Solved

Very Troublesome Virus!

Posted on 2005-05-11
Last Modified: 2012-06-21
Ok, where do I start. I have cleaned all of the temp files off the computer, all the cookies, etc. I noticed I couldn't get AVG or Ad-Aware to install because there was a virus or something running that kills the process of the install file. So I totally pulled the hard drive from the machine and hooked it up to another machine that was clean and had AVG and Ad-Aware etc. on it. I booted up the clean machine with the infected hard drive in as the slave. I ran an AVG scan; it found about 200 viruses and I got them removed. I have rescanned the hard drive and it found nothing. Then I ran Ad-Aware while I had the hard drive hooked up as slave, and it found some things; it removed those.

Next I decided to re-hook up the hard drive to the computer it came out of and boot it up. So I did. Still can't install AVG or Ad-Aware or Spybot. I got a program called CounterSpy to install and ran a scan; it found a few more malware things. I removed those. I was able to install a program called WinPatrol on the machine that shows running processes, startup programs, etc... ZoneAlarm installed, but the process is killed. Spybot, Ad-Aware, AVG, Avast will not install at all! You click the install file and it will not run.

I have noticed this virus likes to rename itself. At one point it was named EXPLORE.exe, trying to make it look like EXPLORER.exe in the Task Manager. I have run Killbox to try to delete these files, and every time I restart to delete the file it just comes back and is renamed something else. And you cannot kill the process in the Task Manager. I have also run McAfee Stinger on the machine. If someone can help me figure this one out, big kudos to you! Because I remove spyware and viruses from machines all the time, but I can't figure this out!

This is a log showing what the machine looks like when I do a Diagnostic startup from msconfig. The virus, or whatever it is, is still there; I cannot install any anti-virus or anti-spyware tools.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:17 AM, on 05/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Documents and Settings\Nicki\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicki\Application Data\Mozilla\Profiles\default\d04kirt2.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Sheridan ActiveTreeView Control) - https://www.ext.ch2m.com/cgi-bin/controls/sstree.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {35020238-5912-11D1-9A00-00C04FD8DC2E} (DameWare DTP Control Class) - https://www.ext.ch2m.com/cgi-bin/controls/ddtp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll


=====================================================

Here is what the machine looks like after I do a normal startup:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:35 AM, on 05/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Nicki\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicki\Application Data\Mozilla\Profiles\default\d04kirt2.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Sheridan ActiveTreeView Control) - https://www.ext.ch2m.com/cgi-bin/controls/sstree.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {35020238-5912-11D1-9A00-00C04FD8DC2E} (DameWare DTP Control Class) - https://www.ext.ch2m.com/cgi-bin/controls/ddtp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
Question by:ccjcic
22 Comments
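A defender-side triage pass over the kind of HijackThis log posted above, added here as an illustration (this is not HijackThis and not any tool mentioned in the thread). It flags executables whose name is one edit away from a core Windows binary (the EXPLORE.exe vs EXPLORER.exe trick from the question and the taskmg.exe Run entry in the log), O23 services with an unknown owner whose binary is missing, and O16 DPF entries that download a bare .exe. The sample lines are constructed from this thread's log; the C:\WINDOWS\EXPLORE.exe process path is an assumption, since the post only gives the name.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis itself)."""
import re
from dataclasses import dataclass

# Core Windows binaries that malware commonly imitates with a one-letter change.
CORE_BINARIES = ("explorer.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                 "winlogon.exe", "services.exe", "smss.exe", "csrss.exe", "userinit.exe")

EXE_NAME = re.compile(r"([\w~\-]+\.exe)", re.IGNORECASE)      # bare file name of any .exe on a line
O16_URL = re.compile(r"-\s+(https?://\S+)\s*$", re.IGNORECASE)  # download URL at the end of an O16 line

# Constructed sample, modelled on the log in this thread. The EXPLORE.exe path is assumed:
# the post names the process but not where it lived.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\EXPLORE.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the core binary that `name` imitates (exactly one edit away), else None.
    An exact match is the real thing and is never reported."""
    low = name.lower()
    for legit in CORE_BINARIES:
        if low != legit and edit_distance(low, legit) == 1:
            return legit
    return None


def triage(log_text: str) -> list:
    """Walk the log once and collect every line that trips one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Any line (process list or O-entry): an .exe one edit away from a core binary.
        for exe in EXE_NAME.findall(line):
            legit = lookalike_of(exe)
            if legit:
                findings.append(Finding(line, f"{exe} looks like {legit}"))
        # O23: a service with no known owner whose binary is gone is the usual leftover
        # of a dropper that was deleted but whose service registration was not.
        if line.startswith("O23") and "Unknown owner" in line and "(file missing)" in line:
            findings.append(Finding(line, "service with unknown owner and missing binary"))
        # O16: Downloaded Program Files entries normally point at .cab/.dll packages;
        # a bare .exe from a third-party host deserves a second look.
        if line.startswith("O16"):
            m = O16_URL.search(line)
            if m and m.group(1).lower().endswith(".exe"):
                findings.append(Finding(line, "DPF entry downloads a bare executable"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```

On the constructed sample this reports five lines: the two lookalike names, the two orphaned O23 services and the pacimedia .exe download.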
 

Author Comment

by:ccjcic
ID: 13982324
UPDATE!!

Ok, I re-hooked up the drive as a slave drive on the clean computer again and ran an online virus scan from Panda. It found the stuff I have posted below. I went in and deleted all the files. Then I re-hooked up the hard drive to the machine and started it up. I was able to get AVG, Spybot, Ad-Aware installed on the computer! But I started to run an Ad-Aware scan and AVG started picking up things in the C:\SYSTEM VOLUME INFORMATION folder. I had System Restore disabled, and if you go in and try to browse to the SYSTEM VOLUME INFORMATION folder it is not even there! But yet AVG is detecting a Trojan there! Well, so I closed Ad-Aware and decided to run an AVG scan on the computer. So I started an AVG scan and had to leave for about 15 min. I left, and when I came back the computer was in sleep mode. I moved the mouse and it restarted all by itself! Next thing I know, the virus is back. AVG etc. is still installed but none of them will run! I have it booted into safe mode right now running an Ad-Aware scan. All the programs will run in safe mode but not in regular mode because that stupid virus keeps popping up!

HERE IS THE LOG FROM THE PANDA SCAN:

Incident Status Location

Adware:Adware/DelFinMedia No disinfected F:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe
Spyware:Spyware/Media-motor No disinfected F:\Documents and Settings\Nicki\Desktop\New Folder\backups\backup-20050510-161343-435.inf
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Nicki\Desktop\New Folder\backups\backup-20050510-170637-248.dll
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Nicki\Desktop\New Folder\backups\backup-20050510-170637-269.dll
Adware:Adware/Midaddle No disinfected F:\Documents and Settings\Nicki\Local Settings\Temp\bNX.exe
Adware:Adware/Midaddle No disinfected F:\Documents and Settings\Nicki\Local Settings\Temp\mOJhW.exe
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\6FAN4Z81\DrPMon[1].dll
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\KXCVA5AN\svcproc[1].exe
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\O1Q34N2B\Nail[1].exe
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\O1Q34N2B\Poller[1].exe
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Owner\Application Data\wtta.exe
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Common Files\Java\bpt.cfg
Adware:Adware/FlashTrack No disinfected F:\Program Files\Common Files\Java\Xcpy1.cfg
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Spyware:Spyware/BetterInet No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\14D1BD31-C89D-4578-9877-E56AEB\0CE5DFA0-C52E-435E-BD42-2D884F
Spyware:Spyware/Media-motor No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1B154E71-CA07-4346-9051-5E44F6\5FD74420-41C2-413E-980A-741F6B
Virus:Trj/Notifier.AA Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1B154E71-CA07-4346-9051-5E44F6\621D573F-D6A3-482B-B501-B02975
Adware:Adware/Sqwire No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1B29476C-F73C-43C9-92B4-99C533\7C819A60-9707-4026-883A-A56503
Spyware:Spyware/Media-motor No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\224B446D-5FCA-4E24-B632-93D737\8A06BB9A-261F-4930-A478-93133D
Adware:Adware/TopSpyware No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\24D46A9F-56D8-4039-AC19-DE9AAA\A253CE59-8729-4EB8-9F03-2B311B
Virus:Trj/Idly.A Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\281845F4-0C96-4FDA-B668-9DD932\DA92CC21-B284-443C-835A-745374
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\2A960050-1A51-479E-9BF3-C7C802\7BC3B6E3-AFAA-42E5-AECB-75781C
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\2A960050-1A51-479E-9BF3-C7C802\867E9A6D-7F3E-475F-B67B-832683
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\38ED7AB2-A338-4FF3-A523-88AA3D\72FC95BD-2E17-41A8-9EB2-0886BE
Adware:Adware/Twain-Tech No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\3F64A42C-ABBA-4953-82E0-AD4C8D\64CD3856-EE79-48F5-91BF-1484F0
Adware:Adware/FlashTrack No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\42FA539C-87CE-475D-AB3D-5B7117\E482419C-223D-418E-81F6-9BA018
Adware:Adware/FlashTrack No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\42FA539C-87CE-475D-AB3D-5B7117\E788245E-D61A-4EDD-98B8-E71F65
Virus:Trj/Downloader.CKQ Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497-4F37-4FA5-B1F4-F40CA0\2E4A51F4-1E41-4E0D-A20E-013C34
Adware:Adware/TopSpyware No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497-4F37-4FA5-B1F4-F40CA0\8D18769A-693D-4C4B-A12E-B7BB21
Virus:Trj/Downloader.CKQ Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497-4F37-4FA5-B1F4-F40CA0\AD846435-757E-44A2-BF52-D15FBB
Adware:Adware/KeenValue No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\46DC875A-E0B1-48EC-B768-CE2CCE\ED035809-428F-4EA0-B25D-C4C676
Spyware:Spyware/MarketScore No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\4C7BCCA0-F4A3-447F-80F1-2980A4\04FBBDFD-7C55-412D-B445-FA52A7
Spyware:Spyware/MarketScore No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\4C7BCCA0-F4A3-447F-80F1-2980A4\C7EDD84E-E451-449E-9789-60360D
Virus:Trj/Clicker.AD Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\63D57226-68FC-4C29-864C-32D0C2\5A578C69-F223-4B27-9316-DFEB0B
Adware:Adware/Transponder No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\87045C99-F4A0-44BC-9EDB-919BC7\B6BC4A26-D903-4D0D-92DD-CC1925
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\89C9A9F5-BA7B-4297-BD6D-6CBA6F\DC89A51F-1FF6-49C9-A2DF-681355
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\89C9A9F5-BA7B-4297-BD6D-6CBA6F\E03E9B78-B8CC-490B-8F45-69636A
Adware:Adware/KeenValue No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\8B5191DF-5DB9-4F03-B563-9DE078\B7B650F9-0C7C-426C-9070-2ED4A0
Adware:Adware/IEPlugin No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9121719D-2B55-4773-99DC-09FDA5\CF9709D2-81CF-4979-AA20-71544A
Adware:Adware/IEPlugin No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9121719D-2B55-4773-99DC-09FDA5\F3E9F281-C078-4C49-B511-FC2EAE
Spyware:Spyware/Wast No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6-4881-48CE-ACE2-020F27\3D24AFA8-E433-47F8-97D5-ECE4B5
Adware:Adware/Twain-Tech No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6-4881-48CE-ACE2-020F27\D4A5E0EC-A2A0-4976-AC6E-2A4D9F
Adware:Adware/IPInsight No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6-4881-48CE-ACE2-020F27\FADE546C-1492-493F-8937-05C211
Spyware:Spyware/BargainBuddy No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\A1C42C4D-776D-41E9-BE00-2ABDC0\1129D46A-EF62-4D28-9D91-DD7E78
Spyware:Spyware/BargainBuddy No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\A1C42C4D-776D-41E9-BE00-2ABDC0\3D61FA6E-13A1-434C-8B3A-56D9B4
Spyware:Spyware/BargainBuddy No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\A1C42C4D-776D-41E9-BE00-2ABDC0\6F6DC273-C49F-40D8-9EBE-ED910D
Virus:Trj/Agent.QW Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B9E684E5-9116-4DFB-89DA-56368B\C9A72EF3-1500-4601-B41D-B8AEF1
Adware:Adware/PortalScan No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CB08D3F6-808B-4692-97F5-ABB68F\9DE7D085-D016-4669-A82E-7693B5
Adware:Adware/PurityScan No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\D01BE892-A7C5-4277-8182-E48AB4\2B82B024-028F-493A-946D-35F4C6
Spyware:Spyware/BetterInet No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E7F5DDEE-20CC-431F-9E85-244DF9\19B06F4A-560C-4B5E-939E-CAFAE1
Spyware:Spyware/BetterInet No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E7F5DDEE-20CC-431F-9E85-244DF9\7BC2AFBF-2C09-4E87-BC7C-D146A3
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[whInstaller.ini]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[whAgent.inf]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[WhAgent.exe]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[whInstaller.exe]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[WhSurvey.exe]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[Webhdll.dll]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\0194D884-BC6D-4627-9917-1F8BE8[whiehlpr.dll]
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\14F05126-FFA3-4DE1-A3F2-D1EA9A
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\1656D3C2-E561-4217-B8ED-26ABF0
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\5C4DC3F6-1126-458A-9978-16D769
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\9AAFC9E2-BA3A-4978-9F52-4E2152
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\C275D4BD-37A9-4677-9152-94E16E
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\C5D56BFB-FDF0-41EC-967B-9BD7FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA-6057-49C7-BFD2-1251C1\E355E1B6-290B-4C8E-91E5-BB8301
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\393BD360-59BF-425C-8238-FA6B10
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\430E4C70-7AEB-4AC7-8547-F96FDF
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\94F6AF40-0C32-4F99-8F16-5F0716
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\A7A7551E-260E-4E21-869E-DDCDD0
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\B1306C50-EE0C-4852-94C8-9B02B0
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\B4F8F77E-1230-4514-BE7D-85C8AE
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\CD3FFB7F-9059-4431-82CC-79F1ED
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3-9C88-4F40-8319-73C45B\DBAA16CF-6A7A-47BE-B789-783F98
Adware:Adware/nCase No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FF80430A-2BB5-4275-AC61-F50355\21BBA4B9-CF22-4616-9170-9DF9BD
Adware:Adware/nCase No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FF80430A-2BB5-4275-AC61-F50355\52FBD542-84B5-4DE1-9E92-E7E287
Virus:Trj/Hpt.C Disinfected F:\RECYCLER\S-1-5-21-3113207943-3856378107-2071102810-1008\Dc1.exe
Adware:Adware/KeenValue No disinfected F:\updaterInstall_108.exe
Spyware:Spyware/Wast No disinfected F:\WINDOWS\ast_4_mm.exe
Virus:Trj/Casicon.A Disinfected F:\WINDOWS\casicon.exe
Adware:Adware/Coupons No disinfected F:\WINDOWS\cpbrkpie.ocx
Spyware:Spyware/Media-motor No disinfected F:\WINDOWS\Downloaded Program Files\mm63.INF
Adware:Adware/BHO No disinfected F:\WINDOWS\ei25.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\inf\bi2.inf
Spyware:Spyware/BetterInet No disinfected F:\WINDOWS\inf\ceres.inf
Spyware:Spyware/AdClicker No disinfected F:\WINDOWS\loads.exe
Adware:Adware/nCase No disinfected F:\WINDOWS\msbbhook.dll
Adware:Adware/PortalScan No disinfected F:\WINDOWS\mwsvm.bin
Virus:Trj/Downloader.CA Disinfected F:\WINDOWS\nhiqirsgt.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediamotor1001.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediamotor1002.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediamotor1003.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\SAHUninstall.exe
Adware:Adware/Twain-Tech No disinfected F:\WINDOWS\SET5A.tmp
Adware:Adware/MyDailyHoroscopeNo disinfected F:\WINDOWS\setup_silent_17253.exe
Adware:Adware/MyDailyHoroscopeNo disinfected F:\WINDOWS\setup_silent_17304.exe
Adware:Adware/Transponder No disinfected F:\WINDOWS\system32\bvvggv.exe
Possible Virus. No disinfected F:\WINDOWS\system32\c14b2s.dll
Adware:Adware/BrowserAid No disinfected F:\WINDOWS\system32\D0CE0C16B1.DLL
Adware:Adware/PurityScan No disinfected F:\WINDOWS\system32\devabu.dll
Adware:Adware/CWS.Flsmngr No disinfected F:\WINDOWS\system32\flsmngr.dll
Virus:Trj/Lowzones.CL Disinfected F:\WINDOWS\system32\glopjcey.exe
Adware:Adware/Twain-Tech No disinfected F:\WINDOWS\system32\hueeqq.exe
Virus:Trj/Casicon.A Disinfected F:\WINDOWS\system32\icon\icon.exe
Virus:W32/Bagz.M.worm Disinfected F:\WINDOWS\system32\mbvfhaaa.exe
Adware:Adware/nCase No disinfected F:\WINDOWS\system32\msbb321.dll
Adware:Adware/DelFinMedia No disinfected F:\WINDOWS\system32\nsvsvc\nsv.ocx
Possible Virus. No disinfected F:\WINDOWS\system32\qmgrmm32.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\sahagent1014.exe
Virus:Trj/Prutec.L Disinfected F:\WINDOWS\system32\winsmx.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\xmltok.dll
Adware:Adware/PurityScan No disinfected F:\WINDOWS\system32\XPLORE~1.EXE
Spyware:Spyware/Media-motor No disinfected F:\WINDOWS\unstall.exe
Virus:Trj/Downloader.CA Disinfected F:\WINDOWS\ypopoqzbk.exe

LVL 4

Expert Comment

by:Diane258
ID: 13982540
Ok, do you want to waste time doing the uninstall and virus scans or do you want your computer up and running?

First, let me state that it was not a wise idea to boot into --> Windows <-- on the "clean" machine, as the act of just booting it can cause it to get a virus from the second HDD.

If there are any files (NON-EXE FILES) you want to keep, copy them off to the other computer. If you moved the HDD, put it back into the other computer.

Then go to the HDD maker's website and download the HDD check utility. They should have a boot disk option.

Run the utility and select the "write 0's to drive" option.

After that, put in the Windows XP CD and reinstall.

After that, reinstall all the programs you want.

OR

You can call up McAfee and say you think you have a load of new viruses on your machine, and ask them if you can send them the HDD so they can update their virus scanners. You may or may not get your drive back, but if you have new viruses on your machine they might offer you as much as $1000 for the HDD.


Author Comment

by:ccjcic
ID: 13982572
This is the second computer I have seen this on! The last computer I saw this on I had to do a reinstall, but I was determined this time not to have to do it. But I don't know what else to do, I guess.
 
LVL 32

Expert Comment

by:r-k
ID: 13982685
ccjcic:

Tip for the future - rather than posting the entire HijackThis log here, please post it instead at http://www.hijackthis.de/ and click "analyze" and then "save this log". That way it's easier to work with and you can just post the link here.

I did that for you in this case, and you can view at:

 http://www.hijackthis.de/logfiles/66c9fe61f0c7934ccfc5b4aa9a06e54a.html

Here are some general tips that may help you in such difficult cases:

(1) First, in order to view the files in the System Information folder, you should make sure that you have un-selected "Hide protected operating system files" in Explorer -> Folder Options.

(2) If you identify a file that keeps re-creating itself, then just right-click on it and change permissions so that no one (not even system or administrator) has any permission to access it. That effectively renders the file harmless after the next reboot. You should do this after clearing any of the bad entries found by Hijackthis.

Comment for Diane258:

I agree with your advice in general, but I am curious why you think that attaching the drive as a slave drive to another XP system could be harmful just by booting. The only such possibility I am aware of is if you were using Win/2000 and accidentally made the bad drive a master drive rather than a slave.

Author Comment

by:ccjcic
ID: 13982703
Yeah, I've tried those 2 tips. I've tried everything I know! ha. This has got to be the most pesky virus I have ever seen.

Author Comment

by:ccjcic
ID: 13982709
Sorry for posting my entire log here.
LVL 32

Expert Comment

by:r-k
ID: 13982775
"I've tried those 2 tips"

If you removed all permissions from a file, then it cannot run the next time, and cannot be recreated under the same name. It can, however, be recreated under a different name.

I assume you are facing the latter situation. That means that you have not identified all the bad files, because you have to either delete all bad files, or remove all permissions from them, and then reboot once in order to render them ineffective.

Did you really remove all the Registry entries identified by HiJackThis as bad or questionable?

You also have to terminate all processes that are known to be bad before the reboot. If you're getting an "access denied" error, get Taskman+ from:

 http://www.diamondcs.com.au/index.php?page=taskman
LVL 29

Expert Comment

by:blue_zee
ID: 13982797

Download and run Stinger in Safe Mode:

http://vil.nai.com/vil/stinger/

Also try at least 2 of these online virus scanners:

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee
LVL 29

Expert Comment

by:blue_zee
ID: 13982799

After the above:

First of all, download NOW this Winsock fix (FREE):
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Download Ad-Aware (FREE) from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Also excellent is SpyBot Search & Destroy (FREE) available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
You should also apply the 'immunize' function, since it blocks roughly 1900 known 'bad' runs/apis/apps.

Even though Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use them REGULARLY.

You can also install 'preventive' software that will help you control these nasties:

SpywareBlaster (FREE):
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of ActiveX-based spyware, malware, dialers, etc.
Currently protects you against 3500+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them extremely useful but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

Zee

Author Comment

by:ccjcic
ID: 13982951
Ok, here's an update on what's going on. Here is a new log file.

http://www.hijackthis.de/logfiles/e88d7c26ca0b422637e0989cbdcb719a.html

I ran AVG, Ad-Aware, Spybot and CounterSpy in Safe Mode.
I have one big problem with that log above.
I have a problem with this running process:

C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

I didn't even open Internet Explorer. I didn't do anything; I restarted the computer and just ran HijackThis. So my guess is this isn't IE! So I clicked on it in WinPatrol and clicked "delete this file on reboot", then I restarted, and this is the log I got after I deleted iexplore.exe:

http://www.hijackthis.de/logfiles/b36ae7ec01f5dcf4331d23cd754841b8.html

I also cleared up many of the nasties that it was reporting, or any unknowns. Still the same results! Still can't run AVG, Ad-Aware etc.
One thing I did notice is that a random file name, utilaux.exe, showed up in the Windows Task Manager, but it did not show up in the HijackThis log or in WinPatrol. After I clicked "kill task" in Windows Task Manager, refreshed WinPatrol and ran another HijackThis log, it showed up! But it had been running the whole time! But I had to kill it, and then it restarted, and then it showed up?? This thing is crazy!
LVL 32

Expert Comment

by:r-k
ID: 13983010
Something is indeed messing with your system.

Is that iexplore.exe file really deleted? That is the correct location of Internet Explorer, so if you still have the file you can right-click on it and get the Version info in Properties. Make sure it is from Microsoft. My guess is that it is/was legit but something else launched it.

You might also try RootkitRevealer from sysinternals:

 http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

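The checks r-k asks for above (where the running iexplore.exe really lives, whether the file is Microsoft's, and what launched it), done programmatically. This is an added example, not code from the original thread: it assumes a Windows host with PowerShell 5.1 or later and only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-Process). The process names and the expected Internet Explorer directory come from the posts above; the function names and the "suspicious" heuristics are this example's own.

```powershell
# Added example, not from the original thread. Assumes PowerShell 5.1+ on Windows.
# For each process whose image name matches a look-alike seen in the thread,
# report its real path, Authenticode signature, version resource and parent,
# and flag the combinations that point at an impostor or at an injected launch.

function Get-ProcessProvenance {
    param(
        # Image names mentioned in the thread (iexplore.exe, EXPLORE.exe, utilaux.exe);
        # PowerShell's -contains is case-insensitive, so EXPLORE.EXE matches too.
        [string[]]$Name = @('iexplore.exe', 'explore.exe', 'utilaux.exe'),
        # Directory the genuine binary is expected to live in (assumption: default install path).
        [hashtable]$ExpectedDir = @{ 'iexplore.exe' = "$env:ProgramFiles\Internet Explorer" }
    )
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $Name -contains $_.Name })) {
        $path = $p.ExecutablePath
        $sig = $null; $ver = $null; $reasons = @()
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path      # embedded/catalog signature
            $ver = (Get-Item -LiteralPath $path -Force).VersionInfo  # the "Version" tab data
        }
        $parent = $byPid[[int]$p.ParentProcessId]

        if (-not $path) { $reasons += 'no image path (access denied, or process already gone)' }
        elseif ($ExpectedDir[$p.Name] -and -not $path.StartsWith($ExpectedDir[$p.Name], 'OrdinalIgnoreCase')) {
            $reasons += "unexpected location: $path"
        }
        if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }
        if ($ver -and $ver.CompanyName -notlike '*Microsoft*') { $reasons += "CompanyName '$($ver.CompanyName)'" }

        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            CommandLine = $p.CommandLine
            Parent      = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId), $($parent.ExecutablePath))" }
                          else { "<exited> (PID $($p.ParentProcessId))" }
            FileVersion = $ver.FileVersion
            Signature   = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Suspicious  = ($reasons -join '; ')
        }
    }
}

function Compare-ProcessListers {
    # PIDs seen by the CIM enumerator but not by Get-Process, or vice versa.
    # Normally empty; a difference that persists across runs deserves a closer look,
    # the same way a process visible in Task Manager but absent from another lister did above.
    $cim = (Get-CimInstance Win32_Process).ProcessId
    $ps  = (Get-Process).Id
    Compare-Object -ReferenceObject $cim -DifferenceObject $ps | ForEach-Object {
        [pscustomobject]@{
            PID    = $_.InputObject
            SeenBy = if ($_.SideIndicator -eq '<=') { 'Win32_Process only' } else { 'Get-Process only' }
        }
    }
}

Get-ProcessProvenance | Format-List
Compare-ProcessListers | Format-Table -AutoSize
```

Two caveats. A genuine, Microsoft-signed iexplore.exe still passes every file check when something else launched it or injected into it, which is r-k's guess here; in that case the Parent and CommandLine columns are the evidence, not the signature. And the lister comparison is only meaningful when it is stable: a process starting or exiting between the two enumerations produces a one-off difference.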
LVL 4

Expert Comment

by:Diane258
ID: 13983047
Ok, ccjcic, format (write 0's to the drive, not format c:)/reinstall, or talk to McAfee.

If the virus is as bad as you say it is then they might be willing to pay for it.

Also, certain Windows processes will "read" data from the secondary HDD and "execute" information in others, mostly the partition information, drive volume information, and sometimes a few system files (for NTFS), but some viruses can still hide in there and infect the other drive.
LVL 32

Expert Comment

by:r-k
ID: 13983068
"Also, certain Windows processes will "read" data from the secondary HDD and "execute" information in others, mostly the partition information, drive volume information, and sometimes a few system files (for NTFS), but some viruses can still hide in there and infect the other drive."

Can you provide any more information on this, either a specific example or a link to a web site that describes it. I am just very curious because I never heard this before. Thanks!

Author Comment

by:ccjcic
ID: 13983084
What is the best way to get in contact with McAfee?

Author Comment

by:ccjcic
ID: 13983093
iexplore.exe is not deleted; it came back.
LVL 32

Expert Comment

by:r-k
ID: 13983101
"iexplore.exe is not deleted; it came back"

What does the Version tab show? Is it the Microsoft file? What version?

Author Comment

by:ccjcic
ID: 13983125
Ok, it did come back, and now it's gone! Internet Explorer is totally gone now! But I'm sure that was not Internet Explorer, though. I ran that RootkitRevealer, and the funny thing is I had to rename it in order to get it to run! It didn't find anything. I've never seen a virus like this.
LVL 32

Accepted Solution

by: r-k (earned 2000 total points)
ID: 13983146
Ok, I think we're still making progress. It doesn't seem like a rootkit, so that's good.

(1) Were you able to kill any suspect process using Taskman+?

(2) What you have does not seem like a browser hijacker, but something that starts every time you log in. Suggest trying the following:

Get and install the utility Autoruns from:

 http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

When you first run it, it will show a bunch of startups.

Select "View" from the menu bar. Then select all the options within View one by one, from
"Show Appinit..." to "Hide Microsoft Entries". Then click on Refresh.

This will give you a new, shorter list of Startups.

Examine them carefully and uncheck the box next to any that seem suspicious or unnecessary. Then reboot, and hopefully the bad stuff will not start because you unchecked it.

After rebooting, run Autoruns as above, and make sure the items you unchecked are still unchecked. Then you can delete or move the suspect files.

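The Autoruns procedure above, reduced to a script so the "Verify code signatures" and "Hide Microsoft entries" filtering can be seen end to end. This is an added example, not part of the original thread and not Sysinternals code: it assumes PowerShell 5.1 or later, covers only the common autostart locations (Run/RunOnce keys, Winlogon Shell and Userinit, AppInit_DLLs, auto-start services and the Startup folders, not drivers, scheduled tasks or the many other locations Autoruns knows about), and all function names are this example's own.

```powershell
# Added example, not from the original thread. Assumes PowerShell 5.1+ on Windows.
# Lists common autostart entries, resolves each to the file it runs, checks the
# Authenticode signature, and hides entries that are validly Microsoft-signed.
# What remains is unsigned, signed by someone else, or points at a missing file.

function Get-ExePathFromCommand {
    # Pull the executable out of a command string as stored in the registry:
    #   "C:\Program Files\x\y.exe" /arg  |  C:\x\y.exe /arg  |  explorer.exe
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($c -match '^(\S+\.(exe|dll|cmd|bat|scr|com))(\s|$)') { $path = $Matches[1] }
    else { $path = ($c -split '\s+')[0] }
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names (e.g. the Winlogon Shell value "explorer.exe") resolve from System32 first.
        $cand = Join-Path $env:SystemRoot "system32\$path"
        if (Test-Path -LiteralPath $cand) { $path = $cand }
        else { $cmd = Get-Command $path -ErrorAction SilentlyContinue; if ($cmd) { $path = $cmd.Source } }
    }
    return $path
}

function Get-AutostartEntries {
    $entries = New-Object 'System.Collections.Generic.List[object]'
    function Add-Entry($loc, $name, $cmd) {
        $entries.Add([pscustomobject]@{ Location = $loc; Entry = $name; Command = [string]$cmd })
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            Add-Entry $k $p.Name $p.Value
        }
    }
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($v in 'Shell', 'Userinit') {
        $val = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).$v
        if ($val) { foreach ($part in ($val -split ',' | Where-Object { $_.Trim() })) { Add-Entry "$winlogon\$v" $v $part.Trim() } }
    }
    $appinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appinit) { foreach ($d in ($appinit -split '[ ,]+' | Where-Object { $_ })) { Add-Entry 'AppInit_DLLs' $d $d } }
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        Add-Entry 'Service' $s.Name $s.PathName
    }
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
    }
    return $entries
}

function Add-SignatureInfo {
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $path = Get-ExePathFromCommand $Entry.Command
        $status = 'FileMissing'; $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $Entry |
            Add-Member -NotePropertyName Path        -NotePropertyValue $path   -PassThru |
            Add-Member -NotePropertyName SigStatus   -NotePropertyValue $status -PassThru |
            Add-Member -NotePropertyName Signer      -NotePropertyValue $signer -PassThru |
            Add-Member -NotePropertyName IsMicrosoft -NotePropertyValue ($status -eq 'Valid' -and $signer -like '*Microsoft*') -PassThru
    }
}

# "Hide Microsoft entries": show only what is not validly signed by Microsoft.
Get-AutostartEntries | Add-SignatureInfo | Where-Object { -not $_.IsMicrosoft } |
    Sort-Object Location, Entry | Format-Table Location, Entry, Path, SigStatus, Signer -AutoSize
```

Read the output the way r-k describes: a Winlogon Shell or Userinit value that names anything other than the expected system binary, an AppInit_DLLs entry, or a Run value whose file is unsigned or missing is what to disable first. Disabling is a registry or file change, so the same reboot-and-recheck step applies: if an entry you removed is back after the reboot, something that is still running re-creates it, and that process, not the entry, is the thing to find.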
LVL 4

Expert Comment

by:Diane258
ID: 13983322
http://www.mcafee.com/us/

you should be able to find contact info there.

Be sure to say that you think you have some new viruses.
LVL 12

Expert Comment

by:kneH
ID: 13984074
>> iexplore.exe is not deleted; it came back

To sort that:
Place a text file in the Internet Explorer directory.
Rename it to iexplore.exe.
attrib iexplore.exe +r +h +s

It won't be able to come back now.
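Both tricks in this thread for a file that keeps re-creating itself (r-k's tip of stripping every permission from it, and kneH's placeholder marked read-only/hidden/system above) are combined below, with a check that the block actually holds. This is an added example, not from the original thread: it assumes PowerShell 5.1 or later, and the sample path is one the scan output earlier in the thread flagged as "Possible Virus" on the slaved disk (F:\), shown here under C:\ on the assumption that the drive is back in its own machine; substitute the file you identified.

```powershell
# Added example, not from the original thread. Assumes PowerShell 5.1+ on Windows,
# run from an elevated prompt. The target process must already be dead (Task Manager
# or Taskman+, as discussed above); this only stops the file coming back.

function Block-FilePath {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Placeholder (kneH's trick): replace whatever is there with an empty file.
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
    New-Item -ItemType File -Path $Path -Force | Out-Null

    # 2. attrib +r +h +s equivalent. Attributes alone are weak: one SetFileAttributes
    #    call from an admin-level process clears them, so step 3 is what does the work.
    $file = Get-Item -LiteralPath $Path -Force
    $file.Attributes = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # 3. r-k's tip: nobody, SYSTEM and Administrators included, gets any access.
    #    Drop inherited ACEs, remove explicit ones, then add a single Deny for Everyone (S-1-1-0).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-FileBlocked {
    # True if the file exists and cannot even be opened for read from this context.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        [IO.File]::OpenRead($Path).Dispose()
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

# Sample target: listed as "Possible Virus" in the scan output above (F:\ there, the
# slaved disk; C:\ is an assumption for the same disk back in its own machine).
$target = 'C:\WINDOWS\system32\qmgrmm32.exe'
Block-FilePath -Path $target
"{0} blocked: {1}" -f $target, (Test-FileBlocked -Path $target)
```

The limit of this approach is the one r-k states: the deny ACL makes the name unusable, it does not stop the same code coming back under a different name, so it is a holding action while the launching process is found. Note also that the file's owner keeps the implicit right to rewrite the DACL, so malware running as the same administrator account can undo step 3; it buys time rather than guaranteeing anything. To release a blocked file afterwards, reset its ACL from an elevated prompt with `icacls <path> /reset` and then delete it. On the XP-era box in the thread the equivalent of step 3 was `cacls <path> /P Everyone:N`.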

Author Comment

by:ccjcic
ID: 14009959
Thanks everyone for the help. I ended up just doing a reinstall of Windows. But if I ever see this virus again I will figure out what is going on!
LVL 29

Expert Comment

by:blue_zee
ID: 14010437

You're welcome.

Just sorry we couldn't help you a little further.

Cheers,

Zee