Unknown Virus

Thread: Unknown Virus

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    8

    Unknown Virus

    I have had this virus for months now and I just can't seem to get rid of it. At first I thought it was the downloader.mscache because Norton found it for about 20 days in a row a couple of months ago but could never delete it. It doesn't show up on my scan now ever, but something is definitely wrong! I've tried the Symantec page but those instructions didn't work, so I'm thinking it isn't that virus. This is what it does...

    Every time I get online it opens dozens of .exe files (I can tell because my Internet security alerts me every time) but they have random names, although they are repetitive. Examples are: iz7i3.exe, ry6.exe and so forth. When I hit Control-Alt-Delete and check my processes it shows usually 20-30 of these running and they make my computer use 100% of its usage. I'm dumbfounded. I've used every spyware cleaner I could find, I have Norton check daily, I tried "The Cleaner", CWShredder and more. Does anyone know what is wrong with my computer!?

    I have XP 2002 on a Gateway... 2.40 GHz... 512 GB RAM... Pentium 4... and Internet Explorer.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Download SwatIt http://swatit.org/ and then update it. Boot into 'Safe Mode' (press F8 repeatedly while the BIOS screen is loading at startup) and run SwatIt from there. Reboot into normal mode and navigate to Trend Micro Systems' 'Housecall' http://housecall.trendmicro.com/hous...start_corp.asp and then run that.

    Let us know your results.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    I did both. The first did nothing; Housecall found 4 viruses, all trojans. It said they couldn't be cleaned so I hit the delete button without thinking to write down the information. All of them were "deleted" (with System Restore off), however when I restarted and got on the Internet again the same thing happened. Do you want me to run Housecall again and write down the names?

  4. #4
    Banned
    Join Date
    Nov 2003
    Posts
    182
    BEWARE! The return of an old, malicious virus. THE HERPES VIRUS! It attaches itself to your tools, and you cannot get rid of it! Infection is caused by sticking your hardware into an infected slot. BEWARE!

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by SexyBadGirl
    BEWARE! The return of an old, malicious virus. THE HERPES VIRUS! It attaches itself to your tools, and you cannot get rid of it! Infection is caused by sticking your hardware into an infected slot. BEWARE!
    Probably one of the only circumstances that you'd use a trojan to help prevent you from getting a virus?
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Haha, I think it'd be easier to get rid of that than this stupid thing.

  7. #7
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Does anyone know any real options for me? I really can't stand the 20 minute wait to open a program.

  8. #8
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Timturk20
    I restarted and got on the Internet again the same thing happened. Do you want me to run Housecall again and write down the names?
    If I am reading this right, it only happens when you connect to the Internet, right? Under normal operations (not connected) nothing happens? If this is true, it sounds as though your browser has been hijacked. Have you tried HijackThis? It might be worth a try. And the names of the Trojans you deleted via Housecall might be helpful too.

    Cheers:
    DjM

  9. #9
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    I deleted some that I was sure didn't belong here. Here is the log file; do you know what else I should get rid of?

    Logfile of HijackThis v1.97.7
    Scan saved at 1:19:20 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
    C:\WINNT\System32\33wh.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9CD2TEN\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
    O4 - HKLM\..\Run: [BMZHRJX] C:\WINNT\BMZHRJX.exe
    O4 - HKLM\..\Run: [BHOUY] C:\WINNT\BHOUY.exe
    O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
    O4 - HKLM\..\Run: [XFPZ] C:\WINNT\XFPZ.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CIPWG] C:\WINNT\CIPWG.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt0_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16

  10. #10
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Well at a first look, these look rather odd:

    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe

    Now, don't go ahead and delete these yet, I am looking for confirmation from some of the other members here. So gang, do these look like they belong to you?

    Cheers:
    DjM
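An added triage script (example code written for this page, not from the thread, from HijackThis or from any of the posters): it parses the HijackThis 1.97 log format shown in post #9 and applies the kind of checks DjM is eyeballing in post #10: binaries running from the Windows directory that are not on a small allowlist, random-looking file names, many copies of one process, and O4 autostart entries pointing at such files. The allowlist, the name heuristics and the sample log excerpt are assumptions constructed for illustration, so legitimate software can trip them; the result is a list to check against a known-good reference, not a verdict.

```python
import re
from collections import Counter

KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}  # partial allowlist
WIN_DIR = re.compile(r"^c:\\win(?:nt|dows)(?:\\system32)?\\[^\\]+$", re.I)   # binary in %WINDIR%
PATH_RE = re.compile(r"^[a-z]:\\", re.I)                                       # "Running processes" line
RUN_RE = re.compile(r"^[ \t]*O4 - (HK(?:LM|CU))\\\.\.\\(Run(?:Once)?): \[([^\]]+)\] (.+)$", re.M)
EXE_RE = re.compile(r'"?(.*?\.exe)"?', re.I)

SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\0qqn.exe

O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""  # constructed excerpt modelled on the HijackThis log posted above

def reasons(path):
    """Heuristics for one lower-cased path; odd-but-legitimate names will trip them too."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if name in KNOWN_SYSTEM:
        return []
    r = ["unrecognised binary in Windows directory"] if WIN_DIR.match(path) else []
    if re.search(r"[a-z]", stem) and re.search(r"\d", stem):
        r.append("letters mixed with digits in name")
    elif len(stem) >= 3 and not re.search(r"[aeiouy]", stem):
        r.append("no vowels in name")
    return r

def triage(text):
    """Return {path: [reasons]} for running processes and O4 autostarts worth a first look."""
    procs, findings = Counter(), {}
    for line in text.splitlines():
        if PATH_RE.match(line.strip()):            # a line of the "Running processes:" list
            procs[line.strip().lower()] += 1
    for path, n in procs.items():
        if r := reasons(path) + ([f"{n} copies running"] if n >= 3 else []):
            findings[path] = r
    for hive, key, name, cmd in RUN_RE.findall(text):
        path = (m.group(1) if (m := EXE_RE.match(cmd)) else cmd).lower()  # drop quotes and arguments
        if r := reasons(path):
            findings.setdefault(path, r).append(f"autostart: {hive}\\..\\{key} [{name}]")
    return findings
```

Running `triage(SAMPLE_LOG)` flags lxp2zwl.exe, iz17i3.exe (three copies), 0qqn.exe, HSD.exe and stcloader.exe while leaving smss.exe and aim.exe alone; paste a full log into the same function to get the same first-pass list.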
