
help hidden virus or somethin

Discussion in 'Virus & Other Malware Removal' started by miffed, Feb 11, 2003.

  1. miffed

    miffed Thread Starter

    Joined:
    Feb 1, 2003
    Messages:
    46
    I have had big problems for a few weeks now and I'm still getting problems. I had Norton installed, and when I tried to update it I had an error, "could not connect to internet" etc., but I'm online. So I tried my DOS virus check with the edisks; they could not find the virus definitions on disk 4. Then I uninstalled Norton and tried Fix-It Utilities; when I try to update I get the same error, could not connect (same as Norton). So could you please look at my startup list and see if you can see a malicious file or virus.

    Please help, I've got a LAN party on Sunday and need it clean by then :)

    Well, here is the startup list:

    StartupList report, 11/02/2003, 18:34:26
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist151[1]\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe (why do I have 2 svchost?)
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\unzipped\startuplist151[1]\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (what is this one?)

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [nView]
    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Download Program Files:

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [AV Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PAV.dll
    CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [CSS Web Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\cssweb.dll
    CODEBASE = http://www.freedom.net/onlineviruscheck/cabs/cssweb.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [RavOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
    CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: \??\C:\DOCUME~1\slider\LOCALS~1\Temp\VcCleanUp.exe


    --------------------------------------------------
    End of report, 4,377 bytes
    Report generated in 0.110 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. Firejay

    Firejay

    Joined:
    Apr 26, 2002
    Messages:
    2,538
    I don't see anything obvious. But since you have the Startup List file, go back to the Lurkhere website and download Spybot Search and Destroy. Install it, run the updates, then scan your hard drive. Anything that it picks up in RED is most likely a Trojan program which needs to be dealt with.

    Also surf out to
    http://housecall.trendmicro.com/

    and do an online scan, with or without registering, to see if it finds anything that Norton didn't pick up.

    My 2 cents.
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    miffed... you must have run that rig through every online scanner there is :D

    There is nothing in your S.U.L. of any concern.
    As for uninstalling Norton, take a look here:
    http://www.hackfix.org/software/uninstall/norton.html

    You may have to uninstall your other A/V as well, then reinstall it.
     
  4. 0tbyn8r

    0tbyn8r

    Joined:
    Feb 14, 2003
    Messages:
    40
    Don't know what action you have already taken since the last post, but thought you might be interested:

    ypager.exe = PWSteal.BStroj is a password-stealing Trojan horse. It collects user passwords for MSN Messenger or Yahoo! Messenger and sends them to the hacker.

    The Trojan uses the same icon as MSN Messenger or Yahoo! Messenger in an attempt to disguise itself as those programs.

    Details about the fake Yahoo Messenger
    When the Trojan runs, it copies itself as %system%\YUpdater.exe or %system%\YPager.exe.

    It adds the value

    Sys "YUpdater.exe"

    or

    System "YPager.exe"

    to the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs each time that you start Windows.

    Details about the fake MSN Messenger
    When the Trojan runs, it copies itself as %system%\Msmsngs.exe.

    It adds the value

    Sysmsn "msmsngs.exe"

    to the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs each time that you start Windows.

    Both Trojans display an error message and send your IP address, host name, messenger name, and password to the hacker.


    Go to the Symantec site for more info about this. I know what it's like to battle a trojan. Not much fun. Thinking about a honeypot on one of my machines just to collect the pests. Kind of a cyber bug collection to study.
     
  5. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    Miffed does not have PWSteal.BStroj.

    Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet is a valid Yahoo Messenger entry.
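
    The distinction tpb draws (a Program Files path is the real Yahoo Messenger; the Trojan's value data is just a bare filename dropped into %system%) can be turned into a check over a StartupList report. The script below is an added example for this thread, not a tool from the page or from any poster. It parses the Run-key sections of a StartupList report, pulls the image path out of each value, and flags a messenger-named image only when it is referenced by bare filename or sits under System32. The embedded sample reuses the thread's real Run entries plus one constructed `System = YPager.exe` line to show the positive case; the verdict labels and the directory lists are assumptions.

```python
"""Triage Run-key entries in a StartupList report for the PWSteal.BStroj pattern.

Added example for this thread, not code from the page.  The Trojan quoted by
0tbyn8r copies itself as %system%\YPager.exe, %system%\YUpdater.exe or
%system%\Msmsngs.exe and registers a Run value whose data is just that
filename; the genuine Yahoo Messenger entry tpb identifies points into
Program Files.  Verdict labels and directory lists are assumptions.
"""
import ntpath
import re

# Filenames the Trojan copies itself as (from the Symantec text quoted above).
SUSPECT_NAMES = {"ypager.exe", "yupdater.exe", "msmsngs.exe"}

# %system% on XP / Windows 2000 (assumed default install drives).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Where the genuine Yahoo Messenger client lives; StartupList prints the
# 8.3 short form, so both spellings are listed (assumed default install path).
LEGIT_DIRS = {r"c:\program files\yahoo!\messenger", r"c:\progra~1\yahoo!\messen~1"}

RUN_KEY = re.compile(r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUN_VALUE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+)$")
IMAGE = re.compile(r"^(.*?\.(?:exe|dll|ocx|scr))(?:\s|$)", re.I)


def parse_run_entries(report):
    """Yield (hive, value_name, command) for every entry listed under a Run key."""
    hive = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = RUN_KEY.match(line)
        if key:
            hive = key.group(1).upper()
            continue
        if line.startswith("-----"):        # section separator closes the key
            hive = None
            continue
        if hive is None:
            continue
        value = RUN_VALUE.match(line)
        if value:
            yield hive, value.group("name").strip(), value.group("cmd").strip()


def image_path(command):
    """Return the executable path from a Run value, dropping switches such as -quiet."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def classify(command):
    """Verdict for one Run value's command string."""
    path = image_path(command).lower()
    directory, basename = ntpath.split(path)
    if basename not in SUSPECT_NAMES:
        return "unclassified"        # not a messenger-named image; out of scope here
    if directory == "" or directory in SYSTEM_DIRS:
        # A bare filename is resolved through the search path (System32 included),
        # which is exactly what a value of just "YPager.exe" relies on.
        return "suspect"
    if basename == "ypager.exe" and directory in LEGIT_DIRS:
        return "legitimate"
    return "review"                  # messenger-named binary in an unexpected place


def triage(report):
    """Map each Run value name in the report to its verdict."""
    return {name: classify(cmd) for _hive, name, cmd in parse_run_entries(report)}


# Constructed sample: the thread's real Run entries plus one fabricated
# "System = YPager.exe" line to show the positive case.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
System = YPager.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
"""

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:12} {name}")
```

    Run against the sample, the real `Yahoo! Pager` entry comes back `legitimate` and only the constructed `System = YPager.exe` value is `suspect`; everything else stays `unclassified`, which is the same conclusion tpb reaches by eye. Path checks are deliberately a whitelist of known install directories, so a messenger-named binary anywhere else lands in `review` rather than being silently accepted.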
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Indeed!

    About your Norton error, disable the XP firewall if it's running, and try again.
    Also take a look at these Symantec Knowledge Base articles

    Good luck,
     
Short URL to this thread: https://techguy.org/118264
