04-27-2005, 07:02 PM   #1
wicked_shorty

So many problems...

Hello. I'm back!

Thanks so much for your help last time, but now I have another problem.

A few weeks ago I downloaded Norton Personal Internet Protection, I think that's what it's called. The virus protection program and firewall. Everything was fine, then I started having problems.

I normally leave my PC online while at work. Well, I noticed in the log a lot of programs had been given access while I wasn't home. All of a sudden, I was on Windows NT, not XP.

A lot of programs were deleted and even the name of my computer was changed. It used to say Hewlett Packard, etc. So I was able to restore some of the items.

Well, it did it again. At times, the CPU usage would speed up to 90 percent. Now everything is screwed up. I can't access anything in Administrative Tools. I can't even get the properties by right clicking. The name of my computer changed now to x86 Family 6 Model 8 Stepping 3. Don't know if this means anything. I can't see a lot of frames. Online, I can see certain web pages, but on others such as Yahoo mail, I just see a blank page. On some websites, I can't even click on links. In my startup, everything is gone, yet it takes my computer forever to start up, and the sound that XP makes when you turn on the PC comes on a few minutes after starting. I'm even having problems with my task bar. When I minimize something, it minimizes and stays above the task bar. I can't move any desktop items, and System Restore isn't any help because when I open it, all I see is a blank page. HELP! Thanks
__________________
~yvette~
04-27-2005, 07:28 PM   #2
Chevy (Semi-Retired Manager, Microsoft Support)

First - when you say you "downloaded" the Norton product, does that mean you went to symantec.com, bought it, and downloaded it from there? Or is it from some other source?

If it's not from Symantec, you may have downloaded a nice package of viruses and spyware.

Also, when you say you're on Windows NT instead of XP all of a sudden, I take that to mean the desktop look changed from XP to classic Windows?

With a bit of luck, a trip to our Security section, specifically the Hijack This forum, may clean you up. I'm going to move this thread there. Just follow the instructions in the "Before you post" thread and you'll be on your way.
__________________


“The man who smiles when things go wrong has thought of someone to blame it on. ”
- Robert Bloch
04-27-2005, 07:37 PM   #3
wicked_shorty

I downloaded from download.com. Yes, it went to classic. Also, on System Properties, it said Windows NT as the operating system. Now it's back to XP, when I restored some of the folders from the recycle bin, but the name of my PC did not go back to HP. I will run Hijack This and be right back. Thanks
04-27-2005, 07:53 PM   #4
wicked_shorty

Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:47:39 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\YahELite\YahELite.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


End of KRC HijackThis Analyzer Log.
===================================

Um, where's the rest of my programs? I have access to them...
04-28-2005, 03:49 AM   #5
POADB (Moderator, Microsoft Support)


O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Fix the above.

There is a lot missing. Not an O4 in sight.

Make sure to run the scan in Normal Mode. This time, don't analyze the log until otherwise instructed.
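The triage in post #5 (a hosts entry to fix, and a log with no O4 entries that has to be re-run), as an added example that is not part of the original thread or of HijackThis itself. In HijackThis logs, O1 lines are hosts-file redirections and O4 lines are autostart programs; the `CORE` process list and the finding names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in post #4 of this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\Program Files\YahELite\YahELite.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O1 - Hosts: ..."
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")     # "Hosts: <ip> <name>"
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}        # blocking entries, not redirects
# Assumption: processes a Normal Mode XP scan should list (all appear in post #6).
CORE = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe")

def parse(log):
    """Return (running process paths, {section code: [entry text, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(log, expected=("O4",)):
    """Flag hosts redirects and signs that the log itself is incomplete."""
    processes, entries = parse(log)
    findings = []
    for item in entries.get("O1", []):
        m = HOSTS.match(item)
        if m and m.group(1) not in LOOPBACK:
            findings.append(("hosts-redirect", m.group(2), m.group(1)))
    findings += [("section-absent", code, None) for code in expected if code not in entries]
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    missing = [name for name in CORE if name not in running]
    if missing:
        findings.append(("process-list-incomplete", ",".join(missing), None))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings: the hosts redirect, the absent O4 section, and the truncated process list. An absent section is a reason to re-scan, not proof of infection.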
04-28-2005, 04:56 AM   #6
wicked_shorty

Logfile of HijackThis v1.99.1
Scan saved at 3:54:50 AM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\YahELite\YahELite.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
04-28-2005, 07:21 AM   #7
POADB (Moderator, Microsoft Support)


Are you still having problems?

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a standalone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a Notepad file

*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
All times are GMT -7.



Copyright 2001 - 2008, Tech Support Forum