problem with a trojan

Discussion in 'NOD32 version 2 Forum' started by guest, Feb 3, 2006.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Hi I am having some major issues with a Trojan.
    This is the info NOD32 gives me,

    Time: 2/2/2006 15:52:56 PM
    Module Object: AMON
    File Name: C:\WINDOWS\system32\wmsmgs.exe
    Threat: Win32/Codbot trojan
    Action: quarantined - deleted
    User: NT AUTHORITY\SYSTEM
    Information: Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.


    So I ended that file. wmsmgs.exe comes up every time my PC starts; even though I deleted it from the startup, it still starts up and I am not sure which process starts it. Also my PC loads very very very slowly now when I boot up; once in Windows, if I Ctrl+Alt+Delete and close the wmsmgs.exe process, then it is fine. I really need help with this one guys, thanks.
     
  2. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    Start the computer in safe mode and then scan your PC with NOD32.
    The virus is in your Windows memory.
     
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Sounds like you need to do a Hijack This! scan/log. That program is available here: http://www.merijn.org/files/hijackthis.zip

    Log analysis is not available from Wilders anymore, but if you send me the log (via PM) I'll be more than happy to look at it for you. Just do not fix entries without having the log analyzed.
     
  4. guest

    guest Guest

    shanijee, I tried to boot in safe mode and run a NOD32 scan, but it said this:
    Error occurred while scanning operating memory. System memory cannot be scanned (the kernel service is not running or an error occurred while loading nod32m1.vxd).
     
  5. guest

    guest Guest

    n8chavez, I have sent you the scan log.
     
  6. guest

    guest Guest

    I actually think I deleted the file, but for some reason each time my computer boots up it loads the trojan; but when Windows actually starts it doesn't load it, because I took it off from startup. So that is why my Windows loads soooo slowly, because of the trojan, but once in Windows my PC seems fine.

    Can anyone help me with this tricky one?
    Perhaps some NOD32 employee or something.
     
  7. guest

    guest Guest

    Windows still loads very very slowly before I log into my Windows account, and also sometimes my System process and System Idle Process take 100% of resources when I am not doing much.

    Hopefully someone can help me track this thing down, because I really don't want to format.
     
  8. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
    Have you tried booting into safe mode and, instead of using NOD32 to try to get rid of the trojan, using something like ewido or some other trojan scanner to see if it can detect and remove the file properly?
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Have you tried looking in your Services (Control Panel -> Administrative Tools -> Services)?
    Perhaps it's something there. ;) Or if you can't manage it, try to scan your PC online with Bit Defender or install ewido. :)
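    The log in the first post shows the file being touched by svchost.exe under NT AUTHORITY\SYSTEM, and the slowdown happens before logon, so pykko's suggestion to look in Services fits the evidence. As an added example (not posted by anyone in this thread), this PowerShell snippet lists Run/RunOnce registry entries and service image paths that reference a given file name; `$Target` is an assumed parameter, defaulting to the file name from the NOD32 log, and the script must be run as Administrator.

```powershell
# Added example, not from the thread: find autostart entries that reference a file name.
# $Target is an assumed parameter; the default is the file name from the NOD32 log above.
param([string]$Target = 'wmsmgs.exe')

$pattern = [regex]::Escape($Target)
$hits = @()

# 1. Run / RunOnce keys for the machine and for the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Services: svchost.exe hosts services, and the AMON event names svchost.exe
#    as the accessing application, so check every service's image path too.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ($_.PathName -and ($_.PathName -match $pattern)) {
        $hits += [pscustomobject]@{
            Source  = "Service: $($_.Name) (start mode $($_.StartMode))"
            Name    = $_.DisplayName
            Command = $_.PathName
        }
    }
}

if ($hits.Count -eq 0) {
    "No Run/RunOnce or service entry references $Target"
} else {
    $hits | Format-Table -AutoSize
}
```

    A hit under Services names the service to disable (and then remove) before deleting the file; a hit under a Run key names the value to delete. A file that comes back with no entry in either place points at a loader elsewhere, which is where a Hijack This! log, as suggested earlier in the thread, helps.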
     
  10. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    The System Idle Process is *supposed* to take up 100% of the CPU when the computer is idle. This is by design. It is more or less how Windows says, "Nothing is going on." ;)

    Of course, anything else taking up 100% would be a problem. When looking at the process list in the Task Manager, you can sort by the different categories by clicking on the headers. For example, to sort by CPU usage, click on the header that says "CPU" once to sort it in descending order, and again to sort it in ascending order. This makes it much easier to see what is sucking up all the CPU.
     
  11. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    When I'm doing nothing, my pc is doing something. Probably indexing files or something. Quite normal though.
     
  12. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Maybe so, but then those other processes would show CPU usage. System Idle Process accounts for CPU time that has not been assigned to any threads. By its definition, then, when the computer is perfectly idle, it will be at 100%. Since the computer never is truly idle, it hovers in the 97%-99% range when "nothing" is going on.
     
  13. divedog

    divedog Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    265
    Location:
    Seabeck WA
    It should look like this.
     

  14. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi:

    Did you turn off system restore, reboot and then run a Scan & Clean?

     
  15. divedog

    divedog Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    265
    Location:
    Seabeck WA
    Have you tried a scan in safe mode with Ewido? Have you tried a Hijack this log?
     
  16. guest

    guest Guest

    OK, I think I am going to give this Ewido program a try. Can I install it on top of NOD32 without a problem? Because I know security programs often conflict with each other.
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There should be no issue at all, but if you do run into problems, please do post about the problem in our ewido anti-malware forum.
     
  18. guest

    guest Guest

    No, that Ewido program found nothing; it just found some cookies, that's it.
     
  19. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK