Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected cisvc.exe file, Application Freezes

Started by rappa4tay , Jun 02 2005 11:59 AM

  • Please log in to reply

#1
rappa4tay
Posted 02 June 2005 - 11:59 AM

rappa4tay

    New Member

  • Member
  • Pip
  • 4 posts
I've followed the instructions from the sticky... It seemed to fix my problem for about half a day, and then I started having issues again. I used ewido, adaware, norton, cleanup, spybot, and housecall. All of the definitions are up to date, and I customized all the scans as the thread instructed. The only thing I had issues with was installing service pack 2... I made sure all of the spyware was removed from my system, but when I tried to install SP2 it froze halfway through the install... when I rebooted it made me uninstall SP2 since it didnt complete, and all of my attempts after the first to install it have failed as well.

Whats happening is, if I try to browse through my computer in any application, whether it be to open a file through winamp or browse to upload to the internet... If I try to change directories, the entire application freezes. My task manager also does not open when I press ctrl+alt+del, but an icon appears in the system tray. Each additional time i press ctrl+alt+del, another icon appears.

Ewido keeps popping up a message that "cisvc.exe" in the system32 folder is infected with some type of backdoor. I keep choosing clean, but for some reason it isnt cleaning it, or it keeps coming back. From what I've read, the cisvc.exe file is a windows file for memory management, so I don't really want to delete it.

I have two hard drives, and I re-formatted the one with my Windows installed on it, thinking it would solve my proplem. Initially, it went away, but less than a day later I started having the problems all over again.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:18 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.117.195.49:444
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Windows Protectot] boxide.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117557534015
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


I noticed one of the viruses my scans detected a couple of days ago "boxide.exe" is in the HJT log, even though none of the scans are picking it up anymore.

I'm just lost about what to do, aside from reformatting both of my hard drives (which really isnt an option for my D drive until I find a sufficient storage medium) and I'm really not sure that would solve my problem anyways.

Any help would be greatly appreciated.
  • 0

Advertisements

#2
rappa4tay
Posted 02 June 2005 - 05:17 PM

rappa4tay

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
bump
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP