Infected by a soberj worm

[Richie]

The error comes up every 2-3 minutes saying STOP: 0x10020A2F Possible Reason: the firewall is blocking one or more system files.

Could anyone please give me advise on how to fix this?

[Mobo]

Hi and welcome Richie

Lets have a closer look at whats going on and run a few scanners in the process first..

First
Get The latest version of Adaware
You can download the free version here:
[Only Registered and Activated Users Can See Links. Click Here To Register...]

or here (alternate download location)
[Only Registered and Activated Users Can See Links. Click Here To Register...]

You need to be logged on as Adminstrator through the installation.
For ease in installation and operation, view the tutorial here [Only Registered and Activated Users Can See Links. Click Here To Register...]

Just download it to your desktop and then to install click on the file you just downloaded (aawsepersonal.exe). You will be guided through the installation. It is recommended to use the default setting of "Protect anyone who uses this computer".

On the main screen of Adaware please look for the *check for updates now* link, just above the start button in the bottom right corner or you can click on the Webupdate button that looks like a globe icon at the top. Press * connect* to let it check for any recent updates. If any are found, please let it download and install them.

Now, configure your settings. Click the gear icon at the top. These are the recommended settings:

AAW SE settings

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

On your first scan, use the Full Scan (Perform full system scan) mode.

Let Adaware remove any *bad* objects found. Reboot your PC and scan again. Repeat this process until no more bad items are found. It may take several scans to clean everything, depending on the type of infections found.
________________________
Download Spybot - Search & Destroy, from here [Only Registered and Activated Users Can See Links. Click Here To Register...] if you haven't already got the program.
For ease in installation and operation you can opt to view the tutorial here [Only Registered and Activated Users Can See Links. Click Here To Register...]

Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.

Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Secondly
Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

[Only Registered and Activated Users Can See Links. Click Here To Register...]

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

[Richie]

Thank you very much for your quick reply.. I am running the adaware now, but I can't connect to the internet for some reason.. Anyway I used this pc to get the hijackthis log... here it is.

Logfile of HijackThis v1.99.0
Scan saved at 1:51:17 PM, on 13/Jan/05
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\NORMAN\nvc\bin\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINNT\Explorer.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\csrss.exe
C:\WINNT\System32\hostservice.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
\accountant\garry\My Pictures\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Only Registered and Activated Users Can See Links. Click Here To Register...]
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [discrun] C:\WINNT\System32\diagspool.exe
O4 - HKLM\..\Run: [diagsysdi**] C:\WINNT\System32\hostservice.exe %srun%
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [Key Logger] c:\csrss.exe
O4 - HKCU\..\Run: [hostcrypt32] C:\WINNT\System32\diagspool.exe
O4 - HKCU\..\Run: [cryptx] C:\WINNT\System32\hostservice.exe %srun%
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northpac.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E94941F-808C-4D31-9710-2D7CBCB6843C}: NameServer = 192.168.0.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northpac.co.nz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = northpac.co.nz
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown - C:\NORMAN\nvc\bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE

I really appreciate your help.

[Mobo]

Download this tool, load it onto a floppy and run it on the system now then reboot and try it on the net..

[Only Registered and Activated Users Can See Links. Click Here To Register...]

[Mobo]

In addition please rescan with hijack and post a fresh log after rebooting from the Symantec scanner.