
virus

Postby Vermin87 » Mon Sep 26, 2005 2:16 am

Uh oh... first virus I've gotten that you can't just delete... I'm not sure exactly what is causing it, but I'm getting these popups from a website called www.security2k.net and then there are some files in my system32 folder I can't get rid of:
nvctrl.exe
mssearchnet.exe
HP31B4.tmp
ld7455.tmp

There's also a trojan called:
Trojan.Desktophijack.B

The nvctrl.exe and mssearchnet.exe are in my task manager, but when I delete them, they reappear right away, so I can't manually delete them because they're still running. I searched for both of them online and tried a number of things to fix it but nothing has worked so far.
I have used Panda ActiveScan, HijackThis, Ad-Aware SE Personal, Ewido Security Suite, and smitRem. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:39 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\rundll32.exe
G:\Program Files\JussPress\JussDrop\JussDrop.exe
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\WINDOWS\system32\CTHELPER.EXE
G:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
G:\WINDOWS\System32\CTsvcCDA.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\system32\wdfmgr.exe
G:\WINDOWS\System32\MsPMSPSv.exe
G:\WINDOWS\System32\alg.exe
G:\WINDOWS\system32\mssearchnet.exe
G:\WINDOWS\system32\nvctrl.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Verent\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbc.yahoo.com/
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - G:\WINDOWS\system32\hp31B4.tmp
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] G:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SBDrvDet] G:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "G:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [JussDropUtility] G:\Program Files\JussPress\JussDrop\JussDrop.exe /s
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] G:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = G:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - G:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - InterMute, Inc. - G:\Documents and Settings\Verent\Desktop\cwshredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

Can anyone help me out?
Nothing has worked online, but it's been different solutions for different people, so I'm hoping my case requires a certain way of fixing the problem and that's why I can't get rid of them.
PRO Level 2
Posts: 48
Joined: Mon Jun 13, 2005 4:29 am
Location: California
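An added example, not from this thread, from HijackThis or from any of the tools named in it: a short Python script that reads a log in the HijackThis v1.99.1 format posted above and pulls out the two things a reviewer would look at first in a case like this one. It lists every O-entry (BHO, Run key, service) whose target is a .tmp file rather than a normal executable, and every process running from the Windows directory that is neither a core system process nor referenced by any autostart or service entry in the same log. The log excerpt, the (deliberately short) allowlist of core process names and the extension list are constructed assumptions for the example, and the parser generalizes to any log in this format, not just the one above.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in HijackThis v1.99.1 log format (same layout as the log
# posted in the thread). It is sample input for this script, not a real capture.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:12:39 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\system32\mssearchnet.exe
G:\WINDOWS\system32\nvctrl.exe
G:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbc.yahoo.com/
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - G:\WINDOWS\system32\hp31B4.tmp
O4 - HKLM\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed, intentionally incomplete allowlist of core Windows XP process names.
# A real review would use a fuller list plus signature checks on the binaries.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "alg.exe",
}

# "O4 - ..." / "R0 - ..." style entry lines.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Quoted paths (may contain spaces) and bare tokens ending in a loadable extension.
QUOTED_RE = re.compile(r'"([^"]*)"')
TOKEN_RE = re.compile(r"(\S+?\.(?:exe|dll|tmp|scr|cpl|bat))(?=[\s,;]|$)", re.IGNORECASE)


def parse(log_text):
    """Split a HijackThis log into (running process paths, [(kind, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def target_names(body):
    """Lower-cased base names of every file an entry body references."""
    names = [PureWindowsPath(q).name.lower() for q in QUOTED_RE.findall(body)]
    rest = QUOTED_RE.sub(" ", body)   # drop quoted parts so tokens are not re-read
    names += [PureWindowsPath(t).name.lower() for t in TOKEN_RE.findall(rest)]
    return names


def analyse(log_text):
    """Return .tmp autostart targets and Windows-directory processes with no visible loader."""
    processes, entries = parse(log_text)
    referenced, temp_targets = set(), []
    for kind, body in entries:
        for name in target_names(body):
            referenced.add(name)
            if name.endswith(".tmp"):       # a temp file loaded as BHO/Run/service
                temp_targets.append((kind, name))
    unexplained = []
    for proc in processes:
        p = PureWindowsPath(proc)
        in_windows_dir = len(p.parts) > 1 and p.parts[1].lower() == "windows"
        name = p.name.lower()
        if in_windows_dir and name not in CORE_PROCESSES and name not in referenced:
            unexplained.append(proc)
    return {"temp_targets": temp_targets, "unexplained_processes": unexplained}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for kind, name in result["temp_targets"]:
        print(f"{kind} entry loads a temp file: {name}")
    for proc in result["unexplained_processes"]:
        print(f"running from Windows dir with no autostart/service entry: {proc}")
```

Run against the full log in the post, this flags the O2 line (hp31B4.tmp loaded as a browser helper object) and mssearchnet.exe and nvctrl.exe, which appear in the process list but in no O4 or O23 entry. A component loaded into the browser is one place a process can be relaunched from, so the O2 line belongs in the same review as the two processes; a few legitimate helper binaries without visible loaders will also appear, which is why the script is a triage aid and not a verdict.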

Postby kd1966 » Mon Sep 26, 2005 2:53 am

I notice you have a bit of Symantec stuff running... have you been to their website for more info on this trojan/virus? I have, and in a nutshell, these are their recc's:

# Disable System Restore (Windows Me/XP).
# Update the virus definitions.
# Run a full system scan and delete all the files detected.
# Delete any values added to the registry.

Only thing I personally would add to this procedure is to go to TrendMicro.com and do their free antivirus scan and the rest of your scans in safe mode, except that I don't believe Norton AV will scan in safe mode [I also run Spybot, Ad-Aware SE, and Ewido in safe mode... and Avast! AV or NOD32]

I am very leery about giving HJT advice in a forum, as you are giving us a great deal of "trust" and nobody knows just how knowledgeable anyone is... I hope you get your virus/trojan removed; I hope you consider a different AV and security solution in the future...
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Postby Vermin87 » Mon Sep 26, 2005 3:06 am

Thanks!!! I got it removed.
PRO Level 2
Posts: 48
Joined: Mon Jun 13, 2005 4:29 am
Location: California

Postby kd1966 » Mon Sep 26, 2005 3:13 am

Excellent!! Are you by chance running a firewall other than the XP?
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Postby Vermin87 » Mon Sep 26, 2005 3:26 pm

Yeah... my school requires a firewall to be installed or else it doesn't let us onto the network. Bleh... but so far it hasn't been very restricting. That's good and bad I guess!
PRO Level 2
Posts: 48
Joined: Mon Jun 13, 2005 4:29 am
Location: California

Postby kd1966 » Mon Sep 26, 2005 3:27 pm

Yeah, mostly bad... but since it's a school, they probably wouldn't react too kindly if you replaced it with another... lol
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC