
Virus Problems [RESOLVED]


  • This topic is locked

#16
Gazza G
Member (Topic Starter), 47 posts
Those two files were a game I downloaded from FilePlanet.... I liked that :tazz: I'll clear them up now.

Also, I've got no more problems. The intell32 one has stopped, which happened every time I tried to connect to the net.

The only other effect from the backgrounds being changed is still behind my login screen - the background is still black. Do you know where I can change this? In display, it only changes the background for when I'm logged on. I tried logging onto this PC and not the domain, but that didn't work.

Other than that, I believe everything's back to normal. May I say a HUGE thank you for helping me with this ;) :) :(
  • 0


#17
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Those two files had a virus in them, at least according to the scan.

Let's try this again just to be safe :tazz:

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to its own folder on the desktop.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).
  • 0

#18
Gazza G
Member (Topic Starter), 47 posts
I won't bother posting the smitrem log - there's nothing in it :tazz: No files before or after. Also ewido didn't pick anything up. There's no 'Security Info' in display, and again, Pandascan isn't working for me. However, all problems have gone ;)
  • 0

#19
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Is that login background still a problem? We might have to ask that in the Windows forum if nothing else is detected.

OK, for Panda, try resetting Internet Explorer's security settings. Go to Internet Explorer->Tools->Internet Options->Security->Custom Level->Reset. Click OK and OK. Close Internet Explorer and open it again. Try Panda scan.

Did you run that mwav program yet? I want to see what that program finds if anything.
  • 0

#20
Gazza G
Member (Topic Starter), 47 posts
I did run mwav, and posted the log on the 1st page of this topic, but didn't label it, sorry.

Here it is again:

Noticed this while it was scanning...

Mon Aug 01 01:04:39 2005 => ERROR!!! Invalid Entry "C:\WINNT\System32\r_server.exe" /service in SYSTEM\CurrentControlSet\Services\r_server...




Mon Aug 01 02:31:18 2005 => ***** Checking for specific ITW Viruses *****
Mon Aug 01 02:31:18 2005 => Checking for Welchia Virus...
Mon Aug 01 02:31:18 2005 => Traces of "Welchia" found and cleaned !!! <===
Mon Aug 01 02:31:18 2005 => Checking for LovGate Virus...
Mon Aug 01 02:31:18 2005 => Checking for CodeRed Virus...
Mon Aug 01 02:31:19 2005 => Checking for OpaServ Virus...
Mon Aug 01 02:31:19 2005 => Checking for Sobig.e Virus...
Mon Aug 01 02:31:19 2005 => Checking for Winupie Virus...
Mon Aug 01 02:31:19 2005 => Checking for Swen Virus...
Mon Aug 01 02:31:19 2005 => Checking for JS.Fortnight Virus...
Mon Aug 01 02:31:19 2005 => Checking for Novarg Virus...
Mon Aug 01 02:31:19 2005 => Checking for Pagabot Virus...
Mon Aug 01 02:31:19 2005 => Checking for Parite.b Virus...
Mon Aug 01 02:31:19 2005 => Checking for Parite.a Virus...
Mon Aug 01 02:31:19 2005 => Checking for Adware.SeekSeek Virus...
Mon Aug 01 02:31:19 2005 => ***** Scanning complete. *****
Mon Aug 01 02:31:19 2005 => Total Objects Scanned: 55168
Mon Aug 01 02:31:19 2005 => Total Virus(es) Found: 7
Mon Aug 01 02:31:19 2005 => Total Disinfected Files: 0



File C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\Mario V1.1.exe infected by "P2P-Worm.Win32.Franvir" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\mario.zip infected by "P2P-Worm.Win32.Franvir" Virus! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\FilePlanetDownloadCtrl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\r_server.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\raddrv.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\ACrd10SM.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Sony Shared\OpenMG\ekb\newekb021224.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\FilePlanetDownloadCtrl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A0A-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A18-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A19-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0E6178B0-2533-11d4-8A2B-0090271D4F88}" refers to invalid object "C:\Program Files\Yahoo!\Messenger\messmod.dll". Action Traces of "Welchia" found and cleaned !!!


I have removed the two mario files. And the background still hasn't changed. I don't know where to reset it though? There must be some control menu for it somewhere. And I posted it in the OS forums, but no-one replied. I can have another check in a minute. Also, I'll try Pandascan now.
  • 0
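
Added example (not part of the original thread and not the scanner's own code): a small Python triage of a log in the format posted above, separating file detections left with "No Action Taken" from dangling registry references and setting truncated lines aside for manual review. The sample log is constructed in the same format; its paths and CLSID are made up, and the function names are hypothetical.

```python
import re

# Line shapes taken from the MWAV log quoted in the post above.
FILE_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus! '
                     r'Action Taken: (?P<action>.+?)\.$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object '
                      r'"(?P<obj>[^"]+)"\. Action Taken: (?P<action>.+?)\.$')
TOTAL_RE = re.compile(r'=> Total (?P<label>[^:]+): (?P<count>\d+)$')

def triage(log_text):
    """Split an MWAV-style log into detections, dangling registry refs and totals."""
    report = {"infected": [], "dangling": [], "totals": {}, "unparsed": []}
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if (m := FILE_RE.match(line)):
            report["infected"].append(m.groupdict())
        elif (m := ENTRY_RE.match(line)):
            report["dangling"].append(m.groupdict())
        elif (m := TOTAL_RE.search(line)):
            report["totals"][m["label"]] = int(m["count"])
        elif line.startswith(("File ", "Entry ")):
            # Truncated or merged finding: keep it for manual review, do not guess.
            report["unparsed"].append(line)
    return report

def still_present(report):
    """Detections the scanner reported but did not act on."""
    return [f["path"] for f in report["infected"] if f["action"] == "No Action Taken"]

# Constructed sample in the same format (paths and CLSID are made up).
SAMPLE = r'''
Mon Aug 01 02:31:19 2005 => Total Objects Scanned: 55168
Mon Aug 01 02:31:19 2005 => Total Virus(es) Found: 7
Mon Aug 01 02:31:19 2005 => Total Disinfected Files: 0
File C:\Temp\demo\game.exe infected by "P2P-Worm.Win32.Franvir" Virus! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\example.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00000000-0000-0000-0000-000000000000}" refers to invalid object "C:\Temp\demo\demo.dll". Action
'''

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("files needing manual removal:", still_present(r))
    print("dangling registry references:", len(r["dangling"]))
    print("lines to review by hand:", len(r["unparsed"]))
    print("totals:", r["totals"])
```
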

#21
Gazza G
Member (Topic Starter), 47 posts
Still no luck with pandascan. Isn't there another one, Trend Micro? I could try that?
  • 0

#22
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Nope, my apologies for that. I was even looking at it too :tazz:

Yes, that's the mwav log.

Run TrendMicro, that should work. Make sure you use this one since it's Java. The regular one also uses ActiveX and it probably won't work either.

I'm asking other helpers to look at this ActiveX problem right now. Ask me again later to see if there are any replies. I will post them if I get a response.

Run this program also to do some cleaning:

*Download RegSeeker http://www.hoverdesk.net/freeware.htm and install it.
*Click on 'Clean The Registry' in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click 'Select All' on the bottom. Then right-click on any selected item in the window and select 'Delete Selected Items'.
*Click 'Quit RegSeeker'.

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run RegSeeker again. Do the same thing again if anything is found. You may have to run RegSeeker 5 - 6 times, but you want it showing none to very few items.

*Make sure to reboot between each use of the program.
  • 0

#23
Gazza G
Member (Topic Starter), 47 posts
Ok, I ran the program twice, rebooting in between. First time there were around 300 objects, I removed them all. Microsoft Word etc. worked, so I rebooted and did it again, this time with around 30 objects. I removed them all, then went to go to the net, but the net wasn't working. So I restored the removed scans, rebooted and it still wasn't working. I switched the machine off for a while, went back on and it's working now.

I can't work on this again tonight, I'm out for the night. I'll try again tomorrow though :tazz:
  • 0

#24
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Try fixing them all again when you have time. If the net doesn't work, run this program:
Download WinsockFix http://www.greyknigh.../WinsockFix.zip and unzip it. Then double-click on WinsockFix.exe to run it.
  • 0

#25
Gazza G
Member (Topic Starter), 47 posts
Ok, I ran the program again, and deleted the 600 items it found. I then tried to get on the net, and it wasn't connecting again. So I went to the WinsockFix that I had downloaded in advance ( :tazz: ), only to find that WinZip wasn't working. I clicked the file, which was still zipped, and it came up with the Windows Installer. Then it said it couldn't find the install files for it (WinZip). So I restored the objects deleted again, and I'm going to try it again soon (I'm on my main PC now, not laptop).

I'm having problems using this, so do I need to use it? Is there a particular kind of entry you were looking for? I can try to find any and remove them individually if so. However, I'd rather try to avoid it, so I know that everything works.

Also, I'm going to upgrade to SP4, but read that you should wait until the viruses have gone before upgrading as it may cause problems. Is it ok for me to upgrade to it now, or should I wait? I was also hoping it may reset the background colour for the login screen, but I'm not sure.
  • 0


#26
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
I just want you to run RegSeeker because there were some obsolete/junk registry entries there. It's good to run this since it will weed out the useless entries. There it is. I knew I had it there :tazz: You can get the self-extracting file for WinsockFix here. Just click Install and extract it somewhere. No WinZip program needed ;)

Upgrade to SP4 if you want to. It shouldn't have any big problems that I know of. I have only heard of problems with Windows XP SP2 installs.

I sent my reply back to you via PM. See if that solution will fix up the problem you have with the background. Like I said in the PM, I don't think that's your background at all. Might be related to a BIOS setting.
  • 0

#27
Gazza G
Member (Topic Starter), 47 posts
As for the PM, my laptop is Sony, not Compaq. Also, it's the standard windows login screen. Where it's usually green/blue, it's not black. I'll reboot now, and take a screenshot for you.
  • 0

#28
Gazza G
Member (Topic Starter), 47 posts
Ok, I logged off, took a screenshot, logged on but it didn't work - didn't copy. So I found a picture of the login screen on the net, and changed the background colour...

The one on the left is how it should be, the blue one, but the one on the right is how it is at the moment, black.

Attached Thumbnails

  • win2000pro.jpg
  • win2000pro2.jpg

Edited by Gazza G, 02 August 2005 - 05:01 PM.

  • 0

#29
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
OK, I'm stumped on this one :tazz:

I see that you have already posted this in the Windows forum and still haven't gotten a reply. Try replying to your own post and then add that you have screenshots. Attach there what you gave me here. See if anyone will respond then.

Are you still having any virus problems now?

If not, I will close this topic and mark it resolved.
  • 0

#30
Gazza G
Member (Topic Starter), 47 posts
No problems!!!

Thanks for the help! :tazz:

I'll post it in my thread now.
  • 0





