Need help fixing virus

Guest

Hello,

2 days ago I bumped into a site that contains an exploit :(
xp-firewall or antivir did nothing, norton started to give "automatic rule
confirmation" to explorer, or something like that, about 10 pop-ups very
rapidly
I turned off my pc but it was too late
my pc started to run slower and had constant up&downstream which I could not
turn off with xp-firewall or norton
so I formatted and reinstalled but nothing has changed :(

antivir now recognises the exploit when you open the webpage:
Contains signature of the exploits EXP/MS05-013
located in
Temp Internet files\content.ie5\vklse64k\search[1].htm
-------- Location Website > !!! >
http://crackspider.net/search.shtml?q=hotmetal

can someone tell me how to get rid of this nasty thing?
cheerz
omi
 
David H. Lipman

From: "omi" <[email protected]>

There are anti-virus newsgroups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

thnx for the tool and help

I've been trying multiple things the last days to get rid of the bugs,
without result
I've tried a format of my hd and installed basic winxp and some msi without
updates
installed MultiAV, updated and ran a scan (results below)
I'm still leaking up&downstream :(

now I've done a full update of all systems including norton.
strange thing is that norton has an automatic rule for
"MS Generic Host Process for Win32 Server"
C:\Windows\System32\svchost.exe
I get a popup from norton every now and then confirming this
When I performed a clean install of windows on a formatted drive
this same svchost.exe is in my start-up menu
at this time it is leaking Mb's up-&downstream
also I have AntiVir which is the one who discovered the exploit at the
webpage, too late :(
but AVGNT.exe is also leaking Mb's :(

there's a virus somewhere hidden on my pc,
I've rebooted with win-xp cd and deleted an 8Mb sized partition which has
been created automatically I presume.
formatted C: and installed windows
dang... svchost.exe is acting weird already
pff if formatting doesn't help
I'm lost :(

need help badly
cheerz
--------------------------------------------------------------------
Sophos Anti-Virus
Version 4.01.0 [Win32/Intel]
Virus data version 4.01, January 2006
Includes detection for 116927 viruses, trojans and worms
Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

System time 15:40:35, System date 04 January 2006
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive
-opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos


Full Scanning

Could not open c:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\NetworkService\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP67\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP68\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP69\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP70\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume
Information\_restore{01460F71-D3F1-4684-B727-CBC37948DA33}\RP71\snapshot\ComDb.Dat (corrupt)
Could not check c:\WINDOWS\Help\sysdm.chm\/$FIftiMain (corrupt)
Could not check c:\WINDOWS\Registration\R000000000003.clb (corrupt)
Could not check c:\WINDOWS\Registration\R000000000006.clb (corrupt)
Could not check c:\WINDOWS\Registration\R000000000007.clb (corrupt)
Could not open c:\WINDOWS\system32\config\system.LOG
Could not check c:\WINDOWS\system32\emptyregdb.dat (corrupt)
Could not open d:\

3 master boot records swept.
24605 files swept in 57 minutes and 33 seconds.
16 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.
---------------------------------------------------------------------
01/04/2006 17:37:51


Options:
"C:" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML
"C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Program Files\BearShare\Installer\saveinstwm.exe ... Found potentially
unwanted program Adware-SaveNow.
The file or process has been deleted.
C:\Program Files\Common
Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found
potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\Program Files\VVSN\VVSN.exe ... Found potentially unwanted program
Adware-SaveNow.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 58875
Clean: ................. 58806
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 3
Non-critical Error(s): 1
Master Boot Record(s): ......... 3
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:32.20

--------------------------------------------------------------

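Added here as an illustration and not part of the thread: a small Python parser for the McAfee command-line report format quoted in the post above. The sample input is constructed from the lines in the post, including the mid-sentence line wrapping the mail client introduced, and the cross-check compares the report's "Deleted" counter with the detection entries, a sanity check worth doing before acting on such a report.

```python
import re

# Constructed sample modelled on the McAfee report quoted above (line wrapping kept as posted).
SAMPLE_REPORT = r"""Scanning C:\*.*
C:\Program Files\BearShare\Installer\saveinstwm.exe ... Found potentially
unwanted program Adware-SaveNow.
The file or process has been deleted.
C:\Program Files\Common
Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found
potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\Program Files\VVSN\VVSN.exe ... Found potentially unwanted program
Adware-SaveNow.
The file or process has been deleted.
Summary report on C:\*.*
Total files: ........... 58875
Deleted: ............... 3
"""

DETECTION = re.compile(r"^(?P<path>.+?) \.\.\. Found (?P<kind>.+?) (?P<name>\S+)\.$")
SUMMARY = re.compile(r"^(?P<key>[^:]+):\s*\.*\s*(?P<value>\d+)$")

def parse_report(text):
    # Returns (detections, summary): one dict per detection plus the summary counters.
    detections, summary, pending = [], {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Scanning", "Summary report", "File(s)")):
            continue
        if m := SUMMARY.match(line):
            summary[m["key"].strip()] = int(m["value"])
            continue
        if line.startswith("The "):  # action lines always follow the detection they apply to
            detections[-1]["actions"].append(line)
            continue
        # A detection may be wrapped over several lines; join until the sentence ends with "."
        pending = f"{pending} {line}" if pending else line
        if pending.endswith("."):
            if d := DETECTION.match(pending):
                detections.append({**d.groupdict(), "actions": []})
            pending = ""
    return detections, summary

def deleted_consistent(detections, summary):
    # Cross-check: the "Deleted" counter should equal the detections whose file was removed.
    removed = sum("The file or process has been deleted." in d["actions"] for d in detections)
    return removed == summary.get("Deleted")
```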
 
David H. Lipman

From: "omi" <[email protected]>

| thnx for the tool and help
|
| I've been trying multiple things the last days to get rid of the bugs,
| without result
| I've tried a format of my hd and installed basic winxp and some msi without
| updates
| installed MultiAV, updated and ran a scan (results below)
| I'm still leaking up&downstream :(

Remove the WeatherBug software. It has introduced adware/spyware into the computer.


Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
 
Guest

hello david,

last time I tried lavasoft ad-aware it was freeware,
seems like its success has changed it into payware :(
so this one I can't try

I tried the spybot S&D
still leaking Mb's :(

I also dl'ded some more
so at this time I'm using:
AntiVir
BHODemon
clean mcafee
KASFX
Multi AV
Norton internet security 2005
spybotsd
Sysclean FE

I think I better try and install everything all over again
But as my system gets infected during installation I think I need something
which I can use for booting
I'm not much of an expert
but I think I need a tool which I can execute after primary installation of
windows and mainboard msi
without updates or connection to the internet

or maybe better, something i can use for scanning, fixing, deleting files
after the disk is formatted

What's best to use for this kind of thing ?

I've installed windows about 5 times the last 3 days :((


----- Original Message -----
From: "David H. Lipman" <[email protected]>
Newsgroups: microsoft.public.windowsxp.security_admin
Sent: Wednesday, January 04, 2006 7:23 PM
Subject: Re: Need help fixing virus
 
David H. Lipman

From: "omi" <[email protected]>

| hello david,
|
| last time I tried lavasoft ad-aware it was freeware,
| seems like its success has changed it into payware :(
| so this one I can't try
|
| I tried the spybot S&D
| still leaking Mb's :(
|
| I also dl'ded some more
| so at this time I'm using:
| AntiVir
| BHODemon
| clean mcafee
| KASFX
| Multi AV
| Norton internet security 2005
| spybotsd
| Sysclean FE
|


SyscleanFE -- Written by me and is incorporated in the Multi AV Scanning Tool.
clean mcafee -- McAfee Clean Tool and written by me and is incorporated in the Multi AV
Scanning Tool.
KASFX -- Written by Art Kopp, uses a GUI based scanner but uses the same Kaspersky
signatures as the Kaspersky module in the Multi AV Scanning Tool.

Ad-aware SE v1.06 is FREE !

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10399602.html?tag=list
 
Guest

I had those programs from the website at your sign

so I dl'ded a free copy of adaware
but now I can't update the thing :(
it says "The downloaded definitions could not be read,
please update again"

sigh
 
