Grrrr

Hi all. I finally got hit with something. Kernels32.exe was asking for access to the net. I now cant get into task manager. It tells me admin has disabled it, I am admin. I cant do system restore, it tells me its unsuccessful. I got rid of kernel32 but am not sure what damage it has done.
Am running up to date AVG, Spyware Blaster, Spybot S/D, Ad-aware 1.06 and ZA Pro. Ran Panda and came up clean.

Logfile of HijackThis v1.99.1
Scan saved at 4:02:58 PM, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\DeskTool\DeskTool.exe
C:\Program Files\Hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://s6.invisionfree.com/Computer_Friends
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://s6.invisionfree.com/Computer_Friends
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: DeskTool.lnk = C:\Program Files\DeskTool\DeskTool.exe
O4 - Startup: Shortcut to avgcc.exe.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097713304671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

TIA

__________________

Your log looks clean on the surface.

Just some links to browse:

http://www.google.co.uk/search?hl=en...2.exe+&spell=1

http://groups-beta.google.com/group/...l32.exe&hl=en&

http://groups-beta.google.com/group/...restore&qt_g=1

If you have a full version XP CD I would recommend running sfc /scannow

Details here:

http://www.updatexp.com/scannow-sfc.html

Hope this helps.

Yeah it looked clean to me too Jephree. I went into regedit and fixed the task manager, the sod had set the value to 1. I only have a rescue disk, OS came on the machine.

__________________

Have you re-set System Restore by turning it off/ on?

Rt. click My Computer Properties System Restore.

Just did that now, will see if it works after a reboot.

__________________

Ok now have system restore and task manager working again. Only thing different I can see now is under documents and settings an Administrator folder has been made. Used to just be all users, default user and me?

__________________

Is this XP Home version?

What I am thinking is under the Home version the "built-in" Admin account is hidden.

Only visable via Safe Mode. Unless something was changed in order to see it.

Yes its XP home. Its possible it was hidden. I didnt do anything to make it visible, maybe the trojan? Who knows. All I'll have to do now is figure out how to hide it again. lol

__________________

Perhaps in the following... sorry, it's dawn here & I forgot to sleep

The second link is taken from the first so maybe best to start there:
Scroll to top

http://groups-beta.google.com/group/...rch+this+group

http://groups-beta.google.com/group/...35ec6a26e0e3cc

Thanks Jephree, go get some sleep.

__________________