Hi, Ive just overcome a problem/virus which was tormenting my computer however, due to the way I stopped it I know its still on my system but unable to load.

Scanned Computer with:
AVG, Avast, Pc-Cillin online, nod32 30 trial, antivir, spybot s&d, ad-aware se and pandasoftware online.
Result: NO VIRUS! (some spyware and other nastys: REMOVED)

The Virus/Problem:
browsing became very slow, and the entire of windows was unstable, explorer.exe would crash, and Id even see drwsn.exe come up and crash all for no reason.
when checking the taskmanager, i found i had firefox.exe loaded even though the browser was not active. when ending task on it, it would simply reload.
checking other fourms i found a very flacky fourm with someone with the same problem, and someone recommended switching the default browser to something else and restarting. I did this and the process loaded up now with the name iexpore.exe.

fustrated, due to the fourm continueing with out a formable solution I started to go my own way and attack the thing head on.

My Solution:

I started by going into the system32 folder arranging icons by modified, then opening them one by one in notepad.exe to sift though the data looking for anything suspicus. very quickly, I come accross a file called msnmsg without any extention, when I opened this, it contained every last bit of information of what I was doing, on my computer, right down to browsing my computers system32 folder.
1st I decided to delete the file. but as soon as I hit refresh, it was back. next I simply made the file "read only" and contiued to work.
To my supprise it had stopped the logging. it seemed like as long as the file was there (in read only mode) it couldnt write to it or attempt to renew it.
when I saw this I restarted my pc.
Once the computer had restarted, I attempted to get into taskmanager but i couldnt. guessing that the virus had locked me out, I decided to open system mechanic and lock then unlock the taskmanager, as soon as i hit apply I tryed again, and i was in however I still had the iexplore.exe there, and it still reloaded when clicking end task.

I then went back into system mechanic, opened process manager, clicked on options, expert mode, clicked on ok. right clicked on explorer.exe clicked stop process. then I quickly clicked iexpore.exe and clicked on "stop process and provent from starting" it took a few Attempts but evetully stopped the process from loading even after restarting the computer.

So, why am I telling you all this?
well, its still somewhere on my computer, and I would like to get rid of it, as I dont know if it could still be active, just merged with another task or something.

when it was loaded, I could not find it anywhere in my Adminisrative Controls/Services or in System Mechanics Startup Manager.

HijackThis Log file (since stopping the service):

Logfile of HijackThis v1.99.1
Scan saved at 14:52:08, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\ABIT\ABIT uGuru\uGuru.exe
D:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
D:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Documents and Settings\Chiller1\Desktop\hijackthis\HijackThis.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Documents and Settings\Chiller1\Desktop\hijackthis\HijackThis.exe /startupscan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153772128671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - D:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Hope you can Help

Recommended Answers

All 9 Replies

You MUST have only one active antivirus installed
(anti-virus now, you can have as many anti-spyware programs as you like) so choose one and uninstall the rest. More than one active AV can cause serious conflicts and cause system crashes, as well as false positives. I recommend keeping Anitvir.

Your log is clean.

Run ActiveScan online virus scan:
When the scan is finished, save the results from the scan

Post the log here with a new HIjackthis log.

I know I have a lot of virus checkers installed at the min, but I only have one which is allowed to fully load. I no longer have Nod32 on my system, however I had problems during the uninstall, im guessing thats why they are still in my log.

Pandasoftware Results:

Incident Status Location

Spyware:Cookie/Xiti Not disinfected D:\Documents and Settings\Chiller1\Application Data\Mozilla\Firefox\Profiles\yz9ejld3.default\cookies.txt[.xiti.com/]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Chiller1\Application Data\Mozilla\Firefox\Profiles\yz9ejld3.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Chiller1\Application Data\Mozilla\Firefox\Profiles\yz9ejld3.default\cookies.txt[.com.com/]
Spyware:Cookie/QkSrv Not disinfected D:\Documents and Settings\Chiller1\Application Data\Mozilla\Firefox\Profiles\yz9ejld3.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Toplist Not disinfected D:\Documents and Settings\Chiller1\Application Data\Mozilla\Firefox\Profiles\yz9ejld3.default\cookies.txt[.toplist.cz/]
Possible Virus. Not disinfected D:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
Spyware:Cookie/Doubleclick Not disinfected D:\Program Files\iolo\System Mechanic 6\Undo\Manual\{2F41DF96-4279-4340-89C4-795D0A29DA03}\{43C151AB-037A-4820-9331-217C5ABB7A5E}.txt[{43C151AB-037A-4820-9331-217C5ABB7A5E}.txt]
Spyware:Cookie/Com.com Not disinfected D:\Program Files\iolo\System Mechanic 6\Undo\Manual\{2F41DF96-4279-4340-89C4-795D0A29DA03}\{47DBE927-9DDC-4F09-AA1F-D59469C268C8}.txt[{47DBE927-9DDC-4F09-AA1F-D59469C268C8}.txt][.com.com/]
Spyware:Cookie/Statcounter Not disinfected D:\Program Files\iolo\System Mechanic 6\Undo\Manual\{2F41DF96-4279-4340-89C4-795D0A29DA03}\{47DBE927-9DDC-4F09-AA1F-D59469C268C8}.txt[{47DBE927-9DDC-4F09-AA1F-D59469C268C8}.txt][.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Program Files\iolo\System Mechanic 6\Undo\Manual\{2F41DF96-4279-4340-89C4-795D0A29DA03}\{767E1473-CC35-4B8A-A0FF-042EA9381CAE}.txt[{767E1473-CC35-4B8A-A0FF-042EA9381CAE}.txt]
Spyware:Cookie/2o7 Not disinfected D:\Program Files\iolo\System Mechanic 6\Undo\Manual\{2F41DF96-4279-4340-89C4-795D0A29DA03}\{ED0C0FF1-369F-47EC-B8A4-7157FB5DA5E3}.txt[{ED0C0FF1-369F-47EC-B8A4-7157FB5DA5E3}.txt]

EDIT: Accidental Post in Wrong Thread.

Only found cookies.

I must have sorted whatever it was :)

Thanks for your help!

I hope if anyone else gets this problem, and they stumble accross this post, that the way I got rid works for them too!

Hi, I'm facing the same problem. firefox.exe is running in the task manager even though I had never started the application. When I would kill it, it would magically come back to life. With a program named "Active Ports" I found the process is sending something to IP address SpyBot search and destroy, Ad-Aware and AVG Anit-virus didn't find anything. hijackthis.exe does not show anything in the startup path that wasn't there before I had this problem. I run this tool on a regular basis and know what each line item belongs too. There was nothing new. RootkitRevealer flagged some registry key names with embedded nulls. These were new, I hadn't seen these before but it didn't appear to be related. Eventually I got the thing to stop reloading by renaming firefox.exe to 0firefox.exe, uninstalling firefox then running ccleaner to fix the registry. I'm sure whatever it is that is doing this is still on my HD but I haven't been able to find it yet. I did not find the file "MSNMSG" in the system32 folder like the other person said. If anyone has any questions or insight to this then feel welcome to write me directly at ullus [at] wi-on [dot] com

And I too just discovered the same issue. I do have a little more info I can add. First, the file I found in my system32 folder is named "server" with no extension. I presume there must be several different names for the file that holds the keylogging info. I also found the file "Server.exe" in system32 and I am pretty sure this file is a part of the trojan. I only discovered this because I was playing with a new router and as I was watching the logging that it does I saw one of my systems make a connection to every few minutes. Thankfully this is just a system I'd setup to run some tests on and it has no really private information on it.

I saw that IP is related to a dynamic IP service called no-ip.com so I sent an email to abuse_at_no-ip.com with a screenshot of a netstat showing that internet explorer connects to that IP and send this info.

HOPEFULLY they will help catch this identity thief!

I meant to also say that you should simply look in your system32 folder for the newest files as the logged information will either be the newest file or close to it since it is constantly being written to with every keystoke you enter. I would suggest that you save this file and make sure to change ALL passwords that you find in there as well as take steps to protect your financial information if the file contains any credit card or bank pin numbers.

I've just disabled any add-ons that involve Netscape functions and so far I haven't had a recurrence. It seems to be fixed but we'll see after the next restart if I have to go back to this again.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.