camacho_marco asked:
VIRUS W32/VB.PC WORM

Does anyone know how to remove this virus? W32/VB.PC WORM
I cannot find anything about it on the net.
ASKER CERTIFIED SOLUTION by war1 (members only)

camacho_marco (ASKER):
We have several Excel files that have been duplicated with the same name but with an .exe extension. Symantec did not detect the virus. We downloaded a trial version of Panda, and this one detects the virus and removes it, but when we put the machine back on the network the files just start to multiply again.

SOLUTION (members only)
camacho, run the other virus and spyware removers I posted above.
SOLUTION (members only)
Naser72,

I was addressing camacho, not you. I meant the post I made 09/09/2006 01:20PM PDT.
Let him choose the right answer by himself, but don't try to make him ignore other posts; that's what I meant when I asked you "what do you mean".

Let's respect each other. It's an open forum, not for you and not for me; it's for everyone, my friend.
SOLUTION (members only)
None of the above worked. Any other hints? The virus is GETZAC. How do I know the virus name? On the infected file I right-clicked, and on the Version tab under Company Info it says GETZAC. It's not GEDZAC, it's GEDZAC.
If you know the location of the virus file, delete it. You may need to boot to Safe Mode to delete the file.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it. Right-click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove the other permissions. If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If you are using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".
The same result. I will try a scan with Panda and leave it there; there is nothing on the web about this one.
Where is the location of the virus file? Does it cause your computer any problem? It could be a false positive. Running a couple of virus scanners will tell you whether you have a false positive.
The location is everywhere that I have an Excel or Word document.
It only duplicates files, but with an .exe extension.
The only one that detects the virus is Panda; none of the above has detected the problem.
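Added example, not from the thread or any poster: a Python script that checks a share for the symptom camacho describes, a document with a same-named .exe sibling, and then hashes the companions so identical worm copies dropped next to many documents group under a single digest (one sample to send to the AV vendor). The extensions beyond .xls/.doc and the sample directory tree are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# .xls and .doc are what the thread reports; the other extensions are an assumption.
DOC_EXTS = {".xls", ".doc", ".xlsx", ".docx", ".ppt"}

def find_companions(root):
    """Return sorted (document, exe) pairs: a document with a same-named .exe sibling."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # NTFS names are case-insensitive
        for f in files:
            base, ext = os.path.splitext(f)
            if ext.lower() not in DOC_EXTS:
                continue
            exe = by_lower.get(base.lower() + ".exe")
            if exe is not None:
                pairs.append((os.path.join(dirpath, f), os.path.join(dirpath, exe)))
    return sorted(pairs)

def cluster_by_hash(paths):
    """Group files by SHA-256: one worm body copied everywhere becomes one digest, many paths."""
    clusters = defaultdict(list)
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        clusters[h.hexdigest()].append(p)
    return dict(clusters)

def build_sample_tree(root):
    """Constructed sample share: two docs shadowed by identical .exe copies, one clean doc, one lone .exe."""
    body = b"MZ placeholder, not a real binary"
    files = {"Finance/budget.xls": b"sheet", "Finance/budget.exe": body,
             "HR/roster.doc": b"doc", "HR/roster.exe": body,
             "HR/policy.doc": b"doc", "HR/setup.exe": b"unrelated installer"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(cluster_by_hash([exe for _doc, exe in find_companions(tmp)]))
```

Point `find_companions` at the root of the affected share to list every shadowed document; `setup.exe` in the sample is deliberately not reported because no document shares its name.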
SOLUTION (members only)
Logfile of HijackThis v1.99.1
Scan saved at 3:21:28 PM, on 9/13/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVNT\PavFnSvr.exe
C:\Program Files\Panda Software\AVNT\TPSrv.exe
C:\Program Files\Panda Software\AVNT\WebProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVNT\PavSrv51.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\AVNT\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Panda Software\Panda Administrator 3\AdminServer\AdminServer.exe
C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\AppKeyLicenseServerContPAQ.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
E:\Tress\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PADMINISTRATOR\Binn\sqlservr.exe
C:\Program Files\Panda Software\Panda Administrator 3\Distribution Server\PadFSvr.exe
C:\Program Files\Panda Software\AVNT\PSCTRLS.EXE
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\AVNT\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
E:\Tress\GRUPOT~1\SENTIN~1.EXE
C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kyocera Mita\FileUtility\nsCatCom.exe
C:\hp\hpsmh\bin\smhstart.exe
E:\Tress\Grupo Tress\Servidor\AstaServerLauncherNTS.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Panda Software\AVNT\CPntSrv.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Tress\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
C:\Program Files\Panda Software\AVNT\AVENGINE.EXE
E:\Tress\Grupo Tress\Servidor\Cafetera.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Console\PASystemTray.exe
C:\Program Files\Panda Software\AVNT\PSCtrlC.exe
C:\Program Files\Panda Software\AVNT\CpIcnMng.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Panda Software\AVNT\avciman.exe
C:\Program Files\Panda Software\AVNT\psimreal.exe
E:\Tress\Grupo Tress\L5Poll\L5Poll.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [DetectaFirewallContPAQ] "C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\DetectaFirewall.exe" /boot
O4 - HKLM\..\Run: [TaskManager] c:\windows\enya.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Common Files\Softwin\Console\bdconsole.exe"
O4 - HKLM\..\Run: [PASystemTray] "C:\Program Files\Panda Software\Panda Administrator 3\Console\PASystemTray.exe"
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\Panda Software\AVNT\PSCtrlC.exe"
O4 - HKLM\..\Run: [CpnIconMng] C:\Program Files\Panda Software\AVNT\CpIcnMng.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\Software\..\Telephony: DomainName = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: Domain = arcautomotive.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: NameServer = 10.53.1.8,10.53.1.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arcautomotive.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arcautomotive.com
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O23 - Service: Panda AdminSecure Administration Server (AdminServer) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\AdminServer\AdminServer.exe
O23 - Service: Servidor de Licencias Compac - ContPAQ (AppKeyLicenseServer_ContPAQ) - Unknown owner - C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\AppKeyLicenseServerContPAQ.exe
O23 - Service: AstaAppManager - Grupo Tress Internacional S.A. de C.V. - E:\Tress\Grupo Tress\Servidor\AstaServerLauncherNTS.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Panda NetworkSecure Service (CPntSrv) - Panda Software International - C:\Program Files\Panda Software\AVNT\CPntSrv.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - E:\Tress\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - E:\Tress\Firebird_1_5\bin\fbserver.exe
O23 - Service: Panda AdminSecure Distribution Server (PadFSvr) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Distribution Server\PadFSvr.exe
O23 - Service: Panda Software Controller - Panda Software - C:\Program Files\Panda Software\AVNT\PSCTRLS.EXE
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Function Service (PavFnSvr) - Panda Software - C:\Program Files\Panda Software\AVNT\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\Panda Software\AVNT\PavSrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\AVNT\PNMSRV.EXE
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software Internacional - C:\Program Files\Panda Software\AVNT\PsImSvc.exe
O23 - Service: Sentinel3s (Sentinel3Service) - Grupo Tress Internacional, S.A. de C.V. - E:\Tress\GRUPOT~1\SENTIN~1.EXE
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\AVNT\TPSrv.exe

Here is the log. Can you find something?
And sorry for the late response, I was out of the city.

Thanks Amigo war1
1. Go to the folder C:\WINDOWS\system32 and delete sysdown.exe. You may need Killbox or Unlocker to remove it.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

2. If the following IP address does not belong to your ISP, have HijackThis remove it

O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: NameServer = 10.53.1.8,10.53.1.9
Hi Amigo:
Here is what I found on sysshutdown.exe, and it's not a good idea to delete it.
Description:
sysdown.exe is a part of Microsoft Windows Server suite. This process allows a server to shut down before management tools are loaded. This program is important for the stable and secure running of your computer and should not be terminated.
camacho,

Yes, sysdown.exe is part of Windows shutdown. I was thinking of a similar spelling trojan.
Anything else?
I will split the points with everyone.

Cheers