[Resolved] possible virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay guys, this is not for me again :)

This is also a sort of emergency situation.. a friend of mine who runs his job from his puter.. may possibly have a bad virus.. I can't find out anything on it..
this is a bit of a sketchy description of what's going on..

when he tries to start up his puter, he is getting bad file messages.. and every time he starts up he is getting more.. they are saying things like DRUG ABUSE, CRACK, alcohol abuse.. some have people's names like PETE, Paul etc.. they all are drug or basically alcohol related..

he runs Win 98 with Netscape and he has IE 5 I believe.. he can get to the start page and it brings up his icons etc.. he can't access anything.. and like I said every time he restarts he gets more bad files..

Anyone got any clue as to what to do?

sweet..

and if I can get some help ASAP that would be totally appreciated.. as I said he is in a dire situation.. thanks
 
Joined
May 3, 2001
Messages
68
Can he get into Safe mode?
If he can, get into msconfig and see if there is anything starting up that shouldn't be..... I couldn't find anything on the Symantec website.... but if you can find a name in startup then Symantec will have a fix or directions to fix it.
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay, we removed all that wasn't needed.. he has a lot of spyware stuff on there.. how can he remove it when he can't access the internet to get the prog to do so?

nothing else was outta the ordinary

sweet
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

The removal of the spyware will also need to be done via the registry. What was in there?

Go here and download Ad-Aware: www.lavasoftusa.com
It's an 800KB zip, so it can go on a disk. Run it in Deep Registry scan and remove all except any references to Web3000 or new.net. If you're unsure, copy/paste the list.

As for the startup log, this is 24KB, again it can fit on a disk.

We really need to see the startup and what files you found in the MSCONFIG.

Regards

eddie
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
I can't give you the msconfig because he is on his at home and I am here.. I have checked them and the only things he needs on his puter are there.. the basics.. like load profile.. scheduling agent.. nothing in the list was there from anything unusual.. e.g. his ATI settings stuff.. the TOTAL norm stuff...

he can't get to the internet to do anything.. I am going to go there and run the Ad-Aware thing and some other programs.. if anything else comes up let me know and I will post back here in a bit


thank you

sweet
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay

Well, I'm off in a few mins as it's nearly 02:40 here and I have work soon, but all we need for the moment is the Log File. I assume that he doesn't have an up-to-date virus scanner, so the log will tell us some stuff.

eddie
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay, we got him online, I am at his house now.. we are running HouseCall to see what can be found there... he has Norton AntiVirus 2001 and ran it and nothing showed... this is his startup log.. this is obviously where the prob is
Here is some and I will post the last half

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 13/01/2002 23:09:48.54
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"ATIGART"="c:\\ati\\gart\\atigart.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.EXE"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET BLASTER=A240 I2 D1 H7 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM


4247,hair care,,
4248,fragrance,,
4249,Skin-So-Soft,,
4250,ANEW,,
4251,age-defying,,
4252,nail care,,
4253,nail polish,,
4254,auto insurance california,,
4255,eye color,,1
4256,eye shadow,,
4257,skinsosoft,,
4258,avon lady,,
4259,21st century auto insurance,,
4260,football wagering,,1
4261,sport book wagering,,
4262,football betting,,
4263,nfl betting line,,1
4264,sport wager,,
4265,sport wagering,,
4266,sport wagering online,,
4267,football bet,,1
4268,bet on sport,,
4269,baseball bet,,
4270,gamble on football,,
4271,gamble on college football,,
4272,gamble on sport,,
4273,ncaa gamble,,
4274,online sport wagering,,
4275,wagering on sport,,
4277,ncaa wager,,
4278,wager on sport,,
4279,gamble on professional football,,
4280,gambling sport,,
4281,college football gambling,,
4282,pro football gambling,,
4283,nfl bet,,1
4284,bet on football,,1
4285,bet football,,
4286,bet sport,,
4287,bet on nfl,,
4288,bet football online,,
4289,bet baseball,,
4290,football betting line,,1
4291,baseball betting,,
4292,sport book betting,,
4293,sport betting online,,1
4294,online football betting,,
4295,college football betting,,
4296,internet sport betting,,
4297,betting football,,
4298,nfl betting pick,,
4299,nfl football betting,,1
4300,betting on baseball,,1
4301,basketball betting,,
4302,betting on nfl,,
4303,sport betting odds,,
4304,pro football betting,,
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Here is the last half

4305,college football betting line,,
4306,off shore sport betting,,
4307,offshore sport betting,,1
4308,betting on football,,
4309,football betting online,,
4310,ncaa football betting,,
4311,offshore sport book,,
4312,online sport book,,
4313,internet sport book,,
4314,sport book gambling,,
4315,casino sport book betting,,
4316,online sport betting,,1
4317,betting on sport,,
4318,betting sport,,
4319,nfl point spread,,1
4320,football spread,,1
4321,football point spread,,
4322,college football point spread,,
4323,college football spread,,
4324,nfl odds,,
4325,football odds,,
4326,sport odds,,1
4327,college football odds,,
4328,nfl football odds,,1
4330,sport wagering odds,,
4331,nfl pick,,
4332,football pick,,1
4333,free football pick,,
4334,college football pick,,
4335,free nfl pick,,
4336,nfl football pick,,
4337,nfl free pick,,1
4338,nfl weekly pick,,
4339,sport pick,,
4340,pro football pick,,
4341,free college football pick,,
4342,free nfl football pick,,
4343,free sport pick,,
4344,football nfl pick,,
4345,nfl game pick,,1
4346,auto insurance california online,,
4347,auto insurance in california,,1
4348,auto insurance in california online,,
4349,automobile insurance california,,
4350,buy auto insurance online california,,
4351,ca auto insurance,,
4352,ca car insurance,,
4353,ca insurance,,
4354,absoluteagency,,
4355,absoluteagency.com,,
4359,california auto insurance online,,
4360,california auto insurance quote,,
4361,california auto insurance quote online,,
4362,california automobile insurance,,
4363,california automobile insurance rate,,
4364,california car insurance,,
4365,california car insurance company,,
4366,california car insurance quote,,
4367,california insurance,,
4368,car insurance california,,
4369,california insurance services,,
4370,california insurance rate,,
4371,car insurance in ca,,
4372,car insurance in california,,
4373,car insurance quote in california,,
4374,insurance california,,
4375,online california insurance,,
4376,on line california insurance quote,,
4377,online insurance quote california,,
4378,mini-dish,,
4379,mini-dish.com,,
4380,www.mini-dish.com,,
4381,www.ing.com,,
4382,ing.com,,
4383,nutrisystem.com,,

4563,radio city christmas spectacular,,
4564,urbanq.com,,
4565,orbitz,,
4573,wire transfer,,1
4574,british pounds,,
4575,c2it,,
4576,cash transfer,,
4577,cash2india,,
4578,dinero seguro,,
4579,citi,,
4580,citibank,,
4581,citibank.com,,
4582,illuminations.com,,
4583,hsn.com,,
4584,britney spears concert,,
4585,AndyTheMan,,
4586,nutri system diet,,
4587,nutrisystem diet,,
4588,over weight,,
4589,alcohol abuse,,
4590,alcohol addiction rehabilitation,,
4591,alcohol counseling,,
4592,alcohol detoxification,,
4593,alcohol program,,
4594,alcohol programs,,
4595,alcohol rehab,,
4596,alcohol rehabilitation,,
4597,alcohol residential treatment,,
4598,alcohol treatment,,
4599,alcoholic anonymous,,
4600,alcoholic rehab,,
4601,alcoholic retreat,,
4602,alcoholics anonymous,,
4603,alcoholism detox,,
4604,alcoholism outpatient therapy,,
4605,alcoholism programs,,
4606,alcoholism rehab,,
4607,alcoholism rehab facilities,,
4608,alcoholism residential treatment,,
4609,alcoholism therapeutic community,,
4610,alcoholism therapy,,
4611,alcoholism treatment,,
4612,cocain addiction treatment,,
4613,cocaine abuse,,
4614,cocaine addiction,,
4615,cocaine addiction treatment,,
4616,cocaine recovery,,
4617,cocaine treatment,,
4618,crack addiction,,
4619,crack addiction rehabilitation,,
4620,crack addiction treatment,,
4621,crack cocaine,,
4622,crack rehabilitation,,
4623,crack treatment,,
4624,detox,,
4625,detoxification,,
4626,drug abuse,,
4627,drug abuse rehabilitation,,
4628,drug abuse treatment,,
4629,drug abuser,,
4630,drug addict,,
4631,drug addiction,,
4632,drug addiction rehabilitation,,
4633,drug addiction treatment,,
4634,drug program,,
4635,drug programs,,
4636,drug recovery programs,,
4637,drug rehab,,
4638,drug rehabilitation,,
4639,drug rehabilitation center,,
4640,drug treatment,,
4641,prescription drug abuse,,
4642,prescription drug addiction,,
4643,rehab,,
4644,rehab for alcohol dependency,,
4645,rehab for alcohol problems,,
4646,rehab for drug


==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\SCIENCE.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
CTSYN=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -




Anyone have any ideas?

I will post back if we find a virus with HouseCall when it's done


sweet

Okay, and HouseCall has found the Magistrate B virus

I will see what I can do about it, but in the meantime any info on it?
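As an added example (my code, not from the thread or from the StartUp Log tool), here is a small Python triage of a log in the format pasted above. It applies the checks the log text itself states: win.ini run=/load= must be empty, system.ini shell= must be exactly Explorer.exe, the HKCR open commands for executable types must be the stock ones, and autoexec.bat should hold only SET lines and driver loads. The sample log is constructed and mirrors this thread's log, including two of the keyword lines that turned up under the AUTOEXEC.BAT section.

```python
"""Triage a Win9x StartUp Log (rmbox format, as pasted in this thread).
Flags what the log tells the reader to check: empty win.ini run=/load=,
shell=Explorer.exe, stock HKCR open commands, and a clean autoexec.bat."""
import re

# Stock Win9x shell\open\command values (after undoing .reg escaping).
EXPECTED_OPEN = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
                 "piffile": '"%1" %*', "scrfile": '"%1" /S'}
# Lines that legitimately belong in a Win9x autoexec.bat: SET/PATH/etc. or a
# drive-letter path to a driver or program. Anything else is suspicious.
AUTOEXEC_OK = re.compile(
    r"^\s*(@?(SET|PATH|PROMPT|ECHO|REM|CALL|LH|LOADHIGH)\b|[A-Za-z]:\\\S+)", re.I)


def unescape_reg(value):
    """Undo .reg-style escaping: a backslash quotes the following character."""
    return re.sub(r"\\(.)", r"\1", value)


def triage(log_text):
    """Return a list of human-readable findings for one StartUp Log."""
    findings = []
    # 7. WIN.INI: nothing may follow run= or load=.
    for key, val in re.findall(r"^(run|load)=(.*)$", log_text, re.M):
        if val.strip():
            findings.append(f"win.ini {key}= is not empty: {val.strip()}")
    # 8. SYSTEM.INI: shell= must be exactly Explorer.exe.
    for val in re.findall(r"^shell=(.*)$", log_text, re.M):
        if val.strip().lower() != "explorer.exe":
            findings.append(f"system.ini shell= is not Explorer.exe: {val.strip()}")
    # 12. Registry shell spawning: each open command must be the stock value.
    pat = r'^@="(.*)"\n\(\.\w+ file - RegPath = HKCR\\(\w+)\\shell\\open\\command\)'
    for raw, ftype in re.findall(pat, log_text, re.M):
        got = unescape_reg(raw)
        if ftype in EXPECTED_OPEN and got != EXPECTED_OPEN[ftype]:
            findings.append(f"HKCR\\{ftype} open command changed: {got}")
    # 9. AUTOEXEC.BAT: anything that is not a SET/driver line is suspicious.
    m = re.search(r"set paths in your autoexec\.bat file\n(.*?)\n=+", log_text, re.S)
    for line in (m.group(1).splitlines() if m else []):
        if line.strip() and not AUTOEXEC_OK.match(line):
            findings.append(f"autoexec.bat has a non-startup line: {line.strip()}")
    return findings


# Constructed sample in the StartUp Log layout, mirroring the thread's log.
SAMPLE_LOG = r"""
run=
load=
shell=Explorer.exe
These are your program startups and set paths in your autoexec.bat file
SET BLASTER=A240 I2 D1 H7 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
4247,hair care,,
4589,alcohol abuse,,
==========================================================================
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
"""
```

Running `triage(SAMPLE_LOG)` reports only the two keyword lines in autoexec.bat, which is exactly where this thread's log went wrong; a hijacked shell= line or exefile open command would be reported the same way.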
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

Not going to repost it, but what's that in?

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

Seems like you have a trojan on there. As soon as the scan is finished, let's see if it picks up anything.

Oh, and you may want to edit some of that list before someone takes offence, like number 3972 :p

Editing that file may be a start, but let's see what I can find first.

Was that Magistrate or Magistra?

If it's the latter, use HouseCall, but also look at this:

http://www.symantec.com/avcenter/venc/data/[email protected]


eddie
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay, HouseCall found PEMAGISTR.B. I have downloaded the cleaner for it.. but it's hard to work, it seems.. can someone walk me through it?

sweet
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Still trying.. not an easy virus to get rid of.. this one is ugly lol


I will keep posting back with what's going on. I have something else I got from Sophos called swmagisb; hopefully it cleans it.. 'cause I don't know how to work the fix_magistrb.com thing that HouseCall says to use...


If anyone knows, let me know :) thanks

sweet
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay, uhmm, I am running outta ideas here.. I have updated Norton AntiVirus 2001; it found some viruses, the PE Magistr.B, and it supposedly fixed them.. but he is still getting the list (see above) when he starts up. What can I do.. I have removed the files that it showed were infected... 3d flowers.scr etc..

So if I am right, I think the virus is still possibly in the registry? But where, and what can I do?


sweet
 

sweetcheekies

Thread Starter
Joined
Aug 23, 2001
Messages
1,218
Okay, I have run HouseCall again and Norton.. I am not getting the virus alert anymore, but the startup log is the same.. I am getting all that crap on it.. what is it from and how can I get rid of it? I need a walk-through please

sweet
 