Author Topic: Problem - Not sure if it's a virus  (Read 4641 times)


Staind

  • Guest
Problem - Not sure if it's a virus
« on: July 13, 2004, 10:06:30 PM »
Hi, I have windows XP pro and recently after I restarted the computer windows loaded up to half my desktop icons missing (My computer/my network places/Internet explorer/Firefox), Windows XP Tutorial popping up saying I should view it, and half of my programs on the start menu missing.  Also, I think my mouse drivers are gone or screwed up -> although hardware profiling says they're there, the mouse speed and agility is set so that it's almost uncontrollable. This is not normal.

I ran a scan with Avast!, Mcafee online scanner both of which found nothing.  Also, I tried restarting to last known good configuration which didn't help at all.  I would use system restore but it is disabled.

If anyone has any suggestions on what to do , please tell me.

PS. Microsoft released 5 new critical updates today.

Note: I've also noticed a new folder in my Documents and Settings called; Steve.STEVEN. This has not been there before.
« Last Edit: July 13, 2004, 10:14:41 PM by Staind »

lee16

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #1 on: July 13, 2004, 10:20:45 PM »
http://housecall.trendmicro.com/housecall/start_corp.asp (virus scanner)

http://www.ravantivirus.com/scan/indexie.php (virus scanner)

It might be a trojan, so try these spyware scanners spy sweeper > http://www.webroot.com/wb/downloads/index.php <,

adware > http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button <

spybot > http://www.safer-networking.org/en/mirrors/index.html <

Bazooka spyware scanner > http://www.kephyr.com/spywarescanner/supportus.phtml <

I know I gave a lot of scanners, I'm just trying to provide some variety for you.

Edit: I can't find any info on this steven.STEVEN folder from Google, but if you want to just scan the files inside it, try this scanner > http://www.kaspersky.com/scanforvirus <

--lee
« Last Edit: July 13, 2004, 10:27:10 PM by lee16 »

whocares

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #2 on: July 13, 2004, 10:29:41 PM »
Quote
Note: I've also noticed a new folder in my Documents and Settings called; Steve.STEVEN. This has not been there before.
Hi,

did you maybe accidentally log in under a slightly different name?

what user profiles are in Docs&Settings?
do you experience those symptoms under all profiles??

maybe post a HijackThis logfile: http://hjt.klaffke.de/en ;)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Problem - Not sure if it's a virus
« Reply #3 on: July 13, 2004, 10:32:08 PM »
Thanks for the critical updates notification. I don't know why that stupid Auto Update is in Windows if it doesn't update anything ::) I always have to download manually. It worked once a long time ago, but not anymore ???
Visit my webpage Angry Sheep Blog

Staind

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #4 on: July 13, 2004, 10:32:46 PM »
Hijack this:
(No I have not intentionally created a new user name, I am not sure why that would've been created.)

Logfile of HijackThis v1.97.7
Scan saved at 4:27:40 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Steve.STEVEN\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Anti-Keylogger 5.0] C:\Program Files\Anti-Keylogger\ak5_load.exe => doesn't exist anymore so I ended it
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38076.8247685185
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91FE6F8D-84AB-4E83-A2A0-968ABBD03846}: NameServer = 206.47.244.52,206.47.244.91

=> I thought about logging in as someone else, but under user accounts the only option is Steve. There is no Steve.STEVEN option.

Quote
do you experience those symptoms under all profiles ??
Sorry, missed this; the answer is no, I don't.
« Last Edit: July 13, 2004, 10:39:08 PM by Staind »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Problem - Not sure if it's a virus
« Reply #5 on: July 13, 2004, 10:34:11 PM »
Did you recently reinstall Windows in any way?
Visit my webpage Angry Sheep Blog

Staind

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #6 on: July 13, 2004, 10:37:20 PM »
No. The only program I have installed in the last 24 hours is MusicMatch Jukebox (I wanted to see if it was better at handling CDs than Winamp), which I uninstalled recently.

whocares

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #7 on: July 13, 2004, 10:51:44 PM »
Quote
1)
C:\Documents and Settings\Steve.STEVEN\

2)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab


Hi,

@1)
"Steve" is the user name (probably the default admin user)
"STEVEN" is the computer name

--> So it's User.COMPUTER here,
this might indeed happen if you reinstall/overinstall Windows..
or something crumbled up your profiles..

if you can't manage to repair the profile manually, you might want to try copying one profile that's working and then set the name accordingly..
This can however go badly wrong if you don't know what you're doing!!
(And be sure to give the new profile/user ADMIN rights..)


@2) the log seems clean to me, apart from the quoted entries, which are unknown or suspicious. If you don't need them, fix them (they will be reloaded next time you visit the site, if necessary..) ;)

P.S.:
KAV says:
alaunch.cab tagged as not-a-virus:RiskWare.Downloader.SpyGame.
« Last Edit: July 13, 2004, 10:54:40 PM by whocares »
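As an added example (not code from the thread, from HijackThis, or from its author), a small Python triage script for the two points in this reply: the USER.COMPUTER profile-folder naming and the O16/O4 log entries worth a second look. The vendor allowlist and the set of "existing" paths are assumptions constructed for the example so it runs offline.

```python
"""Added example (not from the thread or from HijackThis): triage helpers for a
HijackThis log like the one above. Flags O16 entries with no source URL or an
unexpected host, O4 autorun targets that are missing, and USER.COMPUTER folders."""
import re
from urllib.parse import urlparse

# Constructed allowlist for this example only; substitute the vendors you trust.
TRUSTED_HOSTS = {"download.macromedia.com", "fpdownload.macromedia.com",
                 "v4.windowsupdate.microsoft.com", "www.microsoft.com", "download.mcafee.com"}
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? -\s*(\S*)$", re.I)
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] "?([A-Z]:\\[^"]*?\.exe)"?', re.I)
PROFILE_RE = re.compile(r"^([^.]+)\.([^.]+)$")

def review_o16(line):
    """Reason an O16 (Download Program Files) entry deserves a look, or None."""
    m = O16_RE.match(line)
    if not m:
        return None
    clsid, name, url = m.groups()
    label = f"{clsid} ({name or 'unnamed'})"
    if not url:
        return f"{label}: no source URL recorded"
    host = (urlparse(url).hostname or "").lower()
    return None if host in TRUSTED_HOSTS else f"{label}: unknown source host {host}"

def review_o4(line, existing_paths):
    """Flag an O4 Run entry whose absolute target is not in existing_paths (passed
    in so this runs offline; on the machine itself use os.path.exists)."""
    m = O4_RE.match(line)
    if not m:                 # non-absolute launchers such as RUNDLL32 are skipped
        return None
    hive, key_name, target = m.groups()
    if target.lower() not in {p.lower() for p in existing_paths}:
        return f"{hive} Run [{key_name}]: target missing: {target}"
    return None

def suffixed_profiles(folder_names):
    """{folder: (user, suffix)} for USER.SUFFIX profile folders. Windows creates
    one when a folder for that user name already exists, so the suffix is
    normally the computer or domain name (Steve.STEVEN = user Steve on STEVEN)."""
    return {n: (m.group(1), m.group(2)) for n in folder_names
            if (m := PROFILE_RE.match(n))}

def triage(log_lines, existing_paths, profile_folders):
    """All findings from a log plus a Documents and Settings folder listing."""
    findings = [r for l in log_lines
                for r in (review_o16(l), review_o4(l, existing_paths)) if r]
    findings += [f"profile folder {f}: user {u!r}, suffix {s!r}"
                 for f, (u, s) in suffixed_profiles(profile_folders).items()]
    return findings
```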

Staind

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #8 on: July 13, 2004, 11:13:03 PM »
Quote
--> So it's User.COMPUTER here,
this might indeed happen if you reinstall/ overinstall windows..
or something crumbled up your profiles..

if you can't manage to repair the profile manually, you might want to try copying one profile that's working and then set the name accordingly..
This can however go badly wrong, if you don't know what you're doing !!
(And be sure to give the new profile/user ADMIN-rights..
Brief summary on how to do this?

Staind

  • Guest
Re:Problem - Not sure if it's a virus
« Reply #9 on: July 14, 2004, 07:39:07 AM »
Ok, here's what I did. Created a new user account, logged into that account. Deleted my old Steve account and the Steve.STEVEN folder from Documents and Settings. Although now everything appears to be back to default, programs are still installed and it's taking no time at all to set it back up the way I liked.

Thanks for all your support, especially to RejZoR who helped me for a couple of hours.