Help; I am normally a Mac user. I have Virtual PC running Windows 2000 Professional on my Mac and I downloaded some zip files and stupidly opened them, and now I am infected. I began noticing pop-ups, and my computer slowed down; so I began to try to sort through it.
Anyway I am so glad you guys are here! I did some reading on this forum, and I hope I've done a few things right to prepare.
I did an online virus scan with ETrust Antivirus webscanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx (I tried Kaspersky but it took too long-12 hrs and it was only 72% done!) and it said I had WormsWin.32.AlcanF and Worm Win.32.AlcanD. It talks about them here
http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=43266 and here:
http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=47335 It also said I had a third Backdoor IRC Trojan; I forgot the name of it. But, although it would find the files, it wouldn't delete them! I forced it to delete some of them, then I manually went in and removed the others, and tried to remove some registry entries; evidently not enough, because upon reboot it was all still there.
At least some of the infected files are in two invisible folders: C:\Program Files\winupdates (contains three-four infected files; a.tmp , a.zip which contains a movie.exe inside it, and winupdates.exe ), and this one is also invisible and all files infected: C:\Program Files\MsUpdates\ (contains three-four more infected files; a.tmp, a.zip and MSUpdate.exe - the a.zip file has a movie.exe file inside of it as I found when I moved it to the Mac desktop), and C:\xz.exe - those were from the ETrust online scan. I may have more; I am unsure as the online scan seemed faulty. I pulled the a.tmp file over to my Mac desktop and it opens as a "text" file (not really; looks more like a script of some sort) and makes reference to MSVBVM60.DLL. Other dlls it references are kernel32.dll, advapi32.dll, bszip.dll, wininet.dll, VBA6.DLL and there is a reference to a well-known website, imdb.com and a command about msupdate.azip.
I went into C:\WINNT\system32\ and deleted the following which the worm had created itself -- and now they are back again. I only knew they were bad by reading about them at
this link; apparently they hijack my system.
%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com
But when I rebooted, everything came back! I looked at the Properties of the above files and all of them are set to execute c:\system root\system32\AUTOEXEC.NT and c:\system root\system32\CONFIG.NT.
There is a suspicious looking folder (key date: Jan 6 2006) under C:\WINNT\system32\ called apptmgmt with a very suspicious-looking folder in it called S-1-5-21-52315564-243925014-1286765776-500
I had a dialer I think I got rid of, Bullseye Network, but I'm not sure. I doubt it! At one point I had a file called MC-110-12-000014.EXE and I manually deleted it but don't think I got rid of all the references. Then I have a persistent file called xz.exe that keeps showing up on reboot even though I deleted it and related files.
Also it has definitely hijacked my taskmanager. I cannot get to it; meaning I get a message when I attempt to run it from the Start/Run menu that "Another program is currently using this file." And when I attempt online virus scans it quits IE Explorer on me. I also am suspicious because I have three different Task manager files! I have C:\WINNT\TASKMAN.EXE 35 KB, and C:\WINNT\system32\taskman.exe 35KB and C:\WINNT\system32\TASKMGR.EXE 86 KB.
Kaspersky's partial scan didn't like my svchost.exe file; but I thought that it was supposed to be there in Windows 2000 in the system32 folder; what I am confused about is that from the Hijack This log it looks like there may be two of them running. I am also suspicious because my system32 folder was "hidden" from me and I don't know when that happened. There is both a "System32" and a "system32" folder listed in Hijack This log, but I can only see the system32 folder (lowercase) when I enable seeing system folders.
I read a bit around here, and I have ready in case you ask me to have them Evido's Security/Malware Suite ready to install; I will go ahead and download it and wait to hear from you for further instructions before installing. The Hijack this log below is before I downloaded Evido. I also have Windows Cleanup 4.0 but haven't run it yet (some of my games use Download folders as a default); I also downloaded pzpnetwork.zip and BFU.zip, unzipped them and put their contents in a folder called BFU. In case you ask me to have them. But I'm not going to do anything as I've been reading more and you give very custom answers to each problem. I got some ideas from
this thread even though it isn't mine; it seemed to have some good places to start!
Connectix is the name of the company that made Virtual PC, so I believe/hope those log entries (the ones specific to Connectix) are okay.
I have been fighting this for a few days. Any help would be appreciated! I am worn out. I am very afraid it has been logging my passwords, etc. and sending to unknown websites.

Thanks in advance!
Here is my Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 3:29:55 AM, on 1/9/2006
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CNTX\VPCSRVC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\VPCMap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\CNTX\VPCUSrvc.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MsUpdate\MsUpdate.exe
C:\WINNT\System32\scvhost.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VPCUserServices] C:\WINNT\CNTX\VPCUSrvc.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MsUpdate] C:\Program Files\MsUpdate\MsUpdate.exe /auto
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136184893562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Virtual PC Services Application (1-vpcsrvc) - Connectix - C:\WINNT\CNTX\VPCSRVC.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual PC Shared Folder Mapper (VPCMap) - Connectix - C:\WINNT\System32\VPCMap.exe
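
Added example (not part of the original post): a small triage pass over an excerpt of the log above. It folds process paths to lower case, since Windows treats `System32` and `system32` as the same folder, and flags image names that sit within two character edits of a core Windows process name without matching it. The `KNOWN` list and the edit-distance threshold are assumptions chosen for this illustration.

```python
import re
from collections import Counter

# Assumed reference list of core Windows process names (not from the post).
KNOWN = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
         "smss.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}

# Excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\scvhost.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
"""

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    # Return the known name this one resembles, or None (exact matches pass).
    if name in KNOWN:
        return None
    return next((k for k in sorted(KNOWN) if edit_distance(name, k) <= 2), None)

def triage(log):
    procs, autoruns = Counter(), []
    for line in log.splitlines():
        m = re.match(r"O4 - (\S+): \[(.+?)\] (.+)", line)
        if m:  # autorun entry: registry key, value name, command line
            exe = re.search(r'([^\\"]+\.exe)', m.group(3), re.I)
            if exe:
                autoruns.append((m.group(1), exe.group(1).lower()))
        elif re.match(r"[A-Za-z]:\\", line):  # running-process path
            procs[line.strip().lower()] += 1  # paths are case-insensitive
    names = {p.rsplit("\\", 1)[-1] for p in procs} | {e for _, e in autoruns}
    flagged = {n: lookalike(n) for n in names if lookalike(n)}
    keys = {n: sorted(k for k, e in autoruns if e == n) for n in flagged}
    return procs, flagged, keys
```

On this excerpt the two `svchost.exe` lines collapse to one path with two running instances, while `scvhost.exe` is flagged as resembling `svchost.exe` and is tied to both the `Run` and `RunServices` autorun keys.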