HJT log for my unknown and very rare virus...


  • This topic is locked
9 replies to this topic

#1 cavalier1516

cavalier1516

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 February 2005 - 12:56 AM

Here's what's going on:

Yesterday, I connected to the internet (I have dial-up), but my little connection icon didn't show up. I was, however, connected to the internet (although NOT to my homepage; it had been replaced with "about:blank". The name of the virus that is doing this is scpStelth.cih ver.2.018.). This has happened before; in fact, I haven't seen the original "Connected" icon in over a year (so I can't see how good or bad of a connection I've got), I assume because of a virus. I recently bought a new modem (the old one crapped out), and the new modem produced its own icon, so lately I've been able to tell. As I said though, this icon disappeared too.
I ignored it, figuring I'd deal with it later, and attempted to run Star Wars Galaxies. This is why I have no idea where this virus came from: the only time I've been connected to the internet in the last month and a half is when I play Star Wars Galaxies. However, I kept getting a client error (again, I assume because of this virus), and couldn't log on.

The virus shows up in the Task Manager as rpcss_pl.exe, but cannot be removed. It changes my IE homepage, hides or removes my connected icon, does not allow me to right-click and "Open in a new window", and disables my keyboard any time I try to play games I have installed. It probably does more that I haven't even found out yet. My friend found (I think by running one of my scanning programs) the name of the virus (I don't remember it, and I'm running Ad-aware, so it should show up in that, and then I'll try to post the name of it), Googled it, and only ONE result was found, and it was some German website. Also, it seems to attack HijackThis.
Also, the virus I have will not let me click on links like that (I have to copy and paste or type it), and it has disabled my Windows search feature, and causes my internet to disconnect if left idle for more than a couple of minutes.
ALSO, my Windows Media Player has stopped working, and when I tried to use Spybot S&D to delete some stuff it picked up, I got an error: "Fehler beim setzen der Daten fu 'SpyBotSnD'". Did I mention that the one site that appeared when my friends Googled this virus was a German website? This virus is dismantling my computer.

These are some other viruses/spyware I have and cannot seem to get rid of:
TR/Rameh (as it shows up on Antivir XP, in an archive, so it cannot be removed)
Heuristic/Java.Downloader (again, found by Antivir xp, in an archive, so it cannot be removed)
Huntbar (as it shows up in Spybot Search & Destroy, I know where it is in the registry but cannot delete it)

I also have a few programs on my add/remove programs list and a few folders that I can't seem to delete or get rid of (these were like this long before I ever met this virus). But, I'll worry about these IF I ever fix this virus, because if I don't, I'm gonna have to reformat.


ANYWAY


I have HijackThis v1.99.1, I believe that's the latest version. When I run it, I get an error, and it tells me "Your host file has invalid line breaks and HijackThis is unable to fix this. 01 items will not be displayed." Then I click OK to finish the scan.

Here it is:


Logfile of HijackThis v1.99.1
Scan saved at 5:07:47 AM, on 2/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccmain.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\Documents and Settings\Brandon.WHEATONPC\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn6.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.paypal.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28177.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...351/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0CC02FA-690A-4A5C-8FEC-A6EE87C3433A}: NameServer = 199.176.228.2 199.176.228.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by cavalier1516, 28 February 2005 - 05:21 AM.



#2 cavalier1516

cavalier1516
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 February 2005 - 05:10 AM

**updated the log file. I will run HJT and post that file in the morning, after I've run all my virus hardware.**

#3 cavalier1516

cavalier1516
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 28 February 2005 - 05:04 PM

Dang, this forum gets a lot of traffic. I just need to keep my post on the front page. But somebody, help me out please.

Oh yeah, and here's my new HJT log after running a few new virus scans.




Logfile of HijackThis v1.99.1
Scan saved at 5:07:59 PM, on 2/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wauctlxp3.exe
C:\Documents and Settings\Brandon.WHEATONPC\My Documents\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn6.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.paypal.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28177.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...351/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0CC02FA-690A-4A5C-8FEC-A6EE87C3433A}: NameServer = 199.176.228.2 199.176.228.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by cavalier1516, 28 February 2005 - 05:08 PM.
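The two logs above repeat the handful of entries a helper would zero in on: an O23 service with no owner string whose binary (rpcss_pl.exe) borrows the name of a core Windows component, an O4 Run entry launching an unfamiliar file (wauctlxp3.exe) from System32, and an O2 BHO registered under a GUID instead of a readable name. The script below is an added example, not part of this thread and not a HijackThis feature: it parses lines in the HijackThis 1.99 format and flags those patterns, including the "(file missing)" orphaned-service variant bakauata reports at the end of the thread. The sample lines are copied from the logs above; the System32 allow-list, the lookalike stem list and the flagging rules are assumptions made for the example, not a vendor's signatures.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines in HijackThis 1.99 format, copied from the logs in
# this thread, plus the "(file missing)" variant reported later in the thread.
SAMPLE_LOG = r"""
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn6.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)
"""

# Line shapes as HijackThis 1.99 prints them (see the logs in this thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?)"?$')
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumed allow-list: Windows XP binaries that legitimately autostart from System32.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe"}
# Assumed: core Windows component names that malware commonly borrows as a prefix.
LOOKALIKE_STEMS = ("rpcss", "svchost", "lsass", "csrss", "winlogon", "services")


@dataclass
class Finding:
    section: str   # HJT section prefix: O2, O4, O23
    reason: str    # why the line deserves a look
    line: str      # the offending log line


def _basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def _lookalike(section: str, path: str, line: str) -> List[Finding]:
    """Flag binaries whose name starts with a core component name but is not that name."""
    name = _basename(path)
    stem = name.split(".")[0]
    return [
        Finding(section, f"binary name '{name}' borrows the name of Windows component '{s}'", line)
        for s in LOOKALIKE_STEMS
        if stem != s and stem.startswith(s)
    ]


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis log line (empty list if nothing stands out)."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        out = []
        if m["owner"] == "Unknown owner":
            out.append(Finding("O23", "service registered without a vendor/owner string", line))
        if m["missing"]:
            out.append(Finding("O23", "orphaned service entry: registration survives but the binary is gone", line))
        return out + _lookalike("O23", m["path"], line)
    m = O4_RE.match(line)
    if m:
        out = []
        name = _basename(m["path"])
        if "\\system32\\" in m["path"].lower() and name not in KNOWN_SYSTEM32_AUTOSTART:
            out.append(Finding("O4", f"autostart of '{name}' from System32, not on the allow-list", line))
        return out + _lookalike("O4", m["path"], line)
    m = O2_RE.match(line)
    if m and GUID_RE.match(m["name"]):
        return [Finding("O2", "BHO registered under a GUID instead of a readable name", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-blank line of a log and collect the findings in order."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports seven findings: the GUID-named BHO, the wauctlxp3.exe autostart, and for each rpcss_pl.exe service line the missing owner plus the rpcss lookalike, with the orphaned-entry note added for the "(file missing)" line. The O4 entries for pccguide.exe and ctfmon.exe and the AVG service pass silently, which is the point of the allow-list: the rules are meant to shorten a log to the lines worth asking about, not to judge a line on their own.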


#4 cavalier1516

cavalier1516
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 01 March 2005 - 05:11 PM

no help?

#5 cavalier1516

cavalier1516
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 01 March 2005 - 06:53 PM

I understand that no one can help me on this, because as I said, this virus is completely obscure and unknown.

By the way, it has attacked Window Washer 5 (which now crashes after I wash up). And scans no longer detect it, although it's still there.

It looks more and more likely that I'll be reformatting this weekend, assuming this virus even allows me to do that.

Germany above all.

#6 demandango

demandango

  • Members
  • 72 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 01 March 2005 - 06:55 PM

In my experience, the experts here do not skip the posts; be patient and you will be answered, IMO. Sometimes it takes a few days, but I have found you do not need to keep your post at the top; they will get to it in order.

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:30 PM

Posted 02 March 2005 - 02:25 PM

Hello cavalier1516. I'll be glad to help, but first, a couple of ground rules. When you post information, post only what I ask for. Do not try and do things on your own, or we might end up breaking your system, and I don't want that to happen. Do not bump up your thread. I will respond to you when I have time. None of us here get paid for our time, and we all have real lives outside of BC, so please do not bump your post. If you don't follow instructions, I will simply lock your thread, and you can go elsewhere for help. I hope I am clear. :thumbsup:

First thing you need to do is get all of your Windows updates. You are way behind on those, and it isn't a wonder that you are infected.

Then post a fresh HJT log. As soon as I have time, I will get to you.

#8 cavalier1516

cavalier1516
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 02 March 2005 - 03:21 PM

Where can I download the Windows updates? My automatic Windows Update is disabled (half of the 'updates' that used to want to download ended up being spyware), and I can't seem to find where on the Microsoft website to download updates for Windows (there's a section on there called "Windows Updates", but it doesn't seem like that's what I'm looking for).




Also, Microsoft AntiSpyware has stopped working now, so has the 'Help & Support' option on my start menu, and every couple of minutes, an error window that says "TODO <File Description>" keeps popping up.

Edited by cavalier1516, 02 March 2005 - 04:18 PM.


#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:30 PM

Posted 02 March 2005 - 06:22 PM

Odds are that you have something running that is sucking up system resources...I have sort of a nagging feeling that you may be having a hard drive about to go belly up though. Not for sure, just a feeling.

Post me a fresh HJT log, and I will see what I can do to get you running at least a little better. :thumbsup:

#10 bakauata

bakauata

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 05 March 2005 - 10:07 AM

I also got this rpcss_pl.exe problem which brought my PC to an almost critical condition: blue screen a few minutes after entering Windows XP.
Following someone's lead on some forum I can't find again (even though there's very little on the web about rpcss_pl.exe), I managed to delete the file. Don't ask EXACTLY what I did 'cause I don't remember.
I do remember the rpcss_pl.exe file was invisible to Windows Explorer but HJT seemed to have deleted it on reboot.
I do remember that I either screwed up my registry or decided the virus had and so replaced it with an older backup I had. Some entries were not replaced though.
Well, now my machine is back on my side but I get this on my HJT report:
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)
I am unable to deactivate (or delete) this service from msconfig or the registry since I get a message saying it's an essential service (well, it says so in Spanish).
I'm not really concerned about the solution to this 'cause I've decided to say bye-bye to Windows and turn to Linux.
I hope this helps you though.
If I remember any other details I'll post 'em.



