# Thread: Help me out, computer issue virus/worm

1. ## Help me out, computer issue virus/worm

I think it is one of those mass mailing worms, Norton didn't find it (even scanned in safe mode).

What happens when I boot up is in the screenshot: Norton scans emails and then I get error messages about email rejected or IP banned etc., and whatever emails it is sending, they are not to email addresses that I recognize.

Any program that would be good to download to find and fix this? Preferably a free program.

Juju

http://i13.photobucket.com/albums/a2...creenshot2.jpg

Post the log here if you don't know what it means.

3. Thanks, I'll try it late tonight or tomorrow. At work all day and going to the Pistons game tonight so won't have a chance to get to it till then. And ya, I'll post what I get because I'm sure I won't know what it means! LOL.

Juju

4. Format and reinstall, only way to be sure.

6. Why does everyone want to destroy Juju's computer? lol

7. They just like being meanies.

My husband also chatted with some of his IS folk at work today, so got some advice there too.

I'm trying not to format/reinstall, but if this bugger can't be found, that is what I'm going to have to do. ; ;

8. Originally Posted by Jujubie
They just like being meanies.

My husband also chatted with some of his IS folk at work today, so got some advice there too.

I'm trying not to format/reinstall, but if this bugger can't be found, that is what I'm going to have to do. ; ;
All I have to say if you reformat: save your FFXI macros somewhere......I can't even remember how many times I have had to remake mine. ~_~

9. Originally Posted by Jujubie
They just like being meanies.

My husband also chatted with some of his IS folk at work today, so got some advice there too.

I'm trying not to format/reinstall, but if this bugger can't be found, that is what I'm going to have to do. ; ;
I'm not being mean.. if the virus is even halfass sophisticated it won't be removable. How are you or a virus scanner going to do anything when it has altered Windows to not reveal its location, authorize its shutdown, or even let you delete it?

The only way to get access to the files is to take the drive out and put it in another computer or boot from your XP CD in recovery console. Of course this only works if you know which files to look for. There are some decent rootkit detection programs and methods out there, but you really needa know what you are doing and it's always faster/easier/safer to simply reinstall even if you do.

10. I didn't mean you exactly. It does seem to be the only way to go. I just mean the people trying to get her to delete her hard drive without knowing it lol.

11. I have to agree, formatting is always the fastest way to get rid of a pesky pesky virus.

With all the time you spend snooping for files and its alterations and everything, you'll just be like wipe, and go again.

Best thing I can say is if you are determined to delete the files that are causing corruption:

1: disconnect from the internet
2: turn off system restore
3: reboot into safe mode

A ton of virus files hide in system restore, and the only way of checking them is to have it turned off. Also with safe mode you're booting Windows into a safer environment.

If you can eventually find the culprits, sometimes they are not deletable because of virus sophistication; you'll need to either A: boot your machine into a Linux OS (landog, knoppix, something along these lines) and then eventually get to your system root. What I'm describing here is kind of difficult, and that's why I recommend Format and Re-Do.

12. Post a screenshot of your processes (Ctrl+Alt+Del). It seems your problem is Norton; just kill it (the process in the Processes tab [rename the kernel in the Norton folder]) and use other means to get the virus.... And I don't know why you're using such a useless antivirus like Norton..... At least use NOD32 or AVG.

13. Got the link for AVG from someone today, gonna use that and probably will end up uninstalling Norton.

Thanks for your help guys, I'll try all this stuff tonight and let you know the outcome.

14. Originally Posted by Devek
Originally Posted by Jujubie
They just like being meanies.

My husband also chatted with some of his IS folk at work today, so got some advice there too.

I'm trying not to format/reinstall, but if this bugger can't be found, that is what I'm going to have to do. ; ;
I'm not being mean.. if the virus is even halfass sophisticated it won't be removable. How are you or a virus scanner going to do anything when it has altered Windows to not reveal its location, authorize its shutdown, or even let you delete it?

The only way to get access to the files is to take the drive out and put it in another computer or boot from your XP CD in recovery console. Of course this only works if you know which files to look for. There are some decent rootkit detection programs and methods out there, but you really needa know what you are doing and it's always faster/easier/safer to simply reinstall even if you do.
Be smarter than the virus writer.

To the OP: Download Autoruns from Sysinternals. This should let you see every program that is configured to run when your computer starts, even programs that attempt to hide themselves from public view and not be visible to normal methods of determining run-at-start programs. If you can't make sense of what the program tells you, screenshot it and post here. You should see a suspicious app running though.

15. I had that before >> I just ctrl alt del, ctrl+click 5-10, end task. Usually closed all of them, and stopped. The virus stopped after a while >>

16. Originally Posted by Jujubie
Got the link for AVG from someone today, gonna use that and probably will end up uninstalling Norton.

Thanks for your help guys, I'll try all this stuff tonight and let you know the outcome.
Norton causes more problems than viruses do. Ask anyone who ever answered the phones at an ISP.

17. Originally Posted by divisortheory
That's a really nice little app, thanks. That'll come in handy one day I'm sure.

18. Originally Posted by Devek
Originally Posted by Jujubie
Got the link for AVG from someone today, gonna use that and probably will end up uninstalling Norton.

Thanks for your help guys, I'll try all this stuff tonight and let you know the outcome.
Norton causes more problems than viruses do. Ask anyone who ever answered the phones at an ISP.
I had Norton, it went apeshit on me. Kept having a little reminder thing pop up over and over and over and over. Click it off, it'd pop back up. Deleted that shit.

19. Originally Posted by Janice

Post the log here if you don't know what it means.

Here is the log, let me know if you see something. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:54:29 AM, on 12/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Fraps\FRAPS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar\$EX48.109\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3647
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032253072.exe
O4 - HKCU\..\Run: [Fraps] C:\Fraps\FRAPS.EXE
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resourc ... se8460.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

20. 361101032253072.exe sounds kind of suspicious <_< If I see something I don't recognize I usually run it through Google. (Not literally run it, obviously, but I like getting a bunch of results; usually they say what it does without even clicking on a link, and you get a good number of forum posts if it's anything serious.)

Might want to check this out, looks like that one might be your problem.
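As an added defender's example (not code from the thread or from HijackThis itself), here is a small Python triage script for HijackThis-format lines that applies the kind of "does this look like it belongs?" check post 20 describes: Run entries whose executable sits in the drive root, has an all-numeric name or lives in a Temp folder, a browser proxy pointed at the local machine, and BHO entries with no file behind them. The sample lines are copied from the log above; the heuristics and severity labels are my own assumptions, meant to shortlist lines for a manual check, not to declare anything malicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99 log format; lines copied from the thread's log.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3647
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032253072.exe
O4 - HKCU\..\Run: [Fraps] C:\Fraps\FRAPS.EXE
"""

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# First executable token of the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|pif))\b', re.IGNORECASE)
PROXY_RE = re.compile(r'^R1 - .*ProxyServer = (.*)$')


def parse_run_entry(line):
    """Return (hive, value name, executable path) for an O4 Run line, else None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    e = EXE_RE.match(cmd.strip())
    return hive, name, (e.group(1) if e else cmd.strip())


def triage_line(line):
    """Return a list of (severity, reason) findings for one log line (heuristics assumed)."""
    findings = []
    run = parse_run_entry(line)
    if run:
        _, name, path = run
        p = PureWindowsPath(path)
        parts = [x.lower() for x in p.parts]
        if p.drive and len(p.parts) == 2:      # e.g. C:\foo.exe, directly in the drive root
            findings.append(('high', f'{name}: executable sits in the drive root ({path})'))
        if p.stem.isdigit():                   # random-looking numeric file name
            findings.append(('high', f'{name}: all-numeric file name ({p.name})'))
        if 'temp' in parts:
            findings.append(('high', f'{name}: runs from a Temp folder ({path})'))
        if not p.drive:                        # bare name, resolved through PATH at logon
            findings.append(('low', f'{name}: bare file name resolved via PATH ({path})'))
    pm = PROXY_RE.match(line)
    if pm and re.search(r'localhost|127\.0\.0\.1', pm.group(1)):
        findings.append(('medium', f'browser proxy points at the local machine ({pm.group(1)})'))
    if line.startswith('O2 - BHO:') and line.rstrip().endswith('(no file)'):
        findings.append(('low', 'BHO registry entry with no file on disk (orphaned entry)'))
    return findings


def triage_log(text):
    """Triage every line of a log; returns a list of (severity, line, reason)."""
    return [(sev, ln, why) for ln in text.splitlines() for sev, why in triage_line(ln)]
```

Every hit still needs the manual check the thread describes (look the name up, inspect the file, compare with Autoruns); the script only orders the work.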