big problems

Discussion in 'Home Networking' started by Jim W, Mar 10, 2005.

  1. Jim W

    NBT Guest

    This basically means if you try to access any of the web-sites listed on the
    right you will in fact be sent to the MSN Address
    Since you have Spybot working you can remove all of the above entries using
    Spybot->Advanced mode->tools->Hosts file
    highlight the entries and click on remove selected entries.

    The only entry you need is local host.
    NBT, Mar 11, 2005

  2. Jim W

    Rob Morley Guest

    ITYM localhost
    Rob Morley, Mar 11, 2005

  3. Jim W

    NBT Guest

    Yes one of the penalties of doing things by memory instead of actually
    NBT, Mar 11, 2005
  4. Without starting an AV thread, I suggest you try NOD32. It isn't free but has a very
    good reputation for virii detection, including "unknown" ones. It uses a particularly
    efficient heuristic detection method. AVG isn't one of the better offerings (IMHO of

    I run NOD32 on the network at work and I'm very pleased with its performance.

    The link is: and click on "trial version".

    it also has a very small effect on your machine as regards slowing performance etc

    I hope this helps
    Andrew Sayers, Mar 11, 2005
  5. Jim W

    Jim W Guest

    Sorry Andrew, but all links posted here have failed, yours included

    but thank you for the advice

    Jim W, Mar 11, 2005
  6. Jim W

    Jim W Guest

    NBT, here we go

    Spybot runs in safe mode, when I go to hosts, ALL the entries are
    213.199.154.54. and there is no or should that be ITYM localhost,
    is it safe to delete them all?

    HJT? please remind me, tiring now

    Thanks for sticking with it

    Jim W, Mar 11, 2005
  7. Jim W

    mikeFNB Guest

    just finished a 24hrs shift.

    where have you got to now?

    mikeFNB, Mar 12, 2005
  8. Jim W

    NBT Guest

    ITYM = I Think You Mean

    When you look in a normal "Hosts" file the first entry is localhost

    I want you for the present to ignore this and use Spybot to remove all
    the entries as previously explained.
    Then go to

    Download the free 30-day trial version of KAV PERSONAL.
    Disable your AVG s/ware and then install and run KAV (having 2 AVs
    running together can cause conflicts). Check updates for KAV and then run
    a scan.
    If any viruses/Trojans appear, rescan until no more show up. I want you
    to use KAV because it detects more than just viruses.

    When done post another HJT Log.

    I am being dragged off to Manchester this morning and will not be back
    until late afternoon so will not be able to reply till then.

    NBT, Mar 12, 2005
  9. Jim W

    Jim W Guest


    Used Spybot to get rid of all entries in the hosts file; link
    to Kaspersky and all other AV and Windows help sites still won't work, still
    can't open and install Windows updates sitting in system tray.

    Jim W, Mar 12, 2005
  10. Jim W

    Jim W Guest

    Hi Mike

    24hr shift, hospital? Can you sew my daughter's fingers back on please :)

    update, see last post Mike

    Jim W, Mar 12, 2005
  11. Jim W

    NBT Guest

    Well just had one of the quickest shopping trips on record!

    Did you do this in "Safe Mode"?
    If not, go to "Safe Mode" and run HJT.

    Put a check mark against these
    O4 - HKLM\..\Run: [DsmSer] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\System32\svosm.exe
    O4 - HKLM\..\RunServices: [DsmSer] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\System32\svosm.exe

    Click on "fix checked"

    Run HJT again to make sure they are not there.

    Reboot into safe mode again and recheck HJT to make sure entries are

    If the 213 entries were again listed try deleting again and try the
    web-sites again.

    The worm prevents "System Restore" and your "Updates"


    When, W32.Serflog.B is executed, it performs the following actions:

    1. Creates the following mutex so that only one instance of the worm
    is run on the compromised computer:


    2. Creates the following hidden copies of itself:

    * %System%\sysup.exe
    * %System%\msmpatch.exe
    * %System%\svosm.exe
    * %Windir%\msmpatch.exe
    * %Windir%\dsm.exe
    * %SystemDrive%\One Eye Granny pic!.pif
    * %SystemDrive%\Me drunk at The Sea!.pif
    * %SystemDrive%\Punk Lives! lol.pif
    * %SystemDrive%\Me Love You Long Time.pif
    * %SystemDrive%\Me pic.pif
    * %SystemDrive%\HillBilly Chick lol.pif
    * %SystemDrive%\Dumb Looking Goth Chick.pif
    * %SystemDrive%\Hot Blonde!.pif
    * %SystemDrive%\Modelling Her New Bikini.pif
    * %SystemDrive%\Crazy Japanese man kicks crazy frog!.pif
    * %SystemDrive%\Funny Hitler parody!.pif
    * %SystemDrive%\My birthday pic!.pif
    * %SystemDrive%\Funny Hitler parody.pif
    * %UserProfile%\Local Settings\Application Data\Microsoft\CD

    * %System% is a variable that refers to the System folder. By
    default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
    (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    * %Windir% is a variable that refers to the Windows
    installation folder. By default, this is C:\Windows (Windows
    95/98/Me/XP)or C:\Winnt (Windows NT/2000).
    * %SystemDrive% is a variable that refers to the drive on
    which Windows is installed. By default, this is drive C.
    * %UserProfile% is a variable that refers to the current
    user's profile folder. By default, this is C:\Documents and
    Settings\<Current User> (Windows NT/2000/XP).

    3. Drops the hidden file %SystemDrive%\Crazy.Html.

    4. Adds the value:

    "[Value]" = "[File name]"

    to the registry subkeys:


    so that the worm is executed every time Windows starts.

    Where [Value] is one of the following:

    * AvSer
    * DsmSer
    * rollbk

    and where [File name] is one of the following:

    * %System%\sysup.exe
    * %System%\svosm.exe
    * %System%\msmpatch.exe
    * %Windir%\dsm.exe

    5. Adds the registry values:

    "DisableConfig" = "0"
    "DisableSR" = "0"

    to the registry subkey:


    to disable system restore.

    6. Sends a copy of itself to all the contacts in MSN Messenger using
    one of the following file names:

    * Crazy frog gets killed by train!.pif
    * Annoying crazy frog getting killed.pif
    * See my lesbian friends.pif
    * My new photo!.pif
    * Me on holiday!.pif
    * The Cat And The Fan piccy.pif
    * How a Blonde Eats a Banana...pif
    * Mona Lisa Wants Her Smile Back.pif
    * Topless in Mini Skirt! lol.pif
    * Fat Elvis! lol.pif
    * Jennifer Lopez.scr

    7. Copies itself to the following folders, which are used by various
    file-sharing applications:

    * %SystemDrive%\My Shared Folder
    * %UserProfile%\Shared
    * %ProgramFiles%\Program Files\eMule\Incoming

    Note: %ProgramFiles% is a variable that refers to the
    program files folder. By default, this is C:\Program Files.

    The worm copies itself to the above folders using the
    following file names:
    * MSN Display picture stealer.exe
    * MSN Messenger 7.exe
    * MSN Avatar Creator.exe

    8. Adds the text:


    to the following file:

    %UserProfile%\Local Settings\Application Data\Microsoft\CD

    9. Terminates the following processes:

    * apvxdwin.exe
    * atupdater.exe
    * aupdate.exe
    * autodown.exe
    * autotrace.exe
    * autoupdate.exe
    * avconsol.exe
    * avengine.exe
    * vpupd.exe
    * avsynmgr.exe
    * avwupd32.exe
    * avxquar.exe
    * bawindo.exe
    * blackd.exe
    * ccapp.exe
    * ccevtmgr.exe
    * ccproxy.exe
    * ccpxysvc.exe
    * cfiaudit.exe
    * defwatch.exe
    * drwebupw.exe
    * escanh95.exe
    * escanhnt.exe
    * firewall.exe
    * frameworkservice.exe
    * icssuppnt.exe
    * icsupp95.exe
    * luall.exe
    * lucoms~1.exe
    * mcagent.exe
    * mcshield.exe
    * mcupdate.exe
    * mcvsescn.exe
    * mcvsrte.exe
    * mcvsshld.exe
    * navapsvc.exe
    * navapw32.exe
    * nisum.exe
    * nopdb.exe
    * nprotect.exe
    * nupgrade.exe
    * outpost.exe
    * pavfires.exe
    * pavproxy.exe
    * pavsrv50.exe
    * rtvscan.exe
    * rulaunch.exe
    * savscan.exe
    * shstat.exe
    * sndsrvc.exe
    * symlcsvc.exe
    * Update.exe
    * updaterui.exe
    * vshwin32.exe
    * vsstat.exe
    * vstskmgr.exe
    * cmd.exe
    * msconfig.exe
    * msdev.exe
    * ollydbg.exe
    * peid.exe
    * petools.exe
    * regedit.exe
    * reshacker.exe
    * taskmgr.exe
    * w32dasm.exe
    * winhex.exe
    * wscript.exe

    10. Adds the following text to the Hosts file to block access to
    various Web sites, some of which may be security-related:
    NBT, Mar 12, 2005
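As an added example (not from the thread or the quoted Symantec write-up), this script checks HJT O4 autorun lines against the value names and dropped file names listed for W32.Serflog.B above. The sample log lines are constructed from the entries posted in this thread.

```python
import re
from typing import Dict, List, Tuple

# Autorun value names and dropped file names taken from the W32.Serflog.B
# description quoted in the thread.
WORM_VALUES = {"AvSer", "DsmSer", "rollbk"}
WORM_FILES = {"sysup.exe", "msmpatch.exe", "svosm.exe", "dsm.exe"}

# Constructed sample: a few O4 lines in the shape of the HJT log posted here.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# HJT O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_o4(log: str) -> List[Dict[str, str]]:
    """Return one dict (hive, key, name, cmd) per O4 line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program an autorun command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]  # quoted path, may contain spaces
    else:
        path = cmd.split()[0]  # first token up to the first space
    return path.rsplit("\\", 1)[-1].lower()


def flag_serflog(log: str) -> List[Tuple[str, str, str, List[str]]]:
    """(key, value name, exe, reasons) for O4 entries matching the worm indicators."""
    hits = []
    for e in parse_o4(log):
        reasons = []
        if e["name"] in WORM_VALUES:
            reasons.append("value name matches worm")
        exe = exe_basename(e["cmd"])
        if exe in WORM_FILES:
            reasons.append("file name matches worm drop")
        if reasons:
            hits.append((e["key"], e["name"], exe, reasons))
    return hits
```

Run it over a full saved HJT log instead of SAMPLE_LOG to list exactly the lines to tick before "fix checked".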
  12. Jim W

    Clint Sharp Guest

    Jim, if you boot the PC to safe mode and run Spybot SD what does it
    Clint Sharp, Mar 12, 2005
  13. Jim W

    Jim W Guest


    Did everything you said, links still won't work


    Jim W, Mar 12, 2005
  14. Jim W

    Jim W Guest

    Only "people on page" Chris


    Jim W, Mar 12, 2005
  15. Jim W

    NBT Guest

    Just to be on the safe side, in your "Messenger" options make sure that
    Messenger does not run on Windows start; hopefully this will stop your
    machine from receiving or sending any messages (worms) while we sort this

    Reboot in safe mode

    We will try another method of modifying the "Hosts" file.

    # Windows XP

    1. Click Start > Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:


    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click More advanced options.
    6. Check Search system folders.
    7. Check Search subfolders.
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each Hosts file that you find, right-click the file, and then
    click Open With.
    11. Deselect the Always use this program to open this program check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. When the file opens, delete all the entries referring to (complete lines e.g.

    14. Close Notepad and save your changes when prompted.

    Open file again and confirm there are no

    Hopefully you will only have localhost

    If this is so run Spybot->advanced mode->tools->IE tweaks and put a
    check in the box "lock Hosts file"

    Run HJT and copy log here so I can see what it says.
    NBT, Mar 12, 2005
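As an added example (not from the thread), this script does what the manual Notepad procedure above and the earlier Spybot advice do: it flags hosts-file entries that point a hostname at anything other than loopback and rebuilds the file with only the localhost entries. The sample hosts file is constructed to match the thread's description (security sites redirected to one 213.x address).

```python
import ipaddress
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample modelled on the thread: AV/update sites all pointing at
# a single non-loopback 213.x address (the address is a sample, not an IoC).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
213.199.154.54  www.kaspersky.com
213.199.154.54  windowsupdate.microsoft.com   # added by worm
213.199.154.54  www.grisoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) per entry; comments and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an address; ignore rather than guess
        entries.append((ip, parts[1:]))
    return entries


def hijacked_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Entries mapping a hostname to something other than loopback."""
    return [(ip, names) for ip, names in parse_hosts(text) if ip not in LOOPBACK]


def clean_hosts(text: str) -> str:
    """Rebuild the file keeping comments and loopback entries only."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)  # keep blank lines and comments as they are
            continue
        parsed = parse_hosts(raw)
        if parsed and parsed[0][0] in LOOPBACK:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

On Windows XP the file to read is C:\WINDOWS\system32\drivers\etc\hosts (the path from the thread); write the cleaned text back only after reviewing the flagged lines.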
  16. Jim W

    Jim W Guest

    OK NBT

    Did search for hosts, these are files that hold files, they

    host.20050310 233003.backup this one has
    "C:\WINDOWS\system32\drivers\etc\hosts.20050310-233003.backup" as the target
    in properties
    then there are about 14 more that start
    hosts.20050312-114539 backup C\WINDOWS\system32 drivers

    Basically, is it safe to delete ALL files


    Jim W, Mar 12, 2005
  17. Jim W

    NBT Guest

    If they are all copy, .bak or backup, ignore them; we are only interested in the one
    labelled "Hosts".
    If the "Hosts" file has no 213 entries lock it using spybot and run HJT and
    post a copy.

    NBT, Mar 12, 2005
  18. Jim W

    Jim W Guest

    Turned off Messenger in all four accounts, daughter downloaded "crazy frog"
    from one of her pals, same night problems started
    Hosts is clear
    HJT results

    Logfile of HijackThis v1.99.1
    Scan saved at 16:55:40, on 12/03/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Documents and Settings\Jim\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
    Internet Explorer provided by Freeserve
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program
    Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} -
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
    Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
    Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    O8 - Extra context menu item: Search with Freeserve -
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
    C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    O9 - Extra button: Medion-UK - {E2FE0687-6D9A-4136-8B83-591878BF4C0E} - (file missing) (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet
    O12 - Plugin for .spop: C:\Program Files\Internet
    O16 - DPF: Yahoo! Bingo -
    O16 - DPF: Yahoo! Dominoes -
    O16 - DPF: Yahoo! MahJong Solitaire -
    O16 - DPF: Yahoo! Tic-Tac-Toe -
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    Class) -
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
    O23 - Service: C-DillaSrv - C-Dilla Ltd -
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON
    CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

    Jim W, Mar 12, 2005
  19. Jim W

    NBT Guest

    I want you to tick the boxes to the left hand side of these in HJT

    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\System32\sysup.exe

    Then click on "fix checked" and run HJT again.

    If these 4 items have disappeared I want you to open Internet Explorer and
    manually type in ( do not click on this as a hyperlink)

    If it takes you to the web site type this location into IE

    Download the 30 day free trial. Disable your AVG (probably rt clicking on
    icon in system tray will give you the option). Install KAV, run upgrade and
    then scan, if it finds anything rescan until clear (It may say that Spybot
    has locked files and it is unable to scan but ignore this)

    Do you know anything about editing your Registry?

    NBT, Mar 12, 2005
  20. Jim W

    Jim W Guest


    Thank you for that, have now been able to download kaspersky, and I can open
    avg, will start scan but it may take some time

    Sorry, know nothing about Registry, but I have a feeling I soon might

    Thanks again


    Jim W, Mar 12, 2005