also @ TechSpot: Blizzard talks Diablo 3 facts, nerfing and buffs for legendary items

TechSpot
Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

I think my computer has trojan viruses, not that great at computers...please help

Discussion in 'Virus and Malware Removal' started by newgirl, Dec 2, 2004.

Thread Status:
Not open for further replies.

  1. newgirl Newcomer, in training

    Hey Everyone!

    I'm, new here, like the title says, I'm not great at computers. Anyways lately my computer's been very slow, and I notice in the task manager there's all these weird things that are taking up a bunch of space, and some pop up called gizm0luvsu comes outta nowhere. I'm in university (live in rez) and my computer's connected to a bunch of ppl so I probably do have a virus of some sort. My anti-virus program doesn't seem to pick it up. I have Windows 2000 Professional Edition is that helps....So here's my HijackThis log...any help would be GREATLY appreciated

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\system32\netinfo.exe
    C:\WINNT\system32\bcvsrv32.exe
    C:\WINNT\system32\updatesp2.exe
    C:\WINNT\system32\netinfo.exe
    C:\WINNT\system32\updatesp2.exe
    C:\WINNT\system32\netinfo.exe
    C:\WINNT\system32\netinfo.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\taskmgr.exe
    C:\Documents and Settings\ccrsb\Start Menu\Programs\HijackThis.exe


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [sp2update] updatesp2.exe
    O4 - HKLM\..\Run: [Bcvsrv32] bcvsrv32.exe
    O4 - HKLM\..\Run: [Microsoft Synchronization Manager] netinfo.exe
    O4 - HKLM\..\RunServices: [Bcvsrv32] bcvsrv32.exe
    O4 - HKLM\..\RunServices: [sp2update] updatesp2.exe
    O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] netinfo.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Synchronization Manager] netinfo.exe
    newgirl, Dec 2, 2004
    #1

  2. howard_hopkinso Newcomer, in training

    howard_hopkinso, Dec 3, 2004
    #2

  3. RealBlackStuff Newcomer, in training

    After you have done as advised in my topic17297 post,
    run HJT standalone in safe mode and let it fix:

    C:\WINNT\system32\bcvsrv32.exe
    C:\WINNT\system32\updatesp2.exe .... (ALL instances)

    O4 - HKLM\..\Run: [sp2update] updatesp2.exe
    O4 - HKLM\..\Run: [Bcvsrv32] bcvsrv32.exe
    O4 - HKLM\..\RunServices: [Bcvsrv32] bcvsrv32.exe
    O4 - HKLM\..\RunServices: [sp2update] updatesp2.exe
    RealBlackStuff, Dec 3, 2004
    #3

  4. newgirl Newcomer, in training

    Thank you guys so much for your help...hijackthis is saying no suspicious items found and netinfo and those other exe's aren't in my task manager anymore....hopefully they won't come back.
    newgirl, Dec 3, 2004
    #4

  5. JDarrk Newcomer, in training

    Update32.exe is spyware!!!!!!!!!!!!!!!!!!!!!

    After finding the process updatesp2.exe running on my friend's computer and breaking out the tools I found this information reguarding the process. I did a google search and found nothing except this website so I'm assuming it's a new piece of malware. I analyze programs and remove malware and viri by hand so what follows is a short analysis of this application. I just got done doing battle with a flavor of haxdoor so I'm a little tired. I won though. :)

    A handle to each of these files:

    File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    File C:\Documents and Settings\Administrator\Cookies\index.dat

    File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat

    The process is reading the contents of the temporary internet files folder. It could be looking for other applications to execute that are downloaded automatically from websites.
    The process is reading the cookies on the computer. It's tracking your movements on the web.
    The process is also looking at the websites you have visited by using the IE history.

    This process has the following registry keys open:

    Key HKLM
    Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
    Key HKCU
    Key HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings
    Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
    Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5

    It's monitoring your internet settings. Not sure why but it can't be good.

    This entry was found and edited before I posted it. You can guess what's under those astericks:

    Mutant \BaseNamedObjects\My loving C***

    A base named object is used so other programs can use the handles to objects (such as folders or devices) using this process. It's sharing your information with other programs. The other programs would have to be written by the same author. This just shows the disposition of the developer and proves this is not legitimate software.

    This software did not have any open tcp or udp connections and was not listening on any ports so I asume it would not be classified as a trojan although the registry keys above suggest it is network capable and could transmit information. This malware does not restart itself after you kill the process and does not appear to have the capability to turn itself on or reinstall itself. On this system (windoes 2000) it is located in C:\Windows\System32 and should be the same in XP as well as 98. To get rid of it it should be sufficent to use the task manager or msconfig to shut it off and delete the file. If you use msconfig you'll have to reboot. On 2000 and XP the task manager can be accessed using CTRL+SHIFT+ESC. Click on the processes tab find updatesp2.exe and right click. Kill that sucka and delete it. If it won't delete click start->run and type "attrib -r -s -h C:\windows\system32\updatesp2.exe". Then try to delete it. Happy hunting.

    Follow Up:

    This program does communicate information over the internet. I found an entry in zonealarm. My friend let it do it. :(
    JDarrk, Dec 18, 2004
    #5

  6. JDarrk Newcomer, in training

    Norton detected updatesp2.exe as w32.randex.
    JDarrk, Dec 22, 2004
    #6
Thread Status:
Not open for further replies.