Virus help

Discussion in 'Off Topic' started by galaxyAbstractor, Jun 11, 2008.

Thread Status:
Not open for further replies.
  1. galaxyAbstractor

    galaxyAbstractor Community Advocate Community Support

    OK, now I ended up really bad running this file.

    I scanned it through with Avast!, nothing. I ran it and Avast! went crazy with over 20 alerts of different trojans. It couldn't delete one of them. I believe it is a virus since when I opened up Task Manager it was running 75 times.

    I could delete most processes but now I am stuck with 2. I delete one, another starts.

    The process is called 30874.exe and is under /application data/microsoft/dtsc/.

    In this folder there are 2 files, the process and 's'.

    Now one autorun thing has appeared, 30874.exe. However much I delete it, it appears again.

    I am running Windows Defender right now on a full scan. Next, I will run Avast! for a full scan and then Spybot Search & Destroy.

    I am afraid it won't be able to delete it. What do you think I should do?

    I'm leaving my comp on all the time because I'm too afraid I can't start it again afterwards (some viruses do this).

    There is no info on Google about 30874.exe, so it is something new (maybe I'm the first with it lol).

    And I put ZoneAlarm on total internet lock.
  2. Smith6612

    Smith6612 I ate all of the x10Pizza Community Support

    First of all, reboot it. Before the Windows loading screen comes up (with the moving bar), press F8. Select Safe Mode, and then boot into Windows using Safe Mode. Run a virus scan if you can, and see if Avast can remove the virus. If it can't, boot back into normal mode and then we'll go from there.
  3. galaxyAbstractor

    galaxyAbstractor Community Advocate Community Support

    I'll finish Windows Defender first. It has 100 000 files left (10 min).
  4. Smith6612

    Smith6612 I ate all of the x10Pizza Community Support

    OK, it may not find anything, but let us know what the results are of the Safe Mode scan.
  5. galaxyAbstractor

    galaxyAbstractor Community Advocate Community Support

    Also, I have 444.0.exe which seems to be a virus...
  6. Spartan Erik

    Spartan Erik Retired

    I suggest the same thing Smith says: try the spyware/virus scan in Safe Mode. If it isn't removed, then come back here and tell us.
    Last edited: Jun 12, 2008
  7. tnl2k7

    tnl2k7 Banned

    Your best bet is to format your hard disk and re-install Windows, as you never know which Windows system files may have been damaged by this virus. I'd grab a spare hard disk, copy my files to it and re-install as soon as possible if I were you.

    -Luke.
  8. knight3000

    knight3000 New Member

    First of all, as an IT technician I would recommend downloading AVG Antivirus; if anything is going to remove it, this will. It's available free.

    http://free.grisoft.com
  9. galaxyAbstractor

    galaxyAbstractor Community Advocate Community Support

    Well, I ran Windows Defender and went to sleep. When I woke up my comp had restarted... (yeah, I know, my comp is a bit unstable).

    I should do the virus scan in Safe Mode now.

    Btw, I did a HijackThis log:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:43:54, on 2008-06-12
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Razer\Copperhead\razerhid.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program\ALWILS~1\Avast4\ashDisp.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\xampp\apache\bin\apache.exe
    C:\Program\DNA\btdna.exe
    C:\Program\WhatPulse\WhatPulse.exe
    C:\Program\RocketDock\RocketDock.exe
    C:\Program\Razer\Copperhead\razertra.exe
    C:\Program\Razer\Copperhead\razerofa.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\xampp\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRAM\MOZILL~1\FIREFOX.EXE
    C:\Program\Trend Micro\HijackThis\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [razer] C:\Program\Razer\Copperhead\razerhid.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WhatPulse] C:\Program\WhatPulse\WhatPulse.exe
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\vigge_sWe\Application Data\Microsoft\dtsc\30874.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Genväg till RocketDock.lnk = C:\Program\RocketDock\RocketDock.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program\Delade filer\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: UPnPService - Magix AG - C:\Program\Delade filer\MAGIX Shared\UPnPService\UPnPService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    
    --
    End of file - 8313 bytes
    + I could kill the 30874.exe process after the restart. But it had started 75 times again.
    Last edited: Jun 12, 2008
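    As an added example (not from this thread and not part of HijackThis itself), a small Python triage script that parses the O4 Run-key and O23 service lines of a log in this format and flags the three patterns visible in the log above: an autorun launched from the user's Application Data folder, an executable whose name is only digits, and a service whose binary is missing. The sample log lines and the user name in them are constructed.

```python
import re

# Constructed sample in HijackThis v2 log format (O4 and O23 line shapes);
# the user name in the profile path is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\someuser\Application Data\Microsoft\dtsc\30874.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:[\\/].*)$')
# Per-user folders any unprivileged process can write to; legitimate software
# rarely registers an autorun that launches from here.
USER_WRITABLE = re.compile(r'\\(Application Data|Local Settings|Temp)\\', re.I)
# Executable whose base name is only digits, e.g. 30874.exe or 444.0.exe.
NUMERIC_EXE = re.compile(r'[\\/]\d+(?:\.\d+)*\.exe$', re.I)

def exe_path(cmd):
    """Reduce an O4 command line (quoted, or followed by arguments) to its executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.*?\.exe)', cmd, re.I)
    return m.group(1) if m else cmd.split(' ')[0]

def triage(log_text):
    """Return the O4/O23 entries that match a persistence heuristic, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        if m := O4_RE.match(line):
            kind, name, path = 'O4', m['name'], exe_path(m['cmd'])
            if USER_WRITABLE.search(path):
                reasons.append('autorun from user-writable profile directory')
        elif m := O23_RE.match(line):
            kind, name, path = 'O23', m['name'], m['path']
            if path.endswith('(file missing)'):
                path = path[:-len('(file missing)')].strip()
                reasons.append('service binary missing on disk')
            if m['owner'].lower() == 'unknown owner':
                reasons.append('no publisher recorded')
        else:
            continue
        if NUMERIC_EXE.search(path):
            reasons.append('executable name is only digits')
        if reasons:
            findings.append({'kind': kind, 'name': name, 'path': path, 'reasons': reasons})
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}] {f['path']}: {'; '.join(f['reasons'])}")
```

    A hit is a reason to look closer, not proof of infection: legitimate per-user tools do sometimes run from Application Data, so check the flagged file's publisher and hash before removing anything.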
  10. Jarryd

    Jarryd Community Advocate Community Support

    If you like, I could look through your HijackThis log and actually tell you what to remove; I used to analyze them at the SpywareInfo forums.

    Also... I recommend going to Start > Run. Then type msconfig; it will load a configuration window. Select Startup and see if it is in there. If it is, untick it, reboot, then delete the files and see how that goes. Removing it from startup should prevent it from running whenever you reboot.
  11. galaxyAbstractor

    galaxyAbstractor Community Advocate Community Support

    I ran ComboFix and it deleted the viruses, but now everything is messed up.
    Edit:
    Lucky me that Windows had made an automatic system check just before I downloaded the virus lol.

    I could restore to that point without losing too much data.
    Last edited: Jun 12, 2008
  12. Jarryd

    Jarryd Community Advocate Community Support

    Lucky you.

  13. Would you possibly take a quick browse through mine?

    If yes, I will PM it to you?
  14. tnl2k7

    tnl2k7 Banned

    Please create your own thread for this, don't hijack someone else's thread.

    -Luke.
  15. Edited for arguing with staff.
    Last edited by a moderator: Jun 12, 2008
  16. Sohail

    Sohail New Member

    You have been temp banned for 5 days for flaming with staff. The moderators are here to make sure everything in the forums is in order, and that's what we're here for. I don't want to find out that you're flaming with staff again or you will be given a permanent ban, so please be careful in the future. This is your first and final warning!
  17. dktucson

    dktucson New Member

    Vigge---Umm..before starting any virus hunt, back up everything near and dear to you off the computer..if the virus is aggressive, the payload it may deliver when you attempt to remove it is to hose your Windows files.
    Also..after that the very next thing to do is DISABLE SYSTEM RESTORE!!! VIRUSES HIDE IN RESTORE POINTS!! This is how they seem to magically come back after having been supposedly "cleaned"--ComboFix is good to run if you are on a 64-bit platform--SDFix if you are on 32-bit.
    Download Malwarebytes' free anti-malware program--rename the executable, as some viruses will keep it from running. Also try a-squared Free and SuperAntiSpyware. Once the system is cleaned, install Avira AntiVir.
  18. Livewire

    Livewire Abuse Compliance Officer Staff Member

    This thread is almost 1.5 years old. He might not even have the same pc anymore.