
[Resolved] please help with virus removal

Discussion in 'Virus & Other Malware Removal' started by ccvan, Oct 10, 2003.

Thread Status:
Not open for further replies.
  1. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    Hi, I am a new member so please bear with me. I would very much appreciate any help to identify and remove a virus on Win 2000 Pro with a DSL connection.

    This virus is in my office computer, I am sending this post from my home computer. Been having problems for about two months. These are the specifics:
    Have run NAV 2003, free McAfee scan, AVG scan, Spybot, House Call and Stinger. Stinger found TROJ ROLEKA.A and Bkdr IRC FLOOD.BI. All the others were "clean". I can't copy and paste, download programs such as HiJack This, can't add or remove programs. Get a svchost.exe has generated error message and many other messages randomly. Get blank screen on some web sites but not others. Can't download the windows updates or patches. Starts to load and then hangs or downloads but won't install. Get access denied messages at various times.

    I have read many threads and have tried to find files mentioned in the regedit but they are not there. Have hidden files shown and full extensions shown. I am at my wits end. When I checked all the exe files in Explorer, it seemed to me like there was way too many. When I try to delete files, I get access denied. I don't see any obvious problems in the Task Manager.

    I will make every attempt to try anything suggested. I am not a novice but am not sure about regedit files, so I am afraid to delete the wrong thing.

    Also, regrettably, I do not have the latest updates installed for WIN2000. It seems my NAV was disabled by the virus because I cannot now get the virus definitions updates. I could until this started.
     
  2. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    One more item, I have also run all of the scans in safe mode and checked files as directed in other threads about viruses.
     
  3. kiwiguy

    kiwiguy

    Joined:
    Aug 17, 2003
    Messages:
    17,584
    Boot the computer from your Win 2000 CD and choose Repair.

    Your computer should be clear of virus at this point, but your system files may be damaged. As soon as you get it working, update your AV, and apply all service packs.
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Have you tried cleaning it from safe mode as well?
     
  5. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    Yes, I have tried safe mode. I will reboot from the CD as suggested and repost. Thank you.
     
  6. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    I repaired the Win2000 and was able to run Panda Active Scan. It found two infected files and said it deleted them but when I tried to see the log, my computer hung and I couldn't get that info. I believe I have the Relaka worm. It has a file named down.com which I found on my computer. I deleted it but I still have all the same problems. I was finally able to download HiJack this but I cannot open it. I am getting a lot of windows installer error messages and access denied. I don't know what else to do. Any suggestions???

    Thank you
     
  7. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    I finally was able to run HiJack This. The results are attached. I can't copy and paste.
     

  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    That's all I can see here:


    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    ccvan's log

    Logfile of HijackThis v1.97.3
    Scan saved at 12:29:36 PM, on 10/12/2003
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    c:\winnt\system32\FireDaemon.EXE
    c:\winnt\system32\prx.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .com/docrepo/external/?requester=investments&type=662: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?1043964912136
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4297/mcfscan.cab
     
  10. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    Thanks for your quick reply. Should I delete the one you found?
    Since I did the WIN2000 CD repair, I am now getting "preparing to install".....messages, then I click cancel and they keep popping up. Also still getting svchost. has generated error, etc. and a new message about the "entry" not available? I would have to get back with the actual wording next time I see it. I also cannot update my virus definitions with NAV. It says the file is corrupted. I took it out and reinstalled it and get the same message.
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    It looks like these:

    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe

    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe

    are viral.
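As an added example, not from the thread or any of its participants: a small Python checker that applies the reasoning behind the call above to the O4 lines of a HijackThis log. It flags a bare filename with no path, a near-miss spelling of a core Windows process name (LSAS.exe against lsass.exe) and the same binary registered under more than one autorun key. The SYSTEM_NAMES list and the 0.8 similarity threshold are assumptions; the sample lines are copied from the log posted earlier in the thread.

```python
import os
import re
from difflib import SequenceMatcher

# Constructed sample: the O4 autorun lines copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Anti-Trojan-Watch] C:\\Program Files\\Anti-Trojan-55\\ATWatch.exe
O4 - HKLM\\..\\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunServices: [Windows Explorer] LSAS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
"""
# Assumed list of core Windows process names that malware imitates with near-miss spellings.
SYSTEM_NAMES = ("lsass", "svchost", "csrss", "smss", "winlogon", "services", "explorer", "spoolsv")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): (?:\[[^\]]*\] )?(?P<cmd>.+)$")

def exe_from_cmd(cmd):
    """Extract the executable from a Run value or a 'name.lnk = target' line."""
    if " = " in cmd:                      # Global Startup shortcut lines
        return cmd.split(" = ", 1)[1].strip()
    cmd = cmd.strip()
    if cmd.startswith('"'):               # quoted path, possibly followed by arguments
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)  # unquoted: cut at the first .exe
    return cmd[:m.end()] if m else cmd.split()[0]

def lookalike(stem):
    """System process this stem imitates, if it is a near miss rather than an exact match."""
    for name in SYSTEM_NAMES:
        if stem != name and SequenceMatcher(None, stem, name).ratio() >= 0.8:
            return name
    return None

def assess(log_text):
    """Map executable stem -> sorted reasons it looks suspicious; clean entries are omitted."""
    hives, reasons = {}, {}
    for m in filter(None, (O4_RE.match(line.strip()) for line in log_text.splitlines())):
        hive, exe = m.group("hive"), exe_from_cmd(m.group("cmd"))
        stem = os.path.splitext(os.path.basename(exe.replace("\\", "/")))[0].lower()
        hives.setdefault(stem, set()).add(hive)
        flags = reasons.setdefault(stem, set())
        if "\\" not in exe and hive.startswith("HK"):   # bare name: located by search order
            flags.add("bare filename, no fixed location")
        twin = lookalike(stem)
        if twin:
            flags.add("near miss of system process " + twin + ".exe")
        if len(hives[stem]) > 1:                         # e.g. both Run and RunServices
            flags.add("same binary in several autorun keys: " + ", ".join(sorted(hives[stem])))
    return {s: sorted(f) for s, f in reasons.items() if f}
```

Running assess(SAMPLE_LOG) reports lsas with all three reasons and mobsync with only the bare-filename note, which is why a flag on its own is a prompt to check the file's location and publisher rather than a verdict.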
     
  12. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    When you are ready, please give me instructions and I will try to follow them. Thank you.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe

    O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe

    Restart your computer.
     
  14. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Good job Flirman..:D
     
  15. ccvan

    ccvan Thread Starter

    Joined:
    Oct 9, 2003
    Messages:
    30
    Hi Again
    I removed the items noted. We are definitely on the right track. I can now copy and paste. I still can't send emails, and still getting svchost.exe message, installer messages. When I try to install the service pack and patch I need, I get "cannot find server" messages. Same when I try to get the liveupdate virus definitions from NAV. My control panel appears to be OK now also. Thanks so much...any further suggestions?
     
Short URL to this thread: https://techguy.org/171125