wikki
2007-06-08, 14:11
Hi, a few days ago my Explorer started to pop up while surfing; its name was changed to Viva TermeX, and the S&D scan told me it was Zinblog.
S&D wasn't able to kill it, and I found more problems with registry changes.
I have no protection installed, HouseCall doesn't work, and I can't update Windows SP2 to SP4.
I deleted the svchost Zinblog had made from my system folder yesterday as a wild guess, but I still have the 2 registry changes and maybe more.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig!=0
HKEY_USERS\S-1-5-21-448539723-484763869-1957994488-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun!=W=0
I'm already backing up some data now and preparing for a format, since my Windows 2000 has errors as well and wasn't properly installed in the first place.
Can you give me advice on what to try next, please?
Thanks, wikki
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:07:42, on 8-6-2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
Boot mode: Normal
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\notepad.exe
D:\WINNT\system32\notepad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\incomin\up200\new up200\HiJackThis_v2.0.0.0.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-448539723-484763869-1957994488-1000 Startup: Publieke Omroeplezer.lnk = D:\Program Files\Publieke Omroeplezer\Polezer.exe (User '?')
O4 - Startup: Publieke Omroeplezer.lnk = D:\Program Files\Publieke Omroeplezer\Polezer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
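The log above is the kind of thing a helper reads by hand: IE start/search pages reset to about:blank (R0/R1), policy keys that lock the user out of regedit and the Run box (O6/O7, plus the Spybot registry lines in the post), and startup items or running processes whose image name imitates a Windows system binary but lives outside the system directory (the "svchost" the poster deleted). The script below is an added example, not code from the post or from HijackThis: it parses HijackThis 2.0-style lines and flags those three classes of entry. The sample log is constructed for the example (a trimmed copy of the posted format plus one invented O4 svchost line to exercise the masquerade check), and the list of system image names treated as "must live in system32" is an assumption of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input in the HijackThis 2.0 log format shown in the post.
# The "D:\WINNT\svchost.exe" process and O4 lines are invented for this example.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\svchost.exe
D:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [svchost] D:\WINNT\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
"""

# "R1 - <body>", "O4 - <body>" and so on.
HJT_ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# Lines in the "Running processes:" block are bare drive-rooted paths.
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
# First drive-rooted path ending in .exe inside an O4 body (paths may contain spaces).
EXE_PATH = re.compile(r"([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)
# "DisableRegedit=1" style value in an O7 body.
POLICY_VALUE = re.compile(r"(\w+)=(\d+)")

# Assumption of this example: image names that only legitimately run from
# the system directory, so the same name elsewhere is worth a close look.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


def masquerades(image):
    """True if a system image name is found outside a system32 directory.

    A bare name with no directory (e.g. "svchost.exe") cannot be verified and
    is also flagged."""
    p = PureWindowsPath(image)  # collapses the "\\" seen in some O4 lines
    if p.name.lower() not in SYSTEM_IMAGES:
        return False
    return p.parent.name.lower() != "system32"


def o4_image(body):
    """Return the program an O4 autorun entry launches, or None."""
    m = EXE_PATH.search(body)
    if m:
        return m.group(1)
    # No drive-rooted path: fall back to the first token after the [name].
    m = re.search(r"\] (\S+)", body)
    return m.group(1) if m else None


def triage(log_text):
    """Scan HijackThis log text and return (finding_kind, detail) pairs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            # Not a numbered entry; check it as a running-process path.
            if PROCESS_LINE.match(line) and masquerades(line):
                findings.append(("process_masquerade", line))
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append(("ie_reset", body))          # hijacked/blanked IE page
        elif code == "O6":
            findings.append(("policy_lockout", body))    # IE control panel policy
        elif code == "O7":
            v = POLICY_VALUE.search(body)
            findings.append(("policy_lockout", v.group(1) if v else body))
        elif code == "O4":
            image = o4_image(body)
            if image and masquerades(image):
                findings.append(("startup_masquerade", body))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The policy findings are the ones to act on first: with DisableRegedit=1 and NoRun set, the user cannot undo the other changes by hand, so those values have to be cleared (from an account that can still write the policy keys, or offline) before the R0/R1 entries are fixed. The masquerade check is deliberately conservative; a match is a prompt to verify the file, not a verdict.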