
Nasty Virus/Spyware/Malware problem.

Posted: Mon Dec 27, 2004 8:25 pm
by JMEaT
Somehow my main box has gotten a nasty virus. I've done many searches but keep getting runarounds and was hoping someone had some experience with its removal. Norton can't find anything with system scans in both normal and safe mode but sometimes randomly quarantines files such as "dx9vbs.exe" or something of the like.

Shortly after bootup I get this message:

[screenshot not preserved]

And these processes are running that don't look familiar:

[screenshot not preserved]

Any advice would be appreciated! (besides reformat/use Linux etc. etc.) :)

Posted: Mon Dec 27, 2004 8:37 pm
by AceCombat
Tried any other scanners?

AVG? Spybot? AdAware?

Posted: Mon Dec 27, 2004 8:39 pm
by JMEaT
All of the above. No spyware detected.

Posted: Mon Dec 27, 2004 9:04 pm
by Asrale
Download & install "HijackThis" and post the log here.

Posted: Mon Dec 27, 2004 9:10 pm
by Flatlander
Those are definitely spyware or viruses, based on a quick google. Dunno specifically how to get rid of 'em, other than some general tips:

Boot into Safe Mode w/ Network Support.
Turn off System Restore.
Run Disk Cleanup.
Run several online virus scans:
http://housecall.antivirus.com
http://www.bitdefender.com/scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download, update and run the following:
Ad-Aware: http://www.lavasoft.de
Spybot S&D: http://www.safer-networking.org/en/download/index.html
CWShredder: http://www.intermute.com/spysubtract/cw ... nload.html
SpywareBlaster: http://www.wilderssecurity.net/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
WinPatrol: http://www.winpatrol.com/
Adware Away: http://www.adwareaway.com/

Reboot, repeat as necessary. Once clean, turn System Restore back on.

Posted: Mon Dec 27, 2004 10:48 pm
by MD-2389
Asrale wrote: Download & install "HijackThis" and post the log here.
Hijack This! (right-click, save-as)

Then download this and nuke them without having to use regedit.

Posted: Tue Dec 28, 2004 1:13 am
by Kyouryuu
Something about that Windows XP error is very suspicious.

- Windows Security Center doesn't detect Spyware.
- "is bad" doesn't seem very Microsoftian.
- Spyware Activity Detected is in upper caps whereas the rest isn't.
- "Balloon" is misspelled.

I wouldn't be surprised if it was part of the virus.

Posted: Tue Dec 28, 2004 1:46 am
by Top Gun
Come to think of it, Kyouryuu, you're right. I've seen the usual security error when your virus protection is off, and it's nothing like that. Could some sort of spyware/malware be causing that, instead of a virus? I know I experienced one on a friend's computer that brought up the "Windows will shut down in 60 seconds" window, which I thought was usually caused by worms.

Posted: Tue Dec 28, 2004 2:08 am
by Grendel
Hm, the little shield should be red w/ the X in it too for this kind of problem (like the one in the message..)

Posted: Tue Dec 28, 2004 5:28 am
by Vindicator
Kyouryuu wrote: I wouldn't be surprised if it was part of the virus.
Windows doesn't scan for spyware activity :P So, as Freud would say, your PC haz izzuesh. Jah.

Posted: Tue Dec 28, 2004 5:41 am
by DigiJo
C:\WINDOWS\System32\unlodctl.exe
C:\WINDOWS\System32\nlsfuncs.exe
C:\WINDOWS\System32\openconf.exe

These three files are your problem (I have found a ton of references to these, but no virus/trojan name yet). Kill the tasks with Task Manager, then start msconfig and remove the autostart entries for them (from Services and/or Startup). Then delete these 3 files from the folder manually. Now reboot and look whether they reappear. Good luck hehe.

Ah, and stop using Internet Explorer, and stop using online virus scanners, because the ActiveX controls of these "services" have full access to your local machine and are a very high security risk themselves.
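
DigiJo's procedure above (kill the tasks, remove the autostart entries, delete the three files, reboot and see whether they return) as an added example; this is not code from the thread. On Windows it reads the Run/RunOnce keys and the Winlogon Shell/Userinit values through winreg; msconfig's Startup tab does not show the Winlogon values, which is one way a file can relaunch with nothing visible under Startup. The registry reading is kept apart from the matching and the before/after snapshot, so those two parts run on any OS with constructed entries. The key list, the SHA-256 snapshot and the fake entries used for testing are this example's assumptions; only the three file names come from the thread.

```python
"""Added example, not code from the thread: audit the autostart locations
DigiJo's procedure refers to for the three file names he listed, and record a
before/after snapshot so that a reboot tells you whether the files came back.

The registry is read through winreg only on Windows; the matching and the
snapshot comparison take plain Python data, so they run on any OS with
constructed entries. The key list and the SHA-256 snapshot are this example's
choices; only the three file names come from the thread.
"""
import hashlib
import os
import re

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

# File names DigiJo identified in the thread.
SUSPECT_NAMES = ("unlodctl.exe", "nlsfuncs.exe", "openconf.exe")

# Autostart keys to read. msconfig's Startup tab shows the Run keys but not the
# Winlogon Shell/Userinit values, which is one way a file can relaunch with
# nothing visible in Startup. (Assumed set; add more locations as needed.)
AUTOSTART_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"),
]


def read_registry_values(hive_name, subkey):
    """Return {value_name: data} for one key; empty off Windows or if absent."""
    if winreg is None:
        return {}
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                values[name] = str(data)
                index += 1
    except OSError:  # key does not exist
        pass
    return values


def find_suspect_references(values_by_key, suspect_names=SUSPECT_NAMES):
    """values_by_key is {key_path: {value_name: command}}. Returns
    (key_path, value_name, command) for every command that names a suspect
    file, matched case-insensitively because NTFS paths are."""
    pattern = re.compile("|".join(re.escape(n) for n in suspect_names), re.IGNORECASE)
    return [
        (key_path, value_name, command)
        for key_path, values in values_by_key.items()
        for value_name, command in values.items()
        if pattern.search(command)
    ]


def snapshot(paths):
    """{path: sha256 hex, or None if absent}. Take one right after deleting the
    files and another after the reboot."""
    result = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as handle:
                result[path] = hashlib.sha256(handle.read()).hexdigest()
        else:
            result[path] = None
    return result


def reappeared(before, after):
    """Paths absent in `before` but present in `after`, with their new hash, so
    a returned file can be compared against the copy sent off for analysis."""
    return {p: h for p, h in after.items() if before.get(p) is None and h is not None}


if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    targets = [os.path.join(system32, name) for name in SUSPECT_NAMES]
    live = {hive + "\\" + key: read_registry_values(hive, key) for hive, key in AUTOSTART_KEYS}
    for hit in find_suspect_references(live):
        print("autostart reference:", hit)
    for path, digest in snapshot(targets).items():
        print(path, digest or "absent")
```

Run it once after the deletion, save the printed hashes, and run it again after the reboot: a file that is back with the same hash was re-dropped by something still resident, which is the case where the autostart list, not the file, is the thing to chase.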

Posted: Tue Dec 28, 2004 8:22 am
by JMEaT
I deleted the 3 files and rebooted. So far so good. There were no entries in my startup for these files.

Here is my HT log:


Logfile of HijackThis v1.99.0
Scan saved at 9:18:27 AM, on 12/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ICQPlus\vplus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\JMEaT\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {ABEC1810-937B-4B27-A51F-E6518ED291A7} - C:\WINDOWS\System32\msrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.toyota.com/vehicles/2004/rav4/ext360.html
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094249939495
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/daimlerchrysler/rrtstreetwise/install.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E665D38E-7EF4-4DBC-9512-86D25E79ED55}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remotely Possible/32 - Unknown - C:\Remotely Possible\rp32serv.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Posted: Tue Dec 28, 2004 9:26 am
by Tyranny
ah, SCP. Nice tool, saved my ass many a time in Win2K. Was glad to get msconfig back when I upgraded to XP Pro.

I'd also recommend upgrading to SP2 there JMEat. I haven't had any issues with it myself but I vaguely remember a few complaining about it so you might have been one of the ones who reverted back or something *shrug*.

Posted: Tue Dec 28, 2004 9:38 am
by Asrale
Checkmark the below lines and "Fix" them:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: (no name) - {ABEC1810-937B-4B27-A51F-E6518ED291A7} - C:\WINDOWS\System32\msrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4249939495
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab


Just some additional comments:
- line #1 is the default opening page, unless you use FastSearchWeb (which I doubt), that should be removed by HT.
- line #2 is a "browser helper object" for Internet Explorer, unless you have some kind of plugins that you use with IE, that also should be disabled.
- line #3 is an IE toolbar
- line #4 is another IE toolbar
- lines #5-#11 are all downloaded program files, you can safely delete all those, including the World of WarCraft Beta since the full game is out now. :)

Edit: and OH CRAP I forgot to ask you to send me those files via e-mail. I work for a company called Webroot Software who makes this anti-spyware app called "Spy Sweeper" and those files would've helped me add more functionality to the program. ;) Ahh well. Sucks. :P
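
Asrale's checklist above and the HijackThis log JMEaT posted are two halves of the same triage. Here is an added example, not code from the thread and not HijackThis's own logic, that parses a v1.99-style log and surfaces the entry types reviewed in this thread: R0/R1 start and search URLs, O2 browser helper objects, O3 toolbars, O16 downloaded ActiveX controls (the kind DigiJo warned about), O17 DNS servers and O23 services whose file is missing. The sample lines are copied from JMEaT's log; the rules about which entries to surface, and the microsoft.com/msn.com allowance for R0/R1 values, are this example's assumptions. O17 is reported for review only: whether the two name servers in JMEaT's log are his ISP's is not something the thread establishes.

```python
"""Added example (not from the thread, and not HijackThis's own logic): pull the
entry types reviewed in this thread out of a HijackThis v1.99-style log.

Sections handled: R0/R1 (IE start and search URLs), O2 (browser helper
objects), O3 (IE toolbars), O16 (downloaded ActiveX controls), O17 (DNS
servers) and O23 (services). The rules for which entries to surface are this
example's own assumptions.
"""
import re
import sys
from urllib.parse import urlparse

# A subset of the lines from the log JMEaT posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {ABEC1810-937B-4B27-A51F-E6518ED291A7} - C:\WINDOWS\System32\msrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E665D38E-7EF4-4DBC-9512-86D25E79ED55}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Remotely Possible/32 - Unknown - C:\Remotely Possible\rp32serv.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry is "<section> - <body>"; header lines do not match.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

# Hosts an IE start/search URL may legitimately point at. Assumption for this
# example; add your own portal if you set one deliberately.
EXPECTED_URL_HOSTS = ("microsoft.com", "msn.com")
BLANK_URLS = {"", "about:blank", "about:home"}


def parse_entries(log_text):
    """Return (section, body) pairs for every numbered entry in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("sec"), match.group("body")))
    return entries


def host_of(value):
    """Lower-cased host of a URL, or '' for about:blank and similar."""
    return (urlparse(value).hostname or "").lower()


def triage(entries):
    """Return (section, reason, body) for each entry worth a human look."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1"):
            url = body.rsplit(" = ", 1)[-1].strip()
            host = host_of(url)
            if url.lower() not in BLANK_URLS and not host.endswith(EXPECTED_URL_HOSTS):
                findings.append((sec, "IE start/search URL points at " + host, body))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "browser helper object with no name", body))
        elif sec == "O3":
            findings.append((sec, "IE toolbar, confirm it is one you installed", body))
        elif sec == "O16":
            host = host_of(body.rsplit(" - ", 1)[-1])
            findings.append((sec, "ActiveX control downloaded from " + host, body))
        elif sec == "O17":
            servers = body.rsplit(" = ", 1)[-1].replace(",", ", ")
            findings.append((sec, "DNS servers set to " + servers + ", confirm they are your ISP's", body))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append((sec, "service entry points at a file that no longer exists", body))
    return findings


if __name__ == "__main__":
    # Pass a saved log as the first argument, or run on the embedded sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sec, reason, body in triage(parse_entries(text)):
        print(sec.ljust(4), reason)
        print("    ", body)
```

O16 entries are listed without judgement because every one of them is a control the browser was allowed to install; which of them you still want is a decision, not a detection. The O4 line in the sample is deliberately left alone so you can see that the parser only reports the sections the thread's triage covered.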

Posted: Tue Dec 28, 2004 3:15 pm
by JMEaT
Well As, you'll be happy to know they have all 3 returned! I'll mail em to ya.

And I'll try your advice thanks. :)

Posted: Tue Dec 28, 2004 3:26 pm
by Asrale
If you haven't already sent the files, well sock 'em to asrale@planetdescent.com, all 3 zipped up plz (no RAR).

Posted: Tue Dec 28, 2004 4:29 pm
by Flatlander
Asrale wrote: I work for a company called Webroot Software who makes this anti-spyware app called "Spy Sweeper" and those files would've helped me add more functionality to the program.
Really? Cool - Spy Sweeper rox.

Posted: Tue Dec 28, 2004 11:25 pm
by Asrale
Yep, it's actually gratifying for me now to see various magazines acclaiming Spy Sweeper; just in the past couple weeks I've read nothing but positive reviews by PC Magazine, Computer Gaming World, Maximum PC...

And I have to admit, being on a team responsible for constantly improving the program feels rewarding. :)

Posted: Mon Jan 03, 2005 10:37 pm
by Asrale
Hey JMEaT, I tested the 3 files you sent but nothing happened, they didn't generate any suspicious file/Registry activity. Hmmmm, you got any other files that might be related to this?

Oh and I tested on WinXP Pro, that is what you're using, right? Or Win2K?