Tech Support Forum - HijackThis Log Help
#1
Registered User
Join Date: Apr 2008
Posts: 13
OS: XP
Too many viruses to choose from.
Hello,
I'm new to the forum and appreciate any help that can be given. Several weeks ago, my '07 Norton Internet Security expired on my home PC, and I noticed Explorer ran slowly and we were receiving pop-ups and redirects. I went ahead and downloaded Norton 360 online and tried to run a scan, only to quickly realize I couldn't update and several functions were disabled. I called Norton for tech support, and after I allowed them remote access to my PC they informed me that I had trojan.PSguard_desktop_hijack and that they could not remove it unless I paid a fee. I argued to get more help without shelling out more than the $70 I had just paid for the subscription, but to no avail.

At the same time, I lost my Task Manager function (Ctrl+Alt+Del), 'Control Panel' vanished from the Start menu, and I was now getting bombarded with redirects every time I entered a search online. From the forum I was able to reactivate Task Manager and Control Panel, and I blocked the websites I was being redirected to for some breathing room. I then subscribed to Spyware Doctor, which removed several things and appears to be running fine, but it is having its scans and updates turned off, which I can manually reset.

I tried following the 5 steps recommended prior to posting, and as it mentioned, several tasks could not be completed. I attached the Deckard/HJT log, and as recommended I'll list the known viruses I have encountered. I also tried running most online virus scans to figure out what virus I may have; although most of them were able to run, as soon as each one finished, all the programs 'terminated' before letting me view the results of what viruses were detected. On a certain scan I briefly saw a file detected for sasser.a and several Java errors 'B' through 'H'. Running the same scans in Safe Mode didn't make a difference.

After an incomplete run of a tool from F-Secure for the sasser.a virus, I was able to run updates on 360, but the functions to 'clean Internet temp files' and 'clean Windows temp files' are set to 'never run', and when I run them manually they end up incomplete and 'skipped'. On my desktop there is an icon called 'Sticky Keys' where the clock is, bottom right, that I don't recall downloading and can't remove by conventional methods. Is this part of the virus?

360 has only detected and removed a trojan called Downloader. That trojan continues attempts on my PC, but it is blocked by 360. Spyware Doctor has detected and quarantined:

Trojan.PWS.Bancos
ad.yieldmanager.com
application.nircmd
trojan.generic
trafficmp.com
mediaplex.com
fastclick.net
casalemedia.com
atdmt.com
ads.pointroll.com/ads
adrevolver.com

I'm certain I am missing some viruses, but I couldn't get all the names when I looked in my scan history for full log reports on the 360. Spyware Doctor seems more effective, and I am wondering if it is worth paying an additional $10 for the full antivirus program and getting a refund for the 360. Again, thanks for any help with figuring out what is wrong with my PC.

Regards,
Lossi44
#2
Registered User
Join Date: Apr 2008
Posts: 13
OS: XP
Re: Too many viruses to choose from.
If it helps, I'll post my Deckard HJT log instead of having it as an attachment.
Deckard's System Scanner v20071014.68
Run by Quiroz Family on 2008-04-12 09:39:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Quiroz Family.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:25 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
H:\dss.exe
H:\HIJACK~1\QUIROZ~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\pxcydvvf.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11046 bytes

-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-11 20:01:49 0 d-------- C:\Program Files\MSXML 6.0
2008-04-05 11:11:09 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-04 19:14:32 0 d-------- C:\Program Files\RegCure
2008-04-04 18:54:07 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-04 18:05:53 0 d-------- C:\Program Files\Panda Security
2008-04-04 16:03:11 0 d-------- C:\fsaua.data
2008-04-04 15:57:53 0 d-------- C:\Documents and Settings\Quiroz Family\.housecall6.6
2008-04-04 14:56:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-04 14:56:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-04 14:56:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-04 14:56:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-04 14:56:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-04 14:56:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-04 14:56:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-24 22:26:15 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-24 19:55:29 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-03-24 19:50:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-03-24 19:46:24 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-24 16:57:59 0 d-------- C:\Documents and Settings\Quiroz Family\Application Data\AVG7
2008-03-24 16:57:59 0 d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-23 21:41:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 12:53:06 0 d-------- C:\N360_BACKUP
2008-03-23 10:37:26 0 d-------- C:\WINDOWS\LMI1A8.tmp
2008-03-23 10:12:04 0 d-------- C:\Program Files\Norton 360
2008-03-23 10 20 0 d-------- C:\Program Files\Symantec
2008-03-23 07:58:20 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 07:53:53 0 d-------- C:\Program Files\Spyware Doctor
2008-03-23 07:53:53 0 d-------- C:\Documents and Settings\Quiroz Family\Application Data\PC Tools

-- Find3M Report ---------------------------------------------------------------

2008-04-10 13:56:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-08 00:18:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-08 00:16:43 0 d-------- C:\Program Files\FinePixViewer
2008-04-08 00:13:12 0 d-------- C:\Program Files\Common Files
2008-03-23 09:23:01 0 d-------- C:\Documents and Settings\Quiroz Family\Application Data\Adobe
2008-03-11 09:12:19 0 d-------- C:\Documents and Settings\Quiroz Family\Application Data\Move Networks
2008-03-05 18:36:41 38 --a------ C:\WINDOWS\popcinfo.dat
2008-03-02 11:05:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-20 20:10:59 0 d-------- C:\Program Files\Resume Workshop

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cryptographic Service"="C:\WINDOWS\System32\pxcydvvf.exe" []
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 01:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 700 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 700 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp psc 700 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Quiroz Family^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=C:\Documents and Settings\Quiroz Family\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=C:\WINDOWS\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
"C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-04-12 09:41:38 ------------
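The O4 section of a HijackThis log is the part an analyst reads first, because it lists what starts automatically at logon. The short script below is an added example, not part of this thread and not anything the forum's analysts or the HijackThis tool provide: it parses O4 lines and applies two triage heuristics that are my own assumptions for illustration. The first flags a Run value whose display name copies a Windows service that really runs inside svchost.exe (the genuine "Cryptographic Services" is the CryptSvc service and never starts from a Run key); the second flags an executable in the Windows directory whose name is a run of seven or more letters with no vowel. The sample log lines are constructed, modelled on the thread's paths, and a hit from these heuristics marks an entry for a closer look, not as confirmed malware.

```python
"""Triage heuristics for HijackThis 'O4' autostart lines (added example).

Reads lines of the form

    O4 - HKLM\\..\\Run: [Display Name] C:\\path\\to\\program.exe /args

and reports entries that deserve a closer look.  Heuristics, service list
and sample lines are illustrative assumptions, not verdicts on any file.
"""
import re
from dataclasses import dataclass

O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Display names of services Windows hosts inside svchost.exe.  A Run value
# reusing one of them borrows legitimacy; the real service never starts
# from a Run key.  (Assumption: a small illustrative subset.)
SVCHOST_SERVICE_NAMES = {
    "cryptographic services",
    "dns client",
    "dhcp client",
    "task scheduler",
    "windows management instrumentation",
    "remote procedure call (rpc)",
}

WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")


@dataclass
class Finding:
    name: str
    exe: str
    reasons: list


def _normalize(text: str) -> str:
    """Lower-case, keep letters only, drop a trailing 's' so that
    'Cryptographic Service' and 'Cryptographic Services' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower()).rstrip("s")


_NORMALIZED_SERVICES = {_normalize(n) for n in SVCHOST_SERVICE_NAMES}


def executable_path(cmd: str) -> str:
    """Return the program part of an O4 command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])  # unquoted path with spaces
    return tokens[0] if tokens else ""


def looks_random(basename: str) -> bool:
    """True for names like 'pxcydvvf.exe': seven or more letters and no
    vowel at all.  Real program names almost always contain a vowel."""
    stem = basename.lower().rsplit(".", 1)[0]
    return len(stem) >= 7 and stem.isalpha() and not any(v in stem for v in "aeiou")


def triage_o4(line: str):
    """Parse one O4 line; return a Finding (possibly with no reasons) or None."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    exe = executable_path(cmd)
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if _normalize(name) in _NORMALIZED_SERVICES:
        reasons.append("display name copies an svchost-hosted Windows service")
    if exe.lower().startswith(WINDOWS_DIRS) and looks_random(basename):
        reasons.append("random-looking executable name inside the Windows directory")
    return Finding(name=name, exe=exe, reasons=reasons)


def suspicious_entries(log_text: str):
    """Return findings that have at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        f = triage_o4(line)
        if f and f.reasons:
            out.append(f)
    return out


# Constructed sample in HijackThis format (paths modelled on the thread).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Cryptographic Service] C:\\WINDOWS\\System32\\pxcydvvf.exe
O4 - HKLM\\..\\Run: [PRISMSVR.EXE] "C:\\WINDOWS\\system32\\PRISMSVR.EXE" /APPLY
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f"[{f.name}] {f.exe}")
        for r in f.reasons:
            print("   -", r)
```

On the sample, only the "Cryptographic Service" entry is reported, with both reasons; PRISMSVR.EXE sits in System32 too but its name contains a vowel and matches no service name, so it passes the heuristics. A real triage workflow would still check the flagged file's publisher, signature and hash before deciding anything.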
#3
Registered User
Join Date: Apr 2008
Posts: 13
OS: XP
Re: Too many viruses to choose from.
Bump.
It's been 3 days and I am curious as to why I haven't received any help. Can someone please inform me if I need to post additional data? I tried to cover the 5 steps the best I could prior to posting. It will be appreciated.

Lossi
#6
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 18,662
OS: WinXP and Win98se
Re: Too many viruses to choose from.
Hello lossi,
Our apologies for the delay, but the fact is that we're overwhelmed with people requesting assistance and there are only so many of us volunteering our time.

Before we continue, I see you also ran ComboFix after your initial scan with dss.exe, therefore we do not have an accurate assessment of the current state of your system. Please post the C:\ComboFix.txt along with a new log from HijackThis.exe for review.
#7
Registered User
Join Date: Apr 2008
Posts: 13
OS: XP
Re: Too many viruses to choose from.
Ried, thanks for replying. I imagined you guys/gals were busy or shorthanded, or both. To my best recollection, I only ran the DSS/HJT scan on 4/12/08; my last saved ComboFix scan is from 4/5/08. I haven't done anything with the PC since. The other issue I recall is that the last time I tried to run ComboFix, the program ran but never gave me the log or the option to remove any items from the log list. Let me know if I should try again please; thanks again. Here is the latest ComboFix log I do have:
ComboFix 08-04-03.5 - Quiroz Family 2008-04-05 10:04:45.1 - NTFSx86 NETWORK
Running from: G:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-04 19:58 . 2008-04-04 19:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-04 19:14 . 2008-04-04 19:38 <DIR> d-------- C:\Program Files\RegCure
2008-04-04 18:54 . 2008-04-04 19:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-04 18:05 . 2008-04-04 18:05 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-04 18:05 . 2008-04-04 18:07 <DIR> d-------- C:\Program Files\Panda Security
2008-04-04 16:03 . 2008-04-04 16:03 <DIR> d-------- C:\fsaua.data
2008-04-04 15:57 . 2008-04-04 23:05 <DIR> d-------- C:\Documents and Settings\Quiroz Family\.housecall6.6
2008-03-24 23:26 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-24 23:26 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-24 23:26 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-24 22:26 . 2008-03-24 22:26 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-24 19:55 . 2008-03-24 19:55 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-03-24 16:57 . 2008-03-24 16:57 <DIR> d-------- C:\Documents and Settings\Quiroz Family\Application Data\AVG7
2008-03-24 16:57 . 2008-03-24 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-03-23 21:41 . 2008-03-23 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 12:53 . 2008-03-23 12:54 <DIR> d-------- C:\N360_BACKUP
2008-03-23 10:37 . 2008-03-23 20:57 <DIR> d-------- C:\WINDOWS\LMI1A8.tmp
2008-03-23 10:12 . 2008-03-23 20:22 <DIR> d-------- C:\Program Files\Norton 360
2008-03-23 10:09 . 2008-03-23 11:58 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-23 10:09 . 2008-03-23 11:58 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-23 10:06 . 2008-03-23 11:58 <DIR> d-------- C:\Program Files\Symantec
2008-03-23 07:58 . 2008-04-05 08:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 07:54 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-23 07:54 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-23 07:54 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-23 07:54 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-23 07:53 . 2008-04-04 14:58 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-23 07:53 . 2008-03-23 07:53 <DIR> d-------- C:\Documents and Settings\Quiroz Family\Application Data\PC Tools
2008-03-11 09:11 . 2008-03-11 09:12 <DIR> d-------- C:\Documents and Settings\Quiroz Family\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-04-05 02:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-05 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-23 18:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-23 18:58 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-22 21:10 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-02 18:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 03:10 --------- d-----w C:\Program Files\Resume Workshop
2008-01-09 22:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2005-12-04 20:21 335,328 ----a-w C:\Documents and Settings\Quiroz Family\Application Data\GDIPFONTCACHEV1.DAT
2004-09-15 08:54 31,465 ------w C:\Program Files\2wconfig.dll
2004-09-15 08:52 393,216 ------w C:\Program Files\2PortalMon.exe
2004-09-15 08:51 290,816 ------w C:\Program Files\Uninstaller.exe
2004-09-15 08:51 163,840 ------w C:\Program Files\GoHomePortal.exe
2004-09-15 08:50 622,592 ------w C:\Program Files\WebWorks.exe
2004-09-15 08:50 180,224 ------w C:\Program Files\WCAG.exe
2004-09-15 08:50 167,936 ------w C:\Program Files\WirelessConsoleApp.exe
2004-09-15 08:49 135,168 ------w C:\Program Files\WebSec.dll
2004-09-15 08:48 364,544 ------w C:\Program Files\RGWProv.dll
2004-09-15 08:47 266,240 ------w C:\Program Files\NetAPI.dll
2004-09-15 08:47 139,264 ------w C:\Program Files\Endec.dll
2004-09-15 08:42 9,158 ------w C:\Program Files\Language.ini
2004-09-15 08:42 368,726 ------w C:\Program Files\PRISMAPI.dll
2004-09-15 08:42 3,157 ------w C:\Program Files\2wconfig.ini
2004-09-15 08:42 27,478 ------w C:\Program Files\SysTrayMenu_256.bmp
2004-09-15 08:42 208,993 ------w C:\Program Files\CardPres.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cryptographic Service"="C:\WINDOWS\System32\pxcydvvf.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" [ ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 18:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"RegistryMechanic"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2004-07-10 19:32:43 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecx.acm
"MSVideo8"= VfWWDM32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 700 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 700 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp psc 700 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Quiroz Family^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
path=C:\Documents and Settings\Quiroz Family\Start Menu\Programs\Startup\V CAST Music Monitor.lnk
backup=C:\WINDOWS\pss\V CAST Music Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-07-17 18:54 116072 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-02-24 04:00 184320 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-27 08:49 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--a------ 2003-07-14 12:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-08-29 12:23 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-08-29 12:23 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 14:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 09:21 253952 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\startupreg\RoxioDragToDisc] --a------ 2003-01-13 10:19 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility] --a------ 2003-01-13 14:05 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-08-09 15:41 4617720 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] --a------ 2003-07-11 14:51 57344 C:\Program Files\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "ImapiService"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= *Newly Created Service* - CATCHME *Newly Created Service* - COMHOST *Newly Created Service* - TMCOMM . 
Contents of the 'Scheduled Tasks' folder "2008-01-31 17:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-04-01 03:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Quiroz Family.job" - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK: "2008-04-05 02:20:02 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe "2008-04-05 02:19:58 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-05 10:16:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-05 10:25:09 ComboFix-quarantined-files.txt 2008-04-05 17:25:06 Pre-Run: 4,843,790,336 bytes free Post-Run: 4,862,861,312 bytes free . 2008-03-12 13:51:41 --- E O F --- |
|
|
|
|
|
#8 (permalink) |
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 18,662
OS: WinXP and Win98se
Re: Too many viruses to choose from.
Thanks lossi,
These logs are a bit too old to provide me with an accurate assessment of your system. Please delete your existing ComboFix.exe as it is outdated.

Before we go any further, get the Recovery Console installed on this system. The Windows Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it is originally named, next to ComboFix.exe.
Now close all open windows and programs, including all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------
It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:
Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html
Answer Yes, when prompted to install an ActiveX component.
**Note** To optimize scanning time and produce a more sensible report for review:
---------------------------------------------------------------
Run a new scan with HijackThis.exe and save the log.
---------------------------------------------------------------
Please include the following in your next reply:
C:\ComboFix.txt
Kaspersky report
new HijackThis log
Update on system behavior
#9 (permalink) |
Registered User
Join Date: Apr 2008
Posts: 13
OS: xp
Re: Too many viruses to choose from.
Ried, thanks for the instructions, I will begin this evening when I get home. I ran HJT & ComboFix from a flash drive because the bug in my system doesn't allow me to execute the programs/software (including Kaspersky) successfully before. I will download ComboFix again to my flash drive for a current version as well as the service pack. Hopefully I can post the requested logs by tonight.
#10 (permalink) |
Registered User
Join Date: Apr 2008
Posts: 13
OS: xp
Re: Too many viruses to choose from.
Ried, my pc is slow and something is working when it is not in use. Like the sound of a scan but never ending and I can't figure out what it is. I have to reboot to get it to stop. I can browse the internet slower than normal, but it really slows down if I open more than one page. Also, Norton 360 is not running updates and is unable to fix the errors it recognizes are wrong with it. The processes are either stopped or skipped for deleting files or scanning the system. I have updated Spyware Dr. but the updates are not recognized when I try to activate it after having disabled it. I get the following message when I do so:

Spyware Doctor
---------------------------
This functionality is not available until the database is updated. In order to update the database, run Smart Update and download the latest updates. Updates will be downloaded automatically if "Download and Install Updates" option is selected in settings.
---------------------------
OK

Here are the logs and thanks for the help:

1) Updated ComboFix log: