Does this sound like a virus? If so, which?

Jbroad572

Member
Mar 15, 2003
178
0
0
Well, I was downloading some audio software (not pirated) and I kept trying to open up exe files, but nothing would happen. So, I went to sleep and woke up in the AM and I try to search the web and it will browse but all my text is missing in Firefox and the pages are all distorted. I try opening up other programs and the same thing is happening, then I get a pop up stating some .dll file is missing or corrupt (don't remember exactly). So, I look to see if Symantec Antivirus is running in the system tray and it isn't. So, I reboot, then I get a screen telling me my boot sequence has been changed, I go in to the BIOS and everything looks fine, but every time I try to start now it just sticks on "Verifying DMI Pool".

What am I to do? I am praying I am not going to lose all of my information, photos, and music. Help me out if you can.
A couple of days ago Symantec caught a trojan horse virus and quarantined it, not sure if somehow it actually got through to my system or not.
 

daniel49

Diamond Member
Jan 8, 2005
4,814
0
71
what were you downloading exactly and from where?
can you get into safe mode?
list any error messages specifically it will help others help you.
what version norton av?
 

Calin

Diamond Member
Apr 9, 2001
3,112
0
0
There is a setting in registry that says what program you use to open what files, and what action the program must do (you could have a .ppt with action "Play" and .pps with action "Edit" - PowerPoint files).
If you have the .exe there with any other option but run, you'll have that kind of problem.
I think there is some kind of virus there - or let's call it malware. Good luck with recovery
 

Jbroad572

Member
Mar 15, 2003
178
0
0
Well what steps can you recommend for recovery? At the moment there are no error messages, because I can't boot into windows. When booting up, with my mobo it just sits on "Verifying DMI Pool". Usually after that it will start to boot up. When I get home this afternoon, I will try to clear the CMOS and see if that helps me get booted up.
 

Jbroad572

Member
Mar 15, 2003
178
0
0
Weird... I get home from work, clear the CMOS and I boot up like normal. I try to start up Symantec and it does, but as soon as I go to scan my drives it shuts down. My firewall also didn't start up as usual and I noticed my internet and download speeds are slower than 28.8k. So, I go to do a quick restore, so I boot in safe mode, go to restore, but forgot I disabled it, so I go back to log in normally and now my firewall and Symantec antivirus both start up like normal and my download speeds are back to normal. I have the antivirus software running now. Have you ever heard of anything like this? I don't want to relax yet, although everything appears as though it's normal.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Here are some questions:

1) are you on dial-up, or on broadband

2) if you are on broadband, do you have a router, or no router?

3) if you have a router, are any other computers hooked up to it besides yours, and what brand/model is the router.

4) what precise version of Symantec do you have, and is it, uh, legit in nature or not

5) What version and service pack of Windows do you have

6) Look in the Symantec logs and get me the name of the Trojan that it detected the other day, please. More info = good.

7) Download and run HijackThis from here and post the text in this thread

 

Jbroad572

Member
Mar 15, 2003
178
0
0
Originally posted by: mechBgon
Here are some questions:

1) are you on dial-up, or on broadband

Broadband

2) if you are on broadband, do you have a router, or no router?
Yes router. Net gear WGR614v4 with latest firmware

3) if you have a router, are any other computers hooked up to it besides yours, and what brand/model is the router.
Sister's laptop is connected, it is WEP protected.

4) what precise version of Symantec do you have, and is it, uh, legit in nature or not

8.1.0.825 with latest downloads

5) What version and service pack of Windows do you have
Windows XP Pro SP1

6) Look in the Symantec logs and get me the name of the Trojan that it detected the other day, please. More info = good.

Name= Trojan Horse... that's all it has

7) Download and run HijackThis from here and post the text in this thread

Logfile of HijackThis v1.99.1
Scan saved at 12:20:14 AM, on 1/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ITE\Smart Guardian\ITESmart.exe
C:\Program Files\RivaTuner\RivaTuner.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
Z:\Apps\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Handspring\Hotsync.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashFXP\flashfxp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Z:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youbettersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner\RivaTuner.exe" /T
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] Z:\Apps\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Handspring\register.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05b521c5d76a9887c206/netzip/RdxIE601.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JSB\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



CWShredder or HijackThis closes immediately after opening?
There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
Appears to be what was happening, but the crazy thing is now, everything seems to be working fine... let me know what you think.
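As an added example (not part of this thread, and not something HijackThis itself provides), the script below applies, in Python, the kind of first-pass checks a helper makes by hand over a log like the one above: a Start/Search Page entry that points at a site the owner never chose, a service registered for a file that is missing or lives in a Temp directory, and Winlogon Notify DLLs that deserve a publisher check. The sample lines embedded in it are constructed from entries in the log above; the allowlist of home-page hosts is an assumption made for the example and should be replaced with the sites you actually set.

```python
import re

# Constructed sample: a handful of lines in HijackThis v1.99 log format,
# modelled on entries from the log pasted above (not the complete log).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youbettersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\JSB\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Home/search-page hosts the machine's owner recognises (an assumption made for
# this example; adjust to the sites you actually set). Anything else found in
# an R0/R1 entry is reported as a possible browser hijack.
KNOWN_HOME_HOSTS = {"www.google.com", "www.msn.com", "www.microsoft.com"}

# Path fragments that mark a user Temp directory, in long and 8.3 form.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
PAGE_RE = re.compile(r"(?:Start|Search) Page\s*=\s*(\S+)")
HOST_RE = re.compile(r"^https?://([^/]+)", re.I)


def parse_entry(line):
    """Return (section, body) for an entry such as 'O23 - Service: ...', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def page_host(body):
    """Host of the URL in a 'Start Page = ...' or 'Search Page = ...' entry, or None."""
    m = PAGE_RE.search(body)
    if not m:
        return None
    h = HOST_RE.match(m.group(1))
    return h.group(1).lower() if h else None


def triage(log_text):
    """Return a list of (section, reason, detail) findings that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # headers, process list, blank lines
        section, body = entry
        lower = body.lower()
        if section in ("R0", "R1"):
            host = page_host(body)
            if host and host not in KNOWN_HOME_HOSTS:
                findings.append((section, "home/search page points at an unrecognised site", host))
        if section == "O23" and "(file missing)" in lower:
            findings.append((section, "service registered for a file that no longer exists", body))
        if section in ("O4", "O23") and any(t in lower for t in TEMP_MARKERS):
            findings.append((section, "autostart entry or service runs from a Temp directory", body))
        if section == "O20":
            findings.append((section, "DLL loaded by Winlogon at logon; confirm its publisher", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason} -> {detail}")
```

Run against the sample it reports four items: the youbettersearch.com start page, the hpdj service twice (missing file, and a Temp path), and the NavLogon Winlogon entry. Hits are leads to confirm against the vendor's file, not verdicts; a legitimate but uninstalled product leaves "(file missing)" services behind just as malware does.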
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Ok, next round:

1) Check your sister's computer for worms and viruses. Kaspersky beta web scanner. Might want to run yours through that too. Let it run overnight if you (or she) have lots of data to scan.

2) If your sister's computer has worms now or in the future, then your router isn't going to protect your computer from hers. So follow the tips here in Step #4, plus make sure you have a firewall on your system. If you don't like typing passwords, then install Microsoft's TweakUI Powertoy and set up auto-logon, but you want strong passwords.

3) Also make a text file with these commands in it, save it, then change it to a .BAT file. Browse to C:\Documents and Settings\All Users\Start Menu\Programs\Startup and drop it in there.

@echo off
REM Delete the default administrative shares at each boot (Windows recreates them on restart)
net share admin$ /delete
REM Repeat the next line for every other drive letter your system uses for hard drives
net share c$ /delete
net share IPC$ /delete
net share print$ /delete

This will delete as many of the administrative shares as practical upon each bootup, to help reduce your attack surface. Worms frequently use administrative shares to spread.

4) As soon as you're certain the system's clean, for gosh sakes upgrade to Service Pack 2, and run it through Microsoft Baseline Security Analyzer and some online port scans: link to resources & pic

5) You can also lock down your router to prevent traffic on the high-numbered ports that worms and backdoors like to use to "phone home." Info on that here for a different Netgear, it's easy to do and will get you some logs to help determine if there's something fishy going on (your computer trying to call out on ports it shouldn't). If you enable the lockdown and get some log output, PM it to me and I'll look at it.
 

Jbroad572

Member
Mar 15, 2003
178
0
0
I really appreciate your help Mechbgon. Are you sure updating to SP2 will be ok? I had heard a lot of horror stories about it.
Do you think that I should update to another antivirus client? I will probably use the same on my sister's computer as well.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
If you want the safest way of installing Service Pack 2, do it in Safe Mode so you know that none of the other programs (such as antivirus) will interfere. But first you want to be fairly certain that the computers are "clean." I would do it if it were me.

For antivirus protection, everyone has their own opinion on what's best (do a Search for threads with "antivirus" in the title and you'll see). I'm pimping the Kaspersky Personal if $42 per computer isn't too high: http://www.omnicast.net/~tmcfadden/guides/build/kaspersky.html I listed the reasons there.

McAfee is another fairly good one, and VirusScan 9.0 Pro is two licenses per box, but it has some annoying traits like their splash screen, and it's not very configurable, unlike the industrial-strength version that I use at work.
 