Try these scans and post any positive results. For the first two do not use your computer while it scans.
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx -read that page, dl the file at foot, start it and Scan.
==Pandasoftware ActiveScan from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address... To reduce the number of detections run CCleaner first to remove cookies.
==Kaspersky online scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
And if they do not find anything then we shall examine the traffic from your pc, find what is running.
Of course, you may be blocked from those sites..
Alternative site for blacklight: http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html


btw, your DSclock pgm. XP does a time synch test every time you connect to the net [unless you specifically stopped the service]. It keeps your pc within 10-15secs of real time. Atomic clock synch services take no account of packet travel times to/from your puter, so do not expect to be totally accurate.


Was able to run Blacklight, which found nothing, and Revealer that quickly came up with three registry entries, all the same,
HKLM\Security... (that's all) with description: key name contains embedded nulls

and then the scan seemed to freeze at the following entry:

HKLM\SYSTEM\SETUP\ALLOWSTART\WS2FSL

Waited for something to happen but no more progress, so aborted.

In task manager I found the following file which I've never seen before, but I don't know if it's significant: DMJMGQVAO.EXE. Revealer was listed also so I am assuming the file is not part of Revealer...but I don't know.

Again, I'm running Win2000, not XP. Still cannot get to Panda or Kaspersky. If I get a Flash Memory Stick (which I don't have yet) I probably can get Kaspersky or another Anti-Virus/Spyware. I've tried getting updates to AVG7.5 Spyware but with no luck.

ENNGLISH


ws2ifsl.sys should only be in WINNT\system32\drivers. [typing error? ws2fsl - there should be no such file in 2000/xp]
Search for ws2ifsl in your C: drive. It should only occur the once, as above.
DMJMGQVAO.EXE is not a known process. Use task manager to stop it running, search for it and delete it. If it starts again on reboot then it and its registry keys are being hidden.
Kaspersky and Panda scans I have listed above are online scans - you must be connected... although they download ActiveX controls as scanning machines and files of identifying strings, they only run connected.
Go Start >run, type regedit and <enter>. Highlight My Computer at top in lh pane, then under Edit tab click find, and type in DMJMGQVAO and press <enter>. If it finds anything please export that key: look for the open folder icon in the left pane, highlight it with a lclick, go File, export... , save as DMJMG with file type .txt. Close regedit and post that txt file and any news of DMJMGQVAO.EXE behaviour after deletion.


I did find the file ws2ifsl.sys in WINNT\system32\drivers as well as in system32\dllcache.

Ran Revealer again and it hung up as before. Did a search on DMJMGQVAO and found nothing. Ran regedit and found it: here's the exported key:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="DMJMGQVAO.EXE"
"001"="DMJMGQVAO"
"002"="DMJMGQVAO,EXE"
"003"="ws2ifsl.*"
"004"="ws2fsl.*"
"005"="ws2fsl.sys"
"006"="SDFix.*"
"007"="system32.*"
"008"="sys32.exe"
"009"="device manager"

Also, for some reason, I am not getting an e-mail notice when you post a reply.

Thanks. Hope the above tells you something...ennglish


A quick reply.. that key you exported is 2000's record of searches and search parameters used recently, so it looks like the registry does not launch that .exe file. I'll try to get back later today on a suitable tool to track down that process.


Hello, ennglish. I cannot understand why, if there is an alien process running, and you stop it [either via Task Manager or HijackThis] and then delete it in the same session, if it is the root cause of blocking you from security sites such as Panda or Kaspersky, you then cannot get to those sites. Is your hosts file clean? [\windows\system32\drivers\etc\hosts - you open a new notepad and lclick-drag hosts into it.] There is some advice text in it, and the only entry needs to be
127.0.0.1 localhost
Actually, I've been hoping that someone else would hop in with a suggestion - there are other good scanning softwares but I would be uncomfortable advising you to run them because I do not know them intimately enough.
[the first two reports from Revealer are okay; its jamming on ws2ifsl.sys is, it seems, a bug... with the only suggested workaround being to run an older version of RKR. Ha....]
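Both this post and the earlier one about the worm rewriting the hosts file come down to one check: nothing but the loopback-to-localhost line should be in there, and a security vendor's name mapped anywhere at all is the blocking the thread describes. As an added example, not from the thread or from Hoster, here is a small hosts-file audit in Python; the watched vendor domains are taken from the sites recommended in this thread, the sample file is constructed, and the function names and rule wording are my own.

```python
import ipaddress
from typing import List, Tuple

# Sites this thread relied on for scanners and updates; a worm that wants to keep
# its host infected sinkholes exactly these kinds of names (assumed watch list).
WATCHED_DOMAINS = ("f-secure.com", "pandasoftware.com", "kaspersky.com",
                   "trendmicro.com", "microsoft.com", "grisoft.com")

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs: comments and blank lines are skipped,
    inline '#' comments are cut, and one line may carry several hostnames."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            pairs.append(("", fields[0]))          # malformed: no hostname
            continue
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def _watched(host: str) -> str:
    """The watched domain that `host` equals or sits under, or ''."""
    for dom in WATCHED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return ""


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, reason) for every entry other than the expected
    loopback -> localhost mapping (IPv4 127.0.0.1 or IPv6 ::1)."""
    findings = []
    for ip_text, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((host, ip_text, "malformed entry"))
            continue
        if host in LOCAL_NAMES and ip.is_loopback:
            continue                                # the one entry that belongs
        dom = _watched(host)
        if dom:
            findings.append((host, ip_text, f"security site {dom} overridden"))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((host, ip_text, "name sinkholed (blocked)"))
        else:
            findings.append((host, ip_text, "name pinned to a fixed address"))
    return findings


def is_clean(text: str) -> bool:
    """True when the file holds nothing beyond the localhost mapping."""
    return not audit_hosts(text)


# Constructed sample, not a capture from the machine in this thread.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.f-secure.com housecall.trendmicro.com
0.0.0.0         www.kaspersky.com
203.0.113.10    downloads.example.com
"""

if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:28} {ip:14} {reason}")
```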


Sorry, but I don't have the slightest idea what you are talking about. It does seem that you've gotten to the end of the line with this problem. Perhaps you can get another tech into the process. If not, let me know where I should go to wipe the hard-drive clean and start over. That won't be as easy as I'd like as I don't have the Win 2000 that was loaded on to the machine....Thanks.


P.S. Opened the hosts file and there was only the one that you mentioned:
127.0.0.1 localhost

I'll try getting on the internet tomorrow for a scan. Let you know...ennglish


Ennglish, help came in the form of PhilliePhan. There is a worm you need to remove. It's the "parent" of those other files we deleted. In task manager, processes, find logon.exe and stop it. Then go to WINNT\system32 and delete it. Run a new HijackThis scan and fix this entry:
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
Run a new scan and post it. Recheck your hosts file, and clean it as before with Hoster if needed, and retry those two security sites.


[the alien process I was referring to before was DMJMGQVAO.EXE - an executable with a fake, constructed name. Your Revealer log was ok as far as it went. And somehow I missed that worm that popped up in your second HT log - it surfaced after we removed the files it generated. Sigh.]


Something must have worked because I'm on the web with the infected laptop. Here's the Hijack Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:11:50 AM, on 2/10/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\Program Files\Hijack\Simplesimon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

Went to Panda: it found 3 viruses, 1 rootkit and 2 spyware files, but it wanted $13 to fix it. I opted out, downloaded AVG anti-virus and updates (also for avg 7.5 spyware). AVG antivirus found a backdoor trojan: TrojanHorseIRC/Backdoor.SaBot2.run in
WINNT\SYSTEM\MSIDE.EXE

I tried getting to trendmicro but had problems loading the page. Perhaps Java or ActiveX settings, I don't know. But bottom line is I'm on the web and all seems well. Should we do a follow-up or do you suggest a next step?

ENNGLISH
