Unknown virus

Discussion in 'malware problems & news' started by madcatz, Jul 15, 2003.

Thread Status:
Not open for further replies.
  1. madcatz

    madcatz Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    1
    Dear all,
    I Believe I have picked up a virus. Here's what it does. I am running XP. When I start up my computer it is very slow. I opened up task manager and noticed that my proccesser usage is at 100% 98% of this is related to system32exe. The only way I can stop this is to end the process in task manager. Obviously I want to get rid of this. I have downloaded a program called Hyjack this and below is a log of what it reported. It's a long read as unfortunatly this site will not accept the format it is saved in can anyone offer me some guidance. I am no computer wiz so asimplified explaination would be highly appreciated. I look forward to some help Thankyou.

    Logfile of HijackThis v1.95.0
    Scan saved at 22:58:35, on 15/07/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Documents and Settings\Owner.Julies.002\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searching-4u.com/search_page.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://broadband.blueyonder.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://uk4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program Files\Flt\Flt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem211.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
    O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.gvc.co.uk/sunsetview/level1/level2/svideo3.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi madcatz,

    First of all, we are quite used to the posting of HijackThis logs, it's one of the best tools available to pin-point startup entries related to infections. :)

    Now, once you've killed off the system32.exe in the task manager, have you tried to delete the file (program) itself? Your HijackThis log shows it sitting in this location: C:\WINDOWS\System32\System32.exe

    Since that is not a valid WinXP file, deleting it is a good first step. Next, with HijackThis, you can click in the box at the beginning of a found startup item, specifically in this case the [ ] F0 entry:

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

    by just checking that one item and pressing the [Fix checked] button, it should repair that item and prevent it from starting on the next reboot.

    Can you do both (delete the file and repair the entry) and reboot to see if that addresses the problem?

    There may be other items in your HijackThis log worth fixing, but, this is a good first step and I'm not the expert on fixing things like BHO's and other hijacks.

    Oh, and by the way, Welcome to Wilders!!

    Best Wishes,
    LowWaterMark
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi MadCatz,

    In addition to the entry LWM pointed out I would recommend selecting and fixing the following (for these, you want to make sure that all other windows/programs are closed first)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.searching-4u.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.searching-4u.com/search_page.php
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program Files\Flt\Flt.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem211.dll
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

    Then do a reboot and delete the following

    C:\WINDOWS\nem211.dll

    c:\Program Files\Flt (the entire directory)

    C:\Program Files\NewDotNet\newdotnet4_88.dll

    Once this is done, please rescan with HijackThis and repost the log so we can be sure we got everything.

    Thx,

    Dan
     
  4. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    KwBot worm, I'm betting... :doubt:
     
  5. controler

    controler Guest

    Could be Mc afee running it's scan
     
  6. akcom

    akcom Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    9
    system32.exe sounds too trojan'ish to be an antivirus, and if i remember correctly, kwbot uses the filename xms32.exe (not related the programmer of optix)
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi All,

    At minimum, the following are candidates for the system32.exe

    Kitro.A

    Mari

    KwBot.C

    There are likely more as well.

    Regards,

    Dan
     
Loading...
Thread Status:
Not open for further replies.