Virus help

Status
Not open for further replies.

galaxyAbstractor

Community Advocate
Community Support
Messages
5,508
Reaction score
35
Points
48
OK, now I've ended up really badly after running this file.

I scanned it through with Avast!, nothing. I ran it and avast! went crazy with over 20 alerts of different trojans. It couldn't delete 1 of them. I believe it is a virus since when I opened up Task Manager it was running 75 times.

I could kill most processes but now I am stuck with 2. I kill 1, another starts.

The process is called 30874.exe and is under /application data/microsoft/dtsc/.

In this folder there are 2 files, the process and 's'.

Now 1 autorun entry has appeared, 30874.exe. However much I delete it, it appears again.

I am running Windows Defender right now on a full scan. Next, I will run Avast! for a full scan and then Spybot Search & Destroy.

I am afraid it won't be able to delete it. What do you think I should do?

I leave my comp on all the time because I'm too afraid I won't be able to start it again afterwards (some viruses do this).

There is no info on Google about 30874.exe, so it is something new (maybe I'm the 1st with it lol).

And I put ZoneAlarm on total internet lock.
 

Smith6612

I ate all of the x10Pizza
Community Support
Messages
6,517
Reaction score
48
Points
48
First of all, Reboot it. Before the Windows Loading screen comes up (with the moving bar), press F8. Select Safe Mode, and then boot into Windows using Safe Mode. Run a Virus scan if you can, and see if Avast can remove the virus. If it can't, boot back into normal mode and then we'll go from there.
 

Smith6612

I ate all of the x10Pizza
Community Support
Messages
6,517
Reaction score
48
Points
48
OK, it may not find anything, but let us know what the results are of the Safe Mode scan.
 

Spartan Erik

Retired
Messages
6,764
Reaction score
0
Points
0
I suggest the same thing Smith says: try the spyware/virus scan in Safe Mode. If it isn't removed then come back here and tell us.
 

tnl2k7

Banned
Messages
3,131
Reaction score
0
Points
0
Your best bet is to format your hard disk and re-install Windows, as you never know which Windows system files may have been damaged by this virus. I'd grab a spare hard disk, copy my files to it and re-install as soon as possible if I were you.

-Luke.
 

galaxyAbstractor

Community Advocate
Community Support
Messages
5,508
Reaction score
35
Points
48
Well, I ran Windows Defender and went to sleep. When I woke up my comp had restarted... (yeah, I know, my comp is a bit unstable).

I should do the virus scan now in Safe Mode.

Btw, I did a HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43:54, on 2008-06-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Razer\Copperhead\razerhid.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\xampp\apache\bin\apache.exe
C:\Program\DNA\btdna.exe
C:\Program\WhatPulse\WhatPulse.exe
C:\Program\RocketDock\RocketDock.exe
C:\Program\Razer\Copperhead\razertra.exe
C:\Program\Razer\Copperhead\razerofa.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [razer] C:\Program\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program\DNA\btdna.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\vigge_sWe\Application Data\Microsoft\dtsc\30874.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Genväg till RocketDock.lnk = C:\Program\RocketDock\RocketDock.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program\Delade filer\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPnPService - Magix AG - C:\Program\Delade filer\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8313 bytes

+ I could kill the 30874.exe process after the restart. But it had started 75 times again.
 

Jarryd

Community Advocate
Community Support
Messages
5,534
Reaction score
43
Points
48
If you like I could look through your HijackThis log and actually tell you what to remove; I used to analyze them at the SpywareInfo forums.

Also... I recommend going to Start > Run, then typing msconfig. It will load a configuration window; select Startup and see if it is in there. If it is, untick it, reboot, then delete the files and see how that goes. Removing it from startup should prevent it from running whenever you reboot.
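An added triage script (not from this thread, HijackThis, or any of the posters) that applies to the posted log the two checks this thread turns on: O4 Run entries whose binary sits in a user-writable profile folder such as Application Data, and O23 services with no vendor string or a missing file. The sample lines are copied from the log above; the flagging rules are assumptions for illustration, and a flag is a lead to look at, not a verdict.

```python
import re
# Constructed sample in HijackThis format: two entries copied from the log posted
# in this thread, each paired with a benign line from the same log for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [Microsoft Windows Installer] C:\\Documents and Settings\\vigge_sWe\\Application Data\\Microsoft\\dtsc\\30874.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\\WINDOWS\\444.0.exe (file missing)
"""
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Profile folders any user can write to; real installers register autostarts elsewhere.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

def exe_path(cmd):
    """Executable part of a Run value: the quoted path, or text up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i != -1 else cmd.split(" ", 1)[0]

def triage_o4(line):
    """Reasons an O4 (Run key) line deserves a look; empty if nothing stands out."""
    m = O4_RE.match(line)
    if not m:
        return []
    path, name, reasons = exe_path(m["cmd"]).lower(), m["name"].lower(), []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("autostart binary lives in a user-writable profile folder")
    if ("microsoft" in name or "windows" in name) and not path.startswith(("c:\\windows\\", "c:\\program")):
        reasons.append("Microsoft-looking name but binary outside the Windows/Program folders")
    return reasons

def triage_o23(line):
    """Reasons an O23 (service) line deserves a look; 'Unknown owner' is only a lead
    (XAMPP's hand-installed MySQL in this thread's log shows it too)."""
    parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
    if not line.startswith("O23 - Service: ") or len(parts) != 3:
        return []
    _name, vendor, path = parts
    reasons = []
    if vendor == "Unknown owner":
        reasons.append("service has no vendor string")
    if path.endswith("(file missing)"):
        reasons.append("service binary is missing on disk")
    return reasons

def triage(log_text):
    """Map each flagged log line to its reasons; benign lines are left out."""
    flagged = ((ln, triage_o4(ln) + triage_o23(ln)) for ln in log_text.splitlines())
    return {ln: why for ln, why in flagged if why}
```

Run `triage(open("hijackthis.log").read())` on a full log to get only the lines worth checking by hand; the benign avast! lines in the sample produce no output.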
 

galaxyAbstractor

Community Advocate
Community Support
Messages
5,508
Reaction score
35
Points
48
I ran ComboFix and it deleted the viruses but now everything is messed up.
Edit:
Lucky me that Windows had made an automatic system checkpoint just before I downloaded the virus lol.

I could restore to that point without losing too much data.
 
Messages
740
Reaction score
1
Points
18
If you like I could look through your HijackThis log and actually tell you what to remove; I used to analyze them at the SpywareInfo forums.

Also... I recommend going to Start > Run, then typing msconfig. It will load a configuration window; select Startup and see if it is in there. If it is, untick it, reboot, then delete the files and see how that goes. Removing it from startup should prevent it from running whenever you reboot.


Would you possibly take a quick browse through mine?

If yes, I will PM it to you?
 

Sohail

Active Member
Messages
3,055
Reaction score
0
Points
36
You have been temp banned for 5 days for flaming with staff. The moderators are here to make sure everything in the forums is in order and that's what we're here for. I don't want to find out that you're flaming with staff again or you will be given a permanent ban, so please be careful in the future. This is your first and final warning!
 

dktucson

New Member
Messages
10
Reaction score
0
Points
0
Vigge... Umm.. before starting an anti-virus hunt, back up everything near and dear to you off the computer. If the virus is aggressive, the payload it may deliver when you attempt to remove it is to hose your Windows files.
Also.. after that, the very next thing to do is DISABLE SYSTEM RESTORE!!! VIRUSES HIDE IN RESTORE POINTS!! This is how they seem to magically come back after having been supposedly "cleaned". ComboFix is good to run if you are on a 64-bit platform, SDFix if you are on 32-bit.
Download Malwarebytes' free anti-malware program; rename the executable, as some viruses will keep it from running. Also try A-Squared Free and SuperAntiSpyware. Once the system is cleaned, install Avira AntiVir.
 

Livewire

Abuse Compliance Officer
Staff member
Messages
18,169
Reaction score
216
Points
63
Vigge... Umm.. before starting an anti-virus hunt, back up everything near and dear to you off the computer. If the virus is aggressive, the payload it may deliver when you attempt to remove it is to hose your Windows files.
Also.. after that, the very next thing to do is DISABLE SYSTEM RESTORE!!! VIRUSES HIDE IN RESTORE POINTS!! This is how they seem to magically come back after having been supposedly "cleaned". ComboFix is good to run if you are on a 64-bit platform, SDFix if you are on 32-bit.
Download Malwarebytes' free anti-malware program; rename the executable, as some viruses will keep it from running. Also try A-Squared Free and SuperAntiSpyware. Once the system is cleaned, install Avira AntiVir.

This thread is almost 1.5 years old. He might not even have the same pc anymore.
 