[Resolved] please help with virus removal

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
Hi, I am a new member so please bear with me. I would very much appreciate any help to identify and remove a virus on Win 2000 Pro with a DSL connection.

This virus is in my office computer, I am sending this post from my home computer. Been having problems for about two months. These are the specifics:
Have run NAV 2003, free McAfee scan, AVG scan, Spybot, HouseCall and Stinger. Stinger found TROJ ROLEKA.A and Bkdr IRC FLOOD.BI. All the others were "clean". I can't copy and paste, can't download programs such as HijackThis, and can't add or remove programs. I get a "svchost.exe has generated error" message and many other messages randomly. I get a blank screen on some web sites but not others. I can't download the Windows updates or patches: they start to load and then hang, or download but won't install. I get access denied messages at various times.

I have read many threads and have tried to find files mentioned in the regedit but they are not there. Have hidden files shown and full extensions shown. I am at my wits end. When I checked all the exe files in Explorer, it seemed to me like there was way too many. When I try to delete files, I get access denied. I don't see any obvious problems in the Task Manager.

I will make every attempt to try anything suggested. I am not a novice but am not sure about regedit files, so I am afraid to delete the wrong thing.

Also, regrettably, I do not have the latest updates installed for Win2000. It seems my NAV was disabled by the virus because I cannot now get the virus definition updates. I could until this started.
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
One more item, I have also run all of the scans in safe mode and checked files as directed in other threads about viruses.
 
Joined
Aug 17, 2003
Messages
17,584
Boot the computer from your Win 2000 CD and choose Repair.

Your computer should be clear of virus at this point, but your system files may be damaged. As soon as you get it working, update your AV, and apply all service packs.
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
Yes, I have tried safe mode. I will reboot from the CD as suggested and repost. Thank you.
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
I repaired the Win2000 and was able to run Panda ActiveScan. It found two infected files and said it deleted them, but when I tried to see the log my computer hung and I couldn't get that info. I believe I have the Relaka worm. It has a file named down.com which I found on my computer. I deleted it but I still have all the same problems. I was finally able to download HijackThis but I cannot open it. I am getting a lot of Windows Installer error messages and access denied. I don't know what else to do. Any suggestions???

Thank you
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
I finally was able to run HijackThis. The results are attached. I can't copy and paste.
 

Joined
Feb 23, 2003
Messages
16,274
That's all I can see here:


O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll
 
Joined
Jul 26, 2002
Messages
46,331
ccvan's log

Logfile of HijackThis v1.97.3
Scan saved at 12:29:36 PM, on 10/12/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
c:\winnt\system32\FireDaemon.EXE
c:\winnt\system32\prx.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .com/docrepo/external/?requester=investments&type=662: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?1043964912136
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4297/mcfscan.cab
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
Thanks for your quick reply. Should I delete the one you found?
Since I did the Win2000 CD repair, I am now getting "preparing to install..." messages; then I click cancel and they keep popping up. Also still getting "svchost.exe has generated error", etc., and a new message about the "entry" not available? I would have to get back with the actual wording next time I see it. I also cannot update my virus definitions with NAV. It says the file is corrupted. I took it out and reinstalled it and get the same message.
 
Joined
Jul 26, 2002
Messages
46,331
It looks like these:

O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe

O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe

are viral.
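The triage the reply above did by eye, written out as an added Python example (not code from this thread or from HijackThis): it parses the registry O4 lines from the posted log and flags an autostart entry whose file name is one character away from a real system process (LSAS.exe versus the genuine lsass.exe) and that recurs under more than one Run key. The list of system process names is our own assumption, not something the log states.

```python
import re
from collections import Counter

# Constructed sample: the registry O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CMD_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|scr|bat))(?:\s|$)', re.I)
# Genuine Windows 2000 system processes that malware likes to name itself after (our list, an assumption).
SYSTEM_PROCS = {"lsass.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "services.exe", "csrss.exe"}

def within_one_edit(a, b):
    """Levenshtein distance <= 1, so LSAS.exe matches lsass.exe (one dropped 's')."""
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) != len(b):  # skip the extra character in the longer string
                i, j = (i + 1, j) if len(a) > len(b) else (i, j + 1)
                continue
        i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def binary_of(cmd):
    """File name of the program the entry launches (handles quoted and unquoted paths)."""
    m = CMD_RE.match(cmd)
    exe = (m.group("q") or m.group("u")) if m else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

def flag_o4(log_text):
    """Return (autostart key, binary, reasons) for registry O4 entries worth a closer look."""
    entries = [m.groupdict() for m in map(O4_RE.match, log_text.splitlines()) if m]
    seen = Counter(binary_of(e["cmd"]) for e in entries)
    hits = []
    for e in entries:
        exe = binary_of(e["cmd"])
        reasons = []
        if any(within_one_edit(exe, s) for s in SYSTEM_PROCS):
            reasons.append("name imitates a system process")
        if seen[exe] > 1:
            reasons.append("same binary under %d autostart keys" % seen[exe])
        if reasons:
            hits.append(("%s\\..\\%s" % (e["hive"], e["key"]), exe, reasons))
    return hits
```

Running flag_o4(SAMPLE_LOG) reports only the two LSAS.exe entries, the same pair the reply singles out.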
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
When you are ready, please give me instructions and I will try to follow them. Thank you.
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe

O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe

Restart your computer.
 

ccvan

Thread Starter
Joined
Oct 9, 2003
Messages
30
Hi Again
I removed the items noted. We are definitely on the right track. I can now copy and paste. I still can't send emails, and still getting svchost.exe message, installer messages. When I try to install the service pack and patch I need, I get "cannot find server" messages. Same when I try to get the liveupdate virus definitions from NAV. My control panel appears to be OK now also. Thanks so much...any further suggestions?
 