W32.Beagle Problems

Discussion in 'adware, spyware & hijack cleaning' started by Taurendur, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. Taurendur

    Taurendur Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    Hello

    for a while, I've been finding files from the W32.Beagle Virus. Norton keeps alerting me that it's on my computer, but never does anything about it: "Action taken: Clean failed : Quarantine failed : Access denied"

    I downloaded the McAfee stinger and it registered something like 300 Virus notifications. I tried manually deleting some, but couldn't see them, in the C:\_RESTORE\TEMP folder (couldn't see the TEMP folder). I tried turning off system restore and running stinger, but the same thing happened (couldn't clean or quarantine, access denied).

    I can't tell if the virus has hurt my computer, but it's there. Is there anything to be done?

    I'm running Windows ME Plus

    Thanks so much

    Andrew
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Taurendur,

    Please follow instructions here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    One thing I don't understand is how the scaner was able to find the _RESTORE folder after you turned System Restore off, unless you did not reboot.

    Regards,

    Pieter
     
  3. Taurendur

    Taurendur Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    I ran ad-aware and then Hijack This, and these are the results

    Logfile of HijackThis v1.97.7
    Scan saved at 11:12:03 PM, on 6/25/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\THOTKEY.EXE
    C:\WINDOWS\SYSTEM\CBA\PDS.EXE
    C:\WINDOWS\SYSTEM\CBA\XFR.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSGSYS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\S3TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LTCM000C.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\DSLAUNCH.EXE
    C:\WINDOWS\SYSTEM\PROMON.EXE
    C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
    C:\TOSHIBA\IVP\ISM\PINGER.EXE
    C:\WINDOWS\SYSTEM\TWARNMSG.EXE
    C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/Toshiba/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://toshiba.my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
    O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
    O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
    O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\SYSTEM\i11r54n4.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {11111111-2222-3333-4444-555555555555} - https://www.taxsimple.com/citrix/federal.CAB
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27f1a1d75c685f41ed22/netzip/RdxIE601.cab
     
Thread Status:
Not open for further replies.