HomemadeTurbo - DIY Turbo Forum


Cray91 06-01-2005 03:27 AM

Need help from the computer nerds
 
I think that I have a virus. If I leave my computer for an hour or so I can't get online. I then go to the Task Manager and end sys32 and osae and I can go online again. I have heard of the system 32 virus, but my pirated copy of Norton doesn't seem to catch it at all. Now I can't get my computer to start properly; it loads all the way up until when the desktop should show up and it just shuts off instantly.

Any help would be greatly appreciated. Even if just how to get the virus off there.

Cadracer 06-01-2005 03:33 AM

Re: Need help from the computer nerds
 
:(SAFE MODE

look into the registry

lol
that'll fix it

Cray91 06-01-2005 03:39 AM

Re: Need help from the computer nerds
 

Originally Posted by Cadracer
:(SAFE MODE

look into the registry

lol
that'll fix it

wow that was helpful

88crxSi 06-01-2005 05:59 AM

Re: Need help from the computer nerds
 
What OS?
What method of connecting?
Download HijackThis and put it in its own directory and run the program, save the log, and post it on here.

PureCRXtasy 06-01-2005 11:35 AM

Re: Need help from the computer nerds
 
Sounds like you have an SDBot infection.

http://securityresponse.symantec.com...oor.sdbot.html

Cray91 06-01-2005 12:31 PM

Re: Need help from the computer nerds
 
This is Windows XP Pro, Wireless network with DSL for connection.

I am not sure that it is that thing you showed me from the Symantec website; I have Norton, and it misses it.

jinxy 06-01-2005 12:45 PM

Re: Need help from the computer nerds
 
http://www.spywareinfo.com/~merijn/downloads.html

get HijackThis and post up your log like crx88si said. then we might be able to tell you what's up

kain 06-01-2005 12:58 PM

Re: Need help from the computer nerds
 
go to symantec and do their housecall virus scanning. it's completely free and you don't download anything. it just runs a virus scanner from their website. it's pretty fast and catches pretty much everything, so give them a try.

jinxy 06-01-2005 01:02 PM

Re: Need help from the computer nerds
 
that scan is also good. but if you do that scan remember to copy and paste the list of files to a txt document and put it on your desktop. so when you reboot in safe mode you'll still have it. and if you're doing that it's good to have KillBox. if you can't find it anywhere I'll send it to you. it's basically a program that force deletes files when windows is being a bitch about it

Cray91 06-01-2005 01:49 PM

Re: Need help from the computer nerds
 
I got the scan but it tells me to ask someone with a clue what to fix and what not to.

Logfile of HijackThis v1.99.1
Scan saved at 1:47:57 PM, on 06/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\system32\sys32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\?hkdsk.exe
C:\Program Files\nsab\osae.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Creighton Engen\Desktop\HijackThis1991.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1324122C-B588-FF5A-902C-8FC3BCC494AA} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O2 - BHO: (no name) - {1A913446-868B-DE23-D858-A77F6419D2C3} - C:\WINDOWS\system32\eatsbb.dll
O2 - BHO: (no name) - {26092225-98B8-BC68-BD1C-B7EEFD80B993} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O2 - BHO: (no name) - {26092229-98B8-CD1C-BD1B-BDEEF985B9E9} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\Itesmart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Taskmon driver] winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [api driver] sys32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mpfltw] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eaai] C:\Program Files\nsab\osae.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


88crxSi 06-01-2005 03:52 PM

Re: Need help from the computer nerds
 
search for a program called ewidos security. download it and install it.

boot into safe mode and run it. let it scan all files, and let it fix all errors. sit by it for a few minutes and when a window pops up asking to fix, check off the box that says auto fix (or something like that). then go for dinner cuz it's gunna take awhile.

reboot normally... run HijackThis again and repost the log.

jinxy 06-01-2005 04:54 PM

Re: Need help from the computer nerds
 
C:\Program Files\AWS\WeatherBug\Weather.exe (not as serious as the others)
C:\WINDOWS\system32\?hkdsk.exe
O2 - BHO: (no name) - {1324122C-B588-FF5A-902C-8FC3BCC494AA} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O2 - BHO: (no name) - {1A913446-868B-DE23-D858-A77F6419D2C3} - C:\WINDOWS\system32\eatsbb.dll
O2 - BHO: (no name) - {26092225-98B8-BC68-BD1C-B7EEFD80B993} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O2 - BHO: (no name) - {26092229-98B8-CD1C-BD1B-BDEEF985B9E9} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O4 - HKLM\..\Run: [RDLL] RunDll16.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [api driver] sys32.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Mpfltw] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Eaai] C:\Program Files\nsab\osae.exe (I don't know what this is but get it out of your startup)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab


you have some potentially nasty ------ ---- on there. reboot, hit f8 like crazy until you have the option to start into safe mode. fix all of those with HijackThis. also try to find and delete them.
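
Added example, not part of any post in this thread: a small Python triage pass over HijackThis O2/O4 lines that flags, for manual review, the same kinds of entries picked out in the list above. The three heuristics (unnamed or missing-file BHO, autorun command with no full path, `?` in a path) and the function name `triage` are assumptions of this example, not HijackThis features; the sample lines are copied from the log posted earlier.

```python
import re

# Sample input: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1324122C-B588-FF5A-902C-8FC3BCC494AA} - C:\WINDOWS\system32\cuksutry.dll (file missing)
O4 - HKLM\..\Run: [api driver] sys32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Mpfltw] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# O2 = Browser Helper Object: "<name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4 = registry autorun: "HKxx\..\Run: [value name] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # optional quote, drive letter, backslash


def triage(log_text):
    """Return [(section, entry, [reasons])] for lines worth a manual look.

    A finding means "check this by hand", not "this is malware": legitimate
    drivers also register autoruns without a full path.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m:
            section, label, target = "O2", m["clsid"], m["path"]
            if m["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if target.endswith("(file missing)"):
                reasons.append("file missing")  # registry entry outlived its DLL
        else:
            m = O4_RE.match(line)
            if not m:
                continue  # other sections are out of scope for this example
            section, label, target = "O4", m["name"], m["cmd"]
            if not FULL_PATH_RE.match(target):
                reasons.append("no full path")  # resolved through the search path
        # '?' is not a legal Windows filename character, so in a path it stands
        # in for a character the log could not render.
        if "?" in target:
            reasons.append("unrenderable character in path")
        if reasons:
            findings.append((section, label, reasons))
    return findings


if __name__ == "__main__":
    for section, label, reasons in triage(SAMPLE_LOG):
        print(section, label, "->", ", ".join(reasons))
```
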

Cray91 06-01-2005 07:08 PM

Re: Need help from the computer nerds
 
well I ran the hijacker program and fixed all those items. We will see what happens now.

I am never using Limewire or Kazaa ever again. They are a pain, and virus filled.

Back to newsgroups for me.

jinxy 06-01-2005 07:28 PM

Re: Need help from the computer nerds
 
is it workin alright? sometimes those fuckers will come back.

Cray91 06-01-2005 07:34 PM

Re: Need help from the computer nerds
 
seems good so far. But I will be able to tell in a day or two.

jung4g 06-02-2005 12:30 PM

Re: Need help from the computer nerds
 
I heard if you put tubgirl as your background, the viruses will flee and your computer will be safe. O0

T-RO 06-03-2005 02:52 PM

Re: Need help from the computer nerds
 

Originally Posted by kain
go to symantec and do their housecall virus scanning. it's completely free and you don't download anything. it just runs a virus scanner from their website. it's pretty fast and catches pretty much everything, so give them a try.

Um I couldn't find that link anywhere. Anyone have it handy?

unsivil_audio 06-03-2005 03:59 PM

Re: Need help from the computer nerds
 
http://housecall.trendmicro.com/

45psi 06-04-2005 12:49 AM

Re: Need help from the computer nerds
 
StartupList report, 6/3/2005, 10:35:56 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Colten\Desktop\startuplist\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Colten\Desktop\startuplist\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
MimBoot = C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB = rundll32.exe E6F1873B.DLL,D9EBC318C
98D0CE0C16B1 = rundll32.exe D0CE0C16B1,D0CE0C16B1
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinampAgent = C:\Program Files\Winamp\winampa.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
Raeo = C:\Documents and Settings\Colten\Application Data\leeu.exe
Rtfeq = C:\WINDOWS\System32\?hkntfs.exe
ProxyWay = C:\Program Files\ProxyWay\proxyway.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\System32\ogegkc.dll (file missing) - {F863AB78-11C3-3610-B80F-65F3EE514397}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Colten.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...0C/wmv9dmo.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,093 bytes
Report generated in 6.680 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
----------------------------------------------------------------------------------------------


All times are GMT -5.