Virus... help me!!

[toru310]

I surfed the net download.com and got to know some programs that looks cool problem is I don't know what program to trust can you help me out?
-Windows Defender(not sure if this is a anti virus)
-Spyware Terminator(is this an anti virus not sure)
-And once again cCleaner looks nice
-Spybot search and destroy looks good to.
Is it ok to have all of this installed? oh yeah all of those programs are freeware

Is spybot detected as a virus for some anti virus programs?

I know this questions are all stupid and I'm sorry for that.

[Ledgem]

The questions aren't stupid. Believe me, you're interested in making sure that your computer stays under your own control - your inquiries are the right kind of inquiries to make.

Windows Defender is Microsoft's answer to increasing security concerns. I've heard mixed reviews over it, but overall it seems to be a decent solution. Feel free to get it (make sure it's a Microsoft product, and not some third party trying to mimic the name)

Spyware Terminator I've never heard of, but the site looks OK and it has a number of favorable reviews on download.com...

cCleaner I've already gone over, just make sure that you know it's not a security program.

Spybot is good, and has my personal recommendation. It should not be detected as a virus by antivirus programs as far as I'm aware.

I'll also mention again that Ad-Aware is free and has a good track record - before Spybot came along, all we had was Ad-Aware. Occasionally one program might miss something that the other could detect, or it might not be able to remove something that another would be able to, so thats why it's good to have two. But, just as with virus scanners, if there's an option for real-time protect, make sure that only one is running at a time.

[Phantom-Takaya]

SpySweeper's not so bad either. As I've said in another thread, it's best to install and use the utilities in safe mode. To clarify: Not safe mode with networking. Just safe mode. This way, it will keep the problem isolated and maybe even incapacitated while you scan for it and delete it.

Speaking of which, I'll need to do something similar. I have a feeling something's gotten to my MSN since every time I try to log on, the computer restarts a minute later. Fortunately, it's only MSN that's currently affected.

[toru310]

Then I'll stick with Ad aware and Spybot since their both freeware.

[AndyTran]

1. Go run Adaware and Spybot to get rid of some stray malware
2. Download CleanUp! Here and run it. It'll clear all your temporary internet files.
3. Go to Trendmicro and take a scan Here copy your results and save it somewhere (if notepad doesn't work, just email yourself)
4. Download Hijackthis Here. Scan and save a log file.

Post the Trend Micro results and the Hijackthis scan (since .log is notepad, you probably can't open it. Just the whole file somehwere) here and see what we can do. Though I'd have to say... since your friend can run Linux, pull out an external or an HD enclosure, backup some data and reformat the computer. That's the best way IMO.

[Jinto]

I've an unrelated question. I was looking on the grisoft site, is there no free AVG Anti Virus anymore? (I use the full version for server systems... because there are few anti virus applications that fully support Windows 2003 and are quite affordable too)

It looks like there are only trial versions offered.

[toru310]

Quote:

Originally Posted by Jinto Lin

I've an unrelated question. I was looking on the grisoft site, is there no free AVG Anti Virus anymore? (I use the full version for server systems... because there are few anti virus applications that fully support Windows 2003 and are quite affordable too)

It looks like there are only trial versions offered.

I'm not sure are you finding a free version of AVG anti virus? If so I think theres one in download.com?

[Jinto]

Well I was searching a link for you, but could not find a free version (only trial versions, but I don't know what the trial version can do, maybe they have no time limit).

[toru310]

Thanks and may bad hehe

[Phantom-Takaya]

Alright. Since this thread is already up and I'm the type to want to solve problems myself first, I'll step out of my box and ask for help in here. And since this thread is directly associated to what my computer seems to be suffering, this would be a good place to ask for it.

It seems my computer is suffering from a virus of sorts, but it could be something else. At first, my computer started to show signs of decrease in performance. The CPU in the task bar would indicate that it was processing much more so than normal, thus slowing the computer down. I attempted to stop some of the process, but only come up with a small increase in performance. This led me to believe that either the CPU, RAM or maybe even motherboard was starting to fail. Then MSN (the messenger) started to do something rather strange. Whenever I attempt to log in to it, it would log me in for a minute, then the computer would suddenly restart on it's own. Strangely enough, it was only this program's activation that would cause the computer to restart. I thought it was only hardware failure and that I can tolerate not using MSN until I get the replacement pieces. But after a few days, the computer had suddenly done something strange. mIRC was no longer able to connect, claiming that there was no internet connection available. Internet Explorer also would not allow me to click or type on anything other than the menues, although they would pop-up severely slowly. This was when I started getting the idea that it may be a virus. So, I restarted into safe mode with networking (which is what I'm on now) and it seems all the problems went away. So, I ran my utilities from SpySweeper to SmitFraud Fix to SpyBot to AdAware SE and Norton Anti-Virus. With the utilities, I found a keylogger and immediately deleted it. There were also some registries that were altered as well as some questionable dlls and other files that were removed. After a few hours of that, I restarted the computer to Normal mode, but it seems the virus persisted and reacted to the attempt. Now, mIRC is able to connect, but every other program claims that there is no internet connection detected. So, I'm back on safe mode with networking, scanning and attempting to fix any problems that I may come across, though I'm not 100% sure the next time I restart to Normal Mode, the computer will be restored. So, any suggestions?

[toru310]

Have you checked your firewall? maybe it's missing? or corrupt? That happened to me before when you can't access the internet and then I realized that my firewall is missing..so I had to reformat. Ermm have you tried a combination of AVG anti virus and Hijackthis? Scan with avg and when it detected a virus copy the location and execute Hijackthis to remove it.

I'm no pro but I'm getting there..based on experience..hehe

[Jinto]

I think it is nice that you want to help people... well, don't get me wrong... ^^' ... the advice you offer here is only artly correct.

Quote:

Originally Posted by Migufuchi Fusutsu

Have you checked your firewall? maybe it's missing? or corrupt?

If his Firewall is corrupt, then that can be a reason for not being able to access the internet. If it is missing, than this no reason. If it is wrongly configured, it is again a possible reason. But judging from the experience level Phantom-Takaya shows in his posting, I think he checked this already.

Quote:

Originally Posted by Migufuchi Fusutsu

That happened to me before when you can't access the internet and then I realized that my firewall is missing..so I had to reformat.

I guess you firewall wasn't missing, just broken.

Quote:

Originally Posted by Migufuchi Fusutsu

Ermm have you tried a combination of AVG anti virus and Hijackthis? Scan with avg and when it detected a virus copy the location and execute Hijackthis to remove it.

Usually AVG removes all virii it finds. What Hijackthis does, is to remove registry entries that are suspicious or no longer needed. (it can remove files too, but AVG should be the better tool for that task... yet Hijackthis is a good tool for getting a quick overview of important parts of the registry - and possibly cleaning them)

Quote:

Originally Posted by Migufuchi Fusutsu

I'm no pro but I'm getting there..based on experience..hehe

I'ld rather prefer not to experience all the bad stuff I am offering help for. Once you can prevent all that bad stuff you are a experienced user ^^

@Phantom-Takaya,

can you run Hijackthis and provide the log for further investigation? Also a good thing imo is checking for root kits.

e.g. using http://www.microsoft.com/technet/sys...tRevealer.mspx

[Phantom-Takaya]

Actually, that's also another thing I forgot to point out that the virus reacted to. Right when I started it back to normal mode, Windows quickly informed me that Norton Firewall and Anti-Virus are disabled. I never disable those two. Unfortunately, my attempts to enable them were overriden by the virus. I know one easy way to fix this is to reinstall the OS, but that's a last resort.

I'm going to restart the computer to normal mode to run HijackThis. Maybe I've missed a process or two.

[Phantom-Takaya]

Alright. This is the first scan in normal mode:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:27:19 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Installers\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: John's Background Switcher.lnk = C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O15 - Trusted Zone: http://www.torrentmatrix.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6282 bytes



I selected everything had HijackThis "fix" for the sake of it and scanned again. Here's the new results:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:29:54 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Installers\HiJackThis_v2.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 3531 bytes

[Jinto]

I found nothing really suspicious there... however...

I'ld disable cisvc.exe (indexing service for faster local search - but very performance demanding). This can be shut off in the windows search dialog (enable/disable file indexing)

The IDriverT thingy you can set to manual start up (afaik it need not start up automatically)

And now I need to know if these programs were installed by yourself (and are running with your consent...):

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe


Now, the root kit analysis (it provides yet another log to examine)

[SeijiSensei]

Anyone know what this was in the initial scan?

O15 - Trusted Zone: http://www.torrentmatrix.com

I visited torrentmatrix.com and got a MySQL error page for too many connections. I notice it wasn't in the second scan after you ran HijackThis. If you don't recall putting this site into your "trusted" sites, I'd be very suspicious of an entry like that.

[Jinto]

Strange, when I visited the site before (and now) everything was alright there. Anyway its not there anymore... and the other stuff seems okay too (if there is not a camouflaged service...)
However the root kit test log would really interest me.

[Ledgem]

I'm with Jinto Lin on the rootkit information. Somewhat related, does anyone have any recommendations on a Linux LiveCD for bailing out Windows? I found one called Helix, yet it seemingly couldn't mount NTFS partitions (I may have been using it wrong). I wanted to use it to scan for viruses completely outside of Windows with ClamWin (other tools would be nice too, but virus/spyware sweeping is the main thing).

After you've cleared the viruses and what not, I'd recommend repairing your Windows install (boot off the CD, skip recovery console, and when you're prompted for where to install, select your Windows partition and hit "r" (repair) - doesn't touch your registry or anything, but sets the critical system files back to normal). If you're having networking issues, there are a number of possible reasons, but one may be that the thing messed with some of the core networking files.

[winry039]

i feel so sorry for you but there nothing i can do

[SeijiSensei]

Quote:

Originally Posted by Ledgem

does anyone have any recommendations on a Linux LiveCD for bailing out Windows?

My usual preference is Knoppix. Versions since 5.01 apparently include the ntfs-3g drivers for full read/write support. The current release version is 5.1.1, though apparently 5.2.0 is being readied.

For North American readers, there are copies available on one of my favorite download sites at the University of Wisconsin.