-
June 29th, 2004, 01:52 AM
#1
Junior Member
Unknown Virus
I have had this virus for months now and I just can't seem to get rid of it.. at first I thought it was the downloader.mscache because Norton found it for about 20 days in a row a couple months ago but could never delete it.. it doesn't show up on my scan now ever but something is definitely wrong! I've tried the Symantec page but those instructions didn't work, so I'm thinking it isn't that virus. This is what it does...
Every time I get online it opens dozens of .exe files (I can tell because my Internet Security alerts me every time) but they have random names, although they are repetitive.. examples are: iz7i3.exe, ry6.exe and so forth.. when I hit Control-Alt-Delete and check my processes it shows usually 20-30 of these running and they make my computer use 100% of its usage.. I'm dumbfounded.. I've used every spyware cleaner I could find, I have Norton check daily, I tried "The Cleaner", CWShredder and more.. does anyone know what is wrong with my computer!?
I have XP 2002 on a Gateway.. 2.40GHz.. 512GB RAM.. Pentium 4.. and Internet Explorer
-
June 29th, 2004, 02:38 AM
#2
Download SwatIt http://swatit.org/ and then update it. Boot into 'Safe Mode' (press F8 repeatedly while the BIOS screen is loading at setup) and run SwatIt from there. Reboot into normal mode and navigate to Trend Micro Systems' 'Housecall' http://housecall.trendmicro.com/hous...start_corp.asp and then run that.
Let us know your results.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
June 29th, 2004, 05:27 PM
#3
Junior Member
I did both, the first did nothing.. the Housecall found 4 viruses, all trojans.. it said they couldn't be cleaned so I hit the delete button without thinking to write down the information.. all of them were "deleted" (with System Restore off) however when I restarted and got on the internet again the same thing happened.. do you want me to run Housecall again and write down the names?
-
June 29th, 2004, 05:47 PM
#4
Banned
BEWARE! The return of an old, malicious virus. THE HERPES VIRUS! It attaches itself to your tools, and you cannot get rid of it! Infection is caused by sticking your hardware into an infected slot. BEWARE!
-
June 29th, 2004, 05:50 PM
#5
Originally posted here by SexyBadGirl
BEWARE! The return of an old, malicious virus. THE HERPES VIRUS! It attaches itself to your tools, and you cannot get rid of it! Infection is caused by sticking your hardware into an infected slot. BEWARE!
Probably one of the only circumstances that you'd use a trojan to help prevent you from getting a virus?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
June 29th, 2004, 05:51 PM
#6
Junior Member
Haha, I think it'd be easier to get rid of that than this stupid thing
-
June 29th, 2004, 05:52 PM
#7
Junior Member
Does anyone know any real options for me.. I really can't stand the 20 minute wait to open a program
-
June 29th, 2004, 06:00 PM
#8
Originally posted here by Timturk20
I restarted and got on the internet again the same thing happened.. do you want me to run Housecall again and write down the names?
If I am reading this right, it only happens when you connect to the Internet, right? Under normal operations (not connected) nothing happens? If this is true, it sounds as though your browser has been hijacked. Have you tried HijackThis? It might be worth a try. And the names of the Trojans you deleted via Housecall might be helpful too.
Cheers:
-
June 29th, 2004, 06:11 PM
#9
Junior Member
I deleted some that I was sure didn't belong here.. here is the log file, do you know what else I should get rid of?
Logfile of HijackThis v1.97.7
Scan saved at 1:19:20 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\WINNT\System32\33wh.exe
C:\WINNT\System32\lxp2zwl.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9CD2TEN\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
O4 - HKLM\..\Run: [BMZHRJX] C:\WINNT\BMZHRJX.exe
O4 - HKLM\..\Run: [BHOUY] C:\WINNT\BHOUY.exe
O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
O4 - HKLM\..\Run: [XFPZ] C:\WINNT\XFPZ.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CIPWG] C:\WINNT\CIPWG.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt0_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
-
June 29th, 2004, 06:22 PM
#10
Well at a first look, these look rather odd:
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
Now, don't go ahead and delete these yet, I am looking for confirmation from some of the other members here. So gang, do these look like they belong to you?
Cheers:
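The triage being done by hand in the thread (checking which processes run from the Windows directory under names nobody recognises, picking out the O4 Run entries that launch from C:\WINNT, spotting hooks whose file is missing, and noting which DNS servers the O17 lines point at) can be scripted so a reviewer sees the candidates at a glance. The script below is an added example for this thread; it is not code from the thread, from HijackThis or from any of the tools mentioned. The BASELINE set of expected XP system executables is a minimal constructed assumption, not an authoritative list, and the SAMPLE_LOG is a subset of the log posted above, reproduced as constructed test input. An entry it reports is something to look up and confirm, as post #10 says, not something to delete on sight.

```python
"""Triage a HijackThis-style log: flag unfamiliar executables in the Windows
directory, suspicious O4 autostart entries, orphaned hooks and O17 DNS servers."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\33wh.exe
C:\WINNT\System32\lxp2zwl.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
"""

# Assumption for this example: a minimal baseline of XP system executables that are
# expected to run from the Windows directory. Anything not listed is reported for
# review, not declared malicious; vendor tools (printer, modem) will show up here too.
BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "rundll32.exe",
}
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def parse_hjt(text):
    """Split the log into the running-process list and the coded (Rn/On) entries."""
    processes, entries, in_processes = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def in_windows_dir(path):
    """True when the executable sits directly in the Windows root or System32."""
    return str(PureWindowsPath(path).parent).lower() in WINDOWS_DIRS


def flag_processes(processes):
    """Instance counts of non-baseline executables running from a Windows directory;
    many copies of an unfamiliar short name is exactly the pattern in the thread."""
    counts = Counter(PureWindowsPath(p).name.lower() for p in processes if in_windows_dir(p))
    return {name: n for name, n in counts.items() if name not in BASELINE}


def run_target(value):
    """Extract the executable from an O4 value: quoted path, or up to the first .exe."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def flag_run_keys(entries):
    """O4 Run/RunOnce entries whose target lives directly in a Windows directory
    under a name the baseline does not know (the UBMWERJTB/HSD style entries)."""
    flagged = []
    for code, rest in entries:
        m = RUN_RE.match(rest) if code == "O4" else None
        if not m:
            continue
        hive, key, label, value = m.groups()
        target = run_target(value)
        if in_windows_dir(target) and PureWindowsPath(target).name.lower() not in BASELINE:
            flagged.append((f"{hive}\\{key}", label, target))
    return flagged


def flag_orphans(entries):
    """Hooks and BHOs whose file HijackThis could not find: leftovers worth removing."""
    return [(c, r) for c, r in entries if "(no file)" in r or "(file missing)" in r]


def dns_servers(entries):
    """NameServer addresses from O17 lines, to compare against the ISP's resolvers."""
    servers = set()
    for code, rest in entries:
        m = re.search(r"NameServer = (.*)$", rest) if code == "O17" else None
        if m:
            servers.update(m.group(1).split())
    return sorted(servers)


def triage(text):
    processes, entries = parse_hjt(text)
    return {"processes": flag_processes(processes), "run_keys": flag_run_keys(entries),
            "orphans": flag_orphans(entries), "dns": dns_servers(entries)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

Run against the sample it lists lxp2zwl.exe (3 instances), iz17i3.exe (2), 0qqn.exe and 33wh.exe as unfamiliar System32 executables, plus the Gateway modem helper GWMDMMSG.exe as a reminder that the baseline only narrows the list; the three C:\WINNT Run entries, the two orphaned hooks, and the two O17 name servers are reported separately so each can be verified on its own terms.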