Undetected virus?

Discussion in 'Operating Systems' started by HoT-DoG, Aug 22, 2005.

  1. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    Hi

    I'm having a hard time with this situation:

    I have some files being automatically created on my disk:

    autorun.inf and install.exe

    autorun.inf points to install.exe, so when I open the folder they're in, install.exe executes, and what it does I don't know!

    They're created at least in the following directories:
    C:\ ; D:\ ; H:\ ; H:\Games\ ; D:\Programas ; Z:\


    The antivirus is up to date (Kaspersky) and Ad-Aware too, and when I scan the files they get nothing! Sometimes Kaspersky tells me: INSTALL.EXE IS trying to be created, DELETE, and points me to a virus site that doesn't exist.

    I deleted all the files related to them from disk and regedit strings, I booted only with the options I trust, and they still replicate!!

    I'm asking for help before I format my disk, so if any of you had this problem and knows how to solve it, I appreciate it!

    Thanks in advance!
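    The pair described above (an autorun.inf whose [autorun] section launches an install.exe sitting next to it) can be checked for without opening the folder in Explorer. The following is an added example written for this thread, not code from the poster or from any of the tools mentioned; the autorun.inf content and the install.exe stand-in are constructed samples, and the audit_root/parse_autorun names are my own. It parses the INI-style file, pulls out every key Windows would treat as a launch command (open= and shell\<verb>\command=), and reports whether the referenced file is present beside the inf, so a drive root can be triaged from a script rather than by browsing into it.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample (not the poster's file): an autorun.inf whose [autorun]
# section launches install.exe from the same directory, the pattern in the thread.
SAMPLE_AUTORUN_INF = """[autorun]
open=install.exe
icon=install.exe,0
shell\\open\\command=install.exe
"""


def parse_autorun(text):
    """Return {key: command} for every [autorun] key that names something to run.

    Windows reads only the [autorun] section (case-insensitively); open= and any
    shell\\<verb>\\command= key hold a command line Explorer will execute, so
    those are the values worth auditing. icon=, label= etc. are ignored.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep key spelling exactly as written in the file
    cp.read_string(text)
    commands = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            lk = key.lower()
            if lk == "open" or (lk.startswith("shell\\") and lk.endswith("\\command")):
                commands[key] = value.strip()
    return commands


def command_target(cmd):
    """First token of a command line: the file that would actually be launched."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit_root(root):
    """Inspect one directory (typically a drive root) for an autorun.inf.

    Returns one finding per launch key; an empty list means no autorun.inf.
    target_present says whether the referenced file sits next to the inf,
    which is exactly the self-contained pair described in the thread.
    """
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    text = inf.read_text(errors="replace")
    try:
        commands = parse_autorun(text)
    except configparser.Error as exc:
        # A malformed inf still deserves a look; report it instead of hiding it.
        return [{"root": str(root), "key": "<parse error>", "command": str(exc),
                 "target": "", "target_present": False}]
    findings = []
    for key, cmd in commands.items():
        target = command_target(cmd)
        findings.append({
            "root": str(root),
            "key": key,
            "command": cmd,
            "target": target,
            "target_present": (root / target).is_file(),
        })
    return findings


def run_demo():
    """Build the constructed sample in a temp dir and audit it; touches no real drive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        (root / "install.exe").write_bytes(b"placeholder, not a real binary")
        return audit_root(root)


if __name__ == "__main__":
    # For a real check, call audit_root on each drive root, e.g. audit_root("D:\\").
    for f in run_demo():
        status = "present" if f["target_present"] else "MISSING"
        print(f"{f['root']}: [{f['key']}] -> {f['target']} ({status})")
```

    The reason to parse rather than just look for the file: a legitimate autorun.inf on a game or driver CD also has an open= line, so what distinguishes the case in this thread is a launch target that is an unexplained executable placed on a hard-disk or mapped-drive root, and that is what the target and target_present fields let you check across every root at once.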
     
  2. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    Logfile of HijackThis v1.99.1
    Scan saved at 20:14:45, on 22-08-2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\No-IP\DUC20.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\PROGRA~1\Serv-U\SERVUD~1.EXE
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\RealVNC\VNC4\WinVNC4.exe
    D:\Program Files\MessengerPlus! 3\MsgPlus.exe
    D:\Program Files\Motherboard Monitor 5\MBM5.EXE
    D:\Program Files\Microsoft IntelliPoint\point32.exe
    D:\Program Files\D-Tools\daemon.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Serv-U\ServUTray.exe
    D:\WINDOWS\System32\svchost.exe
    C:\Programas\mIRC\mirc.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\nbpro\nbpro.exe
    D:\Program Files\Opera\Opera.exe
    D:\Program Files\teamspeak2_RC2\TeamSpeak.exe
    D:\Program Files\The All-Seeing Eye\eye.exe
    D:\WINDOWS\system32\mmc.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
    D:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
    D:\Program Files\Executive Software\Diskeeper\DkIcon.exe
    D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
    G:\Rar$EX00.703\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [MBM 5] "D:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ServUTrayIcon] D:\Program Files\Serv-U\ServUTray.exe
    O4 - Startup: Speedtouch Connection.lnk = D:\Program Files\Thomson\SpeedTouch USB\stdialup.exe
    O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{257D37CD-973A-4042-84DF-8AB9326B3D02}: NameServer = 194.65.100.117
    O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
    O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
    O23 - Service: NoIPDUCService - Vitalwerks LLC - D:\Program Files\No-IP\DUC20.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - D:\PROGRA~1\Serv-U\SERVUD~1.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: Task Manager (TskMan) - Unknown owner - D:\WINDOWS\system32\TskMan.exe (file missing)
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
     
  3. Finchwizard

    Finchwizard Don Apple

    Messages:
    16,442
    Likes Received:
    6
    GPU:
    -
    And have you tried scanning it with Spybot Search and Destroy and Ad-Aware SE to see if it's spyware?

    Make sure they are updated and try again.
     
  4. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    GPU:
    BFG 8800GT OC2 512
    Please extract and run HijackThis from a program folder.

    Reboot and close all running programs before you run HijackThis. Now post the new log.

    Run ActiveScan; if any infection is found, save the log and post it here.
    http://www.pandasoftware.com/activescan/
     
    Last edited: Aug 23, 2005

  5. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    GPU:
    BFG 8800GT OC2 512
    Make sure your Serv-U program is not a modified version.

    Edit: Looking at some info and this might be your problem as it seems related to the (missing) TskMan.exe process.

    Troj/ServU-BC (sophos name)
    http://www.sophos.com/virusinfo/analyses/trojservubc.html
    http://www.sophos.com/support/disinfection/trojan.html

    O23 - Service: Task Manager (TskMan) - Unknown owner - D:\WINDOWS\system32\TskMan.exe (file missing)

    Have you had any worm or virus problems?

    ---

    I can't see any reference to autorun.inf or install.exe in the log.

    They are often used for CDs (autorun), and as you have DAEMON Tools installed it may not be impossible that it is related to a game?
     
    Last edited: Aug 23, 2005
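    The entry Animatrix singles out above is the kind of thing that can be pulled out of a HijackThis log mechanically: an O23 service with a generic display name, no named vendor, and a binary under system32 that is no longer on disk. The following is an added example for this thread, not code from HijackThis or from anyone in the discussion; the sample lines are copied from the log posted above (SAMPLE_HJT_LOG is that constructed excerpt), and the scoring rules in suspicion() are my own heuristics, not anything the tool itself does.

```python
import re

# Constructed excerpt: O23 lines taken verbatim from the HijackThis log in this thread.
SAMPLE_HJT_LOG = r"""
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Task Manager (TskMan) - Unknown owner - D:\WINDOWS\system32\TskMan.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Display names that impersonate built-in Windows components; "Task Manager" is
# the one from this thread, extend the set as you see fit (my own list).
GENERIC_NAMES = {"task manager"}


def parse_hjt(text):
    """Return one dict per O23 line; other HijackThis sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicion(entry):
    """Reasons an O23 entry deserves a second look. Heuristics, not verdicts."""
    reasons = []
    owner_unknown = entry["owner"].lower() == "unknown owner"
    if owner_unknown:
        reasons.append("unknown owner")
    if entry["path"].endswith("(file missing)"):
        reasons.append("file missing")
    if owner_unknown and "\\windows\\system32\\" in entry["path"].lower():
        reasons.append("no named vendor and binary under system32")
    display = entry["name"].split(" (")[0].lower()
    if display in GENERIC_NAMES:
        reasons.append("generic display name")
    return reasons


def triage(text):
    """Flagged services, most reasons first: list of (display name, reasons)."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = suspicion(entry)
        if reasons:
            flagged.append((entry["name"], reasons))
    flagged.sort(key=lambda item: -len(item[1]))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT_LOG):
        print(f"{name}: {', '.join(reasons)}")
```

    Both VNC services in the original log come out flagged as well, with two reasons each, which is the expected false positive: they are leftovers of uninstalled remote-access tools, still registered but with no binary. The TskMan entry scores higher because it combines a missing file with a vendor-less binary in system32 and a name borrowed from a Windows component, and that combination is what made it stand out to a human reader too.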
  6. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    Thanks for the replies.

    A while ago I had the modified "with trojan" Serv-U, but then I downloaded the official one from the website, and the antivirus warnings stopped, and these symptoms are from now.

    And I'm pretty sure this ain't related to any game install.
    I play Medal of Honor online, with anti-cheat, and I noticed this two days ago when the anti-cheat found CHEATS/install.exe in my game folder; that's when I found they were "replicating".

    If you're interested and you can do anything with them, I can post the files here /edit install.rar


    I used Kaspersky, avast!, Ad-Aware and Spy Sweeper with the latest definitions and found nothing.
     
    Last edited: Aug 23, 2005
  7. bakuryu

    bakuryu Ancient Guru

    Messages:
    3,270
    Likes Received:
    1
    GPU:
    XFX GeForce 6600LE @ 430/490
    You are infected with a trojan !! :( :(
    NOD32 detects it !! This is what happens when I try to download it !!
     
  8. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    Thank you, I'll download that program and post the results.

    edit

    I installed it, it scanned the computer and "FOUND and Deleted" the install.exe's that I have, but nothing more, so whatever is causing them to replicate must still be INSIDE!!!

    /edit
     
    Last edited: Aug 23, 2005
  9. bakuryu

    bakuryu Ancient Guru

    Messages:
    3,270
    Likes Received:
    1
    GPU:
    XFX GeForce 6600LE @ 430/490
    Download NOD32, update.

    Disable System Restore and run an "In Depth Analysis"
     
  10. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    Well, at least it's detected as a virus.

    It finds the virus, Win32/Robobot, and quarantines it, but it keeps on coming!
    I can't seem to find the info or the site to tell me what to do to prevent this from happening!

    Even if I do format the PC and install Windows again, it might happen again, because I don't know how it happens and how to stop it!

    If anybody sees info about this, tell me please, and thanks for the help so far.
     

  11. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    GPU:
    BFG 8800GT OC2 512
    You MUST start by updating your OS fully; even if you reinstall XP you must update and keep the OS updated. AVs are often no match for worms on unpatched systems, so keep your OS updated. Also install a firewall, or install SP2 and enable its firewall.


    You MUST follow the instructions of disabling System Restore, booting in Safe Mode AND unplugging from the net. This is a trojan that executes other malware.

    You will want to copy the text from this post and save it as a text file (*.txt) or print it, because you will be working offline (in Safe Mode) to resolve your problem and will not have access to this forum.


    Follow these STEPS.

    STEP 1

    You must turn off System Restore during this process. You will keep it off until we are done fixing your system.

    STEP 2

    In NOD32, under the NOD32 on-demand scanner, press "Run NOD32".

    Go to the Profile tab and in the drop-down menu pick the "Control Center Profile - Local".
    Go to the Action tab and set it to delete.
    Go to the Setup tab and make sure all scanning is enabled.

    Now press the Quit button; NOD32 will inform you that the profile is changed, press "Yes" to save the changes.


    STEP 3

    1. Now turn off your computer and remove the network cable/phone line from your machine.
    2. Reboot your computer in Safe Mode


    STEP 4

    Run NOD32 and use the "Local" scan; let it delete any infected files.


    STEP 5

    1. Reconnect your network cable/phone line
    2. Reboot your system into normal mode.


    STEP 6

    Run HijackThis again and post a new log file.

    Run ActiveScan and post any infection found:
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Online Trojanscanners
    http://scan.sygate.com/pretrojanscan.html
    http://www.windowsecurity.com/trojanscan/

    Online AV
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    http://www.ravantivirus.com/scan/
     
  12. SgtSquarenuts

    SgtSquarenuts Member Guru

    Messages:
    173
    Likes Received:
    0
    GPU:
    BFG 6800 Ultra o/c w/c/Koolance Exo
    Yes, reboot in Safe Mode, but why run NOD32? He has Kaspersky. It's the highest rated AV program, 99% effective.
     
  13. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    GPU:
    BFG 8800GT OC2 512
    You did not read all of the thread...did you.

    bakuryu's NOD32 found the worm. HoT-DoG then downloaded NOD32 and that's why he should use it. ;)
     
  14. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    lol

    Well, since I use NOD32, the install.exe files are being stopped from replicating themselves, and it solves part of the problem, but I still don't know where it comes from.

    I installed the AutoPatcher, with all the updates for Windows XP, but I didn't reboot the PC yet... I'm a 24h downloader :S

    When I do I'll tell you if it worked.

    Thanks for the help.
     
  15. SgtSquarenuts

    SgtSquarenuts Member Guru

    Messages:
    173
    Likes Received:
    0
    GPU:
    BFG 6800 Ultra o/c w/c/Koolance Exo
    Yes, I read enough to know why he couldn't find it. Those worms get into everything. He had System Restore running and he didn't boot into Safe Mode when he ran Kaspersky. I know what you're saying. Go with whatever works to get rid of it.
     

  16. HoT-DoG

    HoT-DoG Member

    Messages:
    32
    Likes Received:
    0
    GPU:
    MSI Geforce 6600GT
    NO!! One thing I must say!

    The first thing I do after installing Windows is to turn off the EVIL SYSTEM RESTORE OF DEATH, house of many slowdowns and viruses!!

    Just to make my soul a bit brighter :D
     
  17. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,843
    Likes Received:
    3
    GPU:
    BFG 8800GT OC2 512
    No, I'm not saying "go with whatever works to get rid of it." I'm saying if you have NOD32 installed (which he did when I wrote the instructions) you should use it, period.
     
  18. SgtSquarenuts

    SgtSquarenuts Member Guru

    Messages:
    173
    Likes Received:
    0
    GPU:
    BFG 6800 Ultra o/c w/c/Koolance Exo
    Oh , well excuuuuuse meeeeeeee.
     
