https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428175#M5444 Danny, <BR /><BR />You came to the right place. My company was one of the first ones attacked by this malware. See my post:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683</A><BR /><BR />Yours is a slightly newer version and uses a few different names.<BR /><BR />You got it because your PC did not have the latest Microsoft updates and you will get it again until you get the updates or download and run Zone Alarm. It is a good idea to run Zone Alarm. It will give you a chance to download the updates without being reinfected.<BR /><BR /><A href="http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp" target="_blank">http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp</A><BR /><BR /><BR /><BR />Boot into Safe Mode (F8 - without networking)<BR />and check the following then Fix Checked:<BR /><BR />R3 - Default URLSearchHook is missing<BR />O4 - HKLM\..\Run: [Microsoft update service] systemm.exe<BR />O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe<BR />O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe<BR />O4 - HKLM\..\RunServices: [Microsoft update service] systemm.exe<BR /><BR />O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe<BR />O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe<BR /><BR /><BR />Before you reboot open Explore (Right click on Start and select Explore) and locate the folder C:\Windows\System32. You will probably have to tell it you want to see the hidden files. See the following article:<BR /><BR /><A href="http://www.bleepingcomputer.com/forums/tutorial62.html" target="_blank">http://www.bleepingcomputer.com/forums/tutorial62.html</A><BR /><BR />Change it to display Details instead of Icons then find one of the files that you know belongs to the virus. msfirewall.exe winssv.exe or bling.exe. Sort by Date by clicking on the top of the date column. Find all other programs that have the same date. You may want to open the file O (or it may use another letter by now) with notepad to see who you got the virus from. If it says 0.0.0.0 then I think you opened an email but usually it will tell you what IP address infected it. Delete all of the files from the same date and time. Repeat for the C:\Windows and C:\ folders. <BR /><BR />Reboot with the network cable disconnected and you should be clear of the virus now. As I mentioned earlier if you don't patch your system or run Zone Alarm the virus will get you almost as soon as you reconnect the cable. Patches are at: <A href="http://windowsupdate.microsoft.com" target="_blank">http://windowsupdate.microsoft.com</A><BR /><BR />Ron Tue, 23 Nov 2004 11:49:30 GMT Ron Kinner 2004-11-23T11:49:30Z https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428173#M5442 My PC is being attacked by bling.exe ,winssv ,<BR />winfirewall virus. Can someone please help.<BR />Attached are my HijackThis Log.<BR />Your help will be much appreciated<BR /> Tue, 23 Nov 2004 00:23:03 GMT https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428173#M5442 Danny Lim_3 2004-11-23T00:23:03Z https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428174#M5443 Have a look at these:<BR /><BR /><A href="http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html" target="_blank">http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html</A><BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683</A><BR /> Tue, 23 Nov 2004 03:07:41 GMT https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428174#M5443 Georg Tresselt 2004-11-23T03:07:41Z https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428175#M5444 Danny, <BR /><BR />You came to the right place. My company was one of the first ones attacked by this malware. See my post:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683</A><BR /><BR />Yours is a slightly newer version and uses a few different names.<BR /><BR />You got it because your PC did not have the latest Microsoft updates and you will get it again until you get the updates or download and run Zone Alarm. It is a good idea to run Zone Alarm. It will give you a chance to download the updates without being reinfected.<BR /><BR /><A href="http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp" target="_blank">http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp</A><BR /><BR /><BR /><BR />Boot into Safe Mode (F8 - without networking)<BR />and check the following then Fix Checked:<BR /><BR />R3 - Default URLSearchHook is missing<BR />O4 - HKLM\..\Run: [Microsoft update service] systemm.exe<BR />O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe<BR />O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe<BR />O4 - HKLM\..\RunServices: [Microsoft update service] systemm.exe<BR /><BR />O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe<BR />O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe<BR /><BR /><BR />Before you reboot open Explore (Right click on Start and select Explore) and locate the folder C:\Windows\System32. You will probably have to tell it you want to see the hidden files. See the following article:<BR /><BR /><A href="http://www.bleepingcomputer.com/forums/tutorial62.html" target="_blank">http://www.bleepingcomputer.com/forums/tutorial62.html</A><BR /><BR />Change it to display Details instead of Icons then find one of the files that you know belongs to the virus. msfirewall.exe winssv.exe or bling.exe. Sort by Date by clicking on the top of the date column. Find all other programs that have the same date. You may want to open the file O (or it may use another letter by now) with notepad to see who you got the virus from. If it says 0.0.0.0 then I think you opened an email but usually it will tell you what IP address infected it. Delete all of the files from the same date and time. Repeat for the C:\Windows and C:\ folders. <BR /><BR />Reboot with the network cable disconnected and you should be clear of the virus now. As I mentioned earlier if you don't patch your system or run Zone Alarm the virus will get you almost as soon as you reconnect the cable. Patches are at: <A href="http://windowsupdate.microsoft.com" target="_blank">http://windowsupdate.microsoft.com</A><BR /><BR />Ron Tue, 23 Nov 2004 11:49:30 GMT https://community.hpe.com/t5/operating-system-microsoft/hijackthis/m-p/3428175#M5444 Ron Kinner 2004-11-23T11:49:30Z