I think my computer has trojan viruses, not that great at computers...please help

Status
Not open for further replies.
Hey Everyone!

I'm new here, like the title says, I'm not great at computers. Anyways lately my computer's been very slow, and I notice in the task manager there's all these weird things that are taking up a bunch of space, and some pop up called gizm0luvsu comes outta nowhere. I'm in university (live in rez) and my computer's connected to a bunch of ppl so I probably do have a virus of some sort. My anti-virus program doesn't seem to pick it up. I have Windows 2000 Professional Edition if that helps....So here's my HijackThis log...any help would be GREATLY appreciated

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\netinfo.exe
C:\WINNT\system32\bcvsrv32.exe
C:\WINNT\system32\updatesp2.exe
C:\WINNT\system32\netinfo.exe
C:\WINNT\system32\updatesp2.exe
C:\WINNT\system32\netinfo.exe
C:\WINNT\system32\netinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ccrsb\Start Menu\Programs\HijackThis.exe


O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [sp2update] updatesp2.exe
O4 - HKLM\..\Run: [Bcvsrv32] bcvsrv32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] netinfo.exe
O4 - HKLM\..\RunServices: [Bcvsrv32] bcvsrv32.exe
O4 - HKLM\..\RunServices: [sp2update] updatesp2.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] netinfo.exe
 
Hello and welcome to Techspot.

Take a look at this thread by RBS; it will help you.

https://www.techspot.com/vb/topic17297.html

Regards Howard
 
After you have done as advised in my topic17297 post,
run HJT standalone in safe mode and let it fix:

C:\WINNT\system32\bcvsrv32.exe
C:\WINNT\system32\updatesp2.exe .... (ALL instances)

O4 - HKLM\..\Run: [sp2update] updatesp2.exe
O4 - HKLM\..\Run: [Bcvsrv32] bcvsrv32.exe
O4 - HKLM\..\RunServices: [Bcvsrv32] bcvsrv32.exe
O4 - HKLM\..\RunServices: [sp2update] updatesp2.exe
 
Thank you guys so much for your help...hijackthis is saying no suspicious items found and netinfo and those other exe's aren't in my task manager anymore....hopefully they won't come back.
 
Update32.exe is spyware!!!!!!!!!!!!!!!!!!!!!

After finding the process updatesp2.exe running on my friend's computer and breaking out the tools I found this information regarding the process. I did a Google search and found nothing except this website so I'm assuming it's a new piece of malware. I analyze programs and remove malware and viri by hand so what follows is a short analysis of this application. I just got done doing battle with a flavor of haxdoor so I'm a little tired. I won though. :)

A handle to each of these files:

File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

File C:\Documents and Settings\Administrator\Cookies\index.dat

File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat

The process is reading the contents of the temporary internet files folder. It could be looking for other applications to execute that are downloaded automatically from websites.
The process is reading the cookies on the computer. It's tracking your movements on the web.
The process is also looking at the websites you have visited by using the IE history.

This process has the following registry keys open:

Key HKLM
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKCU
Key HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5

It's monitoring your internet settings. Not sure why but it can't be good.

This entry was found and edited before I posted it. You can guess what's under those asterisks:

Mutant \BaseNamedObjects\My loving C***

A base named object is used so other programs can use the handles to objects (such as folders or devices) using this process. It's sharing your information with other programs. The other programs would have to be written by the same author. This just shows the disposition of the developer and proves this is not legitimate software.

This software did not have any open TCP or UDP connections and was not listening on any ports so I assume it would not be classified as a trojan although the registry keys above suggest it is network capable and could transmit information. This malware does not restart itself after you kill the process and does not appear to have the capability to turn itself on or reinstall itself. On this system (Windows 2000) it is located in C:\Windows\System32 and should be the same in XP as well as 98. To get rid of it, it should be sufficient to use the task manager or msconfig to shut it off and delete the file. If you use msconfig you'll have to reboot. On 2000 and XP the task manager can be accessed using CTRL+SHIFT+ESC. Click on the processes tab, find updatesp2.exe and right click. Kill that sucka and delete it. If it won't delete, click start->run and type "attrib -r -s -h C:\windows\system32\updatesp2.exe". Then try to delete it. Happy hunting.

Follow Up:

This program does communicate information over the internet. I found an entry in ZoneAlarm. My friend let it do it. :(
 