Stuck

I am usually pretty good about detecting spyware, deleting it, and keeping my computer clean, but I've recently run into a wall that I can't climb. I tried running ad-aware and spybot, but they will not open so that I can use them. Highjackthis will run on my computer, but I can't seem to make it work. Below is the log that I saved from highjackthis. I think the two main filenames for the virus are legi_866 and apili32.

Logfile of HijackThis v1.99.1
Scan saved at 8:11:14 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\legi_866.exe
D:\WINDOWS\system32\apili32.exe
D:\Program Files\Registry Mechanic\RegMech.exe
D:\WINDOWS\javave32.exe
D:\WINDOWS\system32\r?gedit.exe
C:\Music\Liz\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F2EF0145-E3C4-F9AD-B86A-DF66B350B57C} - D:\WINDOWS\system32\addnl.dll
O4 - HKLM\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\apili32.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - D:\WINDOWS\svchost.exe (file missing)

...what in God's name am I supposed to do
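Reading a HijackThis log by hand is error-prone, so below is an added example (my own code, not part of the post above and not anything Crunchie or the HijackThis project supplies) that parses the log as posted and flags the entry classes a reviewer usually looks at first: an unnamed BHO, RunOnce autostarts, unknown Winsock LSP modules, services with an unknown owner, and a running process whose file name contains a character outside the normal ASCII set (the `r?gedit.exe` line, where the odd character was rendered as `?` in the post). The classification rules are my own heuristics, written to mirror what the log itself reports, not a published HijackThis ruleset.

```python
import re

# The HijackThis log exactly as posted above (copied from the post, not constructed).
LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:11:14 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\legi_866.exe
D:\WINDOWS\system32\apili32.exe
D:\Program Files\Registry Mechanic\RegMech.exe
D:\WINDOWS\javave32.exe
D:\WINDOWS\system32\r?gedit.exe
C:\Music\Liz\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F2EF0145-E3C4-F9AD-B86A-DF66B350B57C} - D:\WINDOWS\system32\addnl.dll
O4 - HKLM\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\flsmngr.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\apili32.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - D:\WINDOWS\svchost.exe (file missing)
"""

# A HijackThis entry line: section code (R3, O2, O4, O10, O23, ...), " - ", body.
ENTRY_RE = re.compile(r"^(?P<sect>[RFNO]\d+) - (?P<body>.*)$")
# File names we consider ordinary: ASCII letters, digits, underscore, dot, dash.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")
# A Windows path ending in .exe or .dll, e.g. D:\WINDOWS\system32\addnl.dll
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s]+?\.(?:exe|dll)", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into the running-process list and the scan entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Return (section, text, reason) for every line worth a second look (heuristic)."""
    findings = []
    for path in parsed["processes"]:
        name = path.rsplit("\\", 1)[-1]
        if not SAFE_NAME.match(name):
            findings.append(("process", path,
                             "file name contains a non-ASCII character; look-alike of a system binary"))
    for sect, body in parsed["entries"]:
        reason = None
        if sect == "R3" and "missing" in body:
            reason = "default URLSearchHook missing"
        elif sect == "O2" and body.startswith("BHO: (no name)"):
            reason = "browser helper object with no name"
        elif sect == "O4" and "RunOnce:" in body:
            reason = "RunOnce autostart entry"
        elif sect == "O10" and body.startswith("Unknown file in Winsock LSP"):
            reason = "unknown Winsock LSP module"
        elif sect == "O23" and "Unknown owner" in body:
            reason = "service with unknown owner"
        if reason:
            findings.append((sect, body, reason))
    return findings


def referenced_files(findings):
    """Unique .exe/.dll paths named by the flagged lines, in first-seen order."""
    files, seen = [], set()
    for _, text, _ in findings:
        for p in PATH_RE.findall(text):
            if p.lower() not in seen:
                seen.add(p.lower())
                files.append(p)
    return files


if __name__ == "__main__":
    parsed = parse_log(LOG)
    for sect, text, reason in triage(parsed):
        print(f"[{sect:>7}] {reason}: {text}")
    print("\nFiles named by flagged lines:")
    for p in referenced_files(triage(parsed)):
        print("  " + p)
```

The output is a review list, not a fix list: note that the reply below does not put the three O10 lines in its "Fix checked" set, and that is deliberate, since removing a Winsock LSP module without repairing the LSP chain can leave the machine without working networking. The same goes for the running-process list; the parser only points at the odd `r?gedit.exe` name so a human can compare it with the real `regedit.exe` in `system32`.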

Comments

  • Crunchie, Mandurah, Western Australia. Member
    edited April 2005
    Hi :). Can you please zip up the following file and send it to opera.fan.1ATgmail.com (replace the AT with @)

    d:\windows\system32\flsmngr.dll

    Run the PurityScan uninstaller.

    We need to see if there are any program segments (prefetches) that may be present and are connected with the problems you are having. To do that, please do the following:

    1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

    legi_866.exe*
    javave32.exe*

    2) Then if any are found in the 'prefetch' folder, delete them.

    Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

    ===============

    Next, Open a command prompt by:

    1. Clicking "Start", then "Run...".
    2. Enter "cmd" (without the quotes).
    3. Enter "services.msc" (without the quotes).

    -

    Now, locate and 'stop' the following services, if present:

    Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) owner ... (D:\WINDOWS\system32\apili32.exe)

    Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    D:\WINDOWS\System32\legi_866.exe
    D:\WINDOWS\system32\apili32.exe
    D:\WINDOWS\javave32.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Now, let's open a command prompt again. Unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u addnl.dll

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

    ===============

    Run HiJackThis and click "Scan", then check(tick) the following, if present:


    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {F2EF0145-E3C4-F9AD-B86A-DF66B350B57C} - D:\WINDOWS\system32\addnl.dll

    O4 - HKLM\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] D:\WINDOWS\System32\spoolsrv32.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\apili32.exe


    Now, with all windows closed except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

    files...

    D:\WINDOWS\System32\legi_866.exe
    D:\WINDOWS\system32\apili32.exe
    D:\WINDOWS\javave32.exe
    D:\WINDOWS\system32\addnl.dll
    D:\WINDOWS\System32\spoolsrv32.exe

    -

    Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    This is a CWS infection so you may have more entries when you reboot. Please do not delete anything with hijackthis. Just rescan immediately after the reboot.

    ===============

    After rebooting your PC, post back a new log and let me know how everything goes.

    -

    crunchie.