Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Infectious Behaviour[RESOLVED]


  • This topic is locked This topic is locked

#1
DocNukem

DocNukem

    New Member

  • Member
  • Pip
  • 2 posts
Hi there

I have this nasty virus in a clients system. Started as a huge infestation - elitebar SSK e2give istbar mugly etc was picked up by my versiopn of xoftspy. I clean it out and is replaced by the time I do my next boot up. I cannot use regedit in normal mode, or TM. If I go into Safe Mode I can use these tools, but it seems none of the malware processes are running in safe mode. I scanned with NAV2004 in Safe Mode and got rid of most of the infection. Now what is visibly left is Mugly. PC Details: Win XPhome sp1

I ran the hjt in safe mode and got these results:<Latest version>
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mecer.co.za
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webr...99&sid=&lang=en
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\Run: [EKkE5I] C:\WINDOWS\kjsllybp.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [zplhsvg] c:\windows\system32\zplhsvg.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\oemji\oemjisearchplus\sfbnsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.mecer.co.za
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...p1/imloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

If someone could please help me with this - Thank
  • 0

Advertisements


#2
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
hi sorry for the delayed response as we have been very busy here lately.

Since your original post is over a week old could you please post a fresh Hijack This log for review. if possible try and do it in normal mode. safe mode hides information from us

if you have already gotten your problem fixed please post here and let us know.

Thanks
  • 0

#3
DocNukem

DocNukem

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks Guys

No Probs, I got the solution eventually. Removed the HDD and installed it into a clean computer. Then ran virusscans and the beta version of microsoft anti spyware and did some reg fixes. Now its all back to normal, so ....

Take care and thanks for being there

Regards

DocNukem
  • 0

#4
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP