Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Unknown Virus

Status
Not open for further replies.
glenmac

glenmac

Technical User
Joined
Jul 3, 2002
Messages
947
Location
CA
I've picked up a virus that I can't find and was wondering if any of you have seen it before. What this thing is doing is making it impossible to view folders on my machine. When I open a folder it is blank including the mycomputer folder. At the bottom of the window it says how many objects are in the folder and how much space it is using but nothing is visible in the window. When I try to close an open folder it won't close either. I have to go to task manager to close it. After I get it closed my system runs normally again. While a folder is open it's using 100% of my CPU as viewed in task manager. I've run Norton ,AVG and PCcilin virus checkers and they all give me a clean bill of health. I'm running Windows 2000 server. All help would be greatly appreciated.

Glen
 
Sort by date Sort by votes
ok, download these programmes and run them after you get updates for them.

AdAware 6.18


Download and run SpyBot.search & destroy Remove what it highlights in red


then get these two and run CWshredder first

CWshredder & hijack this


then post a hijack this log here for inspection.

pech
 
Upvote 0 Downvote
Ran both spybot and adaware as well. Turned out that I finally couldn't boot to the server so I had to load a ghosted image. Still don't know what it was that wrecked my OS but it's a bad one. thanks for the post though. BTW I think I got it from a site called So please beware of this site. If it's not their fault I do appologize but after visiting the site all the bad stuff started happening.

Glen
 
Upvote 0 Downvote
Are you sure the image you loaded was before you got the virus/trojan?
sorry to be paranoid...
run hijackthis and post a log here for more peace of mind
 
Upvote 0 Downvote
K here's my Log
Logfile of HijackThis v1.97.7
Scan saved at 7:12:30 AM, on 24/02/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\anvshell.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows DEC] windec.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Windows System Controller] dllhostx86.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\RunServices: [Windows DEC] windec.exe
O4 - HKLM\..\RunServices: [Windows System Controller] dllhostx86.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - O16 - DPF: {11111111-1111-1111-1111-111111111111} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (AuroraPlugin Class) - O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {A9EF28A2-55D1-480B-A403-84928D59F556} (DFRun Class) - O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {D53B810F-6219-11D4-95B6-0040950375E7} - O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -

I've eliminated windec.exe but am curious about internat.exe



Glen
 
Upvote 0 Downvote
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
Google searches suggest that lines with the rdxie content should be removed.

I see several lines that reference gator, I dont know if this would cause the kinds of problems you are having.

I also see a couple of dialer lines, but I thought spybot and adaware deleted these.
 
Upvote 0 Downvote
Upvote 0 Downvote
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} -
Get rid of that too!
And internat.exe is EITHER a virus or the app for dual language support. Check before you delete.
Check here
And this very dodgy
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
They don't look like a legit comapny.

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - And that is sus too.
 
Upvote 0 Downvote
thanks folks for your quick and helpfull replys!. This is what I have now (Ithink it's clean enough)
Logfile of HijackThis v1.97.7
Scan saved at 6:46:18 PM, on 24/02/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\anvshell.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - O16 - DPF: {11111111-1111-1111-1111-111111111111} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {1A4DA620-6217-11CF-BE62-0080C72EDD2D} (MarqueeCtl Object) - O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (AuroraPlugin Class) - O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} -



Glen
 
Upvote 0 Downvote
Seems okay now, but to be sure that the virus got flushed completely, you should turn off and then turn back on system restore.
This is entirely your choice though as you may want to keep any restore points you have. But if you have restore points then you have versions of hijacked reg entries etc etc...
 
Upvote 0 Downvote
I am not really sure you had a virus at all. Sounds like windows explorer went FUBAR. It's microsoft and it happens.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

RodneyMcSnow
  • Locked
  • Question Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
387
ChrisHirst
ChrisHirst
diembi
  • Locked
  • Question Question
McAfee can stop my not virus process?
Replies
0
Views
232
diembi
diembi
RodneyMcSnow
  • Locked
  • Question Question
computer says windows 2012 has detected a virus
Replies
2
Views
270
kjv1611
kjv1611
Enkrypted
  • Locked
  • Question Question
SBS 2003 Exchange Virus Scan registry setting
Replies
0
Views
216
Enkrypted
Enkrypted
Leefp2
  • Locked
  • Question Question
Blueseek virus
Replies
0
Views
232
Leefp2
Leefp2

Part and Inventory Search

Sponsor

Back
Top