A computer in my house has a virus. At least one virus, anyway. audp. Avast is not only unable to detect it, but is unable to scan the file during a boot scan (access denied)
file name: sysvcs.exe

audp is the name this virus uses in the registry under run.

There’s two more files that it gets access denied for, I don’t know if they are viral: gccg.exe and fkpg.exe (I think… It ended too quickly for me to read that last one properly).

Ideas? The virus supposedly downloads other viruses from the internet, so I’ve had to keep the computer offline for some time now. (which reminds me, the offline virus database updates were EXTREMELY hard to find, not being linked to from the web site at all, I had to do alot of very thorough google searches.)

EDIT: The virus also has a file named symsvcsa.exe. This is the one that previously mentioned registry key points to.

Oh, and Avast! deletes the system’s page file every time it does a boot scan.

edit again: there’s also some more software on there that looks suspicious:
winsysban10.exe
winsysupd9.exe
mwinnsai.exe
mdsregm.exe
gimmemygames10.exe
dwdsregt.exe
mpp2pl.exe

Oh, and I just noticed, audp virus has a second key in there, leading to same file, but the key is named ntdll.dll

A google search for sysvcs.exe returns many hits
http://www.liutilities.com/products/wintaskspro/processlibrary/sysvcs/

Download and run this program that specialises in Trojans 4. Ewido Security Suite If using winXP.

If you haven’t already got this software (freeware), download, install, update and run it.

1. Ad-Aware
2. Spybot Search and Destroy
3. Spywareblaster Don’t install this until you are clean.

I’ve done my google searching quite thorough google searching, in fact.

The computer is running Windows 2000 Professional.
It has all those programs installed, as well as AVG Free. None of which can even detect the virus, much less remove it.

EDIT: A new update for AVG has removed:
winsysban10.exe
winsysupd9.exe
gimmemygames10.exe
symsvcsa.exe

And their respective startup entries.

Well having two resident AVs installed at the same time isn’t recommended, rather than twice the protection you get twice the potential for conflict. One AV scans a file or extracts the contents of and archive, the other might well detect something and lock the file so the other can’t deal with it.

So make a decision and get rid of one of the resident AVs and reboot.

Then schedule a boot-time scan from within avast, after that try running Ewido again.

I’m sure that your googling will have shown much of this is adware and spyware.

Sorry I didn’t make it clear enough before, but I have not installed that Windows XP program because Windows 2000 Professional (NT 5.0) != Windows XP (NT 5.1).

As per your instructions, I have uninstalled AVG, and did another boot scan with Avast. It found nothing at all, didn’t alert me of anything at all, despite having the latest definitions and a bunch of mal-programs still there. It did however, delete the system’s page file once again, causing the usual couple of errors in Windows telling me how to re-create the page file…

My googling showed all kinds of things, but not how to remove any of the mal-programs that are and have been there.

I can’t see how avast is deleting the pagefile, avast must first detect a problem/infection in the pagefile and then ask what action you want taken, it doesn’t act autonomously and delete files without your interaction. So how can you identify that it was avast deleted the pagefile ? Have you got your OS setup to delete the pagefile on exit/shutdown ?

So I’m a little baffled by the deletion of the pagefile.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR - Post your hijackthis-Log here for a diagnosis: tomcoyote.org/hjt

It might be possible that Avast is not running correctly (or was a bad install) IF you had AVG on the computer first. Well, it may not matter which one was there first for this to happen.

I do not remember if you can do an Avast repair with W2000 Pro or not. Perhaps David or someone can answer that and give directions if so. If there is no repair option with 2000, then you might need to … uninstall avast > restart > re-install avast > restart again … in order to “set things straight.”

By the way, beatme101 … welcome to the forums.

Restarting the computer without doing a boot scan does not cause the page file to be deleted. The only error that windows gives me after any startup, is the one saying the network connection cannot be established blah blah (network drive stuff).

Well, I’m definitely going to need some help interpreting the result of hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:23 PM, on 2/23/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\hpsw.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
G:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KIDS\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.105:4001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {19F03362-DD50-4446-B657-084A85E6B897} - C:\WINDOWS\System32\ddod.dll (file missing)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{71-17-70-01-ZN}] C:\WINDOWS\SYSTEM32\dwdsregt.exe FI002
O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\Ontrack\ZipMagic\zm32nt.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\mwinnsai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rmdsregm.exe
O8 - Extra context menu item: Save Flash - res://C:\PROGRAM FILES\UNH SOLUTIONS\FLASH SAVING PLUGIN\FLASHSBUTTON.DLL/210
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\PROGRAM FILES\UNH SOLUTIONS\FLASH SAVING PLUGIN\FLASHSBUTTON.DLL (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138605988046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Dkllmhqn.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll (file missing)
O21 - SSODL: EyTittNho - {3A171702-90BD-BDA8-E24A-E3A466A18E53} - C:\WINDOWS\System32\brm.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pkcnudt.exe (file missing)

I have done that repair option for Avast (I didn’t even know it existed.), did another boot scan, and Windows once again told me while logging in that the page file has been deleted.

Thanks for the welcome.

Well, I'm definitely going to need some help interpreting the result of hijackthis:

On-line analysis of your log, check those considered, nasty, possibly nasty, etc. using either google or uploading the file for scanning using the paperclicp icon.
http://hijackthis.de/logfiles/b87cb30904ed72c32eed43471eccdf7d.html

Two important points from this:
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft’s windowsupdate site to download the newest version of the service pack.

No active firewall was found on your system or the firewall you use is unknown to us. If you don´t use a firewall you should download and install one. If you have a router/firewall this may not provide outbound protection.

Hi beatme101,

There’s plenty of malware evident in your HijackThis! log.

I’d recommend Trend Micro Sysclean:

If you are not a Trend Micro customer please download the following file.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Followed by a scan with the following all in safe mode: tap F8 while booting:

Ewido http://www.ewido.net/en/ (Requires Win2000/XP)

 and/or a-Squared [url]http://www.emsisoft.com/en/[/url]

Ad-Aware http://www.majorgeeks.com/download506.html

Spybot Search & Destroy http://www.safer-networking.org/

Then post another HijackThis! log so we can check you are clean.

Good luck!

Thanks for the help everyone. I think it might be clean now. http://hijackthis.de/logfiles/888a57144027d5536a72b8a42eb017d4.html

(EDIT: Hmm. Anyone know what that minisearch.startnow.com is? It doesn’t look like a good thing. And just when I thought it was clean…)

Installed that Ewido program, as it has been pointed ot to me that it DOES in fact work on NT 5.0. It found, and fixed, lots of things (edit: about 30 something). Silly program considering each file as 0.001 objects. Since when is a file a thousandth of an object…

Anyway, I kept scanning with every scanner on there (not AVG, as it has been uninstalled), until none of the scanners could find anything. I have put a firewall, Zone Alarm Pro on there. I will be putting the computer back online later today and update everything, including windows update.

If you didn’t intentionally put the minisearch.startnow.com search on your system, I wouldn’t waste time trying to find out what it is rather, have HJT fix it.

I don’t like the R0 or R1 entries even if they are marked safe, they just don’t seem right.

Are you using a proxy, which would require these R1 entries

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.105:4001 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;

also O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

When I see anything on about:blank I do a double take as in certain cases it is legit and others not, so check this out About:Blank Homepage Hijacker Removal Instructions and Help

I suggest that you try a different browser, IE is like a magnet to browser hijack and other adware/spyware (BHOs, activeX controls). Firefox, Opera, in fact any that doesn’t use the IE core.

From this Google search, I would say that minisearch.startnow.com is probably both spyware and a browser highjacker …

http://www.google.com/search?hl=en&lr=&rls=com.microsoft%3Aen-US&q=StartNow&btnG=Search

So, that needs to go.

I hope this helps you.

Hi Beatme :

 From your HijackThis log, it appears you have NO 
 antiSPYWARE program on your computer; the 
 MessengerPlus 3 program is considered to be the LOP
 spyware. You really should seek help from HijackThis
 Experts; the ONLY one on this site is "doc_esb";
 otherwise, I recommend you go to www.landzdown.com
 and get their guidance .

Hi beatme101,

We seem to have done alright for a bunch of non-experts!

These entries can go. The first two are for malware files which have been deleted; I assume the third is too.

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Dkllmhqn.dll (file missing)

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_14.dll (file missing)

O21 - SSODL: EyTittNho - {3A171702-90BD-BDA8-E24A-E3A466A18E53} - C:\WINDOWS\System32\brm.dll (file missing)

Run a scan with HijackThis! and have the program fix these entries. Run another scan to make sure they have gone.

I think StartNow is included in the Ad-Aware definitions: are you sure you have done a scan with Ad-Aware in Safe Mode as instructed?

A scan with CWShredder would also be good as a double check:

http://www.intermute.com/spysubtract/cwshredder_download.html

Get rid of those about:blank entries as David mentioned and check to make sure they don’t reappear: I’m pretty confident one of the programs you ran will have removed the dll that is responsible for about:blank, but it’s worth a double check.

The proxy server stuff is all something I intentionally put in there some time ago while troubleshooting another problem. Internet Explorer isn’t even set to use the proxy any more, I don’t think it will be a problem to leave those.

Have deleted various entries mentioned in this thread, they didn’t return: http://hijackthis.de/logfiles/888a57144027d5536a72b8a42eb017d4.html
CWShredder found nothing on the system.

Messenger Plus is not spyware, but software bundled with it is spyware. They have a cleverly hidden option to choose NOT to install the spyware when installing Messenger Plus, and I used said option. No spyware from that.

Thanks for the help everyone, I still haven’t put it online yet. With the okay (or lack of any word) I shall a bit later today (and update everything right away when it gets online)

When I see something with no button, no name it make me squirm, why would it want to hide it purpose.
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

Other than that I can’t see anything obvious, thought I don’t use win2k so some of the things like.
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
They aren’t on my XP Pro system.

Okay. I fixed that entry.

systray.exe seems to be a regular system file, as it is also on my clean computer (the computer I am using to post this).

I put the computer online, and the very first thing I did was visit windows update. I got an error. Here’s the error:
http://phantom.myvnc.com/images/ss/windowsupdateerror.jpg

Time? The time on the computer is only 5 minuites behind. The date on the computer is correct. What did I miss?

Maybe the date, specially the month and year :

Yeah, I mentioned that. It is correct. Oh, another thing I noticed, shouldn’t it be going to v6 and not v4?