tuk

Distinguished
May 17, 2006
57
0
18,630
Hi,

This problem just appeared; I can't really think of any recent system changes that could account for this:

Every time I reboot, on login, just before the desktop appears, a small system message box appears with the following message:

Setting up personalized settings for:

c:\windows\system32\dllhost32.exe s

...after 2-3 minutes the desktop appears as normal.

On checking the system logs:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 07/01/2007
Time: 13:21:01
User: N/A
Computer: K1
Description:
The EIO service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

There seem to be 1-2 copies of dllhost32.exe in the startup list; if I try to disable them they just appear again on reboot.

The longer I spend on this, the more suspicious I'm becoming that this is something untoward, as I can't seem to find much on the net, not in the way of a solution anyway.

Any ideas?
 

tuk

Logfile of HijackThis v1.99.1
Scan saved at 18:12:29, on 07/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Tuk\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153823489417
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155413700406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03F22BB7-C124-47BF-B718-FD6CA7227A9E}: NameServer = ???.???.???.???
O17 - HKLM\System\CS7\Services\Tcpip\..\{03F22BB7-C124-47BF-B718-FD6CA7227A9E}: NameServer = ???.???.???.???
O17 - HKLM\System\CS8\Services\Tcpip\..\{03F22BB7-C124-47BF-B718-FD6CA7227A9E}: NameServer = ???.???.???.???
O17 - HKLM\System\CS9\Services\Tcpip\..\{03F22BB7-C124-47BF-B718-FD6CA7227A9E}: NameServer = ???.???.???.???
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
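The log above is where the "startup list" from the first post lives: the O4 lines are the Run keys, O9 lines are IE extensions, and O23 lines are third-party services, with "(file missing)" marking entries whose target is gone. What follows is an added triage script, not code from the thread and not part of HijackThis: it parses those three line types and flags the things a responder checks first, namely a filename that imitates a Windows binary by an appended number or a swapped letter (dllhost32.exe against dllhost.exe), a bare program name that Windows resolves through the search path, the same command registered in more than one place (so disabling one copy leaves the other), and missing files. The sample log is constructed: most lines are copied from the log above, but the two dllhost32.exe lines are invented placeholders for the entries the first post describes, since the posted log does not show them.

```python
"""Added example: triage of a HijackThis 1.99.1 log for autostart entries that
deserve a second look. Not from the thread; the sample log is constructed."""
import re
from dataclasses import dataclass

# Windows binaries that malware habitually imitates by adding digits or
# swapping letters (dllhost32.exe for dllhost.exe, scvhost.exe for svchost.exe).
KNOWN_SYSTEM_BINARIES = {
    "dllhost.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
    "services.exe", "winlogon.exe", "explorer.exe", "smss.exe", "spoolsv.exe",
    "ctfmon.exe", "taskmgr.exe", "wuauclt.exe", "userinit.exe",
}

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<what>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (catches scvhost vs svchost)."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def executable_of(command):
    """First token of a command line, honouring a quoted program path.
    An unquoted path with spaces is ambiguous for Windows too; it is
    reported as its first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mimicked_binary(name):
    """Return the legitimate Windows binary `name` imitates, or None.
    Heuristic: a known name with trailing digits added, or one edit away."""
    if name in KNOWN_SYSTEM_BINARIES or not name.endswith(".exe"):
        return None
    stem = name[:-4]
    stripped = re.sub(r"\d+$", "", stem)  # dllhost32 -> dllhost
    if stripped != stem and stripped + ".exe" in KNOWN_SYSTEM_BINARIES:
        return stripped + ".exe"
    for legit in KNOWN_SYSTEM_BINARIES:
        if edit_distance(stem, legit[:-4]) == 1:
            return legit
    return None


def triage(log_text):
    findings, commands = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):  # Run-key entries (startup-folder O4 lines have another shape)
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                findings.append(Finding("O4", "low", f"bare name {exe!r} is resolved through the search path", line))
            if legit := mimicked_binary(basename(exe)):
                findings.append(Finding("O4", "high", f"{basename(exe)!r} imitates Windows' {legit!r}", line))
            commands.setdefault(m["cmd"].lower(), []).append(m["where"])
        elif m := O9_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O9", "info", "IE extension points at a file that no longer exists", line))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", "medium", "service image missing; expect an SCM Event ID 7000 at boot", line))
            if m["company"] == "Unknown owner":
                findings.append(Finding("O23", "medium", "service binary carries no company name", line))
    for cmd, places in commands.items():
        if len(places) > 1:
            findings.append(Finding("O4", "medium", f"same command registered {len(places)} times ({', '.join(places)}); disabling one leaves the other", cmd))
    return findings


# Constructed sample: the dllhost32 lines are invented placeholders, the rest are copied from the thread's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [dllhost32] C:\WINDOWS\system32\dllhost32.exe s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dllhost32] C:\WINDOWS\system32\dllhost32.exe s
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample the two dllhost32 lines come out as "high" plus one duplicate-registration finding, the NVIDIA, SoundMan and KHALMNPR entries as "low" because they are bare names, and the two xpnetdiag lines as "info". A bare name is only a problem if something can plant a same-named file earlier in the search path, so those are prompts to look, not verdicts.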
 

edklite

Distinguished
Dec 29, 2006
1,371
0
19,280
Sounds like your NVIDIA tray icon loading is hanging you. Disable the automatic startup of the tray icon and see if that helps.

You are also missing xpsp3res.dll.
 

tuk

"you are also missing xpsp3res.dll"
What is that? And why didn't I need it before?

Both the NVIDIA audio and graphics are loaded OK in the taskbar; should I still try and disable them?
 

edklite

Oh wait, I was looking at rundll32; I didn't notice your dllhost32.exe.

That is a virus, I believe. Did you have an up-to-date antivirus?

Your rundll32 keys are for your NVIDIA card.
 

tuk

SpyBot nailed them:

'bitfrose.LA'

&

'Fake.Wget'

Now that they have been destroyed it boots normally again.

Ta
 

tuk

It's not over yet;
it appeared again in another user account... not Admin.

This time ZA gave the option to kill it.
I did a full drive scan with ZA but nothing showed up.

What online scanner could you recommend?
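The "Setting up personalized settings for:" dialog in the first post is the one Windows shows while it runs an Active Setup StubPath entry, and the text it prints is the default value of the component's key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Active Setup runs each entry once per user, at that user's next logon, and then writes a marker for the same GUID under the user's own hive; an entry that has already run for one account therefore still runs the first time another account logs on, which is one way a thing cleaned from one profile turns up again in a different one. That location is not among the sections of the HijackThis 1.99.1 log above. The following is an added example, not code from the thread: it reads `reg export` text for the machine key and for a user's key and lists which stubs Windows will still run for that user, applying the rule that a stub runs when IsInstalled is not 0 and the user has no marker for the GUID or an older Version. The registry fragments are constructed: the first component copies the shape of Windows' own "Windows Desktop Update" entry, and the second uses a placeholder GUID with the exact text of the dialog from the first post; neither is an export from the affected machine.

```python
"""Added example: which Active Setup StubPath commands still run at a given
user's logon, from `reg export` text. Not from the thread; sample hives are
constructed."""
import re

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_reg(text):
    """Minimal parser for `reg export` output: {key path: {value name: data}}.
    Handles REG_SZ strings and dword values, which is all Active Setup uses."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m["key"], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return keys


def components(hive, root):
    """Map GUID -> values for every Installed Components subkey under `root`.
    Registry paths and GUIDs are case-insensitive, so compare normalised."""
    prefix = f"{root}\\{ACTIVE_SETUP}\\".lower()
    return {k[len(prefix):].upper(): v for k, v in hive.items() if k.lower().startswith(prefix)}


def version_tuple(value):
    """Active Setup versions are comma-separated integers, e.g. "6,0,2600,0"."""
    return tuple(int(p) for p in str(value).split(",")) if value else ()


def pending_stubs(machine, user, user_root="HKEY_CURRENT_USER"):
    """(guid, display name, command) for each component Windows will run for
    this user at logon: IsInstalled != 0 and the user's hive has no marker for
    the GUID, or a marker with an older Version."""
    pending = []
    for guid, comp in components(machine, "HKEY_LOCAL_MACHINE").items():
        stub = comp.get("StubPath")
        if not stub or comp.get("IsInstalled", 1) == 0:
            continue
        marker = components(user, user_root).get(guid)
        if marker is None or version_tuple(marker.get("Version")) < version_tuple(comp.get("Version")):
            pending.append((guid, comp.get("(Default)", ""), stub))
    return pending


def path_like_name(display_name):
    """The dialog normally shows a product name; a path or command line there
    is the tell visible in the first post."""
    return "\\" in display_name or display_name.lower().endswith(".exe")


# Constructed sample hives (not an export from the affected machine).
# Second GUID is a placeholder; its text mirrors the dialog from the first post.
MACHINE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"IsInstalled"=dword:00000001
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,0,2600,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="c:\\windows\\system32\\dllhost32.exe s"
"StubPath"="c:\\windows\\system32\\dllhost32.exe s"
"""

# A user who has logged on since the desktop-update entry shipped, so their
# hive carries its marker, but never since the placeholder entry appeared.
FIRST_USER_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"Version"="6,0,2600,0"
"""

# A user who has never logged on since either entry existed.
SECOND_USER_REG = ""

if __name__ == "__main__":
    machine = parse_reg(MACHINE_REG)
    for label, text in (("first user", FIRST_USER_REG), ("second user", SECOND_USER_REG)):
        for guid, name, stub in pending_stubs(machine, parse_reg(text)):
            flag = "  <-- name is a path" if path_like_name(name) else ""
            print(f"{label}: {guid} {name!r} runs {stub!r}{flag}")
```

For the first user only the placeholder entry is still pending; for the second user both are, which is the per-account behaviour. Raising the Version under HKLM makes an entry run again for everyone, so a changed Version on a familiar GUID deserves the same look as a new GUID. On a live XP box the inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" machine.reg` and the matching HKCU key exported while logged on as the user in question.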
 

tuk

Doesn't seem to work;
it says there are problems with objects on the page when you're choosing the media to be scanned.
 

tuk

I'm using the latest version of IE with full permissions, but I get the warning tab when the "media to scan" page tries to load.
 

tuk

Results of a full scan of 'My Computer'

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.overture.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[server.iad.liveperson.net/hc/21375168]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Anne\Application Data\Netscape\NSB\Profiles\6t6wly6u.default\cookies.txt[.xmts.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Anne\Cookies\anne@2o7[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Anne\Cookies\anne@as1.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Anne\Cookies\anne@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Anne\Cookies\anne@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Anne\Cookies\anne@hitbox[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Anne\Cookies\anne@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Anne\Cookies\anne@questionmarket[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Anne\Cookies\anne@server.iad.liveperson[3].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Anne\Cookies\anne@xmts[2].txt
Virus:Bck/Bifrose.VW Disinfected C:\WINDOWS\system32\dllhost32.exe
Hacktool:HackTool/EvID Not disinfected E:\SetupFiles\Network\EvID4226Patch223d-en\EvID4226Patch.exe

dllhost32.exe: there she blows. I also found another copy of this file in the prefetch folder, which I deleted; anyway, ActiveScan says it's been deleted.

EvID4226Patch.exe is a program that allows the number of connections to be controlled in XP SP2; I think this is OK.

The rest just seem to be ad cookies, which I assume are relatively harmless and easy to delete.

So I guess I need to find a replacement for ZA, whose scanner plainly missed this virus... any recommendations?
 

edklite

Your EvID "virus" is a false positive; because it changes the TCP limit in the system, all antivirus programs think it's a virus. It's not.

As far as antivirus goes, this is what you want:

http://www.eset.com/products/windows.php

Disable your System Restore, clean all temp files and the Recycle Bin, then install the 30-day free version of NOD, get it up to date and then let it do a full scan. Make sure you first go into options and set it like this:

[attached image: untitledhg8.png]


Also make sure that when you scan you use the same profile as the one you configured to be like the above window ;)

It's very fast compared to others and very light on your CPU. After 30 days, if you like it, buy an update licence ;)
 

tuk

Hi, OK, did a full scan with NOD32; amazed at the scan time, just over an hour, where ZA would have taken 3-4 hours and maybe not found certain problems... 9 problems were found, but only maybe 3-4 of these were genuine; copies of these problems showed up in 'Sys Restore', so just to make sure:

When I look in my restore folder, I see these files:
C:\System Volume Information\

_restore{5852F077-A09D-4809-9484-38284B456F30}
_restore{F87708BC-BF2B-47B4-8D0D-13BF272B73C2} HIDDEN
MountPointManagerRemoteDatabase HIDDEN
tracking.log HIDDEN

When I turn 'Sys Restore' on and off, then '_restore{F87708BC-BF2B-47B4-8D0D-13BF272B73C2} HIDDEN'
gets deleted/refreshed.

Is this all I have to do to clean out 'System Restore'? What about _restore{5852F077-A09D-4809-9484-38284B456F30}, which seems to be some kind of system folder?
 

edklite

If it took NOD an hour to scan your system, you must have a lot of files and a big drive. The reason ZA did not take so long is because you did not have it scan compressed files (which takes longer), which is also one of the reasons why you got a virus from ZA ;)

Once you enable restore, the key you see should be the restore point the PC is trying to make since you enabled it ;) but I'm not 100% sure.

If you want to speed up NOD, disable the scanning of archives (compressed files), but remember that if there is a virus on your PC in a compressed file it won't be cleaned ;)

Instead, schedule NOD to run 3 nights out of the week, 3 separate nights while you sleep ;) This way you won't notice it and your system will stay clean ;)

Other than that, make sure your OS is up to date, with a good firewall and your anti-spyware, and you should be good to go ;)