
Menacing virus -- seems to be a boot sector plus virus ...

Discussion in 'Malware and Virus Removal Archive' started by GMohamad, 2004/12/28.

Thread Status:
Not open for further replies.
  1. 2004/12/28
    GMohamad

    I have a Toshiba laptop running under Windows 2000 XP. I believe this virus is repeatedly installed at boot up, as it takes much, much longer to start up than it ever did before. Moreover, once it does boot and I log into Windows, my IP address = all zeros and is unable to establish. I am using a cable provider: they were of no help. They said it was my NIC card. Being the cynic that I am, I commenced with my own therapy. However, my solution is primitive and aggravatingly slow. I need to do a Windows restore to a previous date, then my internet works. However, once I shut down and boot up again, the problem reappears.

    I hope someone on this forum can lend a helping hand.

    Thank you.
     
  2. 2004/12/29
    Newt

    Welcome to the forum. For clarification, are you using Windows 2000 or Windows XP? Also helpful to know what anti-virus program you use.

    Given that information and any other detail you care to add and I think we can get you clean of whatever is causing problems.
     
    Newt,
    #2


  4. 2004/12/29
    GMohamad

    re: menacing virus ....

    First of all, thank you for responding Newt,

    Here is all additional information I could think of that may or may not be pertinent.

    Running Microsoft Windows XP Professional, Version 2002, Service Pack 2, and using Norton AntiVirus 2003, which does not indicate anything untoward the multiple times I've run it since the problem started. I access the internet via an ethernet (telephone-like) cord connected to a modem, which is in turn connected to cable. My provider is Comcast cable. Microsoft's Security Center options are set to:
    (1) Firewall "ON",
    (2) Automatic Updates "ON",
    (3) Virus Protection "Not Monitored"

    Re: option (3) -- I have this set to not monitored, as I have Norton AntiVirus ostensibly monitoring this task.

    I have a Toshiba Satellite with an Intel Pentium 4 CPU 2.53 GHz, 2.52 GHz with 1 GB of RAM and a 60 GB hard drive.

    Thank you again. The fact that someone even responded has already lifted my spirits.

    Thank you again Newt.
     
  5. 2004/12/29
    Newt

    Thank you and yes, the information helps.

    The two major possibilities for your symptoms, assuming they are being caused by some sort of malware (probably) and your AV is finding nothing, are:
    - you have picked up one of the many virus infections that can silently disable onboard AV so that it appears to function normally but in fact is not working. For this possibility, run an online virus scan. Several good ones are shown in Quicklinks (in my signature).
    - you have picked up spyware/adware that is causing the problem. Most AV software, and especially any of the age of Norton 2003, simply doesn't 'see' spyware since it is not technically a virus. For this possibility, download, update, and run Ad-aware SE and Spybot Search & Destroy and let each of the apps remove any bad items they find.

    When that is done, download Hijackthis, unzip it to a 'normal' folder (so not a temp folder and not to the desktop or a sub-folder under the desktop). Run a scan and have it generate a log then post the log here. Note that for Hijackthis to give us the needed details you need to run it from normal mode rather than safe or diagnostic mode and if you have used msconfig to block any apps from running at startup, unblock them and reboot so they will all start.
     
    Newt,
    #4
  6. 2004/12/29
    GMohamad

    Re: Menacing Virus ...

    OK Newt ...
    I have run HouseCall and RAV AntiVirus Online. I had to manually delete the infected files located on the paths provided by each piece of software. [note -- both tools' results did not agree] -- so I deleted aggregately. I ran SpyBot S&D and Ad-Aware SE, each of which found bugs which I subsequently deleted and/or quarantined.

    Finally, I ran HijackThis using Scan with Log (deleting nothing), specifically as you instructed from unzip to execute. BTW, you had alluded to the possibility of having altered msconfig. I know I have not modified or tampered with this knowingly, but perhaps I may have inadvertently if it "goes by other names". But, no, I have not directly altered anything named precisely msconfig.

    Here are the results of HijackThis:
    THANK YOU AGAIN NEWT

    Logfile of HijackThis v1.99.0
    Scan saved at 8:33:44 PM, on 12/29/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Toshiba\Ivp\netint\netint.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Gary\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Help - {39738E2A-2AD4-4BA0-A761-F0A22779A870} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {3EE4E011-4A15-4B57-A573-4DB21B42ABB7} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {4625A68A-8D50-4278-ADC6-CB69C8394713} - http://www.comcastsupport.com (file missing) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/latest/event/ieatgpc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
    Last edited: 2004/12/29
  7. 2004/12/30
    Newt

    Msconfig is a useful utility provided as part of XP. You can use it to modify what will happen when you boot the PC, such as settings for a diagnostic startup with many things not running, or that sort of thing. When you have some time, click on Start, then Run, key in msconfig and click OK, and you can see what it offers. Nice because any changes made with it can be reversed easily. I mentioned it here because some folks have stopped annoying apps from starting by using msconfig, so the HijackThis log won't show that they are present and we can't suggest removal. Certainly not a problem in this case.

    I'm guessing that your PC is running quite a bit better after the cleaning you did. While I could have missed something in your HJT log, the only things that jumped out at me and that I'd suggest removing with a new HJT scan and checking the lines, are

    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

    And after they are gone, go to add/remove programs and see if MySearch shows up. If so, uninstall it. If not, just delete the C:\Program Files\MySearch folder.

    This parasite isn't truly spyware but it is certainly sludgeware (slows your browser's performance) and invites advertising on to the PC.

    I much prefer the Google toolbar that you can get free by visiting http://toolbar.google.com/ and downloading theirs.

    How are things running for you now?
     
    Newt,
    #6
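The two lines Newt singles out share one folder (C:\Program Files\MySearch), and that is how a reviewer usually spots them in a log of this size: by where the file lives, not by the description text. The parser below is an added example, written for this thread and not part of HijackThis or of any post above. It splits each R/O line of the log format into section, CLSID and the file path or URL the entry points at, then lists every entry under a given folder. The sample lines are copied from the log posted in this thread; the folder prefix is the one Newt named.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: seven lines copied from the HijackThis log posted in the thread
# (the two MySearch entries Newt flagged, plus benign entries for contrast).
SAMPLE_LOG = r"""
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Help - {39738E2A-2AD4-4BA0-A761-F0A22779A870} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Every entry line starts with a section code (R0, O2, O4, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path runs from the first "X:\" to the end of the line, minus the
# "(file missing)" / "(HKCU)" annotations HijackThis appends. Splitting on
# " - " would break on paths such as "Spybot - Search & Destroy".
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?)(?:\s+\(file missing\))?(?:\s+\(HK[CL]U\))?$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str            # "O2", "O4", ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # GUID if the line carries one
    target: Optional[str]   # absolute path or URL the entry points at, if any


def parse_log(text: str) -> List[Entry]:
    """Parse R/O entry lines; headers and the process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        url = URL_RE.search(body)
        target: Optional[str] = None
        if path:
            target = path.group("path").strip('"')   # O4 entries quote the path
        elif url:
            target = url.group(0)
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0) if clsid else None, target))
    return entries


def entries_under(entries: List[Entry], folder: str) -> List[Entry]:
    """All entries whose target file lives under `folder` (case-insensitive)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.target and e.target.lower().startswith(prefix)]


def startups_without_absolute_path(entries: List[Entry]) -> List[Entry]:
    """O4 startup entries the log could not resolve to a full path (e.g. '= ?')."""
    return [e for e in entries if e.section == "O4" and e.target is None]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in entries_under(parsed, r"C:\Program Files\MySearch"):
        print(f"{e.section} {e.clsid}: {e.target}")
    for e in startups_without_absolute_path(parsed):
        print(f"unresolved startup: {e.body}")
```

Run against the full log above, `entries_under` returns exactly the O2 and O3 lines Newt quoted, and the unresolved-startup list gives the "= ?" Global Startup items a reviewer would still want to account for by hand.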
  8. 2005/01/01
    RayH

    When you get rid of the thing, make sure your System Restore is turned off. That's one of the ways that things sneak back in.
     
    RayH,
    #7