Virus Problem! Huge

[stevegarbz]

Hello, I have a virus problem. The virus slows down my computer A LOT, and it also makes my anti-virus all messed up. I have Norton Anti-Virus and running on WinXP. Whenever I try to do a system scan, it will just close out of it. Or if I try to do anything that involves security or privacy, it will uncheck the box or exit out of it. I have tried a few online virus scans already such as Panda ActiveScan and Symantec Virus Scan, although the Symantec one does not work. I opened a MS-DOS file and everything on my computer exited. I was watching it and all of a sudden my anti-virus icons exit the taskbar, and nothing works. I really have no clue on what to do on this one. I looked on the Symantec site looking for the virus, but there is just too many, and I do not even know the name of this virus, so that makes another problem for me. PLEASE help me with this. I cannot reformat my computer because I'm flooded with web design work at the moment, and backing up everything will be a lot of CD's. Also, my network settings were changed, too. No secure pages ( https:// ) will be shown to me, it comes up as "This page cannot be displayed." I need help with this problem and will give a reward to the person that can help me FIX this problem. Thanks.

Also, none of the system scans work in safe mode either. Everything that works regularly is the same for safe mode.

I have a program calling "HijackThis" and it found a file called fservice.exe. I have tried to delete it and it just comes back. I was already at the TechTV boards about this and a guy told me to delete that file. If anyone can help me please CONTACT me ASAP.

REFORMATION IS NOT AN OPTION

AIM = stevegarbz

MSN doesn't work - virus disabled it.

Yahoo - If you have that and you ABSOLUTELY NEED to use that, post here and I will get it.



PLEASE help me with this problem. I will reward the person with anything that they want. ( cash, website, web hosting, etc. )

 

[stevegarbz]

HijackThis LOG

Logfile of HijackThis v1.97.7
Scan saved at 4:07:48 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe
C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.8\THGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_stp.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37996.6514930556
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Don't say "just delete them with all browsers closed." because it does not work.

 

[David Lindon]

OK, search the registry for the fservice.exe file. It will be in the start up menu as that is how it is getting there. Delete it from the registry and let me know if it helps.

 

[stevegarbz]

I already did that multiple times, it just comes back, even if I do it in safe mode.

 

[Lord Kalthorn]

Would it be worth reinstalling the computer? I don't know what sort of stuff you have on it but that would be the surest way of doing it.

 

[tagar]

The virus you have is the Prorat Trojan
Trendmicro calls it BKDR_PRORAT.13
Symantec calls it Backdoor.Prorat

Try TrendMicro's online scanner Housecall:
http://housecall.trendmicro.com/
See if it fixes the problem

 

[At0m1x]

Did it fix it?

 

[bluto]

Virus Alert

Dear Internet Customer

We are sending this Virus Alert to update you on two critical viruses that are circulating on the Internet:
The SASSER Virus and the NETSKY Virus.

SASSER VIRUS INFORMATION (NETSKY VIRUS INFORMATION IS BELOW)

A. SASSER KEY MESSAGE:
All customers using Windows 2000 or Windows XP should immediately run Windows Update at http://windowsupdate.microsoft.com

B. SASSER VIRUS OVERVIEW:
This virus is spreading rapidly across the Internet. Unlike viruses sent via Email attachments, this 'worm' virus can infect computers by taking advantage of a security vulnerability in Windows 2000 and Windows XP. It can be spread from computer to computer with no user intervention.

C. SASSER - SYMPTOMS OF INFECTION:
If your computer has been infected, the SASSER virus will cause your computer to frequently restart. While your computer is rebooting, you may also see pop-up systems messages regarding "NT Authority\System" or "LSA Shell". Your computer will attempt to infect other computers without your knowledge.

D. SASSER - HOW TO KEEP YOUR COMPUTER FROM BEING INFECTED

1. Run Windows Update:
All customers using Windows 2000 and Windows XP users should run Windows Update at http://windowsupdate.microsoft.com and follow the on-screen instructions to patch their systems and avoid infection.

2. Update your virus protection software:
If you already have virus protection software installed on your computer, you should update it immediately. If you do not have virus protection software installed on your computer, Rogers, in conjunction with McAfee, is offering an Internet Security Solution which includes virus protection. You can get more information from: http://www.rogers.com/mcafee

E. SASSER - HOW TO REMOVE IT IF YOU THINK YOUR COMPUTER HAS BEEN INFECTED

1. Download and run McAfee's Free Virus Removal Tool - Stinger
If you believe that your computer has been infected, McAfee has released a stand-alone virus removal tool which can detect and can remove this virus. Their free 'Stinger' virus removal tool can be downloaded from their Website:
http://vil.nai.com/vil/stinger/

NOTE: Stinger can only remove the virus, it does not protect your computer from future infection by this virus or any other virus. For more details on Virus Protection offered by Rogers and McAfee please visit http://www.rogers.com/mcafee

2. Run Windows Update:
After removing the virus, you should install the Microsoft update to be protected from the SASSER virus:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

3. Update your virus protection software:
If you already have virus protection software installed on your computer, you should update it immediately. If you do not have virus protection software installed on your computer, Rogers, in conjunction with McAfee, is offering an Internet Security Solution which includes virus protection. You can get more information from: http://www.rogers.com/mcafee

F. SASSER - ADDITIONAL DETAILS
To get additional details on the SASSER Virus, please visit: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008

------------------------------------------------------------

NETSKY VIRUS INFORMATION (SASSER VIRUS INFORMATION IS ABOVE)

A. NETSKY KEY MESSAGE:
Customers should be very cautious when opening Email attachments. We recommend using an updated Virus Protection software package to avoid being infected by this or other viruses. If you receive an infected Email message, immediately delete it and empty your Deleted Items folder.

B. NETSKY VIRUS OVERVIEW:
This virus arrives as an infected Email attachment and can infect your computer if the attachment is opened. The virus affects computers running Windows Operating Systems. Once infected, your computer can send out infected Email messages (without your knowledge) to others within your Email address book.

The name of the infected attachment, body of the Email message and the From: line all vary greatly (See below).

TYPICAL SUBJECT LINES FOR EMAIL MESSAGES INFECTED WITH THE NETSKY VIRUS:
- Correction
- Hurts
- Privacy
- Password
- Wow
- Criminal
- Pictures
- Text
- Money
- Stolen
- Found
- Numbers
- Funny
- Only
- love?
- More
- samples
- Picture
- Letter
- Question
- Illegal

TYPICAL BODY TEXT OF EMAIL MESSAGES INFECTED WITH THE NETSKY VIRUS:
- Please use the font arial!
- How can I help you?
- Still?
- I've your password.
- Take it easy!
- Why do you show your body?
- Hey, are you criminal?
- Your pictures are good!
- The text you sent to me is not so good!
- True love letter?
- Do you have no money?
- Do you have asked me?
- I've found your creditcard.
- Check the data!
- Are your numbers correct?
- You have no chance...
- Wow! Why are you so shy?
- Do you have more samples?
- Do you have more photos about you?
- Do you have written the letter?
- Does it hurt you?
- Please do not sent me your illegal stuff again!!!

TYPICAL EMAIL ATTACHMENT NAMES INFECTED WITH THE NETSKY VIRUS:
- corrected_doc.pif
- hurts.pif
- document1.pif
- passwords02.pif
- image034.pif
- myabuselist.pif
- your_picture01.pif
- your_text01.pif
- your_letter.pif
- your_bill.pif
- my_stolen_document.pif
- visa_data.pif
- pin_tel.pif
- your_text.pif
- loveletter02.pif
- all_pictures.pif
- your_letter_03.pif
- your_picture.pif
- abuses.pif

C. NETSKY - SYMPTOMS OF INFECTION:
Your computer can only be infected with the NETSKY virus if you opened one of the attachments detailed above. Once infected, your computer will begin sending out copies of the virus Email message without your knowledge, so it is difficult to detect.


D. NETSKY - HOW TO KEEP YOUR COMPUTER FROM BEING INFECTED

1. Delete infected messages and empty your Deleted Items folder.

2. Update your Virus Protection software:
If you already have virus protection software installed on your computer, you should update it immediately. If you do not have virus protection software installed on your computer, Rogers, in conjunction with McAfee, is offering an Internet Security Solution which includes virus protection. You can get more information from: http://www.rogers.com/mcafee

E. NETSKY - HOW TO REMOVE IT IF YOU THINK YOUR COMPUTER HAS BEEN INFECTED

1. Download and run McAfee's Free Virus Removal Tool - Stinger
If you believe that your computer has been infected, McAfee has released a stand-alone virus removal tool which can detect and remove this virus. Their free 'Stinger' virus removal tool can be downloaded from their Website:
http://vil.nai.com/vil/stinger/

NOTE: Stinger can only remove the virus, it does not protect your computer from future infection by this virus or any other virus. For more details on Virus Protection offered by Rogers and McAfee please visit http://www.rogers.com/mcafee

2. Update your virus protection software:
If you already have virus protection software installed on your computer, you should update it immediately. If you do not have virus protection software installed on your computer, Rogers, in conjunction with McAfee, is offering an Internet Security Solution which includes virus protection. You can get more information from: http://www.rogers.com/mcafee

F. NETSKY - ADDITIONAL DETAILS
To get additional details on the NETSKY Virus, please visit: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=124873

Thank you.

 

[bluto]

OK, search the registry for the fservice.exe file. It will be in the start up menu as that is how it is getting there. Delete it from the registry and let me know if it helps.

I must add this Dave,
Export the current registry first.
You might also try a Restore point.The good old days.

 

[sean82007]

okay delete the fservice.exe from the registry, go to start, run and type in msconfig and then go to start up uncheck the fservice.exe program. and delete it from the start up folder. people may have already posted this before but i dont wanna read all of that