Computing.Net > Forums > Security and Virus > Anyone know what onoes.exe is?


Anyone know what onoes.exe is?


Original Message
Name: dr-huard
Date: February 18, 2006 at 10:09:50 Pacific
Subject: Anyone know what onoes.exe is?
OS: WinXP x64
CPU/Ram: AMD 64 / 2gig
Model/Manufacturer: MSI
Comment:

I have been seeing a failure report (MS) at startup on an application called onoes.exe. It is in the C:\ root and in Prefetch. I googled it and could find nothing. I have never seen that happen before. Any ideas what this app is? I have deleted the prefetch and moved the file in the meantime.

DR Huard
SoCal




Response Number 1
Name: dr-huard
Date: February 18, 2006 at 10:17:45 Pacific

Oh, I also did a registry search for this file, since it was loading at startup, and there was none that I could find. It seems pretty suspicious, that is why I posted here. Thanks.


DR Huard
SoCal



Response Number 2
Name: jabuck
Date: February 18, 2006 at 10:40:12 Pacific

There is not much out there on that file and most call it suspect. You can copy the file and submit it to Jotti's for a virus check.

Please go to http://virusscan.jotti.org/ , click on Browse, and upload the following file for analysis:

C:\onoes.exe or exact path if that is not it.

Then click Submit. Allow the file to be scanned, and then please copy and paste the results and post them.



Response Number 3
Name: dr-huard
Date: February 18, 2006 at 10:41:07 Pacific

Well, after deleting the file and prefetch file, I rebooted and guess what - it's back. Now I am really puzzled, but this behavior does not seem to be that of a legitimate app. Sure could use some help on this.

DR Huard
SoCal



Response Number 4
Name: dr-huard
Date: February 18, 2006 at 10:55:01 Pacific

This is the last update for now. I deleted the file and created a text file with the same name and then set its attributes to "read-only". This stopped the recreation of the file, and there are no errors.
Just tried jotti - what a great resource. I did not know of this site before. The results are:

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 67bbd86d8c9970dcacea2dd611a37022
Packers detected: SDPROTECTOR
Scanner results
AntiVir Found Worm/RBot.174080
ArcaVir Found Trojan.Rbot.Gen.173218.MX
Avast Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot.VJZ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found W32/AgoBot.U!bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
NOD32 Found Win32/Rbot
Norman Virus Control Found W32/Spybot.AGXH
UNA Found nothing
VBA32 Found Backdoor.Win32.Rbot.gen

Now if I can just find what keeps recreating this thing.

Thanks.

DR Huard
SoCal



Response Number 5
Name: jabuck
Date: February 18, 2006 at 11:07:27 Pacific

Yep, as suspected.

Please post a Hijack This log so that the files associated with the virus/spyware can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.




Response Number 6
Name: dr-huard
Date: February 18, 2006 at 11:19:43 Pacific

Found it!!! This worm created a directory under Program Files(x86) called Outlook which contained the following files:

Outlook.exe Desc- Setup.exe size 205k
v.tmp size 205k
p.zip 198k which contained setup.exe

It then added a registry entry for windows/current version/run under current user to run that outlook.exe

This explains a lot of what I have been seeing on this machine. It was having some Outlook issues, and any Gnutella client I tried to install would reload itself automatically when I closed it. I knew I probably had a virus on this machine but could not find it with Avast!. Well, guess I'll dump that AV. I sure miss my Norton, but alas, no x64 support except in their corp. Guess I'll try one of those listed on Jotti that found this thing.

DR Huard
SoCal



Response Number 7
Name: capt
Date: February 18, 2006 at 11:45:18 Pacific

If it comes back again, turn System Restore off and restart the computer. Many worm/trojan/virus packets hide in the restore files. Since these files are "protected", no antivirus program can clean/repair/delete them.



Response Number 8
Name: dr-huard
Date: February 18, 2006 at 11:49:45 Pacific

Per request here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:40 AM, on 2/18/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (x86)\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files (x86)\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files (x86)\Microsoft Office\Office10\msoffice.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\SysWow64\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files (x86)\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files (x86)\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files (x86)\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files (x86)\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137482114953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137482108296
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - I:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - I:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegWorks Backup Service (RWBackupSrv) - Unknown owner - I:\Program Files (x86)\RegWorks\BackupSrv.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

I really am not completely up to speed on this so any help, especially with all the "missing file" entries would be greatly appreciated.

DRH

DR Huard
SoCal


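The log above is the artifact the rest of the thread argues over, and the posts around it say what to look for: Response 6 found the worm's persistence as an HKCU Run entry pointing at an Outlook.exe outside the Office folder, Response 9 notices services on an I:\ drive, and Response 10 explains that the many "(file missing)" lines under C:\WINDOWS\System32 are an artifact of running a 32-bit HijackThis on 64-bit Windows (file-system redirection sends it to SysWOW64, where the 64-bit-only system binaries do not exist). The script below is an added example and is not code from the thread or from HijackThis. It parses the running-process list and the O4 and O23 lines into records and applies three heuristics of this editor's choosing: the same executable name launched from two different directories, any path on a drive other than the system drive, and "(file missing)" on a path that is not under System32 (which is the only case the WOW64 redirection explains). The embedded SAMPLE_LOG is a constructed excerpt of the posted log plus one HKCU Run line modelled on the entry Response 6 describes, which does not appear in the posted log.

```python
r"""Triage the O4 (autostart) and O23 (service) lines of a HijackThis log.

Added example, not code from the thread or from HijackThis. Three checks,
all this editor's heuristics rather than anything the tool does:
  * one executable name launched from two different directories;
  * a path on a drive other than the system drive;
  * "(file missing)" on a path NOT under C:\WINDOWS\System32 (a 32-bit
    HijackThis on x64 is redirected to SysWOW64 and reports the real
    System32 binaries as missing, so those entries are left alone).
SAMPLE_LOG is a constructed excerpt of the posted log plus one HKCU Run
line modelled on the Outlook entry described in Response 6.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SYSTEM_DRIVE = "c:"
SYSTEM32 = SYSTEM_DRIVE + "\\windows\\system32\\"
MISSING = "(file missing)"   # HijackThis's marker for a path it could not find
# Drive letter up to the first .exe/.dll/.com; a stray quote or switch that
# HijackThis glued onto the path (see the avast! lines) is left behind.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|com))', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # "process", "O4" or "O23"
    label: str     # Run value name, .lnk name or service display name
    path: str      # executable path as printed in the log
    missing: bool  # HijackThis could not find the file


def parse_hjt(log: str) -> list[Entry]:
    entries: list[Entry] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                 # the list runs to the first blank line
            if line:
                entries.append(Entry("process", "", line, False))
                continue
            in_processes = False
        m = re.match(r"(O4|O23) - (.*)", line)
        if not m:
            continue
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        if not pm:                       # e.g. "Microsoft Outlook.lnk = ?"
            continue
        if section == "O4":
            lm = re.search(r"\[([^\]]+)\]|Startup: (.+?)\.lnk", rest)
            label = next(g for g in lm.groups() if g) if lm else rest
        else:
            lm = re.match(r"Service: (.+?) - ", rest)
            label = lm.group(1) if lm else rest
        entries.append(Entry(section, label, pm.group(1), MISSING in rest))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    findings: list[tuple[str, str]] = []
    dirs_by_name: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        lower = e.path.lower()
        directory, _, name = lower.rpartition("\\")
        # 32-bit code sees System32 as SysWOW64: treat them as one directory.
        dirs_by_name[name].add(directory.replace("\\syswow64", "\\system32"))
        where = f"{e.section} {e.label}".strip() + ": " + e.path
        if not lower.startswith(SYSTEM_DRIVE + "\\"):
            findings.append(("non-system drive", where))
        elif e.missing and not lower.startswith(SYSTEM32):
            findings.append(("missing outside System32", where))
    for name, dirs in sorted(dirs_by_name.items()):
        if len(dirs) > 1:
            findings.append(("same name, two directories", name + ": " + " | ".join(sorted(dirs))))
    return findings


SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Outlook] C:\Program Files (x86)\Outlook\Outlook.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - I:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: RegWorks Backup Service (RWBackupSrv) - Unknown owner - I:\Program Files (x86)\RegWorks\BackupSrv.exe (file missing)
"""

if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{kind}] {detail}")
```

Run against the sample, the triage is quiet about Ati2evxx.exe and about ctfmon.exe (the Run key says system32 while the running copy is in SysWOW64, which is redirection, not a second binary), and it reports the avast! service as missing outside System32, the two I:\ services, and the one real signal: outlook.exe launched from both the Office10 folder and a bare \Outlook folder. The avast! hit is worth a second look rather than alarm; the trailing `" /service` that HijackThis printed after the path suggests it tested a file name with the quote and switch still attached.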

Response Number 9
Name: dr-huard
Date: February 18, 2006 at 11:59:38 Pacific

The night before last I was also having serious problems with any type of external "drive" such as my xd cards or external hard drive. Though I don't understand all the implications, all the references to I:\ in the hijack log seem to tell me it is all related to the virus.

DR Huard
SoCal



Response Number 10
Name: jabuck
Date: February 18, 2006 at 13:45:18 Pacific

This is Windows 2003 and not XP. The system does not have an apparent infection. The WOW64, x86 and missing C:\WINDOWS\System32 file entries are normal. WOW64 hides the System32 files. x86 is a standard file.

This is the first 2003 I've looked at with HJT, as most previous posts on other forums are corporate systems and we don't try to repair them; most of the tools I use are for XP through 98.

Try running this tool and see if it will clean the virus.

Download Ewido Security Suite then set it up this way Ewido Setup Instructions reboot into safe mode and run Ewido

When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.

Please reboot into normal mode and post the ewido log.

To boot into safe mode, shut the computer down, wait 30 seconds, restart and press F8 at about 1-second intervals as the computer reboots. This may take more than one try to get the timing right.



Response Number 11
Name: dr-huard
Date: February 18, 2006 at 17:48:05 Pacific

Thanks, I beat you to the Ewido based on some other posts on this forum. I started it running in normal mode, but will run it again in safe mode. I realize this OS identifies as WinXP x64 even though it is also called 2003. I use WinXP x64 since that seems to be what has been most commonly used online. I will post the results later, but I do think that I got the bug when I killed the bogus outlook directory and removed the entry for it from the registry. I believe it came in a file from a p2p. I used to have Norton and it always caught this crap, but this Avast, though highly recommended at planetamd64 really sucks in my opinion since this worm has been around since 2002. Anyway, will keep the forum posted once I have more results. Thanks to all who have and are responding to this post.

DR Huard
SoCal



Response Number 12
Name: dr-huard
Date: February 19, 2006 at 12:38:38 Pacific

Tried to run Ewido in both normal and safe mode and it gets to scanning memory, around 14% on its little bar, and then never stops. It ran yesterday for over 18 hours and never moved past that. So much for that. Guess I will give Kaspersky a try and see how that fares.

There are no more symptoms of infection, and I think being x64 may have prevented the worm from doing some of its worst damage. The x64 forums all seem to suggest that most viruses cannot run well on 64-bit Windows since many of the approaches they use are either different or, in the case of 16-bit legacy stuff, simply not available in x64.

This is a scratch-built machine and I am not sure that x64 is worth the hassle, but once I committed to it, I had to keep going.

Any other thoughts or suggestions are always appreciated. drh

DR Huard
SoCal



Response Number 13
Name: Motoman
Date: February 20, 2006 at 17:46:03 Pacific

I had the same problem, starting on Feb. 11, even though I was using Norton Antivirus 2003 with all updates. Even scanning the suspect file with Norton didn't detect it. The symptoms: (1) Task Manager could not be opened with ctrl|alt|delete or from the taskbar; (2) regedit would not run from Start|run (but would run as regedit.exe); (3) Bearshare Pro would keep opening up after I shut it down, and once every 30 min or so would download about 1,500 small 22-byte zip files into the My Downloads|Shared directory, all deceptively named as popular programs or videos (such as Turin Olympics). I would delete them and they would be re-downloaded without my knowledge. Each was identified as a trojan carrier using Trend Micro's free online Housecall 6.5 scanner.

Here's what I did. First, I uninstalled Bearshare and then Norton. Then I installed AVG's free antivirus program! It picked up 2 infected files, c:\onoes.exe and c:\program files\outlook\outlook.exe. It cleaned those files. Then I downloaded Killbox.exe and deleted several files from the C:\Windows\System32 directory using the option Delete on Reboot:
regedit.com
netstat.com
cmd.com
tasklist.com
tracert.com
taskkill.com
ping.com
bszip.dll

These are all phony files that were created at the same time as the first appearance of "onoes.exe"
A helpful forum where I picked all this up (the only one, after I spent an entire day of looking through forums) is in German but Google translates it:
http://translate.google.com/translate?hl=en&sl=de&u=http://board.protecus.de/t22024.htm&prev=/search%3Fq%3DIRC/Backdoor.sdbot.VJZ%26hl%3Den%26lr%3D%26sa%3DG

Worked like a charm, AND using AVG instead of Norton Antivirus, my computer seems to run 4x as fast!


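The list of .com files in Response 13 and the observation in Responses 15 and 17 that regedit only opens when typed as REGEDIT.EXE are two views of the same trick. When a command is typed without an extension, cmd.exe walks the PATHEXT variable in order, and the Run dialog likewise tries .com before .exe; Windows XP/2003 ships PATHEXT starting with .COM;.EXE, so a regedit.com dropped into System32 is found before the genuine regedit.exe sitting next to it, while an explicit regedit.exe bypasses the impostor entirely. The script below is an added example, not code from the thread: it reproduces that lookup against a System32 stand-in constructed in a temporary folder and lists every tool whose bare name would launch something other than its .exe. The tool names are those posted in Response 13; the file contents are placeholders.

```python
"""Show how a regedit.com dropped beside regedit.exe takes over the bare
command name, and scan a directory for such shadow files.

Added example; not code from the thread. The lookup mirrors cmd.exe and the
Run dialog: a name typed without an extension is tried with each PATHEXT
extension in order, and the PATHEXT shipped with Windows XP/2003 starts
".COM;.EXE", so the .com wins. The tool list is the one posted in
Response 13; the directory scanned is constructed in a temp folder.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# First entries of the default PATHEXT on Windows XP/2003.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")
# System tools that Response 13 found with a .com impostor in System32.
TOOLS_FROM_THREAD = ("regedit", "netstat", "cmd", "tasklist", "tracert", "taskkill", "ping")


def _lookup(directory: Path, name: str) -> Path | None:
    """Case-insensitive file lookup, as NTFS would do it."""
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def resolve(command: str, search_dirs: list[Path], pathext=DEFAULT_PATHEXT) -> Path | None:
    """Return the file that would run for `command`.

    With an explicit extension the name is looked up verbatim. Without one,
    each directory is tried with every PATHEXT extension in order, so within
    a directory .COM beats .EXE; typing NAME.EXE sidesteps the impostor.
    """
    names = [command] if Path(command).suffix else [command + ext for ext in pathext]
    for directory in search_dirs:
        for name in names:
            hit = _lookup(directory, name)
            if hit is not None:
                return hit
    return None


def find_shadowed(directory: Path, tools=TOOLS_FROM_THREAD) -> dict[str, Path]:
    """Tools whose bare name resolves to something other than TOOL.exe."""
    shadowed: dict[str, Path] = {}
    for tool in tools:
        winner = resolve(tool, [directory])
        if winner is not None and winner.suffix.lower() != ".exe":
            shadowed[tool] = winner
    return shadowed


def build_sample_system32(root: Path) -> Path:
    """Constructed stand-in for System32 after the infection: every tool has
    its real .exe, and all but ping.exe also have the .com impostor."""
    sys32 = root / "System32"
    sys32.mkdir()
    for tool in TOOLS_FROM_THREAD:
        (sys32 / f"{tool}.exe").write_bytes(b"MZ real tool")
    for tool in TOOLS_FROM_THREAD:
        if tool != "ping":
            (sys32 / f"{tool}.com").write_bytes(b"MZ impostor")
    return sys32


def demo() -> dict[str, object]:
    """Run the scan against the constructed directory and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = build_sample_system32(Path(tmp))
        return {
            "regedit": resolve("regedit", [sys32]).name,          # regedit.com
            "regedit.exe": resolve("regedit.exe", [sys32]).name,  # regedit.exe
            "shadowed": sorted(find_shadowed(sys32)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the same check is a directory listing of System32 for *.com: the only .com files a stock XP/2003 install keeps there are a handful of DOS-era utilities, so a cmd.com or regedit.com next to the .exe of the same name is the tell. Deleting the impostors is what restores the bare names, which is why Response 18 treats a still-broken "regedit" as a sign the cleanup is incomplete.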

Response Number 14
Name: denise delmanto
Date: February 21, 2006 at 18:50:27 Pacific

I had this problem too. No antivirus worked, and so I decided to download and install Kaspersky (trial version). After a full and complete scan, I asked it to delete the infected files. And it did. When I restarted Windows, I didn't get any more error messages in IE and the file ONOES.EXE was not on my drive C anymore.

Denise



Response Number 15
Name: denise delmanto
Date: February 22, 2006 at 08:21:30 Pacific

Does anyone know how to have REGEDIT again? ONOES.EXE disabled it.
Denise



Response Number 16
Name: bradkillingvirsus
Date: February 22, 2006 at 22:28:44 Pacific

Get Norton Internet Security, even the free 15 days, and do exactly what it says on this page. I had this onoes.exe and Norton completely removed it and all of its components.

http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.f.html#removalinstructions



Response Number 17
Name: denise delmanto
Date: February 24, 2006 at 10:11:47 Pacific

Thanks very much. I will try Norton Internet Security. I could open REGEDIT if I type REGEDIT.EXE.



Response Number 18
Name: Motoman
Date: February 25, 2006 at 21:44:24 Pacific

I'll just hazard a guess that if you still can't open regedit using Start|run|regedit, then you still haven't fully cleared your system of the virus. See my post above for a list of files you need to make sure are deleted.



Response Number 19
Name: denise delmanto
Date: February 26, 2006 at 19:13:54 Pacific

I used so many tools to clean the computer after Kaspersky deleted onoes.exe that now I can open regedit using Start/Run/regedit... Anyway, thanks a lot for your attention.
Denise



Response Number 20
Name: jockwav
Date: March 5, 2006 at 12:17:02 Pacific

I had the same problems, could not open Task Manager, could not stop LimeWire from loading up. Ran the programme and it found a few things Avast did not find.

ewido anti-malware - Scan report


+ Created on: 20:03:31, 05/03/2006
+ Report-Checksum: A2235130

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-566670420-568201707-2101076350-1005\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-566670420-568201707-2101076350-1005\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
[568] C:\mousepad.exe -> Hijacker.VB.li : Cleaned with backup


::Report End



Response Number 21
Name: armada102
Date: March 14, 2006 at 19:47:17 Pacific

I found an easy fix. I had the same probs; run a System Restore to the date before you saw the problem. Worked for me, hope it helps.

