# [Solved] A Virus has disabled my Anti-Virus



## cutaia (Jun 13, 2004)

Hello,
I've never used these forums before, so I hope I am in the correct place to be asking this question.
I believe I have a virus, and it really seems to be causing problems for me. I am running Windows XP and this is what has been going on:

1. Initial loading of Windows is taking about 5 times as long as it should, and browsing the Internet (I'm on dial-up) seems to be much slower too.
2. When I turn on the computer I get the following message: "You (or a program) have requested information from light.merked.us. Which connection do you want to use." If I click cancel, another one simply shows up. (Sometimes instead of light.merked.us, it will say "error.merked.us" or "pimphouse._something_._something_")
3. Before all this started happening my anti-virus (Norton) "detected" a virus called Blaster.F.Worm. It then tried to repair it, and failed. It then tried to isolate it and then said "Access Denied." After that, I tried running Norton again, and it came back showing no viruses. To be safe, I downloaded two programs supposedly designed to get rid of the Blaster Worm and its variants (one from Norton, one from Microsoft), and was told by both that Blaster Worm was not found.
4. Most disturbingly to me, my Norton Anti-virus now seems to have been affected. If I open it, it says that "Auto-Protect" has been turned off, and "E-mail scanning" reads "error." 5 seconds later Norton closes itself down. I can get into the options and try and turn auto-protect on before it closes down, but that doesn't seem to work. It still remains off.

If anyone has any idea what virus would be doing this, or how I can get rid of it, it would be greatly, greatly appreciated.
Thanks in advance.


----------



## ~Candy~ (Jan 27, 2001)

Hi and welcome. Please download HijackThis, scan and post a scan log.
http://www.spywareinfo.com/~merijn/downloads.html


----------



## cutaia (Jun 13, 2004)

Alright...I hope I did this right (Not that I have any idea what all of this means):

Logfile of HijackThis v1.97.7
Scan saved at 1:45:22 PM, on 6/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\wserv32.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\AIM 5.5\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\pure zero\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\LLOYD\EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P27 "\\LLOYD\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087064562237
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.6628125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63F5BBA2-7CB9-4738-AA93-105CCFFFAF48}: NameServer = 209.244.0.3 209.244.0.4


----------



## ~Candy~ (Jan 27, 2001)

You did fine, I don't read the logs either, but I'm sure someone will be along. As this is Sunday, it may be slow today, so if you've received no response by tomorrow morning, post BACK to this thread, asking for someone to have a look, which will get it back to the top. Also notify me, and I'll scrounge someone up if necessary.


----------



## cutaia (Jun 13, 2004)

Alright...I'll do that.

Thanks for your help.


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe*

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options",
make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete:

The C:\WINDOWS\System32\*wserv32.exe* file
The C:\WINDOWS\System32\*smsc.exe* file

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

Empty the Recycle Bin

Now navigate to the C:\Windows\System32\drivers\etc folder. Locate the *HOSTS* file. Open the HOSTS file in notepad by clicking on it to open it. It will ask you what program you want to use to open it. Tick "Select the program from a list" and click OK. In the menu of programs that opens find and select notepad and click OK. The HOSTS file will open in notepad. Look for a list like this:

*127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com*

Delete all those lines leaving only this one:

*127.0.0.1 localhost*

Now close the file and answer Yes to confirm the changes.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.

Go here and do an online virus scan:

http://housecall.trendmicro.com/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

*IMPORTANT!:* I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" *ASAP!*. This will patch numerous security holes in IE and Windows. This worm got on your machine by taking advantage of one of those vulnerabilities.
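The HOSTS-file step above, as an added example that is not part of the original post: a small Python audit that finds loopback entries pinned to anything other than localhost (the technique that blocks the AV vendor sites listed in the post) and rewrites the file the way the post describes, keeping comments and genuine LAN entries. The sample file contents are constructed for the example.

```python
"""Audit a Windows HOSTS file for loopback redirects that block AV vendor sites."""

# Constructed sample HOSTS file modelled on the entries quoted in the thread.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 localhost housecall.trendmicro.com
192.168.1.10    printserver   # legitimate LAN entry, must survive
"""

LOOPBACK = {"127.0.0.1", "::1"}
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, names, raw) for every non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()       # drop trailing comment
        if not body:
            continue
        fields = body.split()
        yield line_no, fields[0], fields[1:], raw


def find_loopback_hijacks(text):
    """Return [(line_no, name)] for names pinned to loopback other than localhost."""
    hits = []
    for line_no, ip, names, _ in parse_hosts(text):
        if ip in LOOPBACK:
            hits.extend((line_no, n) for n in names if n.lower() not in ALLOWED_LOOPBACK_NAMES)
    return hits


def clean_hosts(text):
    """Rewrite the file keeping comments, non-loopback entries and localhost only.

    Returns (cleaned_text, removed_names)."""
    kept, removed = [], []
    parsed = {line_no: (ip, names) for line_no, ip, names, _ in parse_hosts(text)}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if line_no not in parsed or parsed[line_no][0] not in LOOPBACK:
            kept.append(raw)                      # comment, blank, or normal mapping
            continue
        ip, names = parsed[line_no]
        good = [n for n in names if n.lower() in ALLOWED_LOOPBACK_NAMES]
        removed.extend(n for n in names if n.lower() not in ALLOWED_LOOPBACK_NAMES)
        if len(good) == len(names):
            kept.append(raw)                      # nothing to strip, keep as written
        elif good:
            kept.append(f"{ip}\t{' '.join(good)}")  # keep localhost, drop the hijacks
        # a loopback line with nothing legitimate left is dropped entirely
    return "\n".join(kept) + "\n", removed
```

Run it against a copy of C:\Windows\System32\drivers\etc\hosts first; writing the cleaned text back requires administrator rights and is left to the operator.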


----------



## ~Candy~ (Jan 27, 2001)

Wow, Mark must have already been working on it


----------



## cutaia (Jun 13, 2004)

One problem with getting to safe mode: The person who gave me this computer had it set to a much higher resolution than my monitor can handle. The first time I turned the computer on it was all static-y like a TV with the vertical hold off. I was lucky enough to get the "non-safe mode" resolution down (trust me...sheer luck), but it appears that every time I go to safe mode, it's still wrong. Is there any way to change safe mode's resolution before I get to it? Or will I just have to go through the trial and error again to fix it?


----------



## cutaia (Jun 13, 2004)

Also, thanks for helping me out so quickly.


----------



## ~Candy~ (Jan 27, 2001)

Safe mode resolution will always STINK. You just have to live thru it for the short amount of time you will be there


----------



## cutaia (Jun 13, 2004)

I don't mean it just looks bad. I mean that when I open safe mode it's so messed up that I can't even make anything out. I wouldn't be able to find anything...let alone do all the stuff he's recommended.


----------



## ~Candy~ (Jan 27, 2001)

Hmm.........I don't think I've ever seen it so bad where you can get around and see what you are doing. The icons will be very large compared to what you more than likely have set in normal mode.

Edited for typo only.


----------



## Flrman1 (Jul 26, 2002)

Any progress here?


----------



## cutaia (Jun 13, 2004)

Alright...it's been awhile...but here's an update.

The resolution thing wasn't that the resolution was too low...it's that it was too high (1024x768). We were using an old monitor that (apparently) just couldn't handle it. The reason it took me so long to get back to this board was I tried the whole safe mode thing out, and ended up sans-computer for a couple of days. In any case, we got another monitor back from a friend, and we're back on track.

I did all the stuff that you said, and everything went smoothly. When I ran that online virus scan it found something about "sasser." I've heard that's bad. It wasn't able to fix it, but I did have it delete the file. I then ran the check again and it came back clean.

Everything seems to be working well now, but just to be sure, would you mind taking a look at a new HijackThis log? Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 12:23:53 AM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\pure zero\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\LLOYD\EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P27 "\\LLOYD\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087064562237
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.6628125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63F5BBA2-7CB9-4738-AA93-105CCFFFAF48}: NameServer = 209.244.0.3 209.244.0.4

If everything looks good there, I suppose I'll turn System Restore back on, and get these Windows Updates done.

Thanks a lot for your help. I'm totally going to donate a little cash to this site.


----------



## Flrman1 (Jul 26, 2002)

Looks good! :up:


----------



## cutaia (Jun 13, 2004)

Fantastic! Thanks a lot for all your help.


----------



## Flrman1 (Jul 26, 2002)

You're Welcome!


----------

