Help Please! Have a Virus but can't afford to pay s/o to fix it!

Hello,

I am at a loss. I have a laptop (Windows XP) that seems to have a virus, but I don't know which one :-( EEK!). I don't even know for sure that it is a virus, but I'd be an idiot to think it's anything else. What is happening is that my computer sporadically opens and closes a whole bunch of programs at once and won't stop (like The Exorcist or "Carrie" :o)! This happens about five minutes or so after I start using the computer and is usually a lot worse when I'm using the internet. I also lose control of the mouse at this time, and it usually continues for a few seconds and then freezes up! (Double Eek! :-X) When I run my McAfee it tells me that it can't find any viruses. Very strange; however, I know that McAfee is not always going to catch everything, so I'm FAR from in the clear (I at least know that)…

Been calling around places to get price quotes to have them fix it, and the prices are outrageous! Upwards of $250 for a one-time fix! Booo! I have a hardware warranty with Dell, and they told me that I could do a system restore with them for free if all else fails. I'm hoping to avoid that, which is why I am writing here. I heard about this site from Yahoo.com postings. I have to be perfectly honest, I don't know how this all works, but I read on the post that all you had to do was post here and someone(s) would help. Guess it just seems too good to be true, LOL.

I appreciate any advice anyone can give me!!! (I should warn you, I'm kind of computer-illiterate, LOL.)

Desperate and broke,

~R

Hi moneygirl88,

Download this tool, run a full scan with it, and report here everything it finds before fixing it:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

Now download HijackThis from here: http://www.spychecker.com/download/download_hijackthis.html
Place it on your desktop, close all other programs, run a scan, and attach the logfile txt to your next posting; then we can have a look at what further steps are to be taken.

polonus

I will try and do this this afternoon. The problem is, though, now the virus has gotten so bad it won't let me go on the internet. Can I download these things to a jump drive, then set them up on my laptop and send you the info that way? I really need help. I don't have my laptop with me now to test this out, but I will this afternoon. ???

thanks!

MG


Can I download these things to a jump drive, then set them up on my laptop and send you the info that way?

I think you should be able to do it this way. Give it a try and let us know the results.


ok, trying that now…

Okay I did them both… and THANK YOU SO MUCH for even responding to my post. I need all the help I can get :stuck_out_tongue: :-\ :slight_smile:

When I ran "CUREIT", it said it found a virus by the name of "oeapi.vbs" ??? (tried to look that one up here on the forum, but got nothing for it; ever heard of it?). I don't know if that was the main culprit, but it asked me if I wanted to delete it and I said yes. It says it was deleted. (If this truly worked, don't I need to turn off my System Restore thingy or something like that to make sure the virus is permanently deleted? Someone told me this once, but I can't remember how to do it.)

For HijackThis, I ran it and saved the log file; this is what it said (seems kind of short, no?):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:47 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Documents and Settings\Renese\Desktop\cureit.exe
C:\DOCUME~1\Renese\LOCALS~1\Temp\RarSFX0_start.exe
C:\DOCUME~1\Renese\LOCALS~1\Temp\RarSFX0\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe


End of file - 1874 bytes

It definitely doesn’t look right.

Try this. Rename hijackthis.exe to whatever.exe, then run it by double-clicking it and see what you get.

Okay, ran it again after renaming it "Whatever.exe" and it actually looks a little shorter!… I did just do a system reinstallation though, and I don't really have anything on my computer, so could that have something to do with it???

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:34 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe


End of file - 1716 bytes

Hi oldman,

Moneygirl88 got herself infected through a flash disk or a memory stick with VBS.Agui.A, which is a worm that spreads in such a way. This computer threat leaves a picture of a sexy blonde lady and changes the standard VBS script icon into the standard JPEG icon on the infected computer. Vulnerable systems are: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP.

© VirusAlert scale

Innovation: 9
Vector: 35
Logistics: 15
Damage: 15

Scale: 18/100

Type: TRICKY

To recognize an infection of this type:
When the worm arrives on the infected system, it immediately looks for this file:

%Windir%\SYSTEM32\OeApi.vbs

When not found, it will be created by the worm.

The worm then opens up the following picture:

%Windir%\SYSTEM32\Christina.jpg

Then the worm creates the following registry entry, to be able to load at every start up of Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "%Windir%\SYSTEM32\OeApi.vbs"

The worm then tries to spread copies of itself to all removable disks, like USB sticks. The following file is created every three minutes:

[DRIVE LETTER]\Christina Aguilera.vbs

The worm then copies the values of the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon

Then the worm tries to insert those values into the following registry key, changing the standard VBS script icon into the standard JPEG icon:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vbsfile\DefaultIcon

Finally the worm stops running its code around midnight.

polonus
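
A practitioner's check for the indicators listed in the write-up above, added here as an example; it is not a tool from this thread nor from any of the scanners mentioned in it. It reads the text of a HijackThis log (the O4 autostart lines), a .reg export of the two DefaultIcon keys, and a listing of a USB stick's root directory, and flags exactly the three things the write-up describes: the Run value "System" launching OeApi.vbs, a .vbs sitting in a removable drive's root, and vbsfile's DefaultIcon having been set to the same value as jpegfile's. The sample log and .reg export are constructed for the example (two of the O4 lines are copied from the log posted above, the third is made up, and the icon paths are illustrative); the file-name and value-name constants come from the write-up and nothing else is assumed about the worm. The log_is_complete check only looks for the "End of file - N bytes" trailer HijackThis writes at the end of a saved log, which all three logs posted in this thread do carry.

```python
"""VBS.Agui.A indicator checks for the write-up above (added example, not a
tool from this thread). It knows only what the post states: a Run value
"System" launching OeApi.vbs, "Christina Aguilera.vbs" in removable-drive
roots, and vbsfile's DefaultIcon replaced with jpegfile's. Registry data is
read from a .reg export (text) so the check can run from a clean machine."""
import re

AGUI_PAYLOAD = "oeapi.vbs"                # file name from the write-up
AGUI_DROPPER = "christina aguilera.vbs"   # file name from the write-up
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")

# One HijackThis O4 registry autostart line; accepts both the real
# "HKLM\..\Run" form and the "HKLM..\Run" form the forum shows on this page.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading program/script path of the command, quoted or not.
PATH_RE = re.compile(
    r'^"?(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|wsh|hta))\b', re.I)

def parse_o4(line):
    """Return hive/key/name/cmd/path for an O4 Run line, None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    p = PATH_RE.match(entry["cmd"].strip())
    entry["path"] = (p.group(1) if p else entry["cmd"]).strip()
    return entry

def o4_reasons(entry):
    """List why an autostart entry is suspicious; empty means nothing found."""
    base = entry["path"].lower().rsplit("\\", 1)[-1]
    reasons = []
    if base == AGUI_PAYLOAD:
        reasons.append("launches OeApi.vbs, the payload named in the write-up")
    if base.endswith(SCRIPT_EXTS):
        reasons.append("autostart runs a script file (%s), not a program" % base)
    if entry["name"].lower() == "system":
        reasons.append('Run value is named "System", the name the worm uses')
    return reasons

def scan_hjt_log(text):
    """Return [(line, reasons)] for every O4 Run entry with a reason."""
    hits = []
    for line in text.splitlines():
        entry = parse_o4(line)
        reasons = o4_reasons(entry) if entry else []
        if reasons:
            hits.append((line.strip(), reasons))
    return hits

def log_is_complete(text):
    """HijackThis ends a saved log with 'End of file - N bytes'; a short log
    with that trailer is a bare system, one without it was cut off."""
    return re.search(r"^End of file - \d+ bytes\s*$", text, re.M) is not None

def dropper_files(root_listing):
    """Scripts in the root of a removable drive, where the worm drops its copy."""
    return [n for n in root_listing
            if n.lower() == AGUI_DROPPER or n.lower().endswith(SCRIPT_EXTS)]

def vbs_icon_swapped(reg_export):
    r"""True when Classes\vbsfile\DefaultIcon equals Classes\jpegfile\DefaultIcon,
    i.e. .vbs files now carry the JPEG icon as the write-up describes."""
    icons, key = {}, None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line.startswith("@=") and key and key.endswith("\\defaulticon"):
            cls = key.rsplit("\\", 2)[-2]              # 'vbsfile' / 'jpegfile'
            icons[cls] = line[2:].strip().strip('"').lower()
    return "vbsfile" in icons and icons["vbsfile"] == icons.get("jpegfile")

# Constructed sample: two clean O4 lines from the log on this page plus one
# made-up line of the kind an infected machine would show.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM32\OeApi.vbs
End of file - 1874 bytes
"""
# Constructed .reg export; both icons point at the same (illustrative) path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon]
@="C:\\WINDOWS\\System32\\shimgvw.dll,3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon]
@="C:\\WINDOWS\\System32\\shimgvw.dll,3"
"""

if __name__ == "__main__":
    for hit, why in scan_hjt_log(SAMPLE_LOG):
        print(hit, why)
    print(log_is_complete(SAMPLE_LOG), vbs_icon_swapped(SAMPLE_REG),
          dropper_files(["Christina Aguilera.vbs", "photos", "notes.txt"]))
```

To use it the way this thread works (no internet on the infected laptop), copy the saved HijackThis log and a regedit File > Export of HKEY_LOCAL_MACHINE\SOFTWARE\Classes to the USB stick, carry them to the clean desktop, and feed the two files to scan_hjt_log and vbs_icon_swapped; dropper_files takes the names found in the stick's root. Note that only the registry Run entries are parsed: O4 lines for the Startup folders have a different shape and are skipped.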

Okay, this sounds really bad… how scared should I be? Did I infect myself through my USB??? I use that thing all the time, but none of my other computers (particularly desktops) seem to have this issue… oh poo… I'm nervous… Did CUREIT get rid of it forever, or is there more to do? I'm ready/willing to work at it! eek!

Hi moneygirl88

CureIt should have fixed this, but you should scan and disinfect your removable disks or pen drive(s) as well. I think your HijackThis log file is incomplete; post it anew as an attachment (cut and paste it into a file, then use the box where it says Attach:).
You can use the following tool to turn the vbs file associations back on; download and unzip it onto your desktop and then run it: http://www.dougknox.com/xp/fileassoc/xp_vbs_file_association.zip

And be careful not to accept USB sticks from strangers, and be careful where you plug them in; you can easily get infected.

pol

Yes follow polonus on this.

Regarding the renaming of hijackthis.exe, I can see from the last log that it is still running as HijackThis.exe:

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

You have to go into Windows Explorer and go to the file indicated in the path above. Rename it there and double-click it afterwards to run it.

Oldman

I think I got it this time… I think, but it's still short…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:21 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Trend Micro\HijackThis\whatever.exe

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe


End of file - 1714 bytes

Polonus,

I saved that file onto my laptop… what exactly will it help do? (in regards to the vbs).

I don't know how to get this log to be longer. I open it and it has an option that says "Do a system scan and save logfile". That's the one I want to hit, right? When I do that, it processes for about 2 seconds and then spits out a log in Notepad and asks me where I want to save it. Oh poo, I really want to get this right… any other suggestions? :-\ ???

Hi moneygirl88,

You did rename it this time, but you put it in the posting window again, while I told you to cut and paste the complete HJT log file to your desktop, then go to Attach: you find that in bold text under Additional Options, under the normal window where you write your posting. Right-click Browse…, go to your Desktop and attach the HJT log file there; you can attach 200 KB per post. After that oldman will give it a glimpse whenever he comes online again. As for the tool, it restores all the file associations that were changed from vbs to jpg back to vbs, as they should be and as they were before the virus started to play around with them. That is the general idea of running this tool, and that is ultimately what we want to do, isn't it?

polonus

Sure, I just want to know what it is I'm downloading. Don't want to create any further issues, you know? … Okay, it's attached below. Please recall that I don't have internet access on my laptop, so what I am doing is saving the logs onto my USB drive and then attaching them here on this computer I am using (also, I scanned the USB drive for any viruses and that sucker was on there! Deleted it!). I don't know if that has anything to do with it, but even as I view it directly from my laptop the log seems short… but… well… I appreciate all your help!

I just have one last question while I wait for Oldman's response… Does this virus cause the kind of symptoms that I was having (touchpad going nuts/freezing up/trouble getting on the internet)? I mean, does it cause that? I guess I'm just scared the nightmare is not over… :stuck_out_tongue:

I'm also still having trouble downloading my network drivers, but I will try and post for help separately, as that is a different issue… I'm just all messed up, LOL…

thanks! thanks!

If no joy, let's try it with this. We may be able to restore the file association, plus it will show us what's running on your computer. I'd like to get to the point where this can be done on the infected computer, as this thing is gonna jump and then you will have two.

Please download the program indicated below. Please read these instructions before running the program.

Make sure that DSS.exe is located on your Desktop.

Click on your START button, then choose Run. A little box will appear.
Now copy and paste all of the following in bold (including the "" marks) into the Run box and click OK.

“%userprofile%\desktop\dss.exe” /daft

This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt.

Now you can run the program by double clicking it.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hi moneygirl88,

I am not going to interfere with what oldman is proposing; you are best advised to follow his instructions meticulously. What you could also do is scan the computers and your USB sticks etc. again with this free tool, to be sure that the VBS-Aguilera virus has left with all traces of it:
http://security.symantec.com/sscv6/vc_scan.asp?

polonus

Okay, thanks so much polonus!

Oldman,

Thanks so much for your help. I have followed your instructions, placed the dss.exe on the desktop, run it from the Run option under the Start button and scanned. It beeped and then said "All associations Okay!" … (I also made sure to turn my System Restore option off, as I was told this has a tendency to hide viruses in old versions or something like that).

Hey pol, you've got this under control. I was just throwing another option out to see if we can make the HJT log look like it should. :wink:

@moneygirl88, you happy, we happy ;D