I scanned and realised I have this virus, and I deleted it.
Then I tried scanning again, and it comes back up... Anyone can help?
Something could be loading under Internet Explorer that is causing problems.
Do the following:
1. Download HijackThis from here and install it -
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
2. Click on Open Misc Tools section
3. Under System Tools, click on Open Process Manager
4. Scroll down and find this process - C:\Program Files\Internet Explorer\iexplore.exe
5. Tick the Show DLLs box
6. Click on Diskette button to save a log file. Then post back this log.
Ok, here's the log (I use firefox most of the time though, don't use IE for most of my surfing):
Process list saved on 1:55:46 PM, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
656 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
732 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
776 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
788 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
940 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4124 ATI Technologies Inc.
964 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1132 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1176 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1280 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe 10.1.0.1 Intel Corporation
1336 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe 10.1.0.33 Intel Corporation
1928 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe 103.5.6.3 Symantec Corporation
2040 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 103.5.6.3 Symantec Corporation
356 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
420 c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe 9.4.0.1120 Logitech
508 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 1.14.0.0 Apple, Inc.
708 C:\Acer\Empowering Technology\admServ.exe 1.5.28.78 Avocent Inc.
1420 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4124 ATI Technologies Inc.
1648 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
1820 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe 5.0.1.1200 Broadcom Corporation.
1896 C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe 4.5.0.2307
1940 C:\WINDOWS\system32\CTsvcCDA.exe 1.0.1.0 Creative Technology Ltd
1960 C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe 2.1.0.1815 Cyberlink
1976 C:\Program Files\Symantec AntiVirus\DefWatch.exe 10.0.2.2000 Symantec Corporation
540 C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe 2.1.0.1815 Cyberlink
1228 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
1052 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1408 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
1732 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe 10.1.0.1 Intel Corporation
2064 C:\Program Files\CyberLink\Shared Files\RichVideo.exe 1.0.0.1321
2092 C:\Program Files\Symantec AntiVirus\SavRoam.exe 10.0.2.2000 symantec
2176 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2304 C:\Program Files\Symantec AntiVirus\Rtvscan.exe 10.0.2.2000 Symantec Corporation
2536 C:\WINDOWS\system32\5.exe
2588 C:\WINDOWS\AGRSMMSG.exe 2.1.47.0 Agere Systems
2676 C:\WINDOWS\WY Server.exe
2744 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2832 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe 1.11.0.0 ATI Technologies Inc.
2872 C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe 4.5.0.2307
2932 C:\WINDOWS\RTHDCPL.EXE 2.0.2.8 Realtek Semiconductor Corp.
2952 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE 1.0.6.523 Dritek System Inc.
2984 C:\Acer\Empowering Technology\eRecovery\Monitor.exe 1.3.7.6 acer Inc.
3004 C:\Acer\Empowering Technology\admtray.exe 1.6.23.36 Avocent Inc.
3020 C:\Acer\Empowering Technology\ePower\ePower_DMC.exe 0.0.5.3 Acer Incorporated
3056 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 7.12.13.0 Synaptics, Inc.
3112 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 7.12.13.0 Synaptics, Inc.
3124 C:\Program Files\Common Files\Symantec Shared\ccApp.exe 103.5.6.3 Symantec Corporation
3132 C:\PROGRA~1\SYMANT~1\VPTray.exe 10.0.2.2000 Symantec Corporation
3200 C:\WINDOWS\system32\LVCOMSX.EXE 9.4.0.1120 Logitech
3428 C:\Program Files\Acer\OrbiCam\CameraAssistant.exe 9.4.0.1117 Acer
3528 C:\WINDOWS\system32\ElkCtrl.exe 8.5.0.1137 Logitech Inc.
3536 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
3564 C:\Program Files\QuickTime\QTTask.exe 7.3.0.80 Apple Inc.
3652 C:\Program Files\iTunes\iTunesHelper.exe 7.5.0.20 Apple Inc.
3680 C:\WINDOWS\system32\NotifyPhoneBook.exe
3688 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe 6.0.30.5 Sun Microsystems, Inc.
3720 C:\Program Files\MSN Messenger\msnmsgr.exe 8.1.178.0 Microsoft Corporation
3784 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
904 C:\WINDOWS\system32\wuauclt.exe 7.0.6000.381 Microsoft Corporation
1788 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe 5.0.1.1200 Broadcom Corporation.
1008 C:\WINDOWS\system32\wbem\unsecapp.exe 5.1.2600.0 Microsoft Corporation
4044 C:\Program Files\iTunes\iTunes.exe 7.5.0.20 Apple Inc.
576 C:\Program Files\iPod\bin\iPodService.exe 7.5.0.20 Apple Inc.
4036 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe 1.11.0.0 ATI Technologies Inc.
3648 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe 1.11.0.0 ATI Technologies Inc.
3992 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 11.0.8202.0 Microsoft Corporation
4680 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20080.20121 Mozilla Corporation
5208 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
DLLs loaded by process C:\Program Files\Internet Explorer\IEXPLORE.EXE:
[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 Microsoft Corporation
C:\WINDOWS\system32\USER32.DLL 5.1.2600.3099 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.3159 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.3173 Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USP10.dll 1.420.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\AVICAP32.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSVFW32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.3241 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.3268 Microsoft Corporation
C:\WINDOWS\system32\COMCTL32.dll 5.82.2900.2982 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0.2900.2982 Microsoft Corporation
C:\WINDOWS\system32\ws2_32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\wsock32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\mpr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msacm32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\wininet.dll 6.0.2900.3268 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3266 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 Microsoft Corporation
C:\WINDOWS\system32\uxtheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 Microsoft Corporation
C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\wshbth.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 Microsoft Corporation
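Since the process list above is what the thread turns on, here is an added example (not part of the thread) of how a HijackThis process list can be triaged automatically: it parses the `[pid] [full path] [file version] [company name]` lines and flags entries with no version resource or company name, a purely numeric file name, or an unversioned file sitting directly in the Windows directory. The sample input is constructed from paths in the log above; missing metadata is a triage signal, not proof, since several legitimate OEM utilities in this very log lack it too.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the HijackThis process list above
# (the paths are copied from that log; the selection of lines is mine).
SAMPLE_LOG = r"""
Process list saved on 1:55:46 PM, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
656 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
2304 C:\Program Files\Symantec AntiVirus\Rtvscan.exe 10.0.2.2000 Symantec Corporation
2536 C:\WINDOWS\system32\5.exe
2676 C:\WINDOWS\WY Server.exe
2744 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
3680 C:\WINDOWS\system32\NotifyPhoneBook.exe
"""

# One log line: pid, a path ending in .exe (may contain spaces), then an
# optional dotted version number and an optional company name.
LINE_RE = re.compile(r"^(\d+)\s+(.+?\.exe)(?:\s+(\d+(?:\.\d+)+))?(?:\s+(.+))?$", re.I)


@dataclass
class ProcessEntry:
    pid: int
    path: str
    version: Optional[str]
    company: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_process_list(text: str) -> List[ProcessEntry]:
    """Parse every process line; header and platform lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, path, version, company = m.groups()
            entries.append(ProcessEntry(int(pid), path, version, company))
    return entries


def triage(text: str) -> List[ProcessEntry]:
    """Return only the entries that deserve a closer look, with the reasons."""
    flagged = []
    for e in parse_process_list(text):
        parent, name = e.path.rsplit("\\", 1)
        if e.version is None:
            e.reasons.append("no file version resource")
        if e.company is None:
            e.reasons.append("no company name")
        if re.fullmatch(r"\d+\.exe", name, re.I):
            e.reasons.append("purely numeric file name")
        if parent.lower() == "c:\\windows" and e.version is None:
            e.reasons.append("unversioned file directly in the Windows directory")
        if e.reasons:
            flagged.append(e)
    return flagged
```

Running `triage(SAMPLE_LOG)` flags pids 2536, 2676 and 3680; the first two are the entries the thread's responders would want the poster to look up first.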
Is IE running when you run the HijackThis scan?
Nope, only Firefox...
I think you are better off reformatting your computer. Something is loading IE silently. As it's a backdoor (according to Symantec), passwords may have been stolen. Change all your passwords from a clean computer or after you've reformatted.
Holy sh!t ! So there is no way to clear it? Oh gosh...
Clear the files? Yes.
But be ultra sure that your system is fine? No.
With Windows, there's no such thing as a guarantee. What viruses can modify is beyond our eyes. Even with monitoring software, we can only reverse a % of what the virus has done.
With backdoors, it may be worse. God knows what has been modified.
Thanks Mayi! Guess I'll have to reformat my computer after my exams then... Can't afford to lose my information during this period...
You can back them up somewhere else.
Before I finish my exams and reformat my computer, should I just delete the file? I've found this site:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-040217-2506-99&tabid=m3
And when I followed the instructions until the end process part, this comes out:
Should I end all the svchost.exe processes? Sorry to trouble you again Mayi or someone else replying to me. Thanks!
NO.
Anyhow, ending svchost.exe will crash your computer.
Kindly see the sticky and post back the required log in a link please.