Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Virus alert (no, I haven't got the flue)

Started by Aminda , Dec 03 2004 02:08 PM

Please log in to reply

#1
Aminda

Posted 03 December 2004 - 02:08 PM

New Member

Member
8 posts

Hey guys, I've some serious trouble. I formatted my computer just 2 day ago, 'cause it had some problems. I haven't been able to find out what's going on, but I thought formatting and installing the system again would be a good idea. Well, it didn't help.

I'm puzzled. Programs which run under DOS won't work and also commands like regedit or msconfig - ot to speak of my buddy, Hijackthis, which I was using frequently. They all open for a second and then they get closed. The weirdest thing is that I've tried to end this libsys.exe process but it keeps showing up the moment I press the "yes" button to end it. I also tried deleting the libsys application in my system32 folder, but it didn't work: "the aplication is being used by another program."

I'm stuck! Help! <_<

#2
admin

Posted 03 December 2004 - 07:46 PM

Founder Geek

Community Leader
24,639 posts

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide. Also see this post.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3
Aminda

Posted 04 December 2004 - 05:10 AM

New Member

Topic Starter
Member
8 posts

As I wrote in my previous post, I can not open Hijackthis. I have the program and if I try to open it, it opens for a second but then closes instantly. The computer also blocks the critical updates download and the tredmicro online scan. First of all I need to solve the problem with Hijackthis closing.

#4
coachwife6

Posted 04 December 2004 - 07:43 AM

SuperStar

Retired Staff
11,413 posts

Hi Aminda. Thanks for starting your own post. <_<

I don't think admin. was aware of your other post and did not realize you couldn't open Hijack This.

Igon gave a fix for your problem when you posted on someone else's post. Did you try that out?

Let us know if it helped.

#5
coachwife6

Posted 04 December 2004 - 07:49 AM

SuperStar

Retired Staff
11,413 posts

I also found this on another forum:

Extract the zip file to C:/hjt for example then go to the folder right click on Hijackthis and rename it (don't use the word Hijack when renaming the file). Then try to open it.

If that does not work download and run SMARTKILLER tool: »www.safer-networking.org/files/delcwss..

This tool is a "Might Help, CAN'T HURT" type so dont worry if it doesnt fix the issue

http://www.dslreport...05261~mode=flat

#6
Aminda

Posted 05 December 2004 - 11:45 AM

New Member

Topic Starter
Member
8 posts

Thanks for the tip! It workede with renaming. Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 7:44:40 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\libsysmgr.exe
C:\WINDOWS\system32\cool.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Kituri\Coolweb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://messenger.yahoo.com/
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\fmxcbso.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1102068303929
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101837078551
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA778AE1-D6B2-4A51-AC5D-9511918E2CBB}: NameServer = 82.78.35.1,193.231.236.17

#7
coachwife6

Posted 05 December 2004 - 02:12 PM

SuperStar

Retired Staff
11,413 posts

Run this scan:

http://www.pandasoft...n_principal.htm

Copy the results. They should be similar to the following exe files.

Reboot into safe mode - lightly tapping F8. Make sure all files are showing.

End the following running processes :
libsysmgr.exe
syslog32.exe
libsysmgr.exe
fmxcbso.exe

To end the process:
1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the processes.
5. Scroll through the list and look for any of the file names listed in step 1 of the "Technical Details" section. This file name can vary.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

Delete these files:

C:\WINDOWS\System32\libsysmgr.exe
C:\WINDOWS\system32\cool.exe
C:\Kituri\Coolweb.exe
C:\WINDOWS\System32\fmxcbso.exe
C:\WINDOWS\System 32\syslog32.exe

REboot.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\fmxcbso.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1102068303929
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

REboot.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file
Under Click here to select drives + folders, choose:
All of your hard drives

-> Click on the Advanced button on the left and select:

Include additional process information
Include additional file information
Include environment information
Include additional object details

-> Click the Tweak button and select:

Under the Scanning Engine:
- Unload recognized processes during scanning
- Include basic Ad-aware settings in logfile
- Include additional Ad-aware settings in logfile
Under the Cleaning Engine:
- Let Windows remove files in use at next reboot

-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

Use Custom Scanning Options

-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic. We need the new version of Hijack This. You have an old version. Look for 1.98.2 at the top. The old version doesn't catch all the bad stuff.

#8
Aminda

Posted 06 December 2004 - 11:49 AM

New Member

Topic Starter
Member
8 posts

Logfile of HijackThis v1.98.2
Scan saved at 7:46:59 PM, on 12/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Kituri\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://messenger.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101837078551
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA778AE1-D6B2-4A51-AC5D-9511918E2CBB}: NameServer = 82.78.35.1,193.231.236.17

Looks alright to me...But still, I often have virus alerts coming in. Cam you recomand a strong firewall or a good program for preventing infection through LAN?

#9
Aminda

Posted 07 December 2004 - 10:34 AM

New Member

Topic Starter
Member
8 posts

libsys.exe is back! :cry:

#10
Yarnouth

Posted 07 December 2004 - 10:40 AM

Visiting Staff

Member
508 posts

Where

#11
Aminda

Posted 09 January 2005 - 12:54 PM

New Member

Topic Starter
Member
8 posts

This is my new log. :tazz:

Logfile of HijackThis v1.99.0
Scan saved at 8:50:48 PM, on 1/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HyperTechnologies\Deep Freeze\_$Df\FrzState.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\Yahoo Messenger\Installed\Messenger\YPager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\libsysmgr.exe
C:\Program Files\HijackThis\Searchfriend.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wudqg.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\YAHOOM~1\INSTAL~1\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\YAHOOM~1\INSTAL~1\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68118EF3-A4A4-412F-B83E-7131655D3CC2}: NameServer = 82.78.35.1,193.231.236.17
O17 - HKLM\System\CS1\Services\Tcpip\..\{68118EF3-A4A4-412F-B83E-7131655D3CC2}: NameServer = 82.78.35.1,193.231.236.17
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Pfogfkcj.dll
O21 - SSODL: mtklefap - {4F1833E6-A9A2-402F-FCAF-3DCB5B171DE5} - C:\WINDOWS\System32\tjmjz32.dll
O21 - SSODL: mtkle - {3DEEE93B-ABF2-4A3F-92A2-1A8E99969931} - C:\WINDOWS\System32\qvpzvg32.dll
O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe

#12
coachwife6

Posted 09 January 2005 - 02:03 PM

SuperStar

Retired Staff
11,413 posts

Before you start, you need to read this thread:

You have this deepfreeze and dfservex.exe.

http://forum.hackint...opic.php?p=5384

I'll try the regular method of removing malware, but not sure if it will work after reading the above thread.

Reboot into safe mode and stop (ctrl-alt-del) these processes in task manager:
libsysmgr.exe
syslog32.exe
remove these files:

C:\WINDOWS\System32\libsysmgr.exe
C:\WINDOWS\System 32\syslog32.exe
C:\WINDOWS\System32\wudqg.exe
C:\WINDOWS\System32\Pfogfkcj.dll
C:\WINDOWS\System32\tjmjz32.dll
C:\WINDOWS\System32\qvpzvg32.dll
C:\Program Files\HyperTechnologies\Deep Freeze

Reboot

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wudqg.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe

O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Pfogfkcj.dll
O21 - SSODL: mtklefap - {4F1833E6-A9A2-402F-FCAF-3DCB5B171DE5} - C:\WINDOWS\System32\tjmjz32.dll
O21 - SSODL: mtkle - {3DEEE93B-ABF2-4A3F-92A2-1A8E99969931} - C:\WINDOWS\System32\qvpzvg32.dll

O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot and post a new log.