blood hound virus


This topic is locked

#16
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Here's what you're infected with (thanks jonnyrotten): http://securityrespo...w32.donk.s.html

There are removal instructions in that link:

Click Start > Run.
a. Type regedit
b. Then click OK.
c. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, delete the following values, if present:

"Microsoft System Checkup"="ntsysmgr.exe"
"Microsoft System Checkup"="libsysmgr.exe"

e. Navigate to the keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

f. In the right pane delete the value:

"NT Logging Service"= "syslog32.exe"

g. Exit the Registry Editor.

h. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."


Removal tool here: http://securityrespo...moval.tool.html
  • 0


#17
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Since you can't access the Symantec site, here's the removal tool (attached).

Attached Files


  • 0

#18
jimfro

jimfro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I ran the Symantec fix, but it said the virus wasn't found on my computer. I deleted those files from the reg in Safe Mode, but when I restarted the comp and looked at the processes running in Task Manager I saw the libsysmgr.exe file still running, and of course it can't be stopped or deleted. lsass.exe is running there too, and microsofts.exe. I can remember reading that they are associated with viruses too. Is this right?
  • 0

#19
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
It doesn't appear to block Panda's free online virus scan. Let's try that:
http://www.pandasoft...n_principal.htm
  • 0

#20
jimfro

jimfro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here are the scan results, and it's ugly...

Incident Status Location

Virus:W32/Sdbot.BCW.worm No disinfected Operating system
Virus:W32/Sdbot.BCW.worm No disinfected C:\!Submit\11-27-2004\libsysmgr.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\WINNT\system32\msgfix.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\WINNT\system32\payload.dat
Virus:W32/Sdbot.BCW.worm No disinfected C:\WINNT\system32\libsysmgr.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\WINNT\system32\mircosofts.exe
Virus:W32/Sdbot.BCW.worm No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\kspd32a.exe
  • 0
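The Panda results above come in a fixed three-column layout (Incident, Status, Location), so they can be parsed into records instead of being re-typed into a removal list. The following is an added example, not code from the thread, from Panda or from Geeks to Go; the sample input is copied from the scan output in the post, and the parser assumes the Status column is always either "No disinfected" or "Disinfected" (an assumption about Panda's format). It also separates the "Operating system" hit, which is the worm found in memory, from the on-disk copies; that in-memory copy is why the user's delete attempts kept failing.

```python
"""Parse Panda ActiveScan results into structured incident records (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: the scan lines copied from the post above.
SCAN_OUTPUT = """\
Incident Status Location

Virus:W32/Sdbot.BCW.worm No disinfected Operating system
Virus:W32/Sdbot.BCW.worm No disinfected C:\\!Submit\\11-27-2004\\libsysmgr.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\\WINNT\\system32\\msgfix.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\\WINNT\\system32\\payload.dat
Virus:W32/Sdbot.BCW.worm No disinfected C:\\WINNT\\system32\\libsysmgr.exe
Virus:W32/Sdbot.BCJ.worm No disinfected C:\\WINNT\\system32\\mircosofts.exe
Virus:W32/Sdbot.BCW.worm No disinfected C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\kspd32a.exe
"""


class Incident(NamedTuple):
    kind: str       # e.g. "Virus"
    name: str       # detection name, e.g. "W32/Sdbot.BCW.worm"
    status: str     # "No disinfected" or "Disinfected" (assumed vocabulary)
    location: str   # file path, or "Operating system" for the in-memory hit


# Assumed layout: "<kind>:<name> <status> <location>", status from a fixed vocabulary.
LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)


def parse_scan(text: str) -> List[Incident]:
    """Turn the pasted scan text into Incident records; raise on an unexpected line."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Incident "):   # skip blanks and the header
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised scan line: {line!r}")
        incidents.append(Incident(m["kind"], m["name"], m["status"], m["location"]))
    return incidents


def files_to_remove(incidents: List[Incident]) -> List[str]:
    """On-disk paths still flagged; the 'Operating system' entry is the running copy, not a file."""
    return [i.location for i in incidents
            if i.status == "No disinfected" and "\\" in i.location]


def still_in_memory(incidents: List[Incident]) -> List[str]:
    """Detection names reported as active in memory (deleting their files will fail until the process ends)."""
    return [i.name for i in incidents if i.location == "Operating system"]


def by_family(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Group locations by detection name so each variant's files are listed together."""
    groups = defaultdict(list)
    for i in incidents:
        groups[i.name].append(i.location)
    return dict(groups)


if __name__ == "__main__":
    found = parse_scan(SCAN_OUTPUT)
    print("active in memory:", still_in_memory(found))
    for family, locations in by_family(found).items():
        print(family)
        for loc in locations:
            print("   ", loc)
```

The `still_in_memory` result is the detail to check before deleting anything: as long as a detection is reported against "Operating system", the process owning those files is running and file deletion will be refused, which is exactly what the next posts in the thread run into.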

#21
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Working on a fix...
  • 0

#22
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
End the following running processes:
libsysmgr.exe
msgfix.exe
libsysmgr.exe
mircosofts.exe
kspd32a.exe

To end the process:
1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the processes.
5. Scroll through the list and look for any of the file names listed in step 1 of the "Technical Details" section. This file name can vary.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

Delete these files:
C:\!Submit\11-27-2004\libsysmgr.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\payload.dat
C:\WINNT\system32\libsysmgr.exe
C:\WINNT\system32\mircosofts.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\kspd32a.exe

Remove the registry entries:
Click Start > Run.
Type regedit
Then click OK.

Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the following values, if present:
"Microsoft System Checkup"="libsysmgr.exe"

Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the values:
"Configuration Loader" = "msgfix.exe"

Cross your fingers and restart. <_<
  • 0

#23
jimfro

jimfro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Nothing seems to be working... I am doing all that you advise, but there seems to be no end. Here is the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 9:05:00 PM, on 11/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...5c667d265bce627
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...tupDownloader.c
  • 0
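A HijackThis log like the one above is plain text with a "Running processes:" block and one autostart entry per O4 line, so the file and value names given in the removal instructions earlier in this thread (libsysmgr.exe, msgfix.exe, mircosofts.exe, kspd32a.exe, the "Microsoft System Checkup", "NT Logging Service" and "Configuration Loader" values) can be checked against it mechanically. The following is an added example, not code from the thread, from HijackThis or from Geeks to Go. The sample log is a constructed excerpt: most lines are copied from the log above, and one process line plus one O4 line were added here to show what a hit looks like.

```python
"""Triage a HijackThis log against the indicators named in this thread (added example)."""
import ntpath
import re
from typing import List, NamedTuple

# File names named in this thread (Symantec write-up and Panda scan results).
KNOWN_BAD_FILES = {
    "libsysmgr.exe", "ntsysmgr.exe", "syslog32.exe",
    "msgfix.exe", "mircosofts.exe", "kspd32a.exe", "payload.dat",
}
# Autostart value names used by the worm, from the removal instructions above (compared case-insensitively).
KNOWN_BAD_VALUES = {"microsoft system checkup", "nt logging service", "configuration loader"}

# Constructed sample: lines copied from the log in the post, plus two lines added
# here (the libsysmgr.exe process and the "Microsoft System Checkup" O4 entry).
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
Scan saved at 9:05:00 PM, on 11/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\lsass.exe
C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
C:\\WINNT\\system32\\libsysmgr.exe
C:\\WINNT\\explorer.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://msn.ca/
O4 - HKLM\\..\\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\\..\\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] ctfmon.exe
"""

# O4 line layout as HijackThis prints it: "O4 - <hive\..\key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")


class Finding(NamedTuple):
    section: str   # "process" or "O4"
    line: str      # the log line that matched
    reason: str


def exe_name(command: str) -> str:
    """First token of a command line (quoted or bare), reduced to its lower-cased file name."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split()[0]
    return ntpath.basename(token).lower()   # ntpath handles backslashes on any host OS


def triage(log: str) -> List[Finding]:
    """Flag running processes and O4 autostart entries that match the thread's indicators."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the Running processes block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            name = ntpath.basename(line).lower()
            if name in KNOWN_BAD_FILES:
                findings.append(Finding("process", line, f"running file {name} is named in this thread"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        if m["value"].lower() in KNOWN_BAD_VALUES:
            findings.append(Finding("O4", line, f"autostart value name {m['value']!r} is the worm's"))
        elif exe_name(m["command"]) in KNOWN_BAD_FILES:
            findings.append(Finding("O4", line, f"autostart runs {exe_name(m['command'])}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Note what this does not catch: matching is by file name only, so lsass.exe, which the user asked about, is not flagged because the genuine one lives in C:\WINNT\system32 and nothing in the thread names it as bad. A list like this is only as good as the indicators fed into it; the scan results and the Symantec write-up are where they come from.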

#24
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts

nothing seems to be working

Really? It seems your log is almost clean. <_<

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...5c667d265bce627

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :D

You may have to uninstall and reinstall Norton to get it working correctly.
  • 0

#25
Aminda

Aminda

    New Member

  • Member
  • Pip
  • 8 posts
Hey guys, I've some serious trouble. I formatted my computer just 2 days ago, 'cause it had some problems. I haven't been able to find out what's going on, but I thought formatting and installing the system again would be a good idea. Well, it didn't help.

I'm puzzled. Programs which run under DOS won't work, and also commands like regedit or msconfig, not to speak of my buddy, HijackThis. They all open for a second and then they get closed. The weirdest thing is that I've tried to end this libsys process, but it keeps showing up the moment I press the "yes" button for deleting. I also tried deleting the libsys application in my system32 folder, but it didn't work: "the application is being used by another program."

I'm stuck! Help! <_<
  • 0


#26
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi Aminda:

Welcome to GTG. :D

Please follow the instructions below and make a new post in the Hijack This section. Posting your problem in someone else's thread is very confusing. :D

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results. <_<
  • 0

#27
Aminda

Aminda

    New Member

  • Member
  • Pip
  • 8 posts
I wish you had read my post with attention. I can NOT run HijackThis. I've used the program before, but the problem is that the virus is closing it 1 second after I open it. Any suggestions?
  • 0

#28
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I do apologize. <_<

I also forgot to ask you to start your own thread. Posting your questions in someone else's thread makes it difficult to differentiate between the two posters and their questions. Thanks. :D
  • 0

#29
igon

igon

    New Member

  • Member
  • Pip
  • 2 posts
Hi!
It seems Aminda and jimfro have similar problems. Till now I had them too:
I couldn't start regedit, DOS programs, IE or Outpost Firewall, and my outgoing modem
traffic was tremendous.

But now I don't have these problems!!!

What I did (my OS: Windows 2000 Professional):
1. In Control Panel/Administrative Tools I started Services.
2. There I found a process with the name "NT login service" and STOPPED it.
3. After about 20 sec I tried to start regedit - successfully; DOS programs and
IE too.
4. In regedit I gave the search string "libsysmgr.exe" and in the found items
changed the value "libsysmgr.exe" to, say, "libsysmgr.exe1".
5. After rebooting my computer there wasn't any problem <_<

I got rid of my problems using the "Probes and Mistakes" method and I'm not sure I did it
correctly - but it works!!!

If it helps you, I'll be glad.

BTW, from now on I don't have any working "NT login service" - is this
dangerous?

PS: I beg your pardon for my bad English - it's not my native language
  • 0

#30
igon

igon

    New Member

  • Member
  • Pip
  • 2 posts
libsysmgr.exe resides not only in %SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
but also in %SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, and starts as a service.

That's why it's important to change ALL instances of this string.
  • 0
