
Infected cisvc.exe file, Application Freezes



#1
rappa4tay

I've followed the instructions from the sticky... It seemed to fix my problem for about half a day, and then I started having issues again. I used ewido, adaware, norton, cleanup, spybot, and housecall. All of the definitions are up to date, and I customized all the scans as the thread instructed. The only thing I had issues with was installing service pack 2... I made sure all of the spyware was removed from my system, but when I tried to install SP2 it froze halfway through the install... when I rebooted it made me uninstall SP2 since it didn't complete, and all of my attempts after the first to install it have failed as well.

What's happening is, if I try to browse through my computer in any application, whether it be to open a file through winamp or browse to upload to the internet... If I try to change directories, the entire application freezes. My task manager also does not open when I press ctrl+alt+del, but an icon appears in the system tray. Each additional time I press ctrl+alt+del, another icon appears.

Ewido keeps popping up a message that "cisvc.exe" in the system32 folder is infected with some type of backdoor. I keep choosing clean, but for some reason it isn't cleaning it, or it keeps coming back. From what I've read, the cisvc.exe file is a Windows file for memory management, so I don't really want to delete it.

I have two hard drives, and I re-formatted the one with my Windows installed on it, thinking it would solve my problem. Initially, it went away, but less than a day later I started having the problems all over again.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:18 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.117.195.49:444
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Windows Protectot] boxide.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117557534015
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


I noticed one of the viruses my scans detected a couple of days ago, "boxide.exe", is in the HJT log, even though none of the scans are picking it up anymore.

I'm just lost about what to do, aside from reformatting both of my hard drives (which really isn't an option for my D drive until I find a sufficient storage medium) and I'm really not sure that would solve my problem anyways.

Any help would be greatly appreciated.


#2
rappa4tay

bump