camacho_marco
 asked on

VIRUS W32/VB.PC WORM

Does anyone know how to remove this virus? W32/VB.PC WORM
I cannot find anything on the net.
OS Security

Last Comment
camacho_marco

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
war1

camacho_marco

ASKER
We have several files (Excel) that have been duplicated with the same name, but the extension is .exe. Symantec did not detect the virus. We downloaded a trial version of Panda and this one detects the virus and removes it, but when we put the machine on the network the files just start to multiply.

SOLUTION
Naser Gabaj

war1

camacho, run the other virus and spyware removers I posted above.
SOLUTION
war1

Naser72,

I was addressing camacho, not you.  I meant the post I made 09/09/2006 01:20PM PDT
Naser Gabaj

Let him choose by himself the right answer, but don't try to make him ignore other posts; that's what I mean when I ask you "what you mean".

Let's respect each other. It's an open forum, not for you and not for me; it's for everyone, my friend.
SOLUTION
camacho_marco

ASKER
None of the above worked, any other hints??? The virus is GETZAC. How do I know what's the virus name? On the infected file I right-clicked and it says GETZAC on the Version tab, Company Info. It's not GEDZAC it's GEDZAC.
war1

If you know the location of the virus file, delete it.  You may need to boot to Safe Mode to delete the file.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".
camacho_marco

ASKER
The same result. I will try a scan with Panda and leave it there; there is nothing on the web about this one.
war1

Where is the location of the virus file?  Does it cause your computer any problem?  It could be a false positive.  Running a couple of virus scanners will tell you whether you have a false positive.
camacho_marco

ASKER
The location is everywhere that I have an Excel or Word document.
It only duplicates files, but with an .exe extension.
The only one that detects the virus is Panda; none of the above has detected the problem.
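The symptom described in this thread (every Excel or Word document gaining a same-named .exe twin that comes back once the machine is on the network) can be inventoried before anything is quarantined, and the inventory gives you a file hash to hand to the vendor whose scanner missed it. The scanner below is an added example, not code from this thread or from any of the products mentioned: it assumes nothing about the worm beyond the naming pattern camacho_marco describes, and it checks both the `budget.exe` and the double-extension `notes.doc.exe` forms. The sample directory tree is constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Document types the thread describes being "twinned" by an executable copy.
DOC_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx"}


def find_twin_executables(root):
    """Return sorted (document, twin_exe) pairs found under root.

    A twin is a file in the same folder named either <stem>.exe
    (budget.xls -> budget.exe) or <name>.exe (notes.doc -> notes.doc.exe).
    """
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # case-insensitive lookup
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in DOC_EXTENSIONS:
                continue
            candidates = (path.stem.lower() + ".exe", name.lower() + ".exe")
            for twin in candidates:
                if twin in by_lower:
                    pairs.append((str(path), str(Path(dirpath) / by_lower[twin])))
    return sorted(pairs)


def sha256_of(path):
    """Hash a file in chunks so large shares do not get read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_by_hash(exe_paths):
    """Group twin executables by content hash.

    Many copies sharing one hash is the footprint of a self-copying worm;
    that single hash is what you submit to the AV vendor that missed it.
    """
    groups = defaultdict(list)
    for exe in exe_paths:
        groups[sha256_of(exe)].append(exe)
    return dict(groups)


def scan(root):
    pairs = find_twin_executables(root)
    groups = group_by_hash([exe for _doc, exe in pairs])
    return pairs, groups


def build_sample_tree():
    """Constructed sample share (not real malware): two twinned documents with
    identical .exe bodies, one untouched document, one unrelated installer."""
    root = Path(tempfile.mkdtemp(prefix="twinscan_"))
    (root / "finance").mkdir()
    (root / "finance" / "budget.xls").write_bytes(b"fake xls")
    (root / "finance" / "budget.exe").write_bytes(b"FAKE-WORM-BODY")
    (root / "finance" / "notes.doc").write_bytes(b"fake doc")
    (root / "finance" / "notes.doc.exe").write_bytes(b"FAKE-WORM-BODY")
    (root / "hr").mkdir()
    (root / "hr" / "staff.docx").write_bytes(b"fake docx")
    (root / "tools").mkdir()
    (root / "tools" / "setup.exe").write_bytes(b"installer")  # not a twin
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found_pairs, hash_groups = scan(sample_root)
    for doc, exe in found_pairs:
        print(f"document {doc} has executable twin {exe}")
    for digest, copies in hash_groups.items():
        print(f"{digest[:16]}...  {len(copies)} identical copies")
```

Run it against the root of the affected share instead of the sample tree; `tools/setup.exe` shows why the check is keyed on a matching document rather than on every .exe it sees.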
SOLUTION
camacho_marco

ASKER
Logfile of HijackThis v1.99.1
Scan saved at 3:21:28 PM, on 9/13/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVNT\PavFnSvr.exe
C:\Program Files\Panda Software\AVNT\TPSrv.exe
C:\Program Files\Panda Software\AVNT\WebProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVNT\PavSrv51.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\AVNT\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Panda Software\Panda Administrator 3\AdminServer\AdminServer.exe
C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\AppKeyLicenseServerContPAQ.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
E:\Tress\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PADMINISTRATOR\Binn\sqlservr.exe
C:\Program Files\Panda Software\Panda Administrator 3\Distribution Server\PadFSvr.exe
C:\Program Files\Panda Software\AVNT\PSCTRLS.EXE
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\AVNT\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
E:\Tress\GRUPOT~1\SENTIN~1.EXE
C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kyocera Mita\FileUtility\nsCatCom.exe
C:\hp\hpsmh\bin\smhstart.exe
E:\Tress\Grupo Tress\Servidor\AstaServerLauncherNTS.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Panda Software\AVNT\CPntSrv.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Tress\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
C:\Program Files\Panda Software\AVNT\AVENGINE.EXE
E:\Tress\Grupo Tress\Servidor\Cafetera.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Console\PASystemTray.exe
C:\Program Files\Panda Software\AVNT\PSCtrlC.exe
C:\Program Files\Panda Software\AVNT\CpIcnMng.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Panda Software\AVNT\avciman.exe
C:\Program Files\Panda Software\AVNT\psimreal.exe
E:\Tress\Grupo Tress\L5Poll\L5Poll.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [DetectaFirewallContPAQ] "C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\DetectaFirewall.exe" /boot
O4 - HKLM\..\Run: [TaskManager] c:\windows\enya.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Common Files\Softwin\Console\bdconsole.exe"
O4 - HKLM\..\Run: [PASystemTray] "C:\Program Files\Panda Software\Panda Administrator 3\Console\PASystemTray.exe"
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\Panda Software\AVNT\PSCtrlC.exe"
O4 - HKLM\..\Run: [CpnIconMng] C:\Program Files\Panda Software\AVNT\CpIcnMng.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\Software\..\Telephony: DomainName = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: Domain = arcautomotive.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: NameServer = 10.53.1.8,10.53.1.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = REYNOSA.AD.ARCAUTOMOTIVE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arcautomotive.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arcautomotive.com
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O23 - Service: Panda AdminSecure Administration Server (AdminServer) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\AdminServer\AdminServer.exe
O23 - Service: Servidor de Licencias Compac - ContPAQ (AppKeyLicenseServer_ContPAQ) - Unknown owner - C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\AppKeyLicenseServerContPAQ.exe
O23 - Service: AstaAppManager - Grupo Tress Internacional S.A. de C.V. - E:\Tress\Grupo Tress\Servidor\AstaServerLauncherNTS.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Panda NetworkSecure Service (CPntSrv) - Panda Software International - C:\Program Files\Panda Software\AVNT\CPntSrv.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - E:\Tress\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - E:\Tress\Firebird_1_5\bin\fbserver.exe
O23 - Service: Panda AdminSecure Distribution Server (PadFSvr) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Distribution Server\PadFSvr.exe
O23 - Service: Panda Software Controller - Panda Software - C:\Program Files\Panda Software\AVNT\PSCTRLS.EXE
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Function Service (PavFnSvr) - Panda Software - C:\Program Files\Panda Software\AVNT\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\Panda Software\AVNT\PavSrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\AVNT\PNMSRV.EXE
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software Internacional - C:\Program Files\Panda Software\AVNT\PsImSvc.exe
O23 - Service: Sentinel3s (Sentinel3Service) - Grupo Tress Internacional, S.A. de C.V. - E:\Tress\GRUPOT~1\SENTIN~1.EXE
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\AVNT\TPSrv.exe

camacho_marco

ASKER
Here is the log, can you find something???
And sorry for the late response, I was out of the city.

Thanks Amigo war1
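The HijackThis log posted above can be triaged mechanically before anyone picks an entry to delete. The parser below is an added example, not a HijackThis feature and not code from this thread: it reads the O4 (autorun) lines, pulls out the value name and the executable, and lists reasons an analyst might look twice, such as an executable given with no directory at all, one launched from outside the directories this server's other autoruns use, or a value name that does not resemble the program it starts. The sample lines are copied from the posted log; the expected-directory list is an assumption to tune per host, and a flagged entry is a review item, not a verdict.

```python
import ntpath
import re

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First .exe token, with or without surrounding quotes; tolerates unquoted spaces.
EXE_IN_COMMAND = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Assumption: directories the legitimate autoruns in the posted log launch from.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG_LINES = [
    r"O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe",
    r'O4 - HKLM\..\Run: [DetectaFirewallContPAQ] "C:\Program Files\Compacw\Servidor de Licencias\ContPAQ\DetectaFirewall.exe" /boot',
    r"O4 - HKLM\..\Run: [TaskManager] c:\windows\enya.exe",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe",
    r"O4 - Global Startup: Scanner File Utility.lnk = ?",  # no [name]: skipped
]


def parse_o4(line):
    """Return {key, name, exe} for a registry-style O4 line, else None."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    command = m.group("command")
    e = EXE_IN_COMMAND.match(command)
    exe = e.group("exe") if e else command.split()[0]
    return {"key": m.group("key"), "name": m.group("name"), "exe": exe}


def _normalise(text):
    """Lower-case and drop punctuation so 'Sun Java' and 'sunjava' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def review_reasons(entry):
    """Heuristics that make an autorun worth a second look (not a malware verdict)."""
    exe = entry["exe"].replace("/", "\\")
    reasons = []
    if "\\" not in exe:
        reasons.append("unqualified path: found via PATH search, not a fixed location")
    elif not exe.lower().startswith(EXPECTED_DIRS):
        reasons.append("executable outside expected directories")
    stem = _normalise(ntpath.splitext(ntpath.basename(exe))[0])
    name = _normalise(entry["name"])
    if stem not in name and name not in stem:
        reasons.append("value name does not resemble executable name")
    return reasons


def triage(lines):
    """Parse every O4 line and attach its review reasons."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["reasons"] = review_reasons(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG_LINES):
        status = "; ".join(item["reasons"]) or "nothing unusual"
        print(f"[{item['name']}] {item['exe']}: {status}")
```

The name-mismatch rule on its own is weak (the Java updater trips it), which is why the output is a ranked list for a human rather than a delete list; the entry that collects more than one reason is the one to pin down first, by checking the file's publisher, hash and creation time against the rest of the system.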
war1

1. Go to this folder C:\WINDOWS\system32 and delete sysdown.exe You may need Killbox or Unlocker to remove it.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

2. If the following IP address does not belong to your ISP, have HijackThis remove it

O17 - HKLM\System\CCS\Services\Tcpip\..\{62FBD353-6F9B-49D9-81B9-1DBED203F252}: NameServer = 10.53.1.8,10.53.1.9
camacho_marco

ASKER
Hi Amigo:
Here is what I found on the sysshutdown.exe, and it's not a good idea to delete it.
Description:
sysdown.exe is a part of Microsoft Windows Server suite. This process allows a server to shut down before management tools are loaded. This program is important for the stable and secure running of your computer and should not be terminated.
war1

camacho,

Yes, sysdown.exe is part of Windows shutdown. I was thinking of a similar spelling trojan.
camacho_marco

ASKER
anything else????
camacho_marco

ASKER
I will split the points with everyone.

Cheers