HijackThis

SOLVED
Danny Lim_3
Occasional Visitor

HijackThis

My PC is being attacked by bling.exe, winssv, winfirewall virus. Can someone please help?
Attached is my HijackThis log.
Your help will be much appreciated.
2 REPLIES
Georg Tresselt
Honored Contributor
Ron Kinner
Honored Contributor
Solution

Re: HijackThis

Danny,

You came to the right place. My company was one of the first ones attacked by this malware. See my post:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=711683

Yours is a slightly newer version and uses a few different names.

You got it because your PC did not have the latest Microsoft updates, and you will get it again until you get the updates or download and run Zone Alarm. It is a good idea to run Zone Alarm. It will give you a chance to download the updates without being reinfected.

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp



Boot into Safe Mode (F8 - without networking)
and check the following then Fix Checked:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoft update service] systemm.exe
O4 - HKLM\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [MS FIREWALL] msfirewall.exe
O4 - HKLM\..\RunServices: [Microsoft update service] systemm.exe

O4 - HKCU\..\Run: [MS FIREWALL] msfirewall.exe
O4 - HKCU\..\RunServices: [MS FIREWALL] msfirewall.exe


Before you reboot open Explore (Right click on Start and select Explore) and locate the folder C:\Windows\System32. You will probably have to tell it you want to see the hidden files. See the following article:

http://www.bleepingcomputer.com/forums/tutorial62.html

Change it to display Details instead of Icons, then find one of the files that you know belongs to the virus: msfirewall.exe, winssv.exe or bling.exe. Sort by Date by clicking on the top of the date column. Find all other programs that have the same date. You may want to open the file O (or it may use another letter by now) with notepad to see who you got the virus from. If it says 0.0.0.0 then I think you opened an email, but usually it will tell you what IP address infected it. Delete all of the files from the same date and time. Repeat for the C:\Windows and C:\ folders.

Reboot with the network cable disconnected and you should be clear of the virus now. As I mentioned earlier, if you don't patch your system or run Zone Alarm, the virus will get you almost as soon as you reconnect the cable. Patches are at: http://windowsupdate.microsoft.com

Ron
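
The "sort by date and find everything with the same timestamp" step from the reply above can be scripted. This is an added example, not part of the original thread: the function names, the 120-second window and the sample folder are assumptions, and the file names are the ones mentioned in the thread.

```python
import os
import tempfile
from datetime import datetime

# Names come from the thread; the 120-second window is an assumption.
SEED_NAMES = {"msfirewall.exe", "systemm.exe", "winssv.exe", "bling.exe"}


def find_time_neighbors(directories, seed_names=SEED_NAMES, window=120):
    """Return (seeds, neighbors) as sorted lists of (path, mtime).

    seeds: files whose name matches a known-bad name (case-insensitive).
    neighbors: other files modified within `window` seconds of any seed.
    Only the named directories are scanned, not their subfolders.
    """
    entries = []
    for d in directories:
        try:
            with os.scandir(d) as it:
                for e in it:
                    if e.is_file(follow_symlinks=False):
                        entries.append((e.path, e.stat(follow_symlinks=False).st_mtime))
        except OSError:
            continue  # missing or unreadable directory: skip it
    seeds = sorted(x for x in entries if os.path.basename(x[0]).lower() in seed_names)
    neighbors = sorted(
        x for x in entries
        if x not in seeds and any(abs(x[1] - s[1]) <= window for s in seeds)
    )
    return seeds, neighbors


def build_constructed_sample(root):
    """Create a constructed test folder: two seeds, one dropped helper, one old file."""
    infected = datetime(2004, 10, 1, 14, 30).timestamp()
    files = {"MSFIREWALL.EXE": infected, "systemm.exe": infected + 5,
             "o": infected + 20, "notepad.exe": infected - 86400 * 400}
    for name, mtime in files.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        seeds, neighbors = find_time_neighbors([root])
        for label, rows in (("known", seeds), ("same time", neighbors)):
            for path, mtime in rows:
                print(label, datetime.fromtimestamp(mtime), path)
```

On a real machine, pass the three folders named in the reply (C:\Windows\System32, C:\Windows and C:\). The script only lists candidates: legitimate files written in the same minute will also match, so review the list before deleting anything.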