Viiirus Question

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
DO NOT USE THE ACTUAL WORD OR I CANNOT LOOK AT THE PAGE. I would appreciate it if, whenever anyone uses the actual word instead of viirus, a mod edits the post and fixes it.
I've been living with this viirus for a few weeks and it's pissing me off.

What it does is let me run any program that is new to the viirus once; then, if it's over a certain size, it cannot be used again. This means I can reinstall a game and be able to play it once before it doesn't work anymore. When I log onto my desktop, black boxes show up with the paths to all the files that are too big that are used at startup, but they go away about a fourth of a second later. Anything with the actual word other than viirus will not let itself be viewed. Does anyone know anything about this viirus and/or how to fix it?
 

TrongaMonga

Grumpy Old Grandpa
Joined
Dec 28, 2002
Messages
10,126
Reaction score
41
Location
Portugal
Well, he said you couldn't write viirus... Should I edit both your and mine post?



-edit-
I have already taken the liberty of doing so.

-Dark Blade
 

Korittke

Member!
Joined
Dec 30, 2002
Messages
5,993
Reaction score
0
Website
Visit site
It says viirus in both of the posts...
 

TrongaMonga

Grumpy Old Grandpa
Joined
Dec 28, 2002
Messages
10,126
Reaction score
41
Location
Portugal
Is it possible that a viirus can forbid you to see a page if the word viirus is in it?

Because, well, Wing Zero created a thread before this very one named viirus...

So, how the hell was he able to see this whole forum in the first place?
 

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\documents and settings\ross watson\local settings\temp\z6g.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\eudir.exe
C:\WINDOWS\System32\wininit32.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ross Watson\Local Settings\Temporary Internet Files\Content.IE5\STINWPIJ\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50099
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50099
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50099
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {B891CC66-3C13-4F87-B93B-4C970E1219DC} - C:\WINDOWS\lbbho.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Ross Watson\Local Settings\Temp\8I.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [hyn] C:\WINDOWS\hyn.exe
O4 - HKLM\..\Run: [yrib] C:\WINDOWS\yrib.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\QuickTime 4\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [z6g] C:\documents and settings\ross watson\local settings\temp\z6g.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\Run: [bOQ] C:\documents and settings\ross watson\local settings\temp\bOQ.exe
O4 - HKLM\..\Run: [WinExec32] C:\WINDOWS\WinExec32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [os8g36R] jscshare.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [Cuckoo Clock] "D:\GAMES\WARCRAFT III\WARCRAFT CLOCK\CUCKOO.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ZBrmRWd6V] eudir.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [WinExec32] C:\WINDOWS\WinExec32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Games\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38042.530150463
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47C096BA-7333-4B32-9C80-892B9B3CB7B2}: NameServer = 192.168.1.1
 

x42bn6

Retired Staff
Joined
Nov 11, 2002
Messages
15,150
Reaction score
2
Location
London, United Kingdom
Fix these things, and get a v1rus remover for W32/Sdbot.

C:\WINDOWS\System32\wininit32.exe
O4 - HKLM\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers

(Symantec)

The following instructions pertain to all current and recent Symantec antiv1rus products, including the Symantec AntiV1rus and Norton AntiV1rus product lines.


Disable System Restore (Windows Me/XP).
Update the v1rus definitions.
Do one of the following:
Windows 95/98/Me/2000/XP: Restart the computer in Safe mode.
Windows NT: End the Trojan process.
Run a full system scan and delete all the files detected as Backdoor.Sdbot.
Edit the changes that the Trojan made to the registry.

For details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a v1rus, worm, or Trojan infects a computer, System Restore may back up the v1rus, worm, or Trojan on the computer.

Windows prevents outside programs, including antiv1rus programs, from modifying System Restore. Therefore, antiv1rus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a v1rus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antiv1rus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. To update the v1rus definitions
Symantec Security Response fully tests all the v1rus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent v1rus definitions:

Running LiveUpdate, which is the easiest way to obtain v1rus definitions: These v1rus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major v1rus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the V1rus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater v1rus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the V1rus Definitions (Intelligent Updater).

The Intelligent Updater v1rus definitions are available: Read "How to update v1rus definition files using the Intelligent Updater" for detailed instructions.


3. To restart the computer in Safe mode or end the Trojan process
Windows 95/98/Me/2000/XP
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for any of the file names listed in step 1 of the "Technical Details" section. This file name can vary.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

4. To scan for and delete the infected files
Start your Symantec antiv1rus program and make sure that it is configured to scan all the files.
For Norton AntiV1rus consumer products: Read the document, "How to configure Norton AntiV1rus to scan all files."
For Symantec AntiV1rus Enterprise products: Read the document, "How to verify that a Symantec Corporate antiv1rus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with Backdoor.Sdbot, click Delete.

5. To edit the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start > Run.
Type regedit, and then click OK.
Navigate to each of the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any of the following values that you find, or any value that refers to the file, which is detected as the Trojan:

"Configuration Manager"="Cnfgldr.exe"
"System Monitor"="Sysmon16.exe"
"MSSQL"="Mssql.exe"
"Configuration Loader" = "aim95.exe"
"Internet Config" = "svchosts.exe"
"System33" = "%System%\FB_PNU.EXE"
"Configuration Loader"="cmd32.exe"
"Windows Explorer"="Explorer.exe"
"Configuration Loader"="IEXPL0RE.EXE"
"Configuration Loader"="%System%\iexplore.exe"
"Sock32"="sock32.exe"
"Configuration Loader"="MSTasks.exe"
"Windows Services"="service.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"syswin32" = "syswin32.exe"
"MachineTest"="CMagesta.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"Fixnice" = "vcvw.exe"
"Windows Configuration" = "spooler.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Quick Time file manager" = "quicktimeprom.exe"

Exit the Registry Editor.

(Replaced your bad word with v1rus)
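The log HellThrone posted and the removal steps above are the two halves of a manual triage: read the HijackThis output, decide which entries are hostile, then delete the matching Run/RunServices values and files. The script below is an added example (not code from this thread, from HijackThis or from Symantec) that does the same thing programmatically. It parses the R0/R1, O2, O4 and O16 lines, applies three heuristics that mirror the advice in the thread (a program launched from a Temp directory, the same program registered under both HKLM and HKCU Run-type keys so it starts for every user, and an ActiveX .cab fetched from the same domain that rewrote the search settings), and maps each flagged O4 line to the exact registry key and value name that step 5 says to delete. `SAMPLE_LOG` is a constructed subset of the log posted above; the heuristic names, thresholds and the `Entry` structure are this example's own assumptions, not anything HijackThis defines.

```python
"""Triage a HijackThis log the way the thread does it by hand.

Added example, not code from the forum posts, HijackThis or Symantec.
Parses R0/R1, O2, O4 and O16 lines, applies three heuristics that match
the advice in the thread, and maps each flagged O4 line to the registry
key/value that step 5 deletes.  SAMPLE_LOG is a constructed subset of the
posted log; the heuristics and data layout are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50099
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Ross Watson\Local Settings\Temp\8I.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [z6g] C:\documents and settings\ross watson\local settings\temp\z6g.exe
O4 - HKLM\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run(?:Services)?(?:Once)?): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
R_RE = re.compile(r"^R[01] - .* = (https?://\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \([^)]*\))? - (\S+)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_ROOT = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    kind: str   # "R", "O2", "O4" or "O16"
    line: str   # the raw log line
    data: dict  # parsed fields, see parse_hjt


def executable(cmd: str) -> str:
    """Executable of an O4 command: honour quotes; for unquoted commands cut at the
    first '.exe' so unquoted paths with spaces (as in the posted log) survive."""
    cmd = cmd.strip().lstrip('"')
    if '"' in cmd:
        return cmd.split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def identity(cmd: str, exe: str) -> str:
    """What actually runs, lower-cased: the DLL basename for rundll32 hosts, else the
    executable's basename, so HKLM and HKCU copies of one program compare equal."""
    base = exe.rsplit("\\", 1)[-1].lower()
    rest = cmd.strip().lstrip('"')[len(exe):].lstrip('"').strip()
    if base != "rundll32.exe" or not rest:
        return base
    return rest.split(",", 1)[0].split()[0].strip('"').rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := O4_RE.match(line):
            exe = executable(m[4])
            entries.append(Entry("O4", line, {"hive": m[1], "key": m[2], "name": m[3],
                                              "exe": exe, "ident": identity(m[4], exe)}))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", line, {"name": m[1], "clsid": m[2], "path": m[3]}))
        elif m := R_RE.match(line):
            entries.append(Entry("R", line, {"url": m[1]}))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", line, {"clsid": m[1], "url": m[2]}))
    return entries


def domain(url: str) -> str:
    """Registrable domain (last two labels) of a URL's host, '' if it has none."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def flag(entries: list[Entry]) -> list[tuple[Entry, str]]:
    findings: list[tuple[Entry, str]] = []
    # 1. Anything that runs or loads from a Temp directory (z6g.exe, 8I.dll above).
    for e in entries:
        where = (e.data.get("exe") or e.data.get("path") or "").lower()
        if any(marker in where for marker in TEMP_MARKERS):
            findings.append((e, "loaded from a Temp directory"))
    # 2. One program registered under both HKLM and HKCU Run-type keys, so it starts
    #    whoever logs on (wininit32.exe: HKLM Run, HKLM RunServices and HKCU Run).
    hives: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.kind == "O4":
            hives[e.data["ident"]].add(e.data["hive"])
    for e in entries:
        if e.kind == "O4" and hives[e.data["ident"]] >= {"HKLM", "HKCU"}:
            findings.append((e, "same program registered under both HKLM and HKCU"))
    # 3. An ActiveX .cab (O16) fetched from the domain that rewrote the search settings (R0/R1).
    hijackers = {domain(e.data["url"]) for e in entries if e.kind == "R"}
    for e in entries:
        if e.kind == "O16" and domain(e.data["url"]) in hijackers:
            findings.append((e, "ActiveX download from the search-hijack domain"))
    return findings


def registry_targets(findings: list[tuple[Entry, str]]) -> list[tuple[str, str]]:
    """(registry key, value name) pairs to delete in regedit, as in step 5, deduplicated."""
    out: list[tuple[str, str]] = []
    for e, _ in findings:
        if e.kind == "O4":
            key = f"{HIVES[e.data['hive']]}\\{RUN_ROOT}\\{e.data['key']}"
            if (key, e.data["name"]) not in out:
                out.append((key, e.data["name"]))
    return out


if __name__ == "__main__":
    found = flag(parse_hjt(SAMPLE_LOG))
    for entry, reason in found:
        print(f"{reason}: {entry.line}")
    for key, value in registry_targets(found):
        print(f"delete value {value!r} under {key}")
```

Run against the sample, the three `SysInit` lines, `z6g`, the `8I.dll` BHO and the websearch.com .cab come out flagged, while NvCplDaemon, ctfmon, the Google toolbar BHO and the Macromedia .cab do not; the registry targets are the HKLM Run, HKLM RunServices and HKCU Run values for `SysInit` plus HKLM Run `z6g`, which is exactly the set x42bn6 told the poster to remove by hand. The cross-hive check keys on the program that actually runs (the DLL for rundll32 hosts), because the same `rundll32.exe` legitimately appears many times. These heuristics are deliberately narrow: the posted log also holds entries such as `[hyn]`, `[yrib]` and `[WinExec32]` that a human would examine but that this script's rules do not reach, so treat its output as a starting list, not a verdict.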
 

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
Okay, that's weird, because other times I'd post it on forums it wouldn't let me see it... Still, don't type the real word; I just got lucky.

A good example is if I go to downloads.com or Google or any of that and get on a page with the word viirus, it won't work; that way I can't download a viirus protector.
 

x42bn6

Retired Staff
Joined
Nov 11, 2002
Messages
15,150
Reaction score
2
Location
London, United Kingdom
Perhaps you didn't listen to me.

Hit Ctrl-Alt-Del (and hit Task Manager for Windows 2000/XP, then go to processes) and end the process wininit32.exe.
Then delete the file in C:\WINDOWS\System32\wininit32.exe (or C:\WINNT\System32\wininit32.exe).
Then remove the entries in the registry as stated in 5).
 

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
Oh, I see what you put; it's just a little complex and I think I might have to get my bro over here to figure it all out.
Also, I can't search for viirus deleters or any of that.

Yeah, it won't let me go to the sites of Symantec or Norton.
 

sorcsskull

Member!
Joined
Aug 28, 2004
Messages
24
Reaction score
0
Website
Visit site
I hate Symantec and Norton. I have them on my computer downstairs, which is now a POS because it got a viiirus and it won't let you turn System Restore on/off (I've tried several times). It kicks my internet connection most of the time, and none of the Symantec/Norton/Trend Micro products will get rid of this danged viiirus!! (Not sure what viiirus it is; it's like M.Mbeagle or something like that. It jacks your Norton to ****.)
 

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
It won't let me go to ANY viirus site. Any suggestions on how I can do this manually?
 

HellThrone

Member!
Joined
Oct 17, 2003
Messages
295
Reaction score
0
Location
Hell
Well, I decided I'd actually try, and guess what... YOU ARE AWESOME x42bn6!!!!!!!!!!!!!!
 
