Argh Virus?

Munkey

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,326
Sorry for going a bit AWOL.

I was already using NOD32, which disappointed me, and the heavy duty spyware scanners that I whipped out couldn't find a thing either.

In the end I had to do a full system format and re-install. A very, very, very annoying virus.

Hopefully whoever made it will be shot.
 

Sar

Part of the furniture
Joined
Dec 22, 2003
Messages
2,140
Ah, that's an easy one. Either a hardware fault or, more likely, a driver issue, so time to start upgrading (or downgrading) some drivers to see what the cause is. That is almost certainly not an infection.

That was just one of 'em though.

That said I think it was the beatpack server I installed for Beatmaker that I have bought for my iPod Touch. Since I uninstalled that there's been no problems (touch wood).

Just finishing off a 6-hour 100% full scan with Kaspersky, which found a few trojans, which are now gone, so fingers crossed it should be clean as a nun's mind from now! :)
 

old.Osy

No longer scrounging, still a bastard.
Joined
Dec 22, 2003
Messages
2,636
should be clean as a nun's mind from now! :)

That's your problem right there.

And to also be on topic, there is no Joanne D'Arc of anti-spyware or anti-virus. What I always do is use a combination of the most renowned tools, properly updated to the latest signature definitions.

Even for the simple user, staying away from most ad-ware/spyware triggers should be easy... it's the other 10% that are crafted with more brains, and trick you into executing something, or clicking on something you should not.

Ad-Aware by Lavasoft - This tool used to be Joanne D'Arc, but they've gone a bit choo-choo, and lost that title. Still a decent tool though.

Spybot Search & Destroy - Poorly updated as of late, so it fails against the most recent things out there, but for the more common stuff like sircam or smit, it should be A-Ok.

You have to reach a balance between how much security you employ, and the stress you, the end-user have to suffer because of it.
To be honest, if you know you can't be arsed to think or examine something before opening, then maybe you should set your security application to prompt you each time to touch a key.

I for example use just Windows Firewall, and I don't keep my antivirus memory resident. It's installed in case I want to manually scan something. I rarely use it.

A good antivirus resource is this.
 

Bahumat

FH is my second home
Joined
Jun 22, 2004
Messages
16,788
Bahumat : don't suppose it's just a "STOP" bluescreen, error code "0x0c000008 something something somethin" is it?
Had another one of those today, torn between a hardware error and viral infection - was infected with zlob and conficker (linked) anyway but cleaned and it was still at that. Didn't get time to format and rebuild but that's a job for next week.

Yeah, it's one of those horrible 0x0000008 errors. If I boot into safe mode with networking I can't run his McAfee scan. It says it needs to be 'fixed'. I think it just needs updating, but when you press Fix it gives an error saying "unable to fix".

I'm going to try going back in via safe mode and removing those weird files. Will run Malwarebytes again & those weird NOD32 programs listed above.

If that doesn't work I'll back up his music and reload it.
 

Wazzerphuk

FH is my second home
Joined
Dec 22, 2003
Messages
12,054
I think I'm free of it for now. Looks like SUPERAntiSpyware did do the job after all. Yays. I bet it pops up again though...
 

Munkey

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,326
I'll keep a note of that program if this happens again. Fingers crossed it won't.
 

Wazzerphuk

FH is my second home
Joined
Dec 22, 2003
Messages
12,054
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:55, on 17/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Windows Sidebar\sidebar.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Kontiki\KService.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\WINDOWS\system32\PnkBstrA.exe
H:\WINDOWS\system32\PnkBstrB.exe
H:\Program Files\Windows Sidebar\sidebar.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\mIRC\mirc.exe
H:\Program Files\Winamp\winamp.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Sidebar] H:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antispyware] H:\Program Files\Antispyware\Antispyware.exe -boot
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: H:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,H:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,H:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - H:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Kontiki Inc. - H:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - H:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - H:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

--
End of file - 6757 bytes

FYI I don't use IE.
 

old.Osy

No longer scrounging, still a bastard.
Joined
Dec 22, 2003
Messages
2,636
Well your HiJack log is clean, nothing in there that would indicate spyware being present.

Maybe it is attached to some other software you have installed, and it basically runs on demand (ergo, when you use that particular software).

Alternatively, use procmon to see the inner things in realtime, and troubleshoot the damn thing down.
 
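An added triage script that applies the kind of reading old.Osy does on the log above; it is not code from the thread and not part of Trend Micro's HijackThis. It walks the `Rn`/`On` lines and flags only structural oddities: an entry whose file is gone ("(no file)" / "(file missing)"), an O23 service with no publisher string, an O4 Run value that launches a bare file name (resolved through the search path, so a same-named file earlier in the path wins), and an O20 Winlogon Notify entry that points at a directory rather than a DLL. A flag means "look twice", not "malicious"; the heuristics and the reason strings are my assumptions, and the sample lines are an excerpt copied from the posted log with the selection being mine.

```python
import re
from typing import List, Tuple

# Constructed sample: an excerpt of the HijackThis log posted above
# (lines copied from the thread; which lines to include is my choice).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Antispyware] H:\Program Files\Antispyware\Antispyware.exe -boot
O20 - Winlogon Notify: !SASWinLogon - H:\WINDOWS\
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: PnkBstrA - Unknown owner - H:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - H:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
"""

# Every HijackThis finding line starts with a section tag: R0, R1, F2, O2, O23, ...
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

Finding = Tuple[str, str, str]  # (section, entry text, reason it was flagged)


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return entries a human should look at twice.

    Anything not returned merely passed these heuristics (my assumptions);
    that is not the same as being known-good.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or the running-process list
        section, body = m.group("section"), m.group("body")
        lower = body.lower()

        # 1. Orphans: the registry value points at a file that is not on disk.
        #    Typical of an incomplete uninstall or an already-cleaned item.
        if lower.endswith("(no file)") or lower.endswith("(file missing)"):
            findings.append((section, body,
                             "referenced file absent; leftover entry, remove it"))
            continue

        # 2. Services whose binary carries no publisher in its version info.
        if section == "O23" and " - unknown owner - " in lower:
            findings.append((section, body,
                             "service has no publisher string; verify hash/signature"))
            continue

        # 3. Run values that launch a bare file name. Windows resolves it via
        #    the search path, so whichever same-named file is found first runs.
        if section == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1]
            parts = cmd.split()
            exe = parts[0].strip('"') if parts else ""
            if exe and "\\" not in exe and ":" not in exe and "%" not in exe:
                findings.append((section, body,
                                 "bare file name resolved via search path; confirm which file runs"))
                continue

        # 4. Winlogon Notify packages are DLLs; a directory path is malformed.
        if section == "O20" and body.endswith("\\"):
            findings.append((section, body,
                             "Winlogon Notify entry names a directory, not a DLL"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage_hijackthis(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {entry}")
```

On the excerpt this flags five lines (the nameless BHO with no file, the SoundMan Run value, the SASWinLogon Notify entry, and the two "Unknown owner" services, one of which is also file-missing) and leaves the Kaspersky, Adobe and `%systemroot%` entries alone. It says nothing about the `[Antispyware]` Run value because a full, quoted path with a vendor directory is exactly what a legitimate tool looks like too; deciding that needs the binary, not the log line.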

Bahumat

FH is my second home
Joined
Jun 22, 2004
Messages
16,788
Luckily my brother's laptop is a Dell, so I backed up his music and ran the Factory System Restore :p
 
