Author Topic: to caz2k and all: vbs malware (script) VIRUS


Wing

  • Guest
to caz2k and all: vbs malware (script) VIRUS
« on: August 30, 2003, 03:20:43 PM »
http://win-wing.netfirms.com/flash/xiaobi2.swf
I have a problem, please help me:

Please listen to my story:
I found that, when Windows was shutting down, it waited until a "close program" window popped up. I needed to wait for one minute or two and press the "close program" key; it then continued to shut down...

This problem just started within a week:
I first downloaded RealPlayer 8.0 (Simplified Chinese version). It worked. But when I tried to uninstall it after 2 days, it didn't let me do this, and it hung... I needed to delete it manually....
...... a while (maybe less than one day...)
After that I then started ICQLite. This was the first time I had experienced problems, because when I expanded ICQLite's window, the window hung for a few seconds, so I needed to use ICQ2Go instead.
Later, I tried to update to the new Internet Explorer 6.0 (Chinese version). However, when it was restarting it hung again!! And then when it was going into Windows it hung, stopping at the wallpaper. That time, I could see what programs were running, but there was only a program called "mapiserv". It didn't even have "Explorer"... I needed to go into Safe Mode...
I recovered IE 6.0 and then Windows ran again....
Then, I got onto the Internet, downloaded Avast, and it found the virus (vb..Ma.........), and deleted two files:
C:\Windows\system\folder.htt
C:\Windows\system32\folder.htt

Lastly, the virus has been closed... However...

I still found that, when Windows was shutting down, it waited until a "close program" window popped up. I needed to wait for one minute or two and press the "close program" key; it then continued to shut down...

I found another problem: when I opened Control Panel from the Start Menu, I needed to wait for one minute or two, or even longer!!

When I opened folders in Find, I needed to wait for one minute or two, or even longer too (I tested with C:\Program files\common files\)!!


Please tell me how to fix the shutdown problem(s), and can you tell me what the virus might be. Thank you a lot!!!

Home-technical computer newbie,
Wing
tinylittlewing@hotmail.com
keep talking please...... and reply urgently...... please.........



Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:to caz2k and all: vbs malware (script) VIRUS
« Reply #1 on: August 30, 2003, 03:26:30 PM »
c:\Windows\system32\folder.htt

That could be a false alarm, which was fixed with the update to 308-3.

I do not know if StartupList will work with a Chinese Windows version, but try it and post the result: http://www.tomcoyote.org/hjt/startuplist.zip

It could be that your problem has nothing to do with malware (could be!)
Regards, Ralf

Wing

  • Guest
Re:to caz2k and all: vbs malware (script) VIRUS
« Reply #2 on: August 30, 2003, 03:31:50 PM »
So, my question is going to be shortened:

I still found that, when Windows was shutting down, it waited until a "close program" window popped up. I needed to wait for one minute or two and press the "close program" key; it then continued to shut down...

I found another problem: when I opened Control Panel from the Start Menu, I needed to wait for one minute or two, or even longer!!

When I opened folders in Find, I needed to wait for one minute or two, or even longer too (I tested with C:\Program files\common files\)!!


Please tell me how to fix the shutdown problem(s), and can you tell me what the virus might be. Thank you a lot!!!

Home-technical computer newbie,
Wing
tinylittlewing@hotmail.com
keep talking please...... and reply urgently...... please.........

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:to caz2k and all: vbs malware (script) VIRUS
« Reply #3 on: August 30, 2003, 03:41:28 PM »
Difficult to say; it has (maybe) nothing to do with a virus. Maybe there is a program that causes the shutdown problem. Maybe there is a conflict between two programs (maybe two active antivirus scanners). We need more info. The information StartupList gives may be useful, so with that info someone here will be able to help you.
Regards, Ralf

Wing

  • Guest
Re:to caz2k and all: vbs malware (script) VIRUS
« Reply #4 on: August 31, 2003, 04:55:10 AM »
The result:

StartupList report, 2003/8/31, AM 10:54:01
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\AALVOL.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\UMSD\UMSD.EXE
C:\WINDOWS\SYSTEM\MAPISVC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\啟動]
Office 啟動.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
internat.exe = internat.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
MAGICKB = MagStart.exe
EM_EXEC = c:\mouse\system\em_exec.exe
SM56ACL = sm56hlpr.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
NvColorInit = RUNDLL32.EXE NVQTWK.DLL,NvColorInit
PLoader = c:\program files\umsd\umsd.exe sys_auto_run C:\Program Files\UMSD
mapisvc32 = C:\WINDOWS\SYSTEM\MAPISVC32.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Hidserv = Hidserv.exe run
PersFw = "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
avast! = C:\Program Files\Alwil Software\Avast4\ashserv.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 29/8/2003, 18:17:54)

[Rename]
NUL=c:\windows\cookies\chan yi kee@atdmt[2].txt
NUL=c:\windows\cookies\chan yi kee@adserv.internetfuel[2].txt
NUL=c:\windows\cookies\chan yi kee@linksynergy[1].txt
NUL=c:\windows\cookies\chan yi kee@valueclick[1].txt
NUL=c:\windows\cookies\chan yi kee@bluestreak[1].txt
NUL=c:\windows\cookies\chan yi kee@bravenet[2].txt
NUL=c:\windows\cookies\chan yi kee@servedby.advertising[2].txt
NUL=c:\windows\cookies\chan yi kee@advertising[1].txt
NUL=c:\windows\cookies\chan yi kee@gator[2].txt
NUL=c:\windows\cookies\chan yi kee@doubleclick[1].txt
NUL=c:\windows\cookies\chan yi kee@qksrv[1].txt

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

PROMPT $p$g
TEMP=C:\WINDOWS\TEMP
CWBMIX /M=15,15 /W=15,15 /L=15,15 /M=7 /S=15,15 /C=15,15 /I=C
DOSKEY
MEM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL - {A5366673-E8CA-11D3-9CD9-0090271D075B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

啟動微調應用程式.job
Symantec NetDetect.job
微調磁碟清理程式.job
微調掃瞄程式.job
微調重組程式.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1108/V31Controls/x86/w98/zhtw/actsetup.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37861.8010185185

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,059 bytes
Report generated in 1.821 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
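
Editor's added example (not code from this thread, from StartupList, or from Avast): a small script that parses the report layout shown above and does the cross-checks a reviewer performs by hand on such a listing. It reconciles every Run/RunServices value with the "Running processes" list, resolving rundll32 lines to the DLL or CPL they load and coping with unquoted paths containing spaces, and it decodes the WININIT.BAK [Rename] section, where a destination of NUL means "delete the source file at next boot" (this is standard Win9x WININIT.INI behaviour; Windows renames the file to WININIT.BAK after processing it). The embedded report is a constructed excerpt of the listing posted above, trimmed for length.

```python
"""Parse a StartupList 1.52 report and cross-check its sections.
Added example, not part of the thread or of StartupList; it assumes only the
plain-text layout visible above (dashed separators, one header line per section)."""
import re
from ntpath import basename

# Constructed sample: an excerpt of the report posted above, trimmed for length.
SAMPLE_REPORT = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\MAPISVC32.EXE
C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PLoader = c:\program files\umsd\umsd.exe sys_auto_run C:\Program Files\UMSD
mapisvc32 = C:\WINDOWS\SYSTEM\MAPISVC32.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
PersFw = "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
avast! = C:\Program Files\Alwil Software\Avast4\ashserv.exe
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 29/8/2003, 18:17:54)
[Rename]
NUL=c:\windows\cookies\chan yi kee@gator[2].txt
NUL=c:\windows\cookies\chan yi kee@doubleclick[1].txt
--------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{10,}$", re.M)
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+([^,\s]+)", re.I)
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|cpl|scr))"?(?=\s|$)', re.I)

def split_sections(report):
    """Yield (header, body_lines) for each dashed-off section of the report."""
    for chunk in SEPARATOR.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def parse_report(report):
    """Return (running_processes, {registry_key: [(name, command)]}, [(dest, src)])."""
    procs, autoruns, renames = [], {}, []
    for header, body in split_sections(report):
        if header == "Running processes:":
            procs = body
        elif header == "Autorun entries from Registry:":
            key, entries = body[0], body[1:]
            autoruns[key] = [tuple(p.strip() for p in e.split("=", 1)) for e in entries]
        elif header.upper().endswith(("WININIT.INI LISTING:", "WININIT.BAK LISTING:")):
            # [Rename] lines are "dest=src"; a dest of NUL deletes src at next boot.
            in_rename = False
            for line in body:
                if line.startswith("["):
                    in_rename = line.lower() == "[rename]"
                elif in_rename and "=" in line:
                    dest, src = (p.strip() for p in line.split("=", 1))
                    renames.append((dest, src))
    return procs, autoruns, renames

def launched_binary(command):
    """Lower-case basename of the file a Run value actually loads. rundll32 is a
    generic host, so its entries resolve to the DLL/CPL it loads; unquoted paths
    with spaces are handled by scanning for the first executable extension."""
    command = command.strip()
    m = RUNDLL.match(command)
    if m:
        return basename(m.group(1)).lower()
    m = EXE_RE.match(command)
    exe = m.group(1) if m else command.split()[0].strip('"')
    return basename(exe).lower()

def cross_check(report):
    """Reconcile autostart entries with the process list; list pending WININIT deletes."""
    procs, autoruns, renames = parse_report(report)
    running = {basename(p).lower() for p in procs}
    result = {"running": [], "not_running": [], "unaccounted": [], "deleted_at_boot": []}
    autostart = set()
    for key, entries in autoruns.items():
        for name, command in entries:
            binary = launched_binary(command)
            autostart.add(binary)
            bucket = "running" if binary in running else "not_running"
            result[bucket].append((key.rsplit("\\", 1)[-1], name, binary))
    # Running but explained by no Run/RunServices value: core Windows components,
    # the Shell= line, the Startup folder, or something the user launched by hand.
    result["unaccounted"] = sorted(running - autostart)
    result["deleted_at_boot"] = [src for dest, src in renames if dest.upper() == "NUL"]
    return result

if __name__ == "__main__":
    print(cross_check(SAMPLE_REPORT))
```

On the excerpt this yields four Run/RunServices binaries that are running, three that are not (scanregw.exe and powrprof.dll exit normally after doing their job, so "not running" is not suspicious by itself), two running processes no autostart value explains (Explorer comes from the Shell= line in SYSTEM.INI, FlashGet was started by the user), and two cookie files queued for deletion at the next boot. The script only narrows the list; what remains in the "running" bucket, such as a value in C:\WINDOWS\SYSTEM that nothing on the machine obviously installed, still has to be looked up by filename and vendor before drawing any conclusion.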

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:to caz2k and all: vbs malware (script) VIRUS
« Reply #5 on: August 31, 2003, 07:31:15 AM »
I cannot see anything special regarding malware. One thing you can try is Spybot, but it only deletes spyware (Gator, e.g.) and will not fix your shutdown problem.

Regards, Ralf