HELP!! VIRUS?!?

Oh noes! I think I have got a virus and I am not too sure how to get rid of it!

Basically mum, dad & sister have been using my computer whilst I was away last week, and when I got back it was running so slow.

I ran Spybot which came up with like a gazillion bits of spyware; I also ran Prevx1 which also came up with 11 bits of spyware. These are all in the vaults so should have been deleted.

I ran AVG and it came up with some viruses. I deleted them, however now I can't get Windows Firewall to turn back on; it says the service is unavailable. In Services the Windows Firewall / Internet Connection Sharing entry has been removed?

Also from time to time a box comes up that says the computer is going to be shut down and rebooted in 60 seconds, a bit like the Blaster worm did.

Now it says something about services.exe. This was found in the virus scan, however it doesn't seem to get deleted or cured.

Is it time to reformat the HDD, or is there any other way around this problem?

Many Thanks
 
You could try a free trial of a different antivirus, like Kaspersky or NOD32...

They may find the problems that the others don't. Also have a check in your startup and see if there is anything suspicious... Try booting in safe mode to see if that helps, and disable your internet connection while in normal mode to see if that stops the reboot.
 
Logfile of HijackThis v1.99.1
Scan saved at 15:30:56, on 08/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Truman\LOCALS~1\Temp\Rar$EX00.532\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Truman\Desktop\Yinstall.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154556384484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
 
I think I managed to delete that one. I have no idea why my firewall has decided to go away?

It's not even listed in Services?
 
WWS|Griff said:
http://www.sophos.com/security/analyses/trojcosiamk.html

Relates to -

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

Yup that's all I can see.

GinG said:
I think I managed to delete that one. I have no idea why my firewall has decided to go away?

It's not even listed in Services?

Do yourself a favour, get rid of AVG and download the free version of Avast! instead http://www.avast.com/eng/avast_4_home.html

Better than AVG and based on the Kaspersky engine: ie: better all-round and good with trojans.

Also download SpywareBlaster, update it, and enable all protection. http://www.download.com/SpywareBlaster/3000-8022-10196637.html

Rich. :)
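As an added illustration of the reasoning Griff applies to the HijackThis log above (this is not code from the thread): the script below parses the O4 autostart lines (the sample is built from entries posted in the log) and flags the things that single out stonedrv and the bogus "explorer" entry: use of the legacy RunServices key, one binary registered under more than one autostart key, an entry name that mimics a Windows process but points outside C:\Windows, and a binary living in a user-writable profile directory. The heuristic list is my own assumption, not a HijackThis feature.

```python
import re

# Constructed sample: O4 lines in HijackThis v1.99 format, copied from the log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [razertra] C:\\Program Files\\Razer\\razertra.exe
O4 - HKLM\\..\\Run: [explorer] C:\\Documents and Settings\\Truman\\Desktop\\Yinstall.exe
O4 - HKLM\\..\\Run: [stonedrv] c:\\windows\\system32\\stonedrv.exe
O4 - HKLM\\..\\RunServices: [stonedrv] c:\\windows\\system32\\stonedrv.exe
O4 - HKCU\\..\\Run: [Steam] "C:\\Program Files\\Steam\\Steam.exe" -silent
"""

# O4 - <hive>\..\<key>: [<entry name>] <command line>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
# Names that a legitimate Run entry would never use (assumed list).
SYSTEM_NAMES = {"explorer", "services", "svchost", "lsass", "winlogon", "csrss"}
# Path fragments that mean "user-writable location" on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

def exe_path(cmd):
    """Return the executable path from a command line, dropping quotes and arguments."""
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_o4(log):
    """Parse every O4 line into a dict with hive, key, name and executable path."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "path": exe_path(cmd)})
    return entries

def flag_entries(entries):
    """Return (name, path, reasons) for every entry that trips at least one heuristic."""
    keys_by_path = {}
    for e in entries:
        keys_by_path.setdefault(e["path"].lower(), set()).add(e["key"])
    findings = []
    for e in entries:
        low, reasons = e["path"].lower(), []
        if e["key"] == "RunServices":
            reasons.append("legacy RunServices key (Win9x-era; rarely used by legitimate software on XP)")
        if len(keys_by_path[low]) > 1:
            reasons.append("same binary registered under %d autostart keys" % len(keys_by_path[low]))
        if e["name"].lower() in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("entry name mimics a Windows process but points outside C:\\Windows")
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append("binary lives in a user-writable profile directory")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in flag_entries(parse_o4(SAMPLE_LOG)):
        print("[%s] %s\n    %s" % (name, path, "\n    ".join(reasons)))
```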
 
TBH if you are chasing viruses and don't know what's where and how it happened, you are better off formatting if you can easily manage it. It takes 1 day to format and set everything back up again, but you're prolly spending more effort trying to track down the sodding viruses than you are just formatting, then you'll end up with doubt that you didn't get them all. (Could just be me though, McAfee is there to tell me I have a virus - then I format rather than let it handle it ;)).
 
Pulseammo said:
TBH if you are chasing viruses and don't know what's where and how it happened, you are better off formatting if you can easily manage it. It takes 1 day to format and set everything back up again, but you're prolly spending more effort trying to track down the sodding viruses than you are just formatting, then you'll end up with doubt that you didn't get them all. (Could just be me though, McAfee is there to tell me I have a virus - then I format rather than let it handle it ;)).

lol... there's rarely ever a need to reformat when you get a virus unless it's the 1% of Grade A monsties that completely screws up your computer. And even then it means you're not careful and using good protection.

Reformatting is FAR more work than needed... trust me.
 
Richdog said:
lol... there's rarely ever a need to reformat when you get a virus unless it's the 1% of Grade A monsties that completely screws up your computer. And even then it means you're not careful and using good protection.

Reformatting is FAR more work than needed... trust me.

I agree, I can think of one virus that I've managed to get on my PC and that was years ago. However, peace of mind is always quite nice, especially for the types that end up opening up backdoors and downloading more viruses. If he had McAfee or a good virus scanner installed then fair enough, I'd let them do their job, but it sounds like whatever is on his system has gone and removed the service that allows the Windows Firewall to run.

Anything that attacks a firewall or antivirus is instant grounds for a format on a home system if it can be easily backed up; there's no reason not to imo. Of course that's not always feasible, I agree on that. It's up to him though what he does.
 
Richdog said:
If you're after top protection and peace of mind then I definitely wouldn't be running McAfee either personally. :)

Ok, fair enough, given that Kaspersky is better than McAfee, but I don't see what your point is? Avast is most certainly not Kaspersky, at least the free version isn't, and it's a heck of a lot worse than McAfee. User diligence is better than any AV anyway.

The problem here is it's a bit late now for a "buy Kaspersky" if some virus has already removed a bunch of Windows services, what then? Will it lead to a repair install and a nice stable system?

Edit: Doesn't NOD32 have a worse detection rate than McAfee?
 