Virus - Please Help Me!!

Discussion in 'Windows Desktop Systems' started by Needle, Dec 29, 2005.

  1. Needle

    Needle OSNN One Post Wonder

    Messages:
    3
    I've somehow caught a virus that when I think I've got rid of it, I reboot my computer and it's back! I've been using both ad-aware and norton, and they catch things and delete them, but when I reboot they're back! Please help!

    I am including a HijackThis report below:

    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\WinSys.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\sysldr32.exe
    C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\DOCUME~1\Alex\LOCALS~1\Temp\Rar$EX08.375\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myoffers.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [\\SHARP1\EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P40 "\\SHARP1\EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
    O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: 3D!Turbo Experience.lnk = C:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c283.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0237e284cab7776f3816/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105185113304
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Access Remote PC Service 4.1 (RpcSvr4x) - www.access-remote-pc.com - C:\Program Files\Access Remote PC 4.1\rpcsetup.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
  3. Needle

    Needle OSNN One Post Wonder

    Messages:
    3
    Re: Please Help Me!!

    I've tried looking through msconfig but the problem is I don't know what I'm looking at!
     
  4. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Re: Please Help Me!!

    it's tough, can you post a MSCONFIG screenshot? HijackThis is good, but it's very long. From what you describe there is more than likely something in there, and the list will be shorter. To post a screen shot, open MSCONFIG, do an ALT + Print Screen Key to grab the active window. Paste that into MS Paint, then upload.
     
  5. lancer

    lancer There is no answer! Political User Folding Team

    Messages:
    3,093
    Location:
    FL, USA
    Re: Please Help Me!!

    I looked through it but can't see anything, do you know the name of the virus?
     
  6. Needle

    Needle OSNN One Post Wonder

    Messages:
    3
    Re: Please Help Me!!

    here are the screenshots of msconfig
     

  7. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Re: Please Help Me!!

    I only skimmed briefly, but try this initially.

    Uncheck EVERYTHING except

    gcasServ (ms anti-spyware)
    ccApp
    acctMgr (both AV related)

    don't worry about services for now.

    Reboot, run a scan with MS Antispyware and Norton.
     
  8. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Re: Please Help Me!!

    Now to solve the problem.

    O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe

    Troj/Agobot-A is a backdoor Trojan which runs in the background as a system process and allows unauthorised remote access to the computer.
    Troj/Agobot-A copies itself to the Windows system folder as SYSLDR32.EXE and adds entries to the registry at
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    and
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    to run itself on system restart.


    Enter safe mode, turn off system restore, and delete the file. Then enter your registry to the above locations, and remove the entries so the sl-ut can't come back.

    oh, and this is no good.

    Delete winsys.exe

    winsys.exe is a part of a surveillance software from bc-technologies. It is used to monitor and store a record of all user activities. This process should be removed to ensure your personal privacy.


    oh, and this too.

    O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
    sachostx - sachostx.exe - Process Information
    Process File: sachostx or sachostx.exe
    Process Name: W32.Looksky.A/D Worm

    Description:
    sachostx.exe is a process which is registered as the W32.Looksky.A/D Worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.


    and get rid of SpySheriff.

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    How to Remove

    Scrap this too - O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB

    Also slated for deletion are the following bogus services performing your everyday lame drive by install.

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...ridge-c283.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
    not entirely sure on this one, but likely useless to you.

    O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    Both are unneeded as far as I can tell.
     
    Last edited: Dec 29, 2005
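The post above works through the log by hand, picking out the Run-key autostarts that point at loose executables (sysldr32.exe, sachostx.exe, winstall.exe), the unexplained Winlogon Notify DLLs, and the ActiveX (O16) downloads from non-Microsoft hosts. The script below, added here as an editor's example and not code from this thread or from HijackThis, encodes those same rules of thumb as a small parser for the O4/O20/O16 line formats, so that the next log can be triaged with the same logic. The heuristics (an autostart whose file sits directly in a drive root or the Windows directory; a Notify DLL not on a caller-supplied allowlist; a DPF host outside a trusted-suffix list) are assumptions of this example and only select entries for manual review. The sample input is copied from the log posted earlier in the thread, and the `TRUSTED_DPF_SUFFIXES` list is constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry formats as printed by HijackThis for the three sections the post above
# singles out: O4 (Run-key autostarts), O20 (Winlogon Notify DLLs), O16 (ActiveX downloads).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

# Hosts from which ActiveX (DPF) downloads are treated as expected. Constructed for
# this example; a real allowlist is a per-site decision.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "symantec.com")

# Sample input copied from the log posted in this thread (a mix of legitimate and flagged entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c283.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section the line came from
    name: str      # value name, notify package, or CLSID
    target: str    # file or URL that would be loaded
    reason: str    # why the heuristic selected it


def _exe_from_command(cmd):
    """Extract the file an O4 command launches: a quoted path, the rundll32 DLL argument, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def _in_loose_location(path):
    """Heuristic (assumption of this example): an autostart whose file sits directly in a
    drive root or the Windows directory, rather than in system32 or Program Files, gets
    reviewed, matching the three entries picked out in the post above."""
    parts = path.replace("/", "\\").lower().split("\\")
    if len(parts) == 2:                                            # C:\winstall.exe
        return True
    return len(parts) == 3 and parts[1] in ("windows", "winnt")    # C:\WINDOWS\sysldr32.exe


def triage(log_text, notify_allowlist=(), dpf_trusted=TRUSTED_DPF_SUFFIXES):
    """Return the O4/O20/O16 entries the heuristics select for manual review."""
    allow = {d.lower() for d in notify_allowlist}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = _exe_from_command(m["cmd"])
            if _in_loose_location(exe):
                findings.append(Finding("O4", m["name"], exe,
                                        "autostart target sits directly in the Windows or drive root"))
        elif m := O20_RE.match(line):
            dll = m["path"].split("\\")[-1].lower()
            if dll not in allow:
                findings.append(Finding("O20", m["name"], m["path"],
                                        "Winlogon Notify DLL not on the allowlist"))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if not any(host == s or host.endswith("." + s) for s in dpf_trusted):
                findings.append(Finding("O16", m["clsid"], m["url"],
                                        f"ActiveX download from untrusted host {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<40} {f.target}\n     {f.reason}")
```

Run against the sample it reports the three loose autostarts, the browsela Notify DLL and the windupdates.com download, and leaves the Symantec, NVIDIA, ctfmon and Windows Genuine Advantage entries alone; passing `notify_allowlist=("browsela.dll",)` shows how a known-good DLL is silenced. Global Startup O4 lines and the other sections are deliberately not parsed, so a clean run means only that these three checks found nothing.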
  9. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    Thread title changed and moved to Windows Desktop.
     
  10. Johnny

    Johnny .. Commodore .. Political User

    Messages:
    5,015
    Location:
    Happy Valley
    People have to quit confusing trojans and malware with viruses.
     
  11. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    who did?
     
  12. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    who cares? I went through the log bit by bit, uncovered the crap.

    Needle, let us know how it turns out.
     
  13. canadian_divx

    canadian_divx Canadian_divx

    also you can go to

    www.housecall.trendmicro.com and run their online scan. It will remove what it sees and it is pretty good.

    also I would pitch norton and get a program called NOD32. So far a better one than I have seen
     
  14. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Doubt it would pick up the malware. Have to agree though, NOD is aite.
     
  15. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Microsoft Antispyware combined with any reputable virus scanner has not failed me in cleaning any machine. I didn't mistake malware and trojans with viruses, I was being thorough.
     
  16. sweetiecandy

    sweetiecandy OSNN One Post Wonder

    Messages:
    2
    Please help! OK, so I had a similar virus too on windows xp. I tried to look up the virus online because I kept getting the dns404 screen. The program that keeps appearing is called "spyware strike". When I tried researching "spyware strike" on the net, nothing showed up, so I'm guessing it's really new. I thought it was similar to spyaxe in that it says that windows update has discovered viruses and adware and you have to pay to download this program to remove it. However, every time I deleted it, it kept reappearing and I think it actually downloaded viruses/malware onto my computer so that's why I figure it was the same as spyaxe. So I followed that remedy on http://www.microsoft.com/downloads/d...displaylang=en which is also posted on other forums. The only problem is, the malware did not go away and actually came back with a vengeance. The computer freezes almost as soon as it loads and on the occasion that it doesn't freeze, when I try to click on a file or program or even the start menu it freezes so I'm unable to do anything. I can't retrieve any data to post on the forum on the virus because I can't seem to get that far on the computer without it freezing. I'm not really sure how the virus got on the computer because it's my parents' computer. If you could please help me to remove it, I would really appreciate it, thank you so much in advance!