[Kuruption]

I've come across a few problems. First things first, my pc shuts down during anti-virus checks... Including, panda, trendmicro, ewguard, etc. I have multiple Svchost's running.

I also can't change my wallpaper "background" on my desktop... It's a black screen, that doesnt give me the options in settings to change. This is the old version of hijackthis... as u can see it shows them all.

Here is my hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 3:15:22 PM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [secboot] C:\WINNT\system32\mszx23.exe !!
O4 - HKCU\..\Run: [System] C:\WINNT\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


This is the new version of hijack this and it shows that my system is clean...

Logfile of HijackThis v1.99.1
Scan saved at 3:27:10 PM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe




It says it's clean, but i didnt do anything to make it clean... So is it just not reading it?


------------

New Update:

I got a virus checker to work, without reseting the computer. However, Backdoor.haxdoor.cn still appears among others...

Please help.

Edited by Kuruption, 30 May 2005 - 04:18 PM.

[Advertisements]

Hello Kuruption.

You have a Horseserver infection which requires some tools to get rid of.

• Download the attached file (hsfix.zip) to your desktop.
• After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
• Next, download CleanUp! Install it, but do not run it yet.
• Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
• Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
• A log will be produced which you can close out of.
• Then run HijackThis again, close any open windows and browsers and fix these:
  O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
• Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
• Repeat the process above.
• Restart your computer into normal mode and run at least one of the following free, online virus scans:
  http://housecall.tre.../start_corp.asp
  http://www.pandasoft...n_principal.htm
• I see no signs of a Firewall or Antivirus program on your computer. I recommend downloading and installing the following free programs:
  ZoneAlarm Firewall
  AVG7 Antivirus.
  Be sure to check for updates after installation.
• Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

[alsocom]

Hello Kuruption.

You have a Horseserver infection which requires some tools to get rid of.

• Download the attached file (hsfix.zip) to your desktop.
• After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
• Next, download CleanUp! Install it, but do not run it yet.
• Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
• Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
• A log will be produced which you can close out of.
• Then run HijackThis again, close any open windows and browsers and fix these:
  O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
• Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
• Repeat the process above.
• Restart your computer into normal mode and run at least one of the following free, online virus scans:
  http://housecall.tre.../start_corp.asp
  http://www.pandasoft...n_principal.htm
• I see no signs of a Firewall or Antivirus program on your computer. I recommend downloading and installing the following free programs:
  ZoneAlarm Firewall
  AVG7 Antivirus.
  Be sure to check for updates after installation.
• Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

[Kuruption]

I did what you asked here is the new logs.

Hsfix:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
vdmt16.sys
winlow.sys
cz.dll
tmp*.exe
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 8:34:00 PM, on 5/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

[alsocom]

Just one optional item left.

Step 1
Open HijackThis, run a scan, then check the following:
Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required either way.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

With all other programs and browsers closed, click fix checked.


Step 2
Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
Please let us know how the computer is behaving.

[alsocom]

Kuruption, I haven't heard from you in a few days and wanted to see if the computer is working better now.

[alsocom]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.