Old 01-05-2006, 05:44 AM
omi
Re: Need help fixing virus

Thanks for the tool and help.

I've been trying multiple things the last few days to get rid of the bugs,
without result.
I've tried a format of my HD and installed basic WinXP and some MSI without
updates,
installed MultiAV, updated and ran a scan (results below).
I'm still leaking up- & downstream.

Now I've done a full update of all systems including Norton.
Strange thing is that Norton has an automatic rule for
"MS Generic Host Process for Win32 Server"
> C:\Windows\System32\svchost.exe

I get a popup from Norton every now and then confirming this.
When I performed a clean install of Windows on a formatted drive,
this same svchost.exe is in my start-up menu.
At this time it is leaking MBs up- & downstream.
Also I have AntiVir, which is the one that discovered the exploit at the
webpage, too late.
But AVGNT.exe is also leaking MBs.

There's a virus somewhere hidden on my PC;
I've rebooted with the Win-XP CD and deleted an 8 MB sized partition which has
been created automatically, I presume.
Formatted C: and installed Windows.
dang... svchost.exe is acting weird already.
pff, if formatting doesn't help
I'm lost.

need help badly
cheerz
--------------------------------------------------------------------
Sophos Anti-Virus
Version 4.01.0 [Win32/Intel]
Virus data version 4.01, January 2006
Includes detection for 116927 viruses, trojans and worms
Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

System time 15:40:35, System date 04 January 2006
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive
-opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos


Full Scanning

Could not open c:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP67\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP68\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP69\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP70\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP71\snapshot\ComDb.Dat (corrupt)
Could not check c:\WINDOWS\Help\sysdm.chm\/$FIftiMain (corrupt)
Could not check c:\WINDOWS\Registration\R000000000003.clb (corrupt)
Could not check c:\WINDOWS\Registration\R000000000006.clb (corrupt)
Could not check c:\WINDOWS\Registration\R000000000007.clb (corrupt)
Could not open c:\WINDOWS\system32\config\system.LOG
Could not check c:\WINDOWS\system32\emptyregdb.dat (corrupt)
Could not open d:\

3 master boot records swept.
24605 files swept in 57 minutes and 33 seconds.
16 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.
---------------------------------------------------------------------
01/04/2006 17:37:51


Options:
"C:" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Program Files\BearShare\Installer\saveinstwm.exe ... Found potentially
unwanted program Adware-SaveNow.
The file or process has been deleted.
C:\Program Files\Common
Files\Real\WeatherBug\MiniBugTransporter.dll\00017 b68.EXE ... Found
potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\Program Files\VVSN\VVSN.exe ... Found potentially unwanted program
Adware-SaveNow.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 58875
Clean: ................. 58806
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 3
Non-critical Error(s): 1
Master Boot Record(s): ......... 3
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:32.20

--------------------------------------------------------------

"David H. Lipman" wrote:

> From: "omi" <omi@discussions.microsoft.com>
>
> | Hello,
> |
> | 2 days ago i bumped into a site that contains an exploit
> | xp-firewall or antivir did nothing, norton started to give "automatic rule
> | confirmation" to explorer, or something like that, about 10 pop-ups very
> | rapidly
> | i turned off my pc but it was too late
> | my pc started to run slower and had constant up&downstream which i could not
> | turn off with xp-firewall or norton
> | so i formatted and reinstalled but nothing has changed
> |
> | antivir now recognises the exploit when u open the webpage:
> | Contains signature of the exploits EXP/MS05-013
> | located in
> | Temp Internet files\content.ie5\vklse64k\search[1].htm
> | -------- Location Website > !!! >
> | http://crackspider.net/search.shtml?q=hotmetal
> |
> | can someone tell me how to get rid of this nasty thing ?
> | cheerz
> | omi
>
> There are anti virus News Groups specifically for this type of discussion.
>
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in Normal Mode.
> This way all the components can be downloaded from each AV vendor's web site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
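As an added example (not code from the post, from Dave's reply, or from the Multi_AV tool), a small Python parser for the Sophos and McAfee report lines posted above: it re-joins the lines the post wrapped, keeps the "Could not open/check" errors (locked registry hives, corrupt restore points) apart from real detections, and gives a verdict. The report it parses is a constructed excerpt modelled on the two logs above.

```python
import re

# Constructed excerpt modelled on the Sophos and McAfee reports posted above (same line wrapping).
SAMPLE_REPORT = r"""Could not open c:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not check c:\WINDOWS\system32\emptyregdb.dat (corrupt)
24605 files swept in 57 minutes and 33 seconds.
2 errors were encountered.
No viruses were discovered.
C:\Program Files\Common
Files\Real\WeatherBug\MiniBugTransporter.dll\00017 b68.EXE ... Found
potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
"""
STARTER = re.compile(r"^(?:Could not |[A-Za-z]:\\|The |\d|No viruses|Scanning|Summary|Ending|[A-Z][\w() -]*: |$)")
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \.\.\. Found potentially unwanted program (?P<name>\S+)\.$")
UNREADABLE = re.compile(r"^Could not (?:open|check) (?P<path>.+?)(?: \(corrupt\))?$")

def unwrap(text):
    """Re-join wrapped records: a line that does not look like the start of a record continues the previous one."""
    lines = []
    for line in text.splitlines():
        if lines and not STARTER.match(line):
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_report(text):
    """Extract scan counts, paths the scanner could not read, and detections with the action taken."""
    r = {"files_swept": 0, "errors": 0, "unreadable": [], "viruses_found": None, "detections": []}
    for line in unwrap(text):
        if m := UNREADABLE.match(line):
            r["unreadable"].append(m["path"])
        elif m := re.match(r"(\d+) (files swept|errors were encountered)", line):
            r["files_swept" if m[2].startswith("files") else "errors"] = int(m[1])
        elif line == "No viruses were discovered.":
            r["viruses_found"] = False
        elif m := DETECTION.match(line):
            r["detections"].append({"path": m["path"], "name": m["name"], "actions": []})
        elif line.startswith("The ") and line.endswith("deleted.") and r["detections"]:
            r["detections"][-1]["actions"].append(line)
    return r

def triage(r):
    """'Could not open/check' errors are locked hives or corrupt files, not infections; only detections count."""
    if r["viruses_found"] is False and not r["detections"]:
        return "clean"
    return "cleaned" if all(d["actions"] for d in r["detections"]) else "action needed"
```

Note that a verdict of "cleaned" only means the scanner removed what it recognised; the svchost.exe traffic described in the post would not show up in either report.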
