think i have a virus :eek:

Discussion in 'Malware Help (A Specialist Will Reply)' started by cramb0, Apr 5, 2005.

  1. cramb0

    cramb0 Private E-2

    hi

    I have just come across this forum and, before I get into detail, I have read the stickied post and installed all recommended progs and run them!

    Basically my MS Word is acting funny, i.e. crashing when I select any drawing tool or text box, and my Photoshop couldn't load some JPEGs the other day, saying not enough RAM, but I know my computer has enough (448 MB, 2.66 GHz P4).

    Thus I figured a virus of some sort could be consuming memory.

    Norton didn't find anything, so I downloaded AVG Free Edition and it said it found 2 viruses:

    /Temp Internet Files/Content.IECH63G927/Loader[1].cab:/loader.exe
    Trojan Horse Donloader.small.8.BD
    Infected Embedded Object

    And

    /Temp Internet Files/Content.IECH63G927/Loader[1].cab

    I was able to quarantine the second file, but when I try to heal or quarantine the second it states that it is unable to perform the action.

    I have since run the Trend Micro scan and the RAV scan and both didn't find a virus.

    I also ran Spybot, Stinger and Ad-Aware, but to no avail.

    Any ideas?

    many thanks

    mark
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


    After doing ALL of the above if you still have a problem:


    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. cramb0

    cramb0 Private E-2

    Hi,
    thanks for the reply.

    Here is the log file.

    ;)
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are these part of your ISP? Are you familiar with them?




    Please look in Add or Remove Programs for the following and Uninstall them if found:

    VVSN

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see it, try to END it:

    VVSN.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/

    O15 - Trusted Zone: http://ad.searchsquire.com
    O15 - Trusted Zone: http://search.searchsquire.com
    O15 - Trusted Zone: http://update.searchsquire.com
    O15 - Trusted Zone: http://www.searchsquire.com
    O15 - Trusted Zone: http://*.searchsquire.com
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com

    O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
    O16 - DPF: {D6EE6053-B507-11D1-8F3E-444553540000} (IdaAxCtl Class) - https://www.realuser.com/ax/idaax.cab

    O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\System32\olescn32.dll
    O21 - SSODL: URLREWIN - {EB9BDABE-1BD2-445B-9A13-BA9C7D2E3CA9} - C:\WINDOWS\System32\netknl.dll

    O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-max-nt (file missing)
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\SONY\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\VVSN ←–– Delete this whole folder if it exists!

    C:\WINDOWS\web\related.htm

    C:\WINDOWS\System32\olescn32.dll

    C:\WINDOWS\System32\netknl.dll


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above,
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
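The fix list above is built from HijackThis sections (O4 autostarts, O15 Trusted Zone additions, O17 NameServer overrides, O21 SSODL DLLs, O23 services). The following is an added example, not code from this thread, from bjgarrick or from HijackThis: a small Python triage parser that reads log lines in those five shapes and flags the entries a reviewer would want to look at. The allowlists (`KNOWN_SSODL_DLLS`, `KNOWN_RUN_EXES`), the placeholder CLSID on the benign SSODL line and the benign ctfmon line are assumptions I constructed; the flagged sample lines are copied from the log entries quoted in the post.

```python
"""Triage a HijackThis-style log: parse O4/O15/O17/O21/O23 lines and flag
entries worth a reviewer's attention.  Added example, not HijackThis code."""
from __future__ import annotations

import ntpath  # Windows path handling that also works when run on Linux/macOS
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section, e.g. "O15"
    item: str     # the thing flagged (path, domain, resolver list, service name)
    reason: str   # why a reviewer should look at it


# Assumption: SSODL entries present on a stock Windows XP install.
KNOWN_SSODL_DLLS = {"webcheck.dll", "stobject.dll"}
# Assumption: Run-key executables the analyst has already vetted on this machine.
KNOWN_RUN_EXES = {"ctfmon.exe"}

RE_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O15 = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
RE_O17 = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def exe_name(cmd: str) -> str:
    """Best-effort executable name from a Run-key command (quoted path, or bare path plus args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = re.split(r"\s+/|\s+-", cmd, maxsplit=1)[0]
    return ntpath.basename(path)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order; benign lines produce nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O4.match(line):
            exe = exe_name(m["cmd"])
            if exe.lower() not in KNOWN_RUN_EXES:
                findings.append(Finding("O4", m["cmd"],
                                        f"autostart '{m['name']}' runs an unvetted executable {exe}"))
        elif m := RE_O15.match(line):
            site = m["site"]
            why = ("wildcard Trusted Zone entry lowers IE security for every host in the domain"
                   if "*" in site else "Trusted Zone entry lowers IE security for this host")
            findings.append(Finding("O15", site, why))
        elif m := RE_O17.match(line):
            # NameServer values appear comma- or space-separated in the wild; accept both.
            servers = re.split(r"[,\s]+", m["servers"].strip())
            findings.append(Finding("O17", ",".join(servers),
                                    "per-adapter NameServer override: confirm these resolvers belong to the current ISP"))
        elif m := RE_O21.match(line):
            dll = ntpath.basename(m["path"]).lower()
            if dll not in KNOWN_SSODL_DLLS:
                findings.append(Finding("O21", m["path"],
                                        f"ShellServiceObjectDelayLoad loads unknown DLL {dll} at every logon"))
        elif m := RE_O23.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O23", m["name"], "service registered but its binary is missing"))
    return findings


# Constructed sample: flagged lines copied from the thread, benign lines added for contrast
# (the CLSID on the WebCheck line is a placeholder, not the real one).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F638BEB0-B592-4BFA-AD90-41ECA5FD877E}: NameServer = 212.74.114.129 212.74.114.193
O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\System32\olescn32.dll
O21 - SSODL: WebCheck - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\webcheck.dll
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-max-nt (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}\n      {f.reason}")
```

Run against the sample, the parser flags six entries (the VVSN autostart, both Trusted Zone lines, the DNS override, the olescn32.dll SSODL entry and the missing MySql binary) and stays silent on ctfmon and webcheck. The point of the allowlists is the workflow the post follows: anything not already vetted is a question for the reviewer, not an automatic "fix".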
     
  5. cramb0

    cramb0 Private E-2

    Hi,

    thanks for your detailed reply.

    I have attached the new log file.

    The MS Word still locks up though...

    many thanks

    mark

    ps: I am also unsure as to what the following is:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7750B34-1651-4A24-9511-FB6364F034BE}: NameServer = 128.16.6.8,128.16.5.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E749514D-2E7E-4ED3-8292-737BB65EE03C}: NameServer = 128.16.6.150,128.16.5.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F638BEB0-B592-4BFA-AD90-41ECA5FD877E}: NameServer = 212.74.114.129 212.74.114.193
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I forgot to add in my last post: I notice you're running AVG & Norton. You need to pick one. Uninstall the one you don't want, because running both will cause conflicts.

    Are you on a network?

    I notice that this one isn't there anymore, did you fix it?
     
  7. cramb0

    cramb0 Private E-2

    No, I am not on a network anymore; I used to be though, at university.

    Just as I speak, I uninstalled NAV, then AVG immediately sounded that there was a virus in /system32/mspn32.exe

    Trojan horse/backdoor.SdBot.165.E !!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete this file!

    C:\WINDOWS\system32\mspn32.exe

    Also, have HJT fix these entries if you're not on a network anymore.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7750B34-1651-4A24-9511-FB6364F034BE}: NameServer = 128.16.6.8,128.16.5.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E749514D-2E7E-4ED3-8292-737BB65EE03C}: NameServer = 128.16.6.150,128.16.5.31

    Reboot and post a new HJT log just to be sure.
     
  9. cramb0

    cramb0 Private E-2

    OK,

    here is the new log file.

    Last night AVG also found:

    Trojan Horse Dropper.Juntador.AA in \System32\msfwe1.exe

    I also got rid of Norton Internet Security and installed Zone Labs, and this keeps telling me that winregs326a.exe, windowsp.exe and svchost.exe keep trying to access the net... are any of those files dodgy?

    thanks again for your help!

    mark
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    windowsp.exe = SDBOT WORM

    msfwe1.exe = RDBOT WORM

    First, let's try to run a few more things.

    TrendMicro Online Scan
    Symantec Online Scan
    Panda Online Scan
    RAV AntiVirus Online Scan
    ComputerAssociates Online Scan
    Bit Defender Online Scan
    Command On Demand Online Scan
    Freedom Online Scan
    AhnLab Online Scan
    PCPitStop Online Scan


    After doing these online scans (skip the ones you've done already) proceed to the next part:

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.
     
