efzulue.exe please help me with thi

Name: Darcy Vanderwater
Date: September 8, 2003 at 20:27:38 Pacific
OS: Xp Pro
CPU/Ram: P III 450 Mhz 192 Megs PC
Comment:

Ok. This one's a real bugger. The main thing is, it's eating up a whole bunch of processor usage doing something (No clue what). Whenever I open my task manager it automatically closes within a second. I was able to take a screenshot and that's how I got the file name. The file is located in the windows/system32 folder. So like any smart kid I ran my comp in safe mode and deleted the file. I rebooted in regular mode and it's back. I tried opening my msconfig using the run tool but it also won't open when this virus is active. Any help would be great as I'm running out of options. Please e-mail me rather than posting here. Thank you.




Response Number 1
Name: suzi
Date: September 8, 2003 at 21:34:00 Pacific
Reply:

I searched Google for that and didn't find any matches. Could it be eZula.exe?

If so, that's a known adware/spyware thing. You can get rid of it with Spybot Search & Destroy.

http://www.safer-networking.org/



Response Number 2
Name: Tom41
Date: September 9, 2003 at 00:30:43 Pacific
Reply:

Download, unzip and run HijackThis. When the scan is finished, click save log. Copy and paste the log in a reply.

HijackThis!



Response Number 3
Name: Darcy Vanderwater
Date: September 9, 2003 at 04:13:35 Pacific
Reply:

Logfile of HijackThis v1.96.4
Scan saved at 7:11:25 AM, on 09/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\VZZRPNA.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Winamp3\studio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darcy\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reallifecomics.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Appmon2 driver] VZZRPNA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Appmon2 driver] VZZRPNA.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.661712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7927AA-F9CB-40C5-8CB0-F97D50A8677B}: NameServer = 206.47.244.43 198.235.216.111

Well, here's the log file. I can only see one thing on here that looks suspicious, but I'm not "that" computer knowledgeable in the first place.

C:\WINDOWS\System32\VZZRPNA.exe

I've never seen this one running before, when I check the task manager. But as I can't open it, I wouldn't be able to until now. Any suggestions as to what to do now?



Response Number 4
Name: Darcy Vanderwater
Date: September 9, 2003 at 04:22:45 Pacific
Reply:

OK. I've had a bit of a breakthrough here. But I'm not through yet. I checked out that file name I didn't recognize. It's in its location as a hidden file. So I checked out the stats on it, and whaddya know... it, and the original file I found running in the task manager, have the same "internal name" (no clue what an internal name is). wuaumgr.exe is this name. I've also, when checking through the same folder, C:/Windows/System32, found about 4/5 other hidden files of the same type, all bearing this internal name, wuaumgr.exe. I'm guessing there's a big connection here, but I have no clue what to do with it. Any help would be great.



Response Number 5
Name: Darcy Vanderwater
Date: September 9, 2003 at 04:27:45 Pacific
Reply:

Ok. Way off with the number there. Make it about 30+ of these hidden files of the same type. In the properties of all of them they say that they are applications and their description is: Generic Host Process for Win32 Services. This sounds a little fishy to me. I used to think these names actually meant something, but now that I can see them all, they just look like random letters in a row (7 to be exact) designed to disguise them as some system file. Anyways, that's all the info I've got. Keep the help comin'




Response Number 6
Name: Tom41
Date: September 9, 2003 at 05:20:15 Pacific
Reply:

It appears to be a W32.Spybot.worm infection.
Boot into safe mode and run HT again, place a check next to the following items and click fix checked.

O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Appmon2 driver] VZZRPNA.exe
O4 - HKCU\..\RunOnce: [Appmon2 driver] VZZRPNA.exe

Delete the following:
C:\Program Files\DownloadWare folder
VZZRPNA.EXE

Reboot to Windows.




Response Number 7
Name: Darcy Vanderwater
Date: September 9, 2003 at 12:59:56 Pacific
Reply:

Ok. I understand how that might work, but the thing is, the virus created over 30 of those files just like VZZRPNA.exe, all with seemingly random characters. I don't think checking that stuff in HT will help, but I will try it, after you explain to me what exactly I'm doing.



Response Number 8
Name: Tom41
Date: September 9, 2003 at 14:24:15 Pacific
Reply:

Hi Darcy, Using HijackThis will remove the registry 'Run' entries for VZZRPNA.exe and enable you to delete the file.
If the registry entries are not removed first, you will receive an access denied error message.


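The triage applied to the log in this thread, as an added example that is not part of the original posts: it parses the O4 autorun lines and flags executables that combine the traits seen with VZZRPNA.exe. The heuristics, the two-reason threshold and the function names are assumptions made for illustration, not HijackThis behaviour; the sample lines are a subset of the log posted in Response 3.

```python
import re
from collections import defaultdict

# Subset of the HijackThis log posted in Response 3 of this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\VZZRPNA.exe
C:\WINDOWS\System32\nvsvc32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Appmon2 driver] VZZRPNA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunOnce: [Appmon2 driver] VZZRPNA.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def parse_o4(log):
    """Return (hive, key, value_name, command) for each O4 autorun line."""
    return [m.groups() for line in log.splitlines()
            if (m := O4_RE.match(line.strip()))]

def executable(command):
    """First token of the command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def triage(log):
    """Flag autorun executables matching two or more illustrative heuristics."""
    running = {line.strip().rsplit("\\", 1)[-1].lower()
               for line in log.splitlines() if re.match(r"[A-Za-z]:\\", line.strip())}
    keys = defaultdict(set)
    for hive, key, _name, cmd in parse_o4(log):
        keys[executable(cmd)].add(f"{hive}\\{key}")
    findings = {}
    for exe, where in keys.items():
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if "\\" not in exe:                       # registry value has no directory
            reasons.append("no path given")
        if re.fullmatch(r"[A-Za-z]{7}", stem):    # the 7-letter pattern from the thread
            reasons.append("7-letter name")
        if exe.lower() in running and any(k.endswith("RunOnce") for k in where):
            reasons.append("RunOnce entry while already running")
        if len(reasons) >= 2:
            findings[exe] = (sorted(where), reasons)
    return findings
```

Calling `triage(SAMPLE_LOG)` flags only VZZRPNA.exe; winampa.exe also has a 7-letter name, but it carries a full path and a single Run entry, so one trait alone does not trip the threshold.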

Response Number 9
Name: Tom41
Date: September 9, 2003 at 14:31:06 Pacific
Reply:

Only delete VZZRPNA.exe and then go here and run an online virus scan.
W32.Spybot doesn't create a bunch of files.
We need to identify those other files before you attempt to delete them.

RAV




Response Number 10
Name: Darcy vanderwater
Date: September 9, 2003 at 16:07:55 Pacific
Reply:

Ok, lol. Ya, it found 129 infected files, and 1 virus body in my system 32 folder. (Where the virus is). It's all those weird random names system files. And then I came across the odd file out. It happened to be called a quake 3 demo. Nothing out of the ordinary, till I checked it out and saw it was 50 kb, and I have my virus. Anyways, I dispatched of the "demo" and all the related random system files, except the one that is currently running the virus, which will soon also be gone by the use of safe mode. Thank you very very very much to whoever showed me that online virus scanning program. I also found about 3 other e-mail viruses in the deleted e-mail folder. I'm just lucky my parents have no frickin clue how to open attachments. One of them is the infamous Win32.Sobig. thingy. Anyways, thanks for your help. I'll post if I have any troubles after I delete this last file.


