Need help with a Virus

[Le Québécois]

Hello every body, I hope you're all enjoying your hollydays.
I was until this little virus gave me trouble.
pwsteal.banpaes

Every time I boot my norton find it and deleted it.
If i scan after that norton doesn't find anything!

I've tryed every thing I could think of:
Followed norton web instruction.
End all process I wasn't too sure about.

But NOTHING does it!

Oh almost forgot. Norton detect the virus when I connect the computer to the internet.

 

[mechBgon]

Hi Le Q, I wonder if the virus is hiding in the System Restore files and being restored by Windows when you reboot. Here are instructions on how to disable System Restore and delete the existing System Restore files, if you have not done that already: link Good luck!

 

[Le Québécois]

Nope I didn't try it before you told me...but now I just did...rebooted, re-scan...same thing. Virus still apears at start up!
Oh god..why today when i'm due to pay my VISA card on the 30th!
After Notron gives me the message that a virus has been found and deleted, do you think I can connect safely to my bank?

 

[lobadobadingdong]

sounds like you are getting it from an internet source, are you running spybot, or adaware, or anything like that to make sure you don't have any spyware constantly re-connecting you to the source of the virus?

 

[Le Québécois]

Okay, I've tried every suggestion you gave me and nothing works. I still get the virus alert.

Any other idea guys (and girls)?

 

[dpm]

Hmm. that symantec page is singularly unhelpful about ways the virus spreads, and i can't find any other information on it.

If you only get notified when you connect to the internet, then you need to start checking out that vector. (apologies if I'm stating the obvious, or repeating things you've already done). Check your firewall is updated. Run spybot and Hijack this and see if they flag anything.

In fact, it might help if you posted your Hijackthis log file here, see if any of us could spot anything.

 

[azntiger0586]

info is here

-steals banking info. remove it asap.

-removal information is on the bottom.

Good Luck

 

[Le Québécois]

azntiger0586 :
Nope, this doesn't work either.

dpm :

I've run Ad-aware 6, isn't spybot the same thin?

Now with the Hijackthis....
Fist of all I get an error message when I lunch the program, here it is :

An unexpected error has occurred at procedure: frmMain_LoadSettings()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.97.7

This message has been copied to your clipboard.

And now with the result running the program:

Logfile of HijackThis v1.97.7
Scan saved at 18:16:55, on 2003-12-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\msreg.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sensiva\Sensiva.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\svchostc.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nico\Bureau\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://gamespot.com/gamespot/filters/0,10850,6013054,00.html"); (C:\Program Files\Netscape\Users\morfanos\prefs.js)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINDOWS\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sensiva] C:\Program Files\Sensiva\Sensiva.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O11 - Options group: [!IESearch] !IESearch
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2354A44B-3CEB-4829-9940-545B03103538} (PowerPlr Control) - http://218.77.120.250/etv/plugin/PowerPlr.ocx
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab
O16 - DPF: {2D0C7226-747E-11D6-83F0-00E04C4A2F90} (Mediachip ADPlayer Control) - http://videoad.sohu.com/video/MCADPlayer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://www.xiliao.com/talk.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.7578125
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {A8A0582B-725E-455E-8D23-6C3B012E8B78} (LiveOcx Control) - http://61.138.223.4/clntocx/3cxplayer1.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CF85459D-DFA7-4028-A065-3C6D1356DCC8} (CertInstall Control) - http://gd.chinavnet.com/CertInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85204951-B7BD-4F2F-89E9-FC22A97F0DF5}: NameServer = 206.47.244.89 206.47.244.105



Now keep in mind that I'm not the only one using my computer. My gf is chinese so if you find strange thing, it might be some of her program.

 

[dpm]

Spybot S&D does much the same thing as adaware, but the two are complimentary - they each often find things the other misses.Also, it has a very useful immunize feature, which blocks some of the most common ad/spywares from installing themselves.

Anyway, both adaware and your virus checker are only as good as the definintions they use - have you updated both of them in the last week?

If you haven't already sorted this problem out, then a cursory check through your log reveals a few more problems. As well as the banpaes virus you mentioned, a few more seem to be on your system.

Firstly - svchost.exe is a legitimate windows file. However, quite a few viruses disguise themselves to look like it.

You have running svchosts.exe and svchostc.exe. More than one virus uses these filenames as a disguise, so I can't tell you what you have running, but is likely that you have two viruses such as Backdoor.Sdbot.E and TrojanSpy.Win32.Tofger.h .

These are both trojans - they let a hacker control your pc through irc commands. It is quite possible that it is one of these that reinstalls banpaes automatically when you connect to the internet, to steal your banking info.

There are a few of the other entries that i have not heard of, but this could well be because they are from chinese programs.
I'm a bit concerned about these download entries;

O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab

they look like some kind of spyware, but i'm not familiar with them. Sophos says one of them may well be App/Dynade-A, which it seems to imply is malign, but doesn't explain why.

Anyway, your main problem are the trojans, which your virus checker really should have spotted. My best guess is that you haven't updated your definitions for a while and it doesn't know to look for them. If your subscription is expired then I can recommend AVG antivirus, which is available free for home use.

good luck, and let me know if i can be of any more help

 

[Le Québécois]

Both my norton and ad-aware are up to date ( i look for norton update every 2 days or so ).
The only virus found is the one i told you about.

Since my last post I did some search myself and found those two ( svchostc et s ). I didn't know if winxp needed them so i renamed then, not deleted them. I can tell you this about those 2. when i connect to the internet i got 3 additionals running processes, those 2 and one other. Since I changed their names, none of those 3 processes activate when i connect to the net....but I STILL get the danm virus warning!

 

[Le Québécois]

Here is my last Hijackthis log. Oh btw even when my zonealarm is in STOP mode before i connect to the net i still get the virus ( with the ZA lock nothing should be able to pass....)

Logfile of HijackThis v1.97.7
Scan saved at 17:32:14, on 2004-01-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\msreg.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sensiva\Sensiva.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nico\Local Settings\Temp\Répertoire temporaire 1 pour hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://gamespot.com/gamespot/filters/0,10850,6013054,00.html"); (C:\Program Files\Netscape\Users\morfanos\prefs.js)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINDOWS\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sensiva] C:\Program Files\Sensiva\Sensiva.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O11 - Options group: [!IESearch] !IESearch
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2354A44B-3CEB-4829-9940-545B03103538} (PowerPlr Control) - http://218.77.120.250/etv/plugin/PowerPlr.ocx
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab
O16 - DPF: {2D0C7226-747E-11D6-83F0-00E04C4A2F90} (Mediachip ADPlayer Control) - http://videoad.sohu.com/video/MCADPlayer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://www.xiliao.com/talk.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.7578125
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {A8A0582B-725E-455E-8D23-6C3B012E8B78} (LiveOcx Control) - http://61.138.223.4/clntocx/3cxplayer1.cab
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
O16 - DPF: {CF85459D-DFA7-4028-A065-3C6D1356DCC8} (CertInstall Control) - http://gd.chinavnet.com/CertInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85204951-B7BD-4F2F-89E9-FC22A97F0DF5}: NameServer = 206.47.244.89 206.47.244.105

 

[Princeman]

Some low tech suggestions- disconnect that comp from the internet till the prob is fixed.
Plan A-Go to Safe Mode and try to blast the virus with AVG. Search google for tools to remove the bug.
Plan B- Format the c: dirve and reinstall windoze. Make a Ghost Image or Drive Image of the new c drive after you get all your drivers, updates and stuff re-installed, and update Zone Alarm. You make have to make a D partition to store the backup on. Save your data to D. Next time this happens restore your backup. No more virus.

 

[Le Québécois]

Latest news:
I just run this great little online antivirus and heres the logbitdefender

:C:\Documents and Settings\Nico\.jpi_cache\jar\1.0\a.jar-5dde5271-5a90153e.zip=>a.class infected: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nico\.jpi_cache\jar\1.0\ar.jar-24c8383a-2694c4f0.zip=>B.class infected: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nico\.jpi_cache\jar\1.0\ar.jar-24c8383a-2694c4f0.zip=>V.class infected: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\3F9BRHK8\actalert[1] infected: Trojan.Downloader.Dyfuca.E
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\3F9BRHK8\actalert[1] deleted
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\3F9BRHK8\winpup[1].exe infected: Trojan.StartPage.AE
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\3F9BRHK8\winpup[1].exe deleted
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\6TZ05K7I\optimize[1].exe infected: Trojan.Downloader.Dyfuca.G
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\6TZ05K7I\optimize[1].exe deleted
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\KJFJ6WHH\istsvc[1].exe infected: Trojan.Downloader.Istbar.N
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\KJFJ6WHH\istsvc[1].exe deleted
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\MBUR6L6R\istbar[1].dll infected: Trojan.Istbar.H
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\MBUR6L6R\istbar[1].dll deleted
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\MBUR6L6R\nem214[1] infected: Trojan.Downloader.Dyfuca.J
C:\Documents and Settings\Nico\Local Settings\Temp\Temporary Internet Files\Content.IE5\MBUR6L6R\nem214[1] deleted
C:\Program Files\Internet Optimizer\optimize.exe infected: Trojan.Downloader.Dyfuca.G
C:\Program Files\Internet Optimizer\optimize.exe deleted
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 331)=>[Subject: Undelivered Message: User unknown][Date: Fri, 19 Sep 2003 06:10:22 -0400 (EDT)]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 331)=>[Subject: Undelivered Message: User unknown][Date: Fri, 19 Sep 2003 06:10:22 -0400 (EDT)]=>(MIME part)=>cbdjsy.exe infected: Win32.Swen.A@mm
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 332)=>[Subject: Latest Network Critical Upgrade][Date: Fri, 19 Sep 2003 06:07:22 -0400 (EDT)]=>(MIME part)=>q818679.exe infected: Win32.Swen.A@mm
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 342)=>[Subject: Advice][Date: Tue, 23 Sep 2003 12:15:22 -0500]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 362) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 364)=>[Subject: Undeliverable Mail Returned To Sender][Date: Sun, 28 Sep 2003 18:00:50 +0200 (added]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 380)=>[Subject: Mail]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Inbox=>(message 387)=>[Subject: Bug Announcement]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 94)=>[Subject: Undelivered Message: User unknown][Date: Fri, 19 Sep 2003 06:10:22 -0400 (EDT)]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 94)=>[Subject: Undelivered Message: User unknown][Date: Fri, 19 Sep 2003 06:10:22 -0400 (EDT)]=>(MIME part)=>cbdjsy.exe infected: Win32.Swen.A@mm
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 95)=>[Subject: Latest Network Critical Upgrade][Date: Fri, 19 Sep 2003 06:07:22 -0400 (EDT)]=>(MIME part)=>q818679.exe infected: Win32.Swen.A@mm
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 99)=>[Subject: Advice][Date: Tue, 23 Sep 2003 12:15:22 -0500]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 115)=>[Subject: Undeliverable Mail Returned To Sender][Date: Sun, 28 Sep 2003 18:00:50 +0200 (added]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 117) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 118)=>[Subject: Mail]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Netscape\Users\morfanos\Mail\Trash=>(message 125)=>[Subject: Bug Announcement]=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\WINDOWS\nem214.dll infected: Trojan.Downloader.Dyfuca.J
C:\WINDOWS\nem214.dll deleted
C:\WINDOWS\system32\13593691.exe infected: Trojan.StartPage.AE
C:\WINDOWS\system32\13593691.exe deleted
C:\WINDOWS\system32\98199099.exe infected: Trojan.StartPage.AE
C:\WINDOWS\system32\98199099.exe deleted
C:\WINDOWS\system32\svchostcochon.exe=>(PeX 0.99) infected: Trojan.Dropper.Daemonize.C
C:\WINDOWS\system32\svchostcochon.exe deleted
C:\WINDOWS\system32\svchostsavon.exe=>(PeX 0.99) infected: Trojan.Dropper.Daemonize.C


I have rebooted, manually deledted those corrupted files....and still get the danm virus..so now...im scanning again.

 

[dpm]

Good god. I can't believe that Norton missed all of those.

Your box has been thoroughly, thoroughly compromised, to a scary degree. If it was mine I wouldn't trust it again until I'd formatted and clean installed.

Backup only the most important personal files, format the hard disk(s) (it may also be worthwhile contacting a priest about an exorcism ) and reinstall windows. Have a copy of zonealarm and a virus checker (i would dump norton, and use AVG instead) on hand, on a burnt cd, so that you can install them before you connect to the internet for the first time - i'd physically unplug the network cable until then. Then install all the windows patches you can find, update your definitions, and...

Sit down with anyone who uses the computer, and have a serious talk about how it is to be used from now on. Stress to them how serious this is - they could easily find someone breaking into their bank accounts and stealing their money otherwise. At least some of those bugs were picked up from downloading malicious programs, so you need to be more careful about what sites you visit and what you download.

 

[Hyperlite26]

Hi, I have always had good luck w\ Norton & Symantec's cleaning prog's; However, 2 nights ago my buddy had the jeefo virus and he had been working on it for 7 or 8 hrs to clean using symantec's fixes, but they didnt work.

He was getting ready to format and I told him to hold up a bit. I did some searching & tryed sophos fix utility and it picked up many more of the infected files but not all... problem still there.

A little more searching and I found some 1 else w\ his same problem. Go here and dl their free-trial copy of antivirus software >>>http://www.pandasoftware.com/

It cleaned up his mess right up. I dont know if it will fix yours but its a free dl and worth a shot ;]

If it helps let us know.

 

[Le Québécois]

Sorry guys if i didn't gave you any update....but I got a virus myself ( not the computer ) and i've been doing 102-103 F all week long...


I'm really amaze to see how much Norton seem useless...each time i try a new anti virus ...i find some more virus...now im trying panda...2 memory and 2 files infected so far.....Ill give you update later...

 

[Le Québécois]

Ah..at last....no more virus!
Thx all of you.