This Virus Has Me Miffed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steelo121, Jul 3, 2005.

  1. steelo121

    steelo121 Private E-2

    Hey guys,

    First and foremost, thanks for all the help you've given everyone, and for any help I receive in advance. Here's a brief history of all the things I've done to try and fix the problems on my computer. I reinstalled XP about two weeks ago, and as soon as I connected to the net, I got all of these alerts saying there was spyware on my computer, all of which were telling me to go to these ridiculous URLs. They eventually caused my computer to shut down because of an error caused with the LSA shell. When I sent an error report to microsoft.com, it said I had a variant of the Sasser virus, so I downloaded the Sasser fix from the Symantec site, which solved the shutdown problem. I also updated my antivirus software, downloaded Service Pack 2 for XP, and ran Ad-Aware and Spybot.

    I thought all was well and good, until I realized that whenever I hit ctrl+alt+delete to bring up the task manager, the task manager wouldn't show up. Then I tried running tasklist through the run toolbar, but tasklist closes within a second of opening. Also, programs would crash very easily, with simple things like just trying to save an image. Installing new programs was nearly impossible as well. Whenever I went to right-click on the connection icon to disconnect from the internet, the program would not disconnect. I'd shut down my computer, come back to it later and restart, then go online, and my anti-virus software would catch a registry file from a LowZones virus. This would happen EVERY time I connected to the internet! No matter how many times my anti-virus software caught the file and I deleted it, it would always be back. It can't be because of system restore, because I made sure to turn that off. None of these symptoms would come up until I attempted to connect online.

    I got so annoyed by the whole thing that I reformatted the drive in an attempt to get rid of the virus, but it survived the reformat! I had to go through the whole process all over, just to keep my computer from crashing because of an LSA error. I still have all of the symptoms I mentioned in the last paragraph, in addition to my anti-virus software catching an occasional Spybot file. Oh, and also, whenever I restart my computer, my computer immediately tries to connect online to receive information from sites.

    I followed the read me file you posted in the forum, and still have the problems. I need help... desperately. Is this some sort of blended threat? My anti virus has diagnosed the files as sasser, spybot, and LowZones. Please help!
     
  2. steelo121

    steelo121 Private E-2

    I forgot to mention that the name of the file found by my symantec anti virus whenever I sign online is "kans.reg", without the quotes. It tries to appear in "C:\temp". The virus name is "Trojan.LowZones!reg", again, without the quotes. Please help. :(
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have procedures in this forum that need to be followed and you should read them along with people who are requesting help. Please read the sticky threads. Also please do not post external links to software downloads when they are available here on MGs.

    And one final comment, defragmenting a drive does not recover lost files. It rearranges files on your hard disk to make the space they take up contiguous.
     
    Last edited: Jul 3, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    steelo121,

    Here are the proper steps to follow. (Note: the kans.reg file is a registry patch and is part of your problem. It is probably located in a temp folder. We should find it through the below processes.)

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
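Post 2 names the detection Trojan.LowZones!reg, and chaslang notes above that kans.reg is a registry patch. As an added example (not code from the thread, from HijackThis or from any vendor tool), here is a small Python reader for a .reg file that lists every key and value the patch would write and flags the two kinds of write that lower Internet Explorer's zone security. The sample patch is constructed, since the real contents of kans.reg are not on the page; the host name in it is made up, and the checks assume IE's zone layout (Zones\3 is the Internet zone, a four-digit action value of dword 0 means enabled without prompting, and dword 2 under ZoneMap\Domains puts a host into Trusted sites).

```python
r"""Parser for a Windows .reg patch that lists what it would write and
flags changes that weaken Internet Explorer security zones.

Added example; not code from the thread or from any vendor tool. The
contents of the poster's kans.reg are not on the page, so SAMPLE_REG is
constructed to look like a zone-lowering patch (host name made up).
Assumed policy, based on how IE stores zone settings:
  * under ...\Internet Settings\Zones\<n>, a four-digit action value of
    dword 0 means "enable without prompting";
  * under ...\Internet Settings\ZoneMap\Domains\<host>, dword 2 puts the
    host into the Trusted sites zone.
"""
import re

# Constructed sample patch (assumed layout; example.invalid is made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"="hello"
"Stale"=-
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
ZONES_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d+)$", re.I)
DOMAINS_RE = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\(?P<host>[^\\]+)$", re.I)
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def decode_data(data):
    """dword -> int, quoted string -> str, '-' (delete value) -> None,
    anything else (hex:, multi-line continuations) is returned as raw text."""
    if data == "-":
        return None
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Return {key path: {value name: decoded data}} for a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else vm.group("name")
            keys[current][name] = decode_data(vm.group("data"))
    return keys


def zone_findings(keys):
    """Human-readable list of zone-weakening writes found in parsed keys.
    IE's numeric action IDs are reported as-is, not decoded to names."""
    findings = []
    for key, values in keys.items():
        zm = ZONES_RE.search(key)
        if zm:
            zone = ZONE_NAMES.get(int(zm.group("zone")), "zone " + zm.group("zone"))
            for name, data in values.items():
                if re.fullmatch(r"\d{4}", name) and data == 0:
                    findings.append(f"{zone} zone: action {name} set to 0 (enable)")
        dm = DOMAINS_RE.search(key)
        if dm:
            for name, data in values.items():
                if data == 2:
                    findings.append(f"{dm.group('host')} ({name}) added to Trusted sites")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        print(key)
        for name, data in values.items():
            print(f"    {name} = {data!r}")
    for finding in zone_findings(parsed):
        print("FLAG:", finding)
```

Reading a quarantined .reg this way, rather than double-clicking it, shows what it was going to change without merging it; a patch that only touches keys outside Internet Settings produces no findings and still gets listed in full.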
     
  5. steelo121

    steelo121 Private E-2

    As requested, I have attached the Hijack This log to this thread. I followed all of the steps you mentioned beforehand in the other thread, except for the last online scan because it refused to open, no matter how long I waited.

    Here are a couple more notes about the virus. As you mentioned, the "kans.reg" file was stored in a temp file. There is a file called update.htm in the same folder that it tries to redirect my browser to, but my anti-virus software stops that. No matter how many times I erase them, they reappear. Also, every now and then, the software also detects a "TFTP....." file, with the letters followed by random numbers. I did a search for 0 byte TFTP files by typing tftp*.* in the search toolbar and found a couple of them, and also a couple of other ones that I didn't erase because there weren't 0 bytes, and I was being cautious. I looked in the WINDOWS\Prefetch folder and found a couple of suspicious files. One was a TFTP file, as well as a few files named "ERASEME.....", with the letters followed by random numbers as well.

    Thanks for all the help again!
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows OS and IE version are way out of date and represent a major security risk. You must get updated after we finish fixing any remaining problems you have. We will discuss that later.

    Firefox should not be running when you use HijackThis. It is a browser. All browsers should be closed.

    You have a couple of worms. One is Troj/Crater.A. See: http://www.sophos.com/virusinfo/analyses/trojcratera.html for info on it and some of the files it may have put on your PC.

    Click on Start, then Run, type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Net Functions Library or Netlib. Then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for: Windows Process Moniter

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button. Select "Delete an NT Service", copy/paste the following into the box that opens, and press "OK":

    Net Functions Library

    If that does not work, use the short name: Netlib
    Now repeat the above HijackThis steps for: Windows Process Moniter

    At this point it may ask you to reboot your PC. So reboot and then get a new HijackThis log to post and tell me how things are working.

    If the below are still in your HJT log, it means the above steps did not completely work:

    O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe
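An added example for the two posts above (the Prefetch names steelo121 reported and the O23 service lines chaslang quoted), not code from the thread, from HijackThis or from MajorGeeks: a small Python triage that parses O23 lines into fields, flags services whose binary sits outside the usual install directories or that carry a Windows-style name with no company information, and decodes Prefetch file names (NAME.EXE-HASH.pf) to list which of the worm's executables actually ran. The sample log and listing are constructed; the two legitimate-looking services and the Prefetch hashes are assumptions, and the trusted-directory list assumes a default XP layout on C:.

```python
"""Triage of HijackThis O23 (NT service) lines and Prefetch file names.

Added example, not code from the thread, HijackThis or MajorGeeks.
O23 lines are assumed to follow the layout quoted in the thread:
  O23 - Service: <display name> (<short name>) - <owner> - <path>
"""
import re
from pathlib import PureWindowsPath

# Constructed sample log: the two O23 lines chaslang quoted, plus two
# made-up, legitimate-looking services (assumed) for the rules to ignore.
SAMPLE_HJT_LOG = r"""
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe
O23 - Service: Symantec AntiVirus (Symantec AntiVirus) - Symantec Corporation - "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
O23 - Service: Example Backup Agent (ExBackup) - Example Software Inc. - C:\Program Files\Example\backup.exe /service
"""

# Constructed Prefetch listing (assumed hashes). Windows names each entry
# NAME.EXE-<8 hex digits>.pf, and an entry exists only if that program ran.
SAMPLE_PREFETCH = [
    "TFTP.EXE-0E1B6E4F.pf",
    "ERASEME_37458.EXE-2A3C11D0.pf",
    "ERASEME_51023.EXE-7B9D00C2.pf",
    "NOTEPAD.EXE-336351A9.pf",
    "Layout.ini",
]

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
# First .exe token of the path, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
PF_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Assumption: default XP layout on C:. Service binaries elsewhere get a look.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
# Prefetch names matching what the poster's AV kept catching.
WORM_ARTIFACTS = (re.compile(r"^TFTP\d*\.EXE$", re.I),
                  re.compile(r"^ERASEME_?\d+\.EXE$", re.I))


def parse_o23(line):
    """Fields of one O23 line (display, short, owner, path, exe) or None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    exe = EXE_RE.match(entry["path"])
    entry["exe"] = exe.group("exe") if exe else entry["path"]
    return entry


def service_reasons(entry):
    """Why this service deserves a look; an empty list means nothing stood out."""
    reasons = []
    parent = str(PureWindowsPath(entry["exe"].lower()).parent)
    if not any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS):
        reasons.append(f"binary outside expected directories: {entry['exe']}")
    unknown = entry["owner"].strip().lower() == "unknown owner"
    if unknown and re.match(r"^(windows|microsoft)\b", entry["display"], re.I):
        reasons.append("Windows-branded name but the binary carries no company info")
    elif unknown:
        reasons.append("binary carries no company info")
    return reasons


def triage_hjt(log_text):
    """Map display name -> reasons for every O23 line that raised a flag."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None:
            reasons = service_reasons(entry)
            if reasons:
                flagged[entry["display"]] = reasons
    return flagged


def parse_prefetch_name(name):
    """Split NAME.EXE-HASH.pf into (NAME.EXE, HASH); None for other files."""
    m = PF_RE.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None


def triage_prefetch(names):
    """Executables in a Prefetch listing that match the worm's file patterns."""
    hits = []
    for name in names:
        parsed = parse_prefetch_name(name)
        if parsed and any(p.match(parsed[0]) for p in WORM_ARTIFACTS):
            hits.append(parsed[0])
    return hits


if __name__ == "__main__":
    for display, reasons in triage_hjt(SAMPLE_HJT_LOG).items():
        print(f"[service] {display}: {'; '.join(reasons)}")
    for exe in triage_prefetch(SAMPLE_PREFETCH):
        print(f"[prefetch] {exe} ran on this machine")
```

Run it as a script to print the findings, or import it and call triage_hjt on a real log. The rules are deliberately coarse, so a hit is something to look at rather than a verdict; the Prefetch check is useful precisely because a TFTP or ERASEME entry survives after the executable itself has been deleted, which is how steelo121 noticed them.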
     
  7. steelo121

    steelo121 Private E-2

    I did as you instructed and posted the log. When trying to stop the Net Functions Library, an error occurred saying that it could not be stopped because it did not end in a timely fashion, or something to that nature. I was able to disable it at startup and delete it using Hijack This!. As for the Windows Process Moniter, it didn't even give me the option to stop it, but I was able to disable it at startup and delete it as well. The lines you mentioned in the previous reply no longer appear in the log.

    However, I did already encounter a problem that leads me to believe that the virus still lingers. While I was trying to post this log the first time around, firefox froze while I was uploading the log file. Then when I went to bring up the task manager, I hit ctrl+alt+delete, and the task manager window didn't come up. Both were things that were happening before.

    Thanks again for all your help, and I'm eagerly awaiting the next set of instructions.
     

    Attached Files:

  8. steelo121

    steelo121 Private E-2

    Yeah, the problems bringing up task manager are constant. Also, the tasklist window shuts down immediately when I try to bring it up with the run toolbar.
     
  9. steelo121

    steelo121 Private E-2

    My anti-virus software just caught a file named "eraseme_37458.exe", so I guess this stupid thing is still in there. I did a search for files titled eraseme, and found a couple more. Should I erase these?
     
  10. steelo121

    steelo121 Private E-2

    What's happening?!?!?!?!?! As I was online, my anti-virus software caught ANOTHER "kans.reg" file. When I took another Hijack This! log, winmon.exe was back, and there was another suspicious file. What's going on?! I thought I got rid of these. I feel like the more I do, the worse things get.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember my comment from a few messages ago:

    Your Windows OS and IE version are way out of date and represent a major security risk.

    That's the root of all your problems. That and the fact that you have no firewall and probably insufficient protection.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also (along with winmon) you now have a worm added by the W32/Codbot-M worm and IRC backdoor trojan.

    C:\WINDOWS\System32\netddeclnt.exe

    Boot into safe mode and stop the above process if running and then delete the file.

    Delete winmon like before.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  14. steelo121

    steelo121 Private E-2

    I did everything you instructed me to do. All seems well right now. Task manager now seems to be working fine, and no weird freezes. The only odd thing left is that tasklist still won't open.

    Also, right before I was going to submit this, I got a message from my firewall that said this:

    Generic Host Process for Win32 Services (svchost.exe) is being contacted from a remote machine [207.217.77.82] using local port 1129. Do you want to allow this program to access the network?

    I chose no, but didn't set this to do it all the time. It seemed fishy to me, but I don't know if I'm being too cautious.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That IP belongs to your ISP (I assume) Earthlink. You should ask them why they are trying to access your computer because that port is also used for malware attempts. See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.anyserv.b.html

    and also: http://www.sophos.com/virusinfo/analyses/trojagentaa.html

    I would deny it and always use the same setting for now.

    Post a new HJT log. Are you saying you can open Task Manager but the Processes tab does not show?
     
  16. steelo121

    steelo121 Private E-2

    When I was talking about tasklist, I meant typing tasklist in the run window. It closes immediately. Everything else seems to be fine, but I did get another odd message from my firewall that I denied:

    NDIS User mode I/O Driver (ndisuio.sys) has receive a packet from the remote machine. Do you want to allow this protocol driver to access the network?

    This alert came up as soon as XP booted up.

    I also attached my HJT log again.
     

    Attached Files:

  17. steelo121

    steelo121 Private E-2

    Wait, is tasklist SUPPOSED to close so quickly? If so, my mistake.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is! If you want to see processes it is easier to use Task Manager!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. Now you need to get your Windows update ASAP. Complete the steps in the below thread (the first step is Windows Update):

    How to Protect yourself from malware!

    You do not need to give NDIS User mode I/O Driver access to the network but it is a valid system process.
     
