A serious problem.

prabs

Skilled
There are 2 instance s of explorer.exe running in my task manager. If you end it (fake one requires lesser ram) pc continues to work fine but then it comes back in the form of svchost.exe. I have 6 svchost.exe running but this one turns into 7th process. The trojan or virus whatever it is tends to take the name of windows processes.

So far I have run:
Aimfix
Avg antispyware scan
A-squared
Smitfraudfix

Avg removed a few trojans and that is it. I thought the problem had been fixed but after a few reboots it is back.

Please advice.
 
I already have nod32 installed version 3.0.642.0. Planning to run a system scan with that tonight.

I have comodo firewall pro.

Is there any software like smitfraud that can just remove the virus in safe mode. I used smitfraud for an earlier problem it worked fine but it isn't meant for this problem.

Edited bit:
33 views already someone please post a solution.
 
ESET NOD32 Antivirus for MSDOS

This is Ms-DOS version of Nod32 . Get Ntfs4dos from here

NTFS4DOS 1.8 (read/write NTFS from DOS) - Freeware Files.com - Security/Privacy Category

the above setup is quite useless because it doesnt directly let u take required program and put it in some bootable iso , instead it prefers writing to floppy directly .

Use this iso image instead:

NTFS4DOS Bootable CD ISO Image (Updated) (download torrent) - TPB)

Push in nod32 antivirus scanner for DOS in the iso image or you can also keep it on hard disk and execute once u boot from CD and mount ntfs partitions . Many malware can still skip removal even from safe mode . This is best way to clean your drive ( else attach it as slave to some other system and scan ) .

You can also put some more dos based antivirus in the iso .

( This is not illegal Ntfs4dos is free for personal use )
 
My laptop was recently infected by the kinza virus, which avg removed quite easily. the only problem being that the harm had already been done. and every time i would start up i would get a message saying that boot.vbs could not be found. I can understand ur frustration, but also hope that you have your data stored in a seperate partition and not in the system's partition (like C: ). even if u can remove the virus i doubt if the damage already done will be repaired and you may have to re-format your C: drive. as far as i have found out, it is quite irritating and bit messy, but in the end, it is the best thing to do. good luck.
 
You can try removing them using a startup scan or connecting your HDD as a slave to another computer, but the issue would be that this will not fix the files which have already been corrupted by the infection.. one way out without losing your current data would be to repair your OS. But even that is a lil buggy and you may have to reinstall all the patches and service packs
 
try using a little program called hijackthis. if you post the log here, we can do something about it. also use process explorer from sysinternals.com instead of task manager, you will get a better picture.
 
@raptor can you guide me through ntfs4dos. Please reply

@pause I ain't planning to format as long as I can fix it. With exams starting on 21 I don't have time to back up 78 gb on dvds. So please don't jinx me by saying format. But thanks for replying.

@patrix I have got 2 hdds with win xp sp2 installed independently. All I have to change my boot options for th hdd I want to boot. Will ur trick work if I boot from my slave hdd. Please reply.

@booo: I will try it right now.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:43 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iBall\Ball Mouse\1.2\LWBWHEEL.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\format.com
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = Rediff Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Genuine Microsoft Software
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000018.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iBall\Ball Mouse\1.2\LWBWHEEL.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3678F290-6840-405E-B51F-D48C6F9EBF82}: NameServer = 203.122.63.154,203.122.63.152,10.8.182.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5399 bytes

P.S.: I was formatting a floppy at the time of running Hijac this in cmd. Lwbwheel.exe is a program for my mouse as I use I-ball designer mouse. I apologize for double posting.
 
Try a boot time scan using any AV which supports the same.. (Avast is one AV which has this feature). see if that is removing your virus.
if that is finding viruses but is unable to remove them as the files are in use, then you have no option but in connecting the virus affected hdd as a slave and scanning it.
lets hope the OS is not corrupt and would come up properly after removing the virus.
 
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe (file missing)

that is the problem i believe

try placing a tickmark next to that in the options of hijackthis and say FIX ...and hopefully things should be fine
 
well try a reboot scan using Avast.. but before doing so uninstall ur nod32.. it's quite effective.. after a reboot scan u can run a thorough scan..or vice versa..time consuming but helps..Avira is also good at detecting Trojans..remember that all anti malware softwares are not 100% effecient..good luk..
 
I think you should remove these
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000018.dll
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe (file missing)

Any idea that you installed registry booster... IMO there are no registry boosters.

If you are unable to delete C:\Program Files\Outlook Express\svchost.exe, in hijackthis, go to other tools and click delete on reboot and select this path.
 


@kippu. I ran a scan with A-squared and Avg As and both found it as trojan. Hence Avg As removed it on reboot.

@booo You sure about deleting these files. Will this affect Copernick in anyway. urlsearchhook is under internet explorer. Deleted registry booster from registry. Guard.exe is a part of AVG AS removing it from services in msconfig causes it to stop working. I think guard32.dll is a part of it.

Is Avast better than Nod32? I ran scans with different s/ws and so far I've found over 8 trojans. Please advice on what to do next.
 
guard32.dll is legit, keep it. but usually malware installs their dlls in appinit to load along with explorer.

O20 Type AppInit_DLLs
Name
Path/File guard32.dll
Status Legit
Description Comodo_Firewall

urlsearchhook is definitly a adware thats why the file has been removed but the link to ie still remains.

rule is simple, search the dll/exe name in google. if they are not legit, remove them.

Try installing DRWEB if you can find it. I heard its good. I use kaspersky. but I still prefer cleaning using hijackthis if anything happens just for the sake of satifaction that I removed it completely.

One more thing, open processexplorer and hover the mouse on rundll.exe it will show the dlls being run. search them on the net to find out if they are legit. (rundll.exe is used to run dlls)

OT: Why you want to keep all that crap like desktop search??? they slow down the system.
 
My suggestion is to run the tasklist /SVC command in dos and check whats happening

7819
 
Deleted Urlsearchhook and uninstalled copernick.

result of tasklist:
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 740 N/A
csrss.exe 812 N/A
winlogon.exe 836 N/A
services.exe 880 Eventlog, PlugPlay
lsass.exe 892 PolicyAgent, ProtectedStorage, SamSs
svchost.exe 1044 DcomLaunch, TermService
svchost.exe 1124 RpcSs
svchost.exe 1212 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, Themes, TrkWks,
W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe 1288 Dnscache
svchost.exe 1356 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
WebClient
spoolsv.exe 1584 Spooler
explorer.exe 1800 N/A
LwbWheel.exe 1892 N/A
rundll32.exe 1908 N/A
egui.exe 1916 N/A
cfp.exe 1936 N/A
BlueSoleil.exe 1956 N/A
guard.exe 192 AVG Anti-Spyware Guard
BTNtService.exe 216 BlueSoleil Hid Service
svchost.exe 244 BthServ
cmdagent.exe 232 cmdAgent
ekrn.exe 572 ekrn
nvsvc32.exe 676 NVSvc
wdfmgr.exe 720 UMWdf
wscntfy.exe 2496 N/A
alg.exe 2548 ALG
CyberoamClient.exe 3160 N/A
Opera.exe 2864 N/A
cmd.exe 3332 N/A
tasklist.exe 3388 N/A
wmiprvse.exe 2044 N/A
 
prabs said:

Is Avast better than Nod32? I ran scans with different s/ws and so far I've found over 8 trojans. Please advice on what to do next.
Really don know Bro.. haven tried Nod32...if ur willing to spend time..tht to wth ur exams comin up.. thn i would suggest u to give it a try.. or just sit back finish ur exams:hap2: ..& then create a backup and format C drive..
 
I finally found a temporary solution that will let me use my pc till my exams get over.

1.Unticked 'Launch folder windows in a seperate process' in folder options.

2.Deleted all system restore files by turning off system restore on all drives and restarting it after 2 mins.

3.Set defence+ in comodo to paranoid mode and firewall security level to custom policy mode.

Despite this nod32 found a trojan in G drive's system restore deleted it using nod32 and repeated step 2 and scanned g:\ with nod32.

Didn't see an extra exploreer.exe last night and only six instances of svchost that I normally see. I will format after taking back up later on. Hope my pc can hold on till then.
:yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo: :yahoo:

:clapping: Thanks everyone. :clapping:
 
Back
Top