Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Not even removed by reformating


  • Please log in to reply

#1
Virus Hunter BT

Virus Hunter BT

    New Member

  • Member
  • Pip
  • 2 posts
Lets begin where I went wrong. So I opened internet explorer....

I have the following programs installed and up to date

Ewido
SB S&D
Ad-Adaware
CWShredder
Hijack This
Microsoft Malicious Software removeal tool Sept. & Oct. versions
Defender Pro
Defender Pro System Utilities
Cleanup
About Buster
PV
TDS-3 (Now outdated since it went under)
Spyware Blaster

I Have just reformated by drive for the 3rdish time and I seem to keep getting this virus back. Some viruses i get are (most are files rather than the virus name):

libsysmgr (Cleaned)
mspathfinder (Cleaned)
syslog32 (Cleaned)
i.exe (Cleaned but keeps comming back)
Several TFTP#### viral files (such as TFTP1116)
Several erase_me#### files
o.exe(Cleaned)
MSAOL32DLL.exe (cleaned)
c.bat (Cleaned)
.pif(unknown)
hosts (May be cleaned)

Get the idea?
I have also downloaded firefox and am switching back to it. My HJT log is posted below but appears clean. I have a good understanding of computers and viruses and actually help people out for a hobby, but I just can't seem to figure this one out. Any Ideas?



Logfile of HijackThis v1.99.1
Scan saved at 12:15:04 AM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A0849F8-0245-4409-A151-61A851045A57}: NameServer = 207.217.126.81 207.217.77.82
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe

I'll also put a silent runners log up soon. The only one that looks odd it that 017 entry. Upon futher inspection, however, it really looks legit now so, eh, ignore the last paragraph. :tazz: :)

Ps: My system freezes up a lot but usually only when i'm on the net...

Edited by Virus Hunter BT, 26 October 2005 - 10:19 PM.

  • 0

Advertisements


#2
Virus Hunter BT

Virus Hunter BT

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
:tazz: Really do need help here!

Sorry, impatient...

Ok, Uhhh, been a while so i'll reupdate the HJT log, it's getting much worse

ohh, eh, right. I can't run HJT anymore. It freezes on netscape mozilla homepage....

Also, add system32/i.exe to that list of pain in the harddrive viruses along with the
following suspisious files
usbdr.exe
zxusbdr.exe
msgconfig.exe
Rpcmon.exe
lsass.exe (and not the good one)

I'll try to run HJT asap

Please HElp Me :)

HAHA! Got the log. here it is...


Logfile of HijackThis v1.99.1
Scan saved at 9:47:48 AM, on 11/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
C:\Program Files\Defender Pro Anti Spam\dpantispam.exe
C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
C:\WINDOWS\System32\CTPdeSrv.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfig.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfig.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
O4 - HKCU\..\Run: [DefenderProAutoRun] "C:\Program Files\Defender Pro Anti Spam\dpantispam" -D "C:\Program Files\Defender Pro Anti Spam\conf"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Defender Pro Firewall.lnk = ?
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)

Edited by Virus Hunter BT, 28 November 2005 - 08:52 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP