Nasty Virus/Spyware/Malware problem.

[JMEaT]

Somehow my main box has gotten a nasty virus. I've done many searches but keep getting run arounds and was hoping someone had some experience with its removal. Norton can't find anything with system scans in both normal and safe mode but sometimes randomly quarantines files such as "dx9vbs.exe" or something of the like.

Shortly after bootup I get this message:



And these processes are running that don't look familiar:



Any advice would be appreciated! (besides reformat/use Linux etc. etc.)

[AceCombat]

tried any other scanners?

AVG? Spybot? AdAware?

[JMEaT]

All of the above. No spyware detected.

[Asrale]

Download & install "HijackThis" and post the log here.

[Flatlander]

Those are definitely spyware or viruses, based on a quick google. Dunno specifically how to get rid of 'em, other than some general tips:

Boot into Safe Mode w/ Network Support.
Turn off System Restore.
Run Disk Cleanup.
Run several online virus scans:
http://housecall.antivirus.com
http://www.bitdefender.com/scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download, update and run the following:
Ad-Aware: http://www.lavasoft.de
Spybot S&D: http://www.safer-networking.org/en/download/index.html
CWShredder: http://www.intermute.com/spysubtract/cw ... nload.html
SpywareBlaster: http://www.wilderssecurity.net/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
WinPatrol: http://www.winpatrol.com/
Adware Away: http://www.adwareaway.com/

Reboot, repeat as necessary. Once clean, turn System Restore back on.

[MD-2389]

Download & install "HijackThis" and post the log here.

Hijack This! (right-click, save-as)

Then download this and nuke them without having to use regedit.

[Kyouryuu]

Something about that Windows XP error is very suspicious.

- Windows Security Center doesn't detect Spyware.
- "is bad" doesn't seem very Microsoftian.
- Spyware Activity Detected is in upper caps whereas the rest isn't.
- "Balloon" is misspelled.

I wouldn't be surprised if it was part of the virus.

[Top Gun]

Come to think of it, Kyouryuu, you're right. I've seen the usual security error when your virus protection is off, and it's nothing like that. Could some sort of spyware/malware be causing that, instead of a virus? I know I experienced one on a friend's computer that brought up the "Windows will shut down in 60 seconds" window, which I thought was usually caused by worms.

[Grendel]

Hm, the little shield should be red w/ the X in it too for this kind of problem (like the one in the message..)

[Vindicator]

I wouldn't be surprised if it was part of the virus.

Windows doesnt scan for spyware activity So, as Freud would say, your PC haz izzuesh. Jah.

[DigiJo]

C:\WINDOWS\System32\unlodctl.exe
C:\WINDOWS\System32\nlsfuncs.exe
C:\WINDOWS\System32\openconf.exe

these three files are your problem (have found a ton of references to these, but no virus/trojan name yet), kill the tasks with the taskmanager, then start msconfig and remove the autostarts for this entrys (from services and/or autostarts). then delete this 3 files from the folder manual. now reboot, look if they reapear. good luck hehe.

ah and stop using internet explorer, and stop using online virusscanners, cause the activex-controls of this "services" have full access to your local maschine and are a very high security risk itself.

[JMEaT]

I deleted te 3 files and rebooted. So far so good. There were no entries in my startup to these files.

Here is my HT log:

Code: Select all

Logfile of HijackThis v1.99.0
Scan saved at 9:18:27 AM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ICQPlus\vplus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\JMEaT\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {ABEC1810-937B-4B27-A51F-E6518ED291A7} - C:\WINDOWS\System32\msrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.toyota.com/vehicles/2004/rav4/ext360.html
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094249939495
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/daimlerchrysler/rrtstreetwise/install.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E665D38E-7EF4-4DBC-9512-86D25E79ED55}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remotely Possible/32 - Unknown - C:\Remotely Possible\rp32serv.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Tyranny]

ah, SCP. Nice tool, saved my ass many a time in Win2K. Was glad to get msconfig back when I upgraded to XP Pro.

I'd also recommend upgrading to SP2 there JMEat. I haven't had any issues with it myself but I vaguely remember a few complaining about it so you might have been one of the ones who reverted back or something *shrug*.

[Asrale]

Checkmark the below lines and "Fix" them:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: (no name) - {ABEC1810-937B-4B27-A51F-E6518ED291A7} - C:\WINDOWS\System32\msrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4249939495
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab


Just some additional comments:
- line #1 is the default opening page, unless you use FastSearchWeb (which I doubt), that should be removed by HT.
- line #2 is a "browser helper object" for Internet Explorer, unless you have some kind of plugins that you use with IE, that also should be disabled.
- line #3 is an IE toolbar
- line #4 is another IE toolbar
- lines #5-#11 are all downloaded program files, you can safely delete all those, including the World of WarCraft Beta since the full game is out now.

Edit: and OH CRAP I forgot to ask you to send me those files via e-mail. I work for a company called Webroot Software who makes this anti-spyware app called "Spy Sweeper" and those files would've helped me add more functionality to the program. Ahh well. Sucks.

[JMEaT]

Well As, you'll be happy to know they have all 3 returned! I'll mail em to ya.

And I'll try your advice thanks.

[Asrale]

If you haven't already sent the files, well sock 'em to asrale@planetdescent.com, all 3 zipped up plz (no RAR).

[Flatlander]

I work for a company called Webroot Software who makes this anti-spyware app called "Spy Sweeper" and those files would've helped me add more functionality to the program.

Really? Cool - Spy Sweeper rox.

[Asrale]

Yep, it's actually gratifying for me now to see various magazines acclaiming Spy Sweeper; just in the past couple weeks I've read nothing but positive reviews by PC Magazine, Computer Gaming World, Maximum PC...

And I have to admit, being on a team responsible for constantly improving the program feels rewarding.

[Asrale]

Hey JMEaT, I tested the 3 files you sent but nothing happened, they didn't generate any suspicious file/Registry activity. Hmmmm, you got any other files that might be related to this?

Oh and I tested on WinXP Pro, that is what you're using, right? Or Win2K?