OK well, I'm back again… I have this weird virus… it's really annoying because after 1 hour and 30 minutes, the computer shuts down… it's not Blaster worm, I've already had that and that has that pop up that shows “please save and exit out of everything. shutting down in 30 sec” or something like that… so I have no clue what to do… I've scanned it 2 times… first time I had 5-7 trojans… both times, it had a long list of things that couldn't be scanned… so yeah… well I'm gonna go scan it on boot time so please leave messages…
try command on demand http://www.commandondemand.com/eval/cod/index.cfm
OK I've tried that… still nothing happens… the computer restarted on me just a minute ago… and it's REALLY annoying… >:( please give additional help!
Just click on the link in my signature and follow the instructions on the page you get to see. That should clean your system and don’t forget to keep your system up to date, because with Blaster as well as Sasser there was a patch released by Microsoft before the worms were released!
Hi,
what are the results of the boot-time scan ?
Did you also use online scanners from Trend, RAV & Bitdefender?
Read “VirusRemoval” below for more info/advice
This does sound more like a hardware problem to me, but you could post a HijackThis log here for hints/diagnosis on possible malware…
What Win do you have, anyway ?
is it fully patched/updated ??
OK well, I've been trying to update my Windows… because I was informed by my friend that it had patches for new worms… but before, I just clicked X and ignored it… so, I DO use HijackThis… and here's my logfile! (my computer had problems with the internet, but I got a new router and updated it… so it works… a bit better… but it still d/c's me from the internet… I called my ISP many times and then I called the router company… so yeah)
Logfile of HijackThis v1.97.7
Scan saved at 10:49:15 PM, on 7/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\msoffice2.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Pop Blocker\updatedl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis1977\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eskimobob.com/frames.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] msoffice2.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Eyeball Chat] “C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe” -min
O4 - HKCU..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU..\Run: [Microsoft Windows Update] msoffice2.exe
O4 - HKLM..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra ‘Tools’ menuitem: MaxSpeed (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra ‘Tools’ menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
THERE IT IS… please post help! malware stuff… LOTS IN IT
- Did you do as I suggested? ???
- Is dc’ing now your only problem?
This is what the HJT analyzer would have told you:
You are using a old version of Hijackthis, please update.
Analyzing HijackThis log created on : 10:49:15 PM, on 7/24/2004
You are using : Windows XP (WinNT 5.01.2600)
Good things database version : version: 7
Bad things database version : version: 7
================================================================================
All items in the log file which are not shown here
as to be deleted or safe to keep need to be investigated.
This website has a link to a tutorial on the hijackthislog:
http://members.home.nl/acred/cleaning.htm
Also use www.google.com to find out more on items not listed here.
================================================================================
THESE ITEMS SHOULD BE REMOVED:
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://active.macromedia.com/flash2/cabs/swflash.cab
================================================================================
THESE ITEMS ARE SAFE TO KEEP:
\windows\system32\smss.exe
\windows\system32\winlogon.exe
\windows\system32\services.exe
\windows\system32\lsass.exe
\windows\system32\svchost.exe
\windows\system32\svchost.exe
\windows\system32\spoolsv.exe
\program files\alwil software\avast4\aswupdsv.exe
\program files\alwil software\avast4\ashserv.exe
\windows\system32\drivers\cdac11ba.exe
\windows\system32\svchost.exe
\windows\wanmpsvc.exe
\windows\explorer.exe
\progra~1\alwils~1\avast4\ashdisp.exe
\progra~1\alwils~1\avast4\ashmaisv.exe
\program files\real\realplayer\realplay.exe
\program files\msn messenger\msnmsgr.exe
\windows\system32\ctfmon.exe
\windows\system32\wuauclt.exe
\program files\internet explorer\iexplore.exe
\unzipped\hijackthis1977\hijackthis.exe
\program files\internet explorer\iexplore.exe
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
o4 - hklm..\run: [avast!] c:\progra~1\alwils~1\avast4\ashdisp.exe
o4 - hklm..\run: [ashmaisv] c:\progra~1\alwils~1\avast4\ashmaisv.exe
o4 - hklm..\run: [quicktime task] “c:\program files\quicktime\qttask.exe” -atboottime
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o8 - extra context menu item: e&xport to microsoft excel - res://c:\progra~1\micros~2\office10\excel.exe/3000
o9 - extra button: aim (hklm)
o12 - plugin for .spop: c:\program files\internet explorer\plugins\npdocbox.dll
Do you notice that you have sVChost.exe and sCVhost.exe running? Well the last one is the Gaobot worm. Click on the link in my signature and follow the instructions to clean your system.
That msoffice32.exe under windows updates is some form of Gaobot. End the process immediately then delete it from your windows/system32 folder. It should be 140kb (like all other Gaobot variants).
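The two signs called out in the replies above, a running process whose name is a letter-swap of a Windows system process (sCVhost vs sVChost) and Run/RunServices entries that launch a bare filename with no path (scvhost.exe, msoffice2.exe), can be checked mechanically. This is an added example, not from the thread or from HijackThis; the allow-list of system process names and the sample log lines are constructed for it.

```python
import re

# Assumption: allow-list of XP system process names worms imitate (example's own list).
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "explorer.exe"}

# Constructed lines in HijackThis log format, modelled on the log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\msoffice2.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] msoffice2.exe
"""

RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

def lookalike_of(name):
    """System name that `name` imitates by one swapped or changed letter, else None."""
    n = name.lower()
    if n in SYSTEM_NAMES:
        return None
    for i in range(len(n) - 1):          # adjacent transposition: sCVhost -> sVChost
        swapped = n[:i] + n[i + 1] + n[i] + n[i + 2:]
        if swapped in SYSTEM_NAMES:
            return swapped
    for ref in SYSTEM_NAMES:             # single-character substitution
        if len(ref) == len(n) and sum(a != b for a, b in zip(n, ref)) == 1:
            return ref
    return None

def analyze(log_text):
    """Return (kind, detail) findings over a HijackThis-style log."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line)
        if m:
            hive, key, label, command = m.groups()
            # First token of the command, honouring a quoted path followed by arguments.
            exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
            if "\\" not in exe:          # bare filename: Windows resolves it via PATH search
                findings.append(("pathless-autorun", f"{hive}\\{key} [{label}] -> {exe}"))
            ref = lookalike_of(exe.rsplit("\\", 1)[-1])
            if ref:
                findings.append(("lookalike-autorun", f"{exe} imitates {ref}"))
        elif line[1:3] == ":\\":         # a path under "Running processes"
            ref = lookalike_of(line.rsplit("\\", 1)[-1])
            if ref:
                findings.append(("lookalike-process", f"{line} imitates {ref}"))
    return findings
```

On the constructed sample this flags scvhost.exe as both a lookalike and a pathless autorun, and msoffice2.exe as a pathless autorun, while the real svchost.exe and the avast! entry pass.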
We use a free command line program called fport on client machines when cleaning viruses.
Anybody see ??\windows\system32\winlogon.exe
running on the following ports:
TCP: 3761, 49114,49115
UDP: 123, 137, 3943
I can telnet into one of them. I can’t find it in the registry anywhere. This machine had a bunch of trojans before also.
msoffice32.exe is related to the Winur worm.
Would this mean I've got the Gaobot worm? My computer doesn't want to shut down ever hour and a half. ???
Watchthisspace
A couple of things I want you to do.
1. Disable auto-reboot http://www.tweakxp.com/tweak433.aspx If you get the BSOD, write down the error and take it to www.google.com and http://support.microsoft.com/default.aspx?scid=fh;EN-US;KBHOWTO to find out what it means and how to solve it.
2. Click on the link in my signature and follow the steps there to make sure your system is clean
3. Tell us what the temperatures of your system are. Everest can tell you http://www.lavalys.com/products/download.php?pid=1&lang=en&pageid=3
4. Check the system and event log. Solve all errors there using the same two sites I gave you under 1
Let us know the results
Sorry that was a typo :-[ I meant my computer doesn't shut down every 1 hour 30 min
And I have 2 Svchost.exe running as well
I looked in that folder and I couldn’t find it at all. I have 2 computers connected through a router to the net, and both computers seem to have msoffice2.exe in their processes, which hinders us from staying connected to the internet. I can’t find the file when I search for it, but when I do end the process, both computers go online with no problems.
I also ran AVG AntiVirus to scan my machine, but it finds nothing.
Any help would be greatly appreciated.
Tool712, run hijackthis and remove it. Follow the instructions on the page in my signature.