help hidden virus or somethin

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

miffed

Thread Starter
Joined
Feb 1, 2003
Messages
46
i have had big problems for a few weeks now and im still getting problems - i had norton installed and when i tried to update it had an error could not connect to internet etc but im online - so i tried my dos virus check with the edisks - they could not find the virus definitions on disk 4 then i uninstalled norton and tried fix it utilities - when i try to update i get same error could not connect (same as norton) so could u please look at my startup list an c if u can c a malicious file or virus

please help i got a lan party on sunday need to clean by then :)

well here is start up list

StartupList report, 11/02/2003, 18:34:26
StartupList version: 1.51
Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe (why do i have 2 svchost)
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AOL 7.0\waol.exe
C:\WINDOWS\System32\devldr32.exe
C:\unzipped\startuplist151[1]\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (what is this one)

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[nView]
NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[AV Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PAV.dll
CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[CSS Web Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
CODEBASE = http://www.freedom.net/onlineviruscheck/cabs/cssweb.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RavOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\slider\LOCALS~1\Temp\VcCleanUp.exe


--------------------------------------------------
End of report, 4,377 bytes
Report generated in 0.110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Apr 26, 2002
Messages
2,538
I don't see anything obvious. But since you have the Startup List file, go back to the Lurkhere website and download Spybot Search and Destroy. Install it, run the updates, then scan your hard drive. Anything that it picks up in RED is most likely a trojan program which needs to be dealt with.

Also surf out to
http://housecall.trendmicro.com/

and do an on-line scan with or without registering to see if it finds anything that Nortons didn't pick up.

My 2 cents.
 
Joined
Feb 14, 2003
Messages
40
don't know what action you have already taken since the last post but thought you might be interested -

ypager.exe = PWSteal.BStroj is a password-stealing Trojan horse. It collects user passwords for MSN Messenger or Yahoo! Messenger and sends them to the hacker.

The Trojan uses the same icon as MSN Messenger or Yahoo! Messenger in an attempt to disguise itself as those programs.

Details about the fake Yahoo Messenger
When the Trojan runs, it copies itself as %system%\YUpdater.exe or %system%\YPager.exe.

It adds the value

Sys "YUpdater.exe"

or

System "YPager.exe"

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs each time that you start Windows.

Details about the fake MSN Messenger
When the Trojan runs, it copies itself as %system%\Msmsngs.exe.

It adds value

Sysmsn "msmsngs.exe"

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs each time that you start Windows.

Both Trojans display an error message and send your IP address, host name, messenger name, and password to the hacker.


Go to the Symantec site for more info about this. I know what it's like to battle a trojan. Not much fun. Thinking about a honeypot on one of my machines just to collect the pests. Kind of a cyber bug collection to study.
 

tpb

Joined
Feb 27, 2001
Messages
573
Miffed does not have PWSteal.BStroj.

Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet is a valid Yahoo Messenger entry.
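The distinction tpb draws (the real Yahoo Messenger runs from its Program Files directory, while the trojan described two posts up drops YPager.exe / YUpdater.exe / Msmsngs.exe into %system% and registers them under Run values named Sys, System or Sysmsn) is easy to check mechanically against a StartupList report. The script below is an added example, not code from any of the posters or from StartupList: it parses the Run-key sections of a report in the same format as the one posted, extracts the launched executable from each value, and flags only entries matching the indicators quoted in the thread. The sample report is constructed; its HKLM "System" and "Sysmsn" lines are invented to look like the trojan's entries, while the other lines copy the thread's own report.

```python
"""Flag Run-key entries in a StartupList report that match the PWSteal.BStroj
description quoted in the thread: value names Sys/System/Sysmsn, or
YUpdater.exe / YPager.exe / Msmsngs.exe launched from %system%.  The Yahoo!
Messenger client itself runs from its Program Files directory and is reported ok."""
import ntpath
import re
from typing import Dict, List

# Indicators taken from the trojan description posted in the thread.
INDICATOR_VALUE_NAMES = {"sys", "system", "sysmsn"}
INDICATOR_FILE_NAMES = {"yupdater.exe", "ypager.exe", "msmsngs.exe"}

RUN_HEADER = "Autorun entries from Registry:"
ENTRY_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<data>.+)$")
# Command line -> executable: a quoted path, an unquoted path up to the first
# ".exe" (paths in these reports may contain spaces), or else the first token.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)|^(\S+)', re.IGNORECASE)

# Constructed sample in StartupList 1.51 format.  The "System" and "Sysmsn"
# values are made up to mimic the trojan entries; the other lines copy the
# thread's own report.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
System = YPager.exe
Sysmsn = C:\WINDOWS\System32\msmsngs.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
"""


def parse_run_entries(report: str) -> List[Dict[str, str]]:
    """Return {'key', 'name', 'data'} for each entry under a Run-key section."""
    entries, lines, i = [], report.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() != RUN_HEADER or i + 1 >= len(lines):
            i += 1
            continue
        key = lines[i + 1].strip()          # the hive\path line follows the header
        i += 2
        while i < len(lines) and not lines[i].startswith("-----"):
            m = ENTRY_RE.match(lines[i].strip())
            if m:
                entries.append({"key": key, "name": m["name"].strip(),
                                "data": m["data"].strip()})
            i += 1
    return entries


def executable_of(command: str) -> str:
    """Extract the program path from a Run value's command line."""
    m = EXE_RE.match(command.strip())
    return next(g for g in m.groups() if g) if m else command


def assess_entry(entry: Dict[str, str]) -> Dict[str, str]:
    """Classify one Run entry as 'suspicious' or 'ok', with the reason."""
    exe = executable_of(entry["data"])
    base = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower()
    # A bare file name is resolved from the system/PATH directories, which is
    # how a value of just "YPager.exe" works; an explicit %system% path counts too.
    in_system_dir = directory == "" or directory.endswith(("\\system32", "\\system"))
    name_hit = entry["name"].lower() in INDICATOR_VALUE_NAMES
    file_hit = base in INDICATOR_FILE_NAMES
    reasons = []
    if name_hit:
        reasons.append(f"value name {entry['name']!r} matches the trojan's Run value")
    if file_hit and in_system_dir:
        reasons.append(f"{base} launched from %system% rather than a program directory")
    suspicious = name_hit or (file_hit and in_system_dir)
    if file_hit and not suspicious:
        reasons.append(f"{base} runs from {directory}, the client's own install path")
    return {**entry, "exe": exe, "verdict": "suspicious" if suspicious else "ok",
            "reason": "; ".join(reasons) or "no indicator"}


def assess_report(report: str) -> List[Dict[str, str]]:
    """Parse a whole report and assess every Run entry in it."""
    return [assess_entry(e) for e in parse_run_entries(report)]


if __name__ == "__main__":
    for r in assess_report(SAMPLE_REPORT):
        print(f"[{r['verdict']:10}] {r['key'][:4]} {r['name']} -> {r['exe']}  ({r['reason']})")
```

Run as-is it prints six lines: the two invented HKLM values are marked suspicious, and the "Yahoo! Pager" entry is marked ok with a note that ypager.exe is under the Messenger install path, which is exactly the call tpb made. The check is deliberately tied to the indicators in the thread; a bare file-name match alone is not treated as evidence, because the same name in a legitimate directory is the normal case.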
 
