Nasty Virus need Help Badly!

Discussion in 'Security Software' started by poker_pro, Jan 10, 2005.

  1. poker_pro

    poker_pro Guest

    Hi Good People,

    I have had problems like never before on my PC. It seems that when I try to use
    my "search" function it just hangs. The little hourglass keeps turning and
    turning and the page never fully loads. When I tried to enter my System
    Restore it's almost the same kind of thing; it won't let me access the controls to
    shut it off.
    I will leave a Hijack log and if anyone can answer or help me God Bless you!

    Virus: Trojan.Downloader.Small.VL
    Status: Deletion Failed
    C:\WINDOWS\system32\CISVCS.EXE=>(NSIS o)=>zlib_nsis0004

    Virus: Trojan.PWS.Bispy
    Status: Deletion Failed
    C:\WINDOWS\system32\CISVCS.EXE=>(NSIS o)=>zlib_nsis0005
    and here's my HJT.... THANKS SO VERY MUCH!!!!

    The Hijack log is as follows!

    Logfile of HijackThis v1.99.0
    Scan saved at 4:43:26 PM, on 1/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\DOCUME~1\Admin\LOCALS~1\Temp\A~NSISu_.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\DOCUME~1\Admin\LOCALS~1\Temp\B~NSISu_.exe
    C:\DOCUME~1\Admin\LOCALS~1\Temp\C~NSISu_.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\hijack\HijackThis.exe

    R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - C:\WINDOWS\System32\ConfuSearch.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Music Match Jukebox] MMJukebox.exe
    O4 - HKLM\..\RunServices: [Music Match Jukebox] MMJukebox.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    poker_pro, Jan 10, 2005
    #1
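A small triage script for a HijackThis log in the format posted above, added here as an example and not part of the thread or of HijackThis itself. The sample log is constructed from a few of the posted entries, and the three heuristics it applies (processes running from a Temp directory, R3 URLSearchHook entries, O4 Run entries that name a bare file with no full path) are my own assumptions for illustration, not HijackThis's rules.

```python
import re

# Constructed sample in HijackThis v1.99 log format (a few entries from the post above)
SAMPLE_LOG = """Logfile of HijackThis v1.99.0
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\DOCUME~1\\Admin\\LOCALS~1\\Temp\\A~NSISu_.exe
C:\\Program Files\\hijack\\HijackThis.exe

R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - C:\\WINDOWS\\System32\\ConfuSearch.dll
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [Music Match Jukebox] MMJukebox.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\SymWSC.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - ..." style entries
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run(?:Services)?: \[(.*?)\] (.*)$")  # O4 body
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)   # path inside a Temp dir

def parse_log(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False               # blank line ends the process list
        elif (m := ENTRY_RE.match(line)):
            entries.append(m.groups())
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (kind, detail) pairs worth a second look; heuristics are assumptions."""
    findings = []
    processes, entries = parse_log(text)
    for proc in processes:
        if TEMP_RE.search(proc):               # executable launched from %TEMP%
            findings.append(("process-in-temp", proc))
    for code, body in entries:
        if code == "R3":                       # URLSearchHook entries are rare
            findings.append(("urlsearchhook", body))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in m.group(2):   # bare filename, no full path
                findings.append(("run-entry-no-path", m.group(1)))
    return findings
```

Feed `triage()` the text of a saved log to get a short list of entries to look up before deciding what to fix; a flagged entry is a prompt to verify, not a verdict.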

  2. Malke

    Malke Guest

    You have lots of malware on your computer. Please do not post HijackThis
    logs in the newsgroup. Following the malware removal steps I will give
    you are links to a HijackThis tutorial and places where you can post
    the logs. Do all scans in Safe Mode with updated tools.

    1) Scan in Safe Mode with current version (not earlier than 2003)
    antivirus using updated definitions.

    2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
    programs are free, so use them both since they complement each other.
    There is a new version of CWShredder from Intermute. I would not
    install the other Intermute programs, however. Alternately, there are
    CoolWebSearch malware removal steps at SilentRunners.

    Be sure to update these programs before running, and it is a good idea
    to do virus/spyware scans in Safe Mode. Make sure you are able to see
    all hidden files and extensions (View tab in Folder Options).

    HijackThis is an excellent tool to discover and disable hijackers, but
    it requires expert skill. See below for HijackThis links. A combination
    of HijackThis and About:Buster works well in removing the About:Blank
    homepage hijacker. Again, this is an expert tool and novices should get
    help with it.

    3) If you are running Windows ME or XP, you should disable/enable System
    Restore because malware will be in the Restore Points. With ME, you
    must disable System Restore completely. With XP, you can delete all but
    the most recent (presumably clean) System Restore point from the More
    Options section of Disk Cleanup (Run>cleanmgr).

    4) Make sure you've visited Windows Update and applied all security
    patches. Do not install driver updates from Windows Update.

    5) Run a firewall.

    Links to help with malware:

    Software/Methods:
    http://www.safer-networking.org - Spybot Search & Destroy
    http://www.lavasoftusa.com - Ad-aware
    http://www.majorgeeks.com - good download site
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners

    HijackThis:
    http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
    Eshelman
    http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
    forum
    http://www.wilderssecurity.com/
    http://forums.tomcoyote.org/
    http://www.spywareinfo.com/forums/

    General:
    http://forum.aumha.org/ - look under "Security" for various forums
    http://rgharper.mvps.org/cleanit.htm
    http://mvps.org/winhelp2002/unwanted.htm
    http://www.aumha.org/a/parasite.htm - The Parasite Fight
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Malke
     
    Malke, Jan 10, 2005
    #2

  3. poker_pro

    poker_pro Guest

    Thanks Malke, I will take you up on your advice!
    Question while I have you, though: if a virus or viruses
    have made changes to the registry, can it be repaired, and how? Thanks so much,
    am off to the forums you have provided!
     
    poker_pro, Jan 10, 2005
    #3
  4. Malke

    Malke Guest

    Yes, a good av and good spyware removal tools will fix the changes to
    the registry. If they don't, you can do it manually but it is much
    safer to let the tools do it for you. Fixing the registry manually is a
    last resort.

    Malke
     
    Malke, Jan 10, 2005
    #4