Possible Trojan? s3xy.bz



#1 koala_sprint (New Member, 1 posts)

Hi there,
Just got my pc back from being fixed and seem to have a virus of some sort. After signing into my homepage I'm automatically redirected to http://s3xy.bz then the computer shuts down about 60-90 seconds later.
Have run HijackThis and posted the log below. Will appreciate any help on this matter.
Thanks
Stephen

Logfile of HijackThis v1.99.1
Scan saved at 7:37:43 AM, on 8/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Rpcmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\taskmqrs.exe
C:\WINDOWS\System32\mwupdate32.exe
C:\WINDOWS\System32\wmapp.exe
C:\WINDOWS\System32\taskmqrs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Stephen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [File System] taskmqrs.exe
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\Run: [Windows Media APP] wmapp.exe
O4 - HKLM\..\RunServices: [File System] taskmqrs.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\RunServices: [Windows Media APP] wmapp.exe
O4 - HKCU\..\Run: [File System] taskmqrs.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe

#2 Wizard (Retired Staff, 5,661 posts)

Hi koala_sprint and Welcome to GeekstoGo!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download and Install
CleanUp!
Don't use it yet!

CleanUp will remove all temporary files, so if you have anything you want to keep stored in a temporary folder, please move it now!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Click Start-> Click Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

Remote Procedure Call (RPC) Monitoring << Bad Service!

Make sure the name matches exactly; there are usually 2 good running services with similar names!

Remote Procedure Call (RPC) << Good Service!
and
Remote Procedure Call (RPC) Locator << Good Service!

Once you locate Remote Procedure Call (RPC) Monitoring-> Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Exit the Services Page!

Open up Pocket Killbox!

Now, highlight the list of files below and press Ctrl+C at the same time to copy!

C:\WINDOWS\System32\mwupdate32.exe
C:\WINDOWS\System32\wmapp.exe
C:\WINDOWS\System32\taskmqrs.exe
C:\WINDOWS\System32\Rpcmon.exe


In Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run those files through Killbox again to confirm all deleted!

C:\WINDOWS\System32\mwupdate32.exe
C:\WINDOWS\System32\wmapp.exe
C:\WINDOWS\System32\taskmqrs.exe
C:\WINDOWS\System32\Rpcmon.exe


As you enter each-> place a tick by these selections

"Standard File Kill"
"End Explorer Shell while Killing File"


Click the Red Circle to Delete!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [File System] taskmqrs.exe

O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe

O4 - HKLM\..\Run: [Windows Media APP] wmapp.exe

O4 - HKLM\..\RunServices: [File System] taskmqrs.exe

O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe

O4 - HKLM\..\RunServices: [Windows Media APP] wmapp.exe

O4 - HKCU\..\Run: [File System] taskmqrs.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Now Open and Run CleanUp!-> When it prompts you to Log Off-> Select NO!

Scan the entire System with Ewido-> Clean all it finds and be sure to click the tab to Save a report!

Click Start-> Run-> Copy&Paste the bold print below into the Open Box and Click OK!

sc delete Rpcmon

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply-> Close-> Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!



Post back with a fresh HijackThis log and the reports from Ewido and Panda!

Edited by Cretemonster, 14 August 2005 - 09:32 AM.
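The file list Wizard hands back in #2 is derived by eye from the log in #1: autostart entries that launch a bare filename with no path, entry names that imitate Windows components ("microsft windows updates", "File System"), and a service with no vendor sitting under \WINDOWS, all cross-checked against the running-process list. The script below is an added example written for this thread, not a tool from the forum or from either poster; it codifies those same checks over a constructed excerpt of the posted log and reproduces the four files from the Killbox list. The near-miss spelling check (edit distance to words such as "microsoft") and the fallback that places a bare filename under C:\WINDOWS\System32 when it is not in the process list are assumptions made for illustration; on a real machine the location must be confirmed before anything is deleted.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted in #1 (sample input, trimmed).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\Rpcmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\taskmqrs.exe
C:\WINDOWS\System32\mwupdate32.exe
C:\WINDOWS\System32\wmapp.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [File System] taskmqrs.exe
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\Run: [Windows Media APP] wmapp.exe
O4 - HKLM\..\RunServices: [File System] taskmqrs.exe
O4 - HKCU\..\Run: [File System] taskmqrs.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe
"""

# O4 registry autostart lines: hive, key name, [entry name], command.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 service lines: display name (short name) - owner - image path.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Words that malware commonly borrows so an autostart entry blends in with Windows' own.
SYSTEM_WORDS = ("microsoft", "windows", "system", "update")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch look-alike spellings such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_name(name):
    """True if any word of the entry name is, or is a near-misspelling of, a system word (assumed heuristic)."""
    for word in re.findall(r"[a-z]+", name.lower()):
        if any(word == s or (len(word) >= 5 and edit_distance(word, s) <= 2) for s in SYSTEM_WORDS):
            return True
    return False


def parse_log(text):
    """Split the log into running-process paths, O4 registry autostart entries and O23 services."""
    processes, runs, services = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
        elif (m := O4_RE.match(line)):
            runs.append(m.groupdict())
        elif (m := O23_RE.match(line)):
            services.append(m.groupdict())
    return processes, runs, services


def triage(text):
    """Return {basename: [reasons]} for the entries a responder would flag in this log."""
    processes, runs, services = parse_log(text)
    findings = {}

    def flag(basename, reason):
        findings.setdefault(basename.lower(), []).append(reason)

    for r in runs:
        cmd = r["cmd"].strip('"')
        if "\\" not in cmd:  # bare filename: no directory, so it is found via the search path
            flag(cmd, f"{r['hive']}\\..\\{r['key']} [{r['name']}] launches a bare filename")
            if looks_like_system_name(r["name"]):
                flag(cmd, f"entry name '{r['name']}' imitates a Windows component")
    for s in services:
        if s["owner"].lower() == "unknown owner" and "\\windows\\" in s["path"].lower():
            flag(s["path"].rsplit("\\", 1)[-1],
                 f"service '{s['display']}' ({s['short']}) has no vendor and lives under \\WINDOWS")
    # Cross-check against the process list: a flagged binary that is running is live, not a stale entry.
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    for base in findings:
        if base in running:
            findings[base].append(f"running as {running[base]}")
    return findings


def kill_list(text):
    """Full paths of the flagged binaries, taken from the running-process list where available."""
    processes, _, _ = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    # Assumption: a bare Run-key filename that is not running is shown under System32,
    # where it would normally be resolved on XP; confirm the real location on the machine.
    return sorted((running.get(b) or "C:\\WINDOWS\\System32\\" + b for b in triage(text)), key=str.lower)


if __name__ == "__main__":
    for base, reasons in triage(HJT_LOG).items():
        print(base)
        for reason in reasons:
            print("   -", reason)
    print("kill list:", kill_list(HJT_LOG))
```

Run against the excerpt, `kill_list` yields exactly the four System32 binaries Wizard lists for Killbox (mwupdate32.exe, Rpcmon.exe, taskmqrs.exe, wmapp.exe), while the Winamp, Lexmark and WinZip entries, which carry full paths and a named vendor, are left alone. The bare-filename rule is the one that does the real work here; the name-imitation and unknown-owner checks add corroborating reasons rather than standing on their own.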
