This Virus is Killing me.

[DMWCSD]

Can anyone help me. I am a computer technician. This is the first time tht I have ever run into such a problem with an infected computer. I have Sophos anti-virus, which finds this Trojan/Small-CB virus. Then I have a version of Microsoft Antispyware, and Ad-Aware installed. The spyware programs find hundreds of infected files and registry keys every time I run a scan after the computer has been plugged into the network. I updated to Windows Xp sp2, and now I cant log onto the computer with any account other than the local administrator. When I do log in, and browse the documents and settings folder, I open the profile of the user whos computer is having a problem, and I get an error message saying that I cannot connect to the location and i have to select work offline. Remember I never accessed the internet, merely the user profile folder. I cant rename this particular folder, unless I boot into safe mode, in which case the folder acts normally, and if I rename another folder in the documents and settings location to the name of the original folder that was giving me difficulty the message begins to pop up there.

Can anyone give me any help?

 

[DMWCSD]

Also I do have the firewall turned on, with no exceptions allowed.

 

[aquias]

Let's make certain you're clean prior to ensuring we get you those files.

If you're behind a corporate firewall, disable the XP firewall first off. Then tackle these next steps.

1. Connect to Trend Micro and run their virus/spyware housecall and see if this picks up anything.
2. Ensure MS Beta is up to date and run this.
3. Download and run Spybot S&D.
4. Lastly, run Hijack this and post your log back over here.

 

[DMWCSD]

where can I get this Hijack?

a new troj/bettinet-A has just been detected. I guess I am just going to keep a running tab of all of the problems with this computer.

 

[aquias]

http://www.spywareinfo.com/~merijn/downloads.html

This is the homepage for Hijack this.

 

[eyec]

dont forget to turn of restore points until you are sure you are clean, then turn them back on after a clean re-boot.

 

[DMWCSD]

Logfile of HijackThis v1.99.1
Scan saved at 9:18:11 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SCTray.Exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\n20050308.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\Sophos\Setup\Loader\setup.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X7V77W46\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.dell.com/

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SocketComm] SCTray.Exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [wij86r5x] C:\Program Files\wij86r5x\wij86r5x.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyca32.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezStub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall-beta.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = westwood.com
O17 - HKLM\Software\..\Telephony: DomainName = westwood.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = westwood.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\sGgnb.dll
O23 - Service: Sweep for Windows NT Network (SWEEPNET) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sweep for Windows NT Update (SWEEPUPDATE) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

[erikhertzel]

Remove the following:

C:\WINDOWS\n20050308.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe (this is the trojan)
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [wij86r5x] C:\Program Files\wij86r5x\wij86r5x.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyca32.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezStub.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
010 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?325

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = westwood.com
O17 - HKLM\Software\..\Telephony: DomainName = westwood.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = westwood.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\sGgnb.dll

You will probably need LSPFix from Cexx.org to complete the mission after deleting this stuff.

Erik

 

[DMWCSD]

Thanks for all of your help, but unfortunately I was unable to resolve the problem, and time ran out for trying to find solutions. My boss instructed me to Format the drive and load everything over.

Oh well. Thanks everyone.