Oye! I'm suffering from a VIRUS

Status
Not open for further replies.

sr_ultimate

Journeyman
Hi, this is probably my 3rd or 4th post on Digit. I have a BIG problem here. It's been 2 months since I have had this. I run an AVG virus scan and it detects W32.Parite.B and VBS/Redlof, and when I searched other forums they said it's W32.Blaster.Worm and for removal I have to go to the Symantec or McAfee website, but my computer opens the pages. I downloaded Stinger from McAfee and searched, but no use. Now see the

Problem

1. My XP hangs in the middle or restarts.

2. When the computer is started it shows many programs wanting to connect to the net, like:
*in.geocities.com/sreejithrk86/network.jpg

3. My computer's look changes, i.e. some of the icons are almost disgusting.
*in.geocities.com/sreejithrk86/desktop.jpg

4. When I try to install 98, at start it says Boot record VIRUS (Y/N); when I press Y it continues with the installation, then the same message appears at the installation stage but this time the system hangs.

5. I cannot install Norton or McAfee as the system starts running DAMN slow.

6. AVG Antivirus does not stand after restart, that is, it has to be reinstalled again if the PC is restarted.
*in.geocities.com/sreejithrk86/avg.jpg

7. System hangs when I install XP SP2.

What I have done

1. When I run AVG antivirus it finds W32.Parite and VBS/Redlof and removes them, but the problem persists.

This is how my Task Manager looks:
*in.geocities.com/sreejithrk86/task.jpg

Please tell me some way; if you can't help it this way, tell me if changing the hard disk would work?
 

Kl@w-24

Slideshow Bob
Run 'msconfig' and disable the entry 'svchostt.exe' in the Startup tab. This is probably the infected file. Search for the file and delete it. Now run 'Regedit' and search for 'svchostt.exe' and delete all entries related to it. IMPORTANT: Back up your registry before you do this!!
Also, disable any entries you do not recognise as programs that you have installed. And go to [Control Panel]>>[Internet Options] and in the Connections tab, select the 'Never Dial A Connection' radio button. This way, Windows will not ask you to connect to the internet even if some program requests it.
 

sr_ultimate

Journeyman
1. How am I supposed to back up the registry?
2. How am I going to search, because when I search it says "A file required to run the search companion is not working."
3. What about the boot sector virus?
 

Kl@w-24

Slideshow Bob
[1] Start Regedit and click on the File menu. Click on Export, give a filename and select the option 'All' in Export Range.

[2] If you can't search, don't worry. The file is most likely to be in C:\WINDOWS or C:\WINDOWS\SYSTEM32\. Go to those directories and look for the file.

[3] Boot using the Windows XP CD. Press 'r' when setup asks if you want to use the Recovery Console. At the Recovery Console, type fixboot. It will write a new boot sector to your drive. Also, type fixmbr to fix your Master Boot Record. Do this only if there is no other OS installed along with XP.
 

icecoolz

Cyborg Agent
Backing up registry:

Start->run
type : regedit

From the window that opens up goto File-> export . Select the location you want to export the file to and save it with some name.

This will back up your registry.

A boot sector virus should be removed by NAV or McAfee... install it, run it, even if it is slow, let it remove the virus, and then uninstall it...
 

JAK

What the Heck !
Hmm...

First make a McAfee/Norton boot disk with the latest virus definitions on a friend's computer.
Make a cold boot (shut down and turn off all power to the CPU).
Now boot up with the floppy and run a full scan; hopefully it will get rid of your boot sector virus and any other virus. Then try to boot up in Windows and see if things are back to normal...

After getting back into Windows I would recommend doing another full scan of your system using some reliable antivirus with the latest virus definitions...
 

IG

Journeyman
Is svchost some kind of absolutely required service in Windows? Because my XP Pro also has several instances running at the same time...
 

FunkyB

Broken In
Hey guys, hold on...!!! svchost.exe is a Windows core process which always runs multiple instances, and if you try to stop it the system will hang up... it is not the infected file... try using Norton by attaching your HDD to another computer and running a full scan... obviously update Norton first. You should get the names of the viruses after the scan, and then just go to www.symantec.com and download the respective virus removal tools... scan... and you should be up and running soon... best of luck... ;)


Oops... sorry Wildy... hey, I'm just a non-techie dude ;)... just thought I was helping... thanks for the info... hopefully I haven't got him into any trouble...
 

Wildstyle

Broken In
IG & FunkyB: You guys should do your homework before posting! You see, svchost.exe may be a key Windows component, but there *is* a virus out there that makes an infected copy of this file. None other than the Welchia worm. Don't you guys ever read Digit?????? That's where this issue was announced in the Virus Alert column.

Here's some info on symptoms & removal (provided that in sr_ultimate's case it is Welchia and not some other variant):

*www.pchell.com/virus/welchia.shtml

Do as it_waaznt_me says, dude. Paste the log that HijackThis creates on your computer and that way we might solve your problem.
 

IG

Journeyman
Point taken.

I had an lsass shutdown a few hours back but my AV says there is no infection. The problem did not repeat. Here's my HijackThis logfile:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
F:\Softwares\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E26C00-3490-44C1-9274-0D43D65F02C7}: NameServer = 202.144.10.50 202.144.13.50
 

aadipa

Padawan
sr_ultimate said:
1. My XP hangs in the middle or restarts.
Maybe a virus, but it can also be faulty hardware. Check the processor temperature and check your RAM.

sr_ultimate said:
2. When the computer is started it shows many programs wanting to connect to the net, like:
*in.geocities.com/sreejithrk86/network.jpg
Go to Internet Options by right-clicking the IE icon on the desktop.

Under the Connections tab, select "Never dial a connection".

If you have any other browser set as the default browser, change its settings too so that it does not dial any connection.

sr_ultimate said:
3. My computer's look changes, i.e. some of the icons are almost disgusting.
*in.geocities.com/sreejithrk86/desktop.jpg
I bet this to be a virus.

sr_ultimate said:
4. When I try to install 98, at start it says Boot record VIRUS (Y/N); when I press Y it continues with the installation, then the same message appears at the installation stage but this time the system hangs.
This is virus protection offered by the BIOS.
Whenever the Master Boot Record (MBR) of your HDD changes, you will get this warning.
You can disable this from the BIOS.


sr_ultimate said:
5. I cannot install Norton or McAfee as the system starts running DAMN slow.
6. AVG Antivirus does not stand after restart, that is, it has to be reinstalled again if the PC is restarted.
*in.geocities.com/sreejithrk86/avg.jpg
This is due to the virus.


No need to change your hard disk.

I think one of the CDs from which you install your applications has these viruses.
As batty said, give your HijackThis log file.

By the way, to stop Redlof follow this:

First, start msconfig.
Under the Startup tab, deselect Kernel.dll as this is the virus file.

Now go to Folder Options and select "Show hidden and operating system protected files".
Now search for desktop.ini and folder.htt.
Delete all these files.
Again check for kernel.dll's entry in msconfig.
Now restart Windows. Redlof is removed.

Check again with a good antivirus.


About Stinger, download the latest version of it on some other machine which is not infected with any virus. Now copy it to a floppy and then make the floppy read-only by setting the switch, or burn it to a CD.
Now run Stinger from this read-only source.



Best of luck....
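
The Redlof clean-up step in the post above (show hidden and system files, find every desktop.ini and folder.htt, delete them) is easy to apply too broadly, because Windows writes its own desktop.ini into any folder whose view or icon has been customised. The script below is an added example written for this page, not code from the thread or from any removal tool. It walks a directory tree, reports every folder.htt and only those desktop.ini files whose contents refer to a folder.htt (the assumption, following the reply, being that such a reference is the worm's hook), leaves every other desktop.ini alone, and deletes nothing unless asked. The sample tree it builds under a temporary directory is constructed here for the demonstration; its placeholder folder.htt contains no script.

```python
"""Sweep a tree for the desktop.ini / folder.htt pairs the reply above tells the
poster to delete, while leaving ordinary desktop.ini files untouched."""
import os
import tempfile


def find_redlof_artifacts(root, delete=False):
    """Return (hits, skipped).

    hits    : every folder.htt, plus every desktop.ini whose text mentions a
              folder.htt (the assumed hook that loads the .htt on folder open)
    skipped : desktop.ini files with no such reference, which are left alone
    With delete=True the hits are removed after they are collected.
    """
    hits, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}          # case-insensitive, as on Windows
        if "folder.htt" in names:
            hits.append(os.path.join(dirpath, names["folder.htt"]))
        if "desktop.ini" in names:
            path = os.path.join(dirpath, names["desktop.ini"])
            with open(path, "r", errors="replace") as fh:
                text = fh.read().lower()
            (hits if "folder.htt" in text else skipped).append(path)
    if delete:
        for path in hits:
            os.remove(path)
    return hits, skipped


def build_sample_tree():
    """Constructed sample: one folder wired up the way the reply describes,
    one folder with a benign desktop.ini that only sets an icon."""
    root = tempfile.mkdtemp(prefix="redlof_demo_")
    suspect = os.path.join(root, "Docs")
    benign = os.path.join(root, "Pictures")
    os.makedirs(suspect)
    os.makedirs(benign)
    with open(os.path.join(suspect, "folder.htt"), "w") as fh:
        fh.write("<html><!-- constructed placeholder, no script --></html>\n")
    with open(os.path.join(suspect, "desktop.ini"), "w") as fh:
        fh.write("[ExtShellFolderViews]\nPersistMoniker=file://folder.htt\n")
    with open(os.path.join(benign, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits, skipped = find_redlof_artifacts(root)
    print("would delete:", *hits, sep="\n  ")
    print("left alone:", *skipped, sep="\n  ")
```

Run it first without delete=True against the drive root and read the list; only then rerun with delete=True. On the real machine the files are hidden and system-flagged, but os.walk lists them regardless, so the Folder Options step is only needed for the GUI search.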
 

Kl@w-24

Slideshow Bob
@FunkyB and IG, see the filename:

*in.geocities.com/sreejithrk86/task.jpg

It's 'svchostt.exe'. Viruses deliberately use filenames that resemble system files. In this case, the filename is similar to 'svchost.exe'. So it's not a system process, but a virus.
 

Kl@w-24

Slideshow Bob
@IG, check this file: C:\WINDOWS\System32\winmon.exe. Is it something you installed? It is also registered as a service. Check its properties (date created, modified) and also see its description in Services ([Start]>>[Run]>>'services.msc').
 

it_waaznt_me

Coming back to life ..
Re: point taken.

IG said:
C:\WINDOWS\System32\winmon.exe

You've got a virus... Here is the removal info...

To proceed with your HijackThis log, run HijackThis again, put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect   (Lol... don't remove this one :) )
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex

And by the way... are you sure you posted the whole log? I don't see any DPF info here... and not the version info either...
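
The two checks made by hand in the replies above, Kl@w-24 reading 'svchostt.exe' as a near-miss of 'svchost.exe' in the Task Manager screenshot, and it_waaznt_me picking out the winmon.exe O4 entries that carry no path and sit in three launch points, can both be run over the log text itself. The script below is an added example written for this page; it is not HijackThis code and was not posted by anyone in the thread. The SYSTEM_PROCESSES allow-list, the 0.9 similarity threshold and the sample log (a few process and O4 lines from IG's post plus a constructed 'svchostt.exe' process line standing in for what sr_ultimate's screenshot showed) are all assumptions made here.

```python
"""Triage a HijackThis log for the two signs the thread points at:
near-miss names of Windows system processes, and Run-key entries that
name a bare executable with no path."""
import ntpath
import re
from difflib import SequenceMatcher

# Assumed allow-list of core Windows process names. An exact match is fine;
# a name that is *almost* one of these (svchostt.exe) is treated as a lookalike.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
LOOKALIKE_THRESHOLD = 0.9   # assumption; tune for your own allow-list

# Constructed sample log: process and O4 lines taken from IG's post, plus one
# made-up 'svchostt.exe' process line standing in for sr_ultimate's screenshot.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchostt.exe
C:\\WINDOWS\\System32\\winmon.exe
C:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe

O4 - HKLM\\..\\Run: [AVG_CC] C:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe /startup
O4 - HKLM\\..\\Run: [Windows Monitor] winmon.exe
O4 - HKLM\\..\\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\\..\\RunOnce: [Windows Monitor] winmon.exe
O4 - Startup: SpywareGuard.lnk = C:\\Program Files\\SpywareGuard\\sgmain.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
EXE_RE = re.compile(r'\s*"?(.*?\.exe)\b', re.IGNORECASE)


def lookalike(filename):
    """Return the system process name that `filename` imitates, or None.
    Exact matches are not lookalikes; only near-misses above the threshold are."""
    name = filename.lower()
    if name in SYSTEM_PROCESSES:
        return None
    best, score = None, 0.0
    for sys_name in SYSTEM_PROCESSES:
        r = SequenceMatcher(None, name, sys_name).ratio()
        if r > score:
            best, score = sys_name, r
    return best if score >= LOOKALIKE_THRESHOLD else None


def running_processes(log):
    """Basenames listed under 'Running processes:' up to the first blank line."""
    names, collecting = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.append(ntpath.basename(line.strip()).lower())
    return names


def autorun_image(cmd):
    """Image path from a Run-key value: everything up to the first '.exe',
    so 'C:\\Program Files\\...\\x.exe /flag' survives its embedded space."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.strip().split()[0] if cmd.strip() else ""


def triage(log):
    """Return {'processes': {name: imitated}, 'autoruns': {exe: details}}.
    An autorun is reported if its image is a bare filename (so it is resolved
    through the search path rather than a fixed location) or a lookalike."""
    report = {"processes": {}, "autoruns": {}}
    for proc in running_processes(log):
        hit = lookalike(proc)
        if hit:
            report["processes"][proc] = hit
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        image = autorun_image(m.group("cmd"))
        exe = ntpath.basename(image).lower()
        bare = "\\" not in image and "/" not in image
        hit = lookalike(exe)
        if bare or hit:
            entry = report["autoruns"].setdefault(
                exe, {"bare": bare, "lookalike": hit, "launch_points": []})
            entry["launch_points"].append(m.group("key"))
    return report


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for name, detail in hits.items():
            print(f"{kind}: {name} -> {detail}")
```

The two rules are deliberately independent: winmon.exe is not close enough to any system name to trip the similarity check (it scores below the threshold against winlogon.exe), but it is caught because its Run, RunServices and RunOnce values are bare filenames, while svchostt.exe is caught purely on its name. A bare filename in a Run key is worth a second look even when it turns out to be legitimate, since whichever copy sits first on the search path is the one that runs.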
 

sr_ultimate

Journeyman
OK, now my whole computer is not working. I'm in a cyber cafe. My computer says disk error; while rebooting XP it has to restart, but after restarting it again says boot failure, which means it does not boot now!!!!!!!!!!!!!!!


MAN, I'm dead
 

FunkyB

Broken In
@Kl@w-24
Enlightened and humbled... thankfully my Task Manager seems to show nothing suspicious...

Hey, can you guys help me out too... we have a 128k PPPoE net connection in the office... it was an 'always on' type connection, but recently Calcutta Telephones has introduced a dialer as an authentication interface. The problem is that the connection works fine on the machine it is directly connected to, but we can't share it... even after enabling ICS on WinXP Pro and disabling the built-in firewall nothing works. Also, before the dialer, the main machine was assigned a static IP; now it has a dynamic IP... any suggestions or links where I can get more info... do I have to install a proxy server, and if I have to, which one is the best? We have about 12 machines on the LAN right now and want to share the connection with only 2... help please...
 