
Virus Info. Pls Help!

Status
Not open for further replies.

livesfreely

Technical User
May 30, 2003
62
IN
I have two viruses on my PC running Win98. The names are:
1. Keylog-LfzMph
2. BackDoor-AMS

I use AVG virus scan, which didn't detect them. Since I knew the computer was infected somehow, I tried different antivirus programs. My last resort was the McAfee online virus scan. That is the only one that found the viruses, but the free online scan doesn't remove them. I searched the web and couldn't find any information on these viruses. I don't know how to remove them. Can someone help me with this?
Virus #2 has an entry in win.ini and system.ini at run and shell = C:/windows/winsys32.exe
I tried removing these entries, but it didn't work.
I also get a message when I start my PC. The message is (a dialog box):
connect:WSocketResolveHost:cannot convert host address 'ns1.arpa.net',Error #11001
I don't have any other symptoms currently.
I hope someone can help me with this. Thanks.
 
I should've mentioned: I already tried Spybot and Ad-Aware. Nothing shows up in there.
 

Backdoor.AMS
Delete these:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Kingsoft"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "msi"
 
Backdoor.AMS

Kill these files in the process viewer after regedit:

c:\WINDOWS\SYSTEM\msinet.exe
c:\WINDOWS\SYSTEM\Xdict.exe

Delete the files.
 
SYAR2003

I tried what you said, but I didn't find the above mentioned files in the registry editor or in the system folder. I found:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "C:\WINDOWS\WinSys32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- "C:\WINDOWS\WinSys32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "C:\WINDOWS\win_spool2.exe"

I also tried the above mentioned method for the files I found (before posting for help in this forum), but these files were not in the 'c:\windows\system' folder.
Also, I didn't see these files in the process viewer, if by process viewer you mean the box that appears in Win98 after Ctrl+Alt+Del.
 
Logfile of HijackThis v1.97.7
Scan saved at 11:34:54 PM, on 12/2/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINSYS32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MULTI-MEDIA KEYBOARD\MMKEY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\JUNO6\ZCAST.EXE
C:\PROGRAM FILES\JUNO6\CHKRAS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\CCZIPWIZ\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\WINSYS32.EXE
F1 - win.ini: run=C:\WINDOWS\WINSYS32.EXE
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\d56eucpj.slt\prefs.js)
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKEY.EXE
O4 - HKLM\..\Run: [WinSys32] C:\WINDOWS\WinSys32.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
 
Yes, win_spool2.exe is related to Keylog-LfzMph according to the McAfee online virus scan.
 
Let HijackThis take out these entries.
Reboot.

O4 - HKLM\..\Run: [WinSys32] C:\WINDOWS\WinSys32.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\WINSYS32.EXE
F1 - win.ini: run=C:\WINDOWS\WINSYS32.EXE

Run a new online virus scan and try deleting the files that the scan finds as infected.
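The reply above picks three lines out of the HijackThis log (an F0 system.ini Shell= hook, an F1 win.ini run= hook and an O4 Run key) that all point at the same WINSYS32.EXE. As an added example that is not part of the thread or of HijackThis itself, the following Python parses those line types and flags an executable when it persists through the .ini hooks (which are empty or just Explorer.exe on a clean Win98 install) or through more than one autostart location; the sample log is constructed from the entries quoted in the thread.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis format, modelled on the log posted in this thread.
SAMPLE_LOG = """\
F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\WINSYS32.EXE
F1 - win.ini: run=C:\\WINDOWS\\WINSYS32.EXE
O4 - HKLM\\..\\Run: [ScanRegistry] c:\\windows\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O4 - HKLM\\..\\Run: [WinSys32] C:\\WINDOWS\\WinSys32.exe
O4 - HKLM\\..\\RunServices: [spool] C:\\WINDOWS\\win_spool2.exe
"""

# O4 lines look like: <registry key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
INI_SOURCES = {"system.ini Shell", "win.ini run/load"}


def parse_autostarts(log_text):
    """Yield (source, exe_basename) pairs for the F0/F1/O4 lines of a HijackThis log."""
    for line in log_text.splitlines():
        kind, sep, rest = line.strip().partition(" - ")
        if not sep:
            continue
        if kind == "F0":  # system.ini Shell=; only Explorer.exe is expected here
            for token in rest.partition("=")[2].split():
                if token.lower() != "explorer.exe":
                    yield "system.ini Shell", ntpath.basename(token).lower()
        elif kind == "F1":  # win.ini run=/load=; empty on a clean system
            for token in rest.partition("=")[2].split():
                yield "win.ini run/load", ntpath.basename(token).lower()
        elif kind == "O4":
            m = O4_RE.match(rest)
            if m:
                # first token of the command line; quoted paths with spaces are not handled
                exe = m.group("cmd").split()[0]
                yield m.group("key"), ntpath.basename(exe).lower()


def find_suspicious(log_text):
    """Map executable -> autostart sources, keeping only those that use an .ini hook
    or persist from more than one location (the pattern WINSYS32.EXE shows)."""
    by_exe = defaultdict(list)
    for source, exe in parse_autostarts(log_text):
        by_exe[exe].append(source)
    return {exe: srcs for exe, srcs in by_exe.items()
            if len(srcs) > 1 or INI_SOURCES & set(srcs)}


if __name__ == "__main__":
    for exe, srcs in find_suspicious(SAMPLE_LOG).items():
        print(exe, "<-", ", ".join(srcs))
```

On the sample this flags only winsys32.exe; win_spool2.exe sits in a single RunServices value and is caught here only by the scanner's verdict, as the thread itself relies on.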

 
I was just wondering, since I don't use file-sharing or peer-to-peer networks: the Symantec website you pointed me to said that this is how the infection is spread. How else could my PC have gotten infected by this virus?
 
OK, I tried removing these entries through HijackThis, but I was unable to delete the winsys32.exe file in c:\windows because it is running. Once I restart the computer after using HijackThis, these entries come back.
 
Use Ctrl+Alt+Del to bring up the task manager.
End winsys32.exe/win_spool32.exe.
Delete the files.
 
Well, you need to be made secure when on the internet. Try a firewall such as ZoneAlarm, and get fully patched up from MS.
 
I can't see these files in the task manager. Is there any other way to kill processes that are not visible?
 
1stITMAN
Currently I am using the Sygate Firewall. It happened while my brother was using the PC. He turned the firewall off, I think. Thanks for your suggestion. I'll make sure to get the MS patches.
 