I am running Win 2000 with SP4. I believe all updates are current.
I have 2 hard drives, both 80 gig. C is blue-screened and I am now on F. Zone Labs scanned and found the above worm in the Recycler folder.
I have followed some steps suggested to delete & remove it, but to no avail:
"Access Denied. Source file in use"
When I run HijackThis, it only sees the F drive, not C where the problem is.
Log below:
Logfile of HijackThis v1.99.1
Scan saved at 15:02:08, on 09/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\ZoneLabs\isafe.exe
F:\WINNT\system32\nvsvc32.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\SOUNDMAN.EXE
F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINNT\system32\internat.exe
F:\WINNT\system32\RUNDLL32.EXE
F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\Installs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [hpsjbmgr] F:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Outlook.lnk = F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...ES_ZNxdm119YYDE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5353C9-8F44-47B1-9D5D-51A0B5D0F7C7}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - F:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe
I have also run ewido twice; logs below.
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:29:24, 14/07/2005
+ Report-Checksum: B94A1F33
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Hauppauge\WinTV-Nexus\HighendTV.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\VVSN\VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
C:\WINNT\system32\myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\playme.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Counted : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8H6NKHEZ\FunBuddyIconsFWBInitialSetup1.0.0.8-2[1].cab/f3Setup1.exe -> TrojanDropper.FunWeb.a : Cleaned with backup
F:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
F:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
F:\WINNT\image.exe -> Backdoor.SdBot.aad : Cleaned with backup
F:\WINNT\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
F:\WINNT\system32\logi0.scr -> Backdoor.Rbot.ts : Cleaned with backup
F:\WINNT\system32\logi2.scr -> Backdoor.Rbot.ts : Cleaned with backup
F:\WINNT\system32\specific.exe/myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\specific.exe/playme.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\specixic.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
::Report End
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:01:16, 14/07/2005
+ Report-Checksum: 3777A79B
+ Scan result:
C:\WINNT\system32\__delete_on_reboot__myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\__delete_on_reboot__specixic.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
::Report End
Drive F is still BLUE SCREENED.
From reading other posts it seems that my REGISTRY is corrupted. What can I do to correct this? I have also tried doing a repair from the 2000 CD. No luck.
Help, please.
Edited by gizmops, 14 July 2005 - 05:07 AM.
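Added example (not part of gizmops's post, and not code from HijackThis or ewido): a small Python triage script for the two log formats quoted above. It reads the booted system drive off the smss.exe path in the HijackThis process list, flags processes whose image lives on another drive (a file held open by such a process cannot be deleted while it runs, which is one way to get a "file in use" error), parses the ewido "LOCATION -> NAME : ACTION" lines into records, and separates tracking cookies from the backdoor, trojan and packer-heuristic hits per drive. The embedded sample text is a constructed subset of the lines quoted in the post; the tier names and the family list in tier() are this example's own choices.

```python
# Triage helper for the HijackThis log and ewido report formats quoted in the post
# (added example, not the tools' own code). Samples are constructed subsets of the post.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Installs\HijackThis.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
"""

EWIDO_SAMPLE = r"""ewido security suite - Scan report
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
C:\WINNT\system32\myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
F:\WINNT\image.exe -> Backdoor.SdBot.aad : Cleaned with backup
F:\WINNT\system32\logi0.scr -> Backdoor.Rbot.ts : Cleaned with backup
F:\WINNT\system32\specific.exe/myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
::Report End
"""

_DRIVE_PATH = re.compile(r"^([A-Za-z]):\\")
_HJT_ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")  # R0, O2, O23 ... entry lines end the process list
_EWIDO_LINE = re.compile(r"^(?P<loc>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

def running_processes(hjt_text: str) -> List[str]:
    """Paths listed under 'Running processes:' in a HijackThis log."""
    procs, in_section = [], False
    for line in (l.strip() for l in hjt_text.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line or _HJT_ENTRY.match(line):
                break
            procs.append(line)
    return procs

def system_drive(hjt_text: str) -> str:
    """smss.exe is started by the kernel from the booted installation, so its drive
    is the installation whose live registry HijackThis is actually reading."""
    for p in running_processes(hjt_text):
        if p.lower().endswith("\\smss.exe"):
            return p[0].upper()
    raise ValueError("no smss.exe in the running-process list")

def foreign_processes(hjt_text: str) -> List[str]:
    """Processes whose image lives on a drive other than the booted one; any file
    such a process holds open cannot be deleted while it runs."""
    sysdrv = system_drive(hjt_text)
    return [p for p in running_processes(hjt_text)
            if _DRIVE_PATH.match(p) and p[0].upper() != sysdrv]

@dataclass
class Detection:
    location: str  # file path, archive member (outer.exe/inner.exe) or registry key
    name: str      # scanner detection name, e.g. Backdoor.Rbot.ts
    action: str

def drive_of(location: str) -> Optional[str]:
    m = _DRIVE_PATH.match(location)
    return m.group(1).upper() if m else None  # None for registry entries

def parse_ewido(report_text: str) -> List[Detection]:
    """Parse 'LOCATION -> NAME : ACTION' lines; header and footer lines do not match."""
    return [Detection(m["loc"], m["name"], m["action"])
            for m in map(_EWIDO_LINE.match, report_text.splitlines()) if m]

def tier(name: str) -> str:
    """Bucket a detection name by what it implies for the machine (example's own scheme)."""
    if name.startswith("Spyware.Cookie."):
        return "cookie"     # tracking cookies: privacy nuisance, no code execution
    family = name.split(".", 1)[0]
    if family in ("Backdoor", "Trojan", "TrojanDropper", "Worm"):
        return "malware"    # remote control or dropper: treat the box as compromised
    if family == "Heuristic":
        return "heuristic"  # packer heuristic: confirm with a second opinion
    return "adware"         # toolbars, dialers, ad software

def triage(detections: List[Detection]) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {"malware": [], "heuristic": [], "adware": [], "cookie": []}
    for d in detections:
        buckets[tier(d.name)].append(d.location)
    return buckets

def drives_hit(detections: List[Detection]) -> Set[str]:
    """Drives holding non-cookie detections; two means both installations need cleaning."""
    return {drive_of(d.location) for d in detections
            if drive_of(d.location) and tier(d.name) != "cookie"}
```

Run against the two samples, `system_drive` returns `F`, `foreign_processes` lists the three images started from `C:` (the ZoneAlarm client, mantispm.exe and HijackThis itself), and `drives_hit` returns both `C` and `F`: the same autoclk.exe and Morphine-packed files sit under both `C:\WINNT` and `F:\WINNT`, and the SdBot and Rbot backdoors are on the installation that is currently running. The asymmetry between the two logs is the point: HijackThis enumerates the live registry and process list of the booted installation only, whereas the ewido file scan walked both drives, which is why the C installation never appears in the HijackThis output.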