filius
Jun 6 2005, 07:57 AM
Well... My computer was giving me trouble before, so I got someone to come over and wipe the memory and re-install the OS and everything.
The person that came over told me that I had a virus called "ServicesS.exe".
Anyway... I had saved all my stuff on a CD. When I put all this stuff back on my desktop, I began having trouble again.
I was wondering if this virus could have spread through the CD.
Also, what should I do to remove, prevent it (and any other da** virus) from coming back and driving me nuts?
I'm so sick of this. I'm getting a Mac, next time.
(OS: XP)
Help me, I beg you! :'(
Bobbi Flekman
Jun 6 2005, 11:21 AM
Download HijackThis.
http://www.bleepingcomputer.com/files/hijackthis.php
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.downloads.subratam.org/hijackthis.zip
If you are on Windows XP, extract the file. Do not just double-click on it! This opens HijackThis in a temporary folder. This would interfere with the possibility to make back-ups.
Unzip to a folder other than your Desktop or the Temp folder. Then, double-click HijackThis.exe, and click "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that and copy and paste its contents in this thread.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
filius
Jun 6 2005, 02:22 PM
Okay... something just happened.
I used to have an Admin account on XP, and so did the other person on this computer.
But now, neither of us can log on. What happens is, the wallpaper loads and it hangs. So it's just the wallpaper there with no icons or taskbar, NOTHING.
So I went into safe mode and changed my account type to "Limited". It works now.
I tried to scan, but I don't have access to all sorts of files now that I'm not an Administrator.
So now, I don't know what to do...
I'm going to go into safe mode and run the Hijackthis... I hope it works.
EDIT:
I ran Hijackthis in safe mode using the Administrator Account. This is what the logfile says:
Logfile of HijackThis v1.99.1
Scan saved at 10:25:53 PM, on 6/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F19A32BF-045C-D215-B018-891F2A09E49D} - C:\DOCUME~1\CHRIST~1\APPLIC~1\BIASJU~1\trust nurb.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Win32 NDIS Device] ndiswin.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SeekLoveDrvBike] C:\Documents and Settings\All Users\Application Data\Flag Bleh Seek Love\bytesafe.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Windows TM] ServicesS.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [REMOVE ME] winsdoga.exe
O4 - HKLM\..\RunServices: [Win32 NDIS Device] ndiswin.exe
O4 - HKLM\..\RunServices: [Windows TM] ServicesS.exe
O4 - HKLM\..\RunServices: [REMOVE ME] winsdoga.exe
O4 - HKLM\..\RunOnce: [Win32 NDIS Device] ndiswin.exe
O4 - HKLM\..\RunOnce: [Windows TM] ServicesS.exe
O4 - HKLM\..\RunOnce: [REMOVE ME] winsdoga.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
So, am I screwed?
Is there a way of getting rid of these problems and viruses with reinstalling the OS or doing something drastic? If there isn't, then I'll do whatever I need to do..
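Added example, not part of the original posts: a small Python triage pass over the O4 (autorun) lines of a HijackThis log like the one above. The three heuristics (no directory in the command, a path under a temp folder, the same image registered under more than one Run key) are assumptions chosen for illustration; they mark entries for a closer look and are not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Win32 NDIS Device] ndiswin.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [Windows TM] ServicesS.exe
O4 - HKLM\..\Run: [REMOVE ME] winsdoga.exe
O4 - HKLM\..\RunServices: [Win32 NDIS Device] ndiswin.exe
O4 - HKLM\..\RunServices: [Windows TM] ServicesS.exe
O4 - HKLM\..\RunOnce: [Windows TM] ServicesS.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Executable image: a quoted path, or everything up to the first ".exe".
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)


def triage(log_text):
    """Return {image: [reasons]} for registry autoruns worth a closer look."""
    keys_by_image = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry Run-style entry (e.g. Global Startup)
        _hive, key, _name, command = m.groups()
        img = IMAGE_RE.match(command)
        image = (img.group(1) or img.group(2)) if img else command
        keys_by_image[image.lower()].add(key)

    findings = {}
    for image, keys in keys_by_image.items():
        reasons = []
        if "\\" not in image:
            reasons.append("no-path")    # location decided by the search path
        if "\\temp\\" in image:
            reasons.append("temp-dir")   # autorun launched from a temp folder
        if len(keys) > 1:
            reasons.append("multi-key")  # same image under several Run keys
        if reasons:
            findings[image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG).items():
        print(f"{image}: {', '.join(reasons)}")
```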
Mosaic1
Jun 6 2005, 04:22 PM
Bobbi isn't here right now. But I see you have been around. You have the virus for sure. And we want that gone.
However, I am thinking your no Explorer in regular mode in Admin accounts is a debugger issue.
Go here in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
If there is the explorer.exe subkey, then highlight it and look in the right pane for an entry named Debugger.
What does it say for the data?
Although I bet the file is gone. So you'll need to remove the subkey. To do that you'll likely have to be signed in as an admin. Try that in Safe mode in a short bit.
But do not reboot yet. Let me know if that entry is in your registry. Then I'll give you more instructions so you can try to clean up while you are there.
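Added example, not part of the original posts: the manual check described above, extended to every image under Image File Execution Options. It assumes the key has been saved to text with `reg export` and read in as a string; the sample export and the path in it are constructed.

```python
import re

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of `reg export` text; the Debugger path is made up.
# Real exports are UTF-16, so read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\example\\gone.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

SECTION_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$")
VALUE_RE = re.compile(r'^"debugger"="(.*)"$', re.I)


def find_debuggers(export_text):
    """Return {image name: Debugger data} for each IFEO subkey that sets one."""
    found, image = {}, None
    prefix = IFEO.lower() + "\\"
    for line in export_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            path = sec.group(1)
            rest = path[len(prefix):] if path.lower().startswith(prefix) else ""
            # Only direct children of the IFEO key name an executable image.
            image = rest if rest and "\\" not in rest else None
            continue
        val = VALUE_RE.match(line)
        if val and image:
            # .reg string data escapes backslashes and quotes with a backslash.
            found[image.lower()] = re.sub(r"\\(.)", r"\1", val.group(1))
    return found


if __name__ == "__main__":
    for image, debugger in find_debuggers(SAMPLE_EXPORT).items():
        print(f"{image} is redirected to: {debugger}")
```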
Mosaic1
Jun 6 2005, 04:26 PM
Post a startuplist too please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes next to the Generate StartupList log and then click the generate startuplist log button.
Paste the contents into your next reply here.