I have Norton Antivirus 2007. Yesterday for the first time ever, I noticed that the small Symantec box in the lower right of my screen gradually started FLAGGING with... scanning message 1 of 1 although I am not sending any messages. Suddenly my whole screen was INUNDATED with hundreds, perhaps thousands of them as they would disappear and reappear replenishing themselves. I couldn't get to the Symantec main window or anything else for that matter. The only way I could shut down was to unplug. When I booted back up I stayed at my desktop until the same thing occurred, and again I unplugged and restarted, only this time I went directly to Norton Antivirus Settings while I could still get there and turned off outgoing email scanning, and set the change for permanently. This seems to work fine for me although I know that something is wrong. What sort of problems am I asking for by running like this? I ran several full scans and came out clean. There's no further indication of any sort of problem anywhere that I know of.
I would appreciate any comments or suggestions.
Download HijackThis to your desktop. Double-click on the file you just downloaded. Click on the "Install" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis. Please do not change the default install location. Upon install, HijackThis should open for you. Now close HijackThis to rename it to analyze.
Important: Rename the Hijackthis.exe file to analyze.exe. This is important because some forms of malware can hide from HijackThis. Right click the HijackThis.exe file in C:\Program Files\Trend Micro\HijackThis and choose Rename. Type in analyze and press the enter key. Right click the analyze.exe file and send to desktop to CREATE a shortcut.
Next click on the "Do a system scan and save a log file" button. HijackThis will scan and then a log will open in notepad. In the top left of the notepad window click "File" > "Save As", name it hijackthis and then save it to the Desktop. Please save the log as a text (.txt) file. In your post, add the log as an Attachment.
* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
* Don't use the Analyse This button. Its findings are dangerous if misinterpreted.

Thanks evil, I'll check back with you later and tell you how it goes. I don't have time to play with it at this moment...Thanks

If you are not monitoring your internet connection and are away from the computer, I would physically disconnect it from the internet (remove the cable from the wall). If you are on an always on connection and this is happening, your ISP will cut you off for spamming.

Sorry for the delay evil... Here's the log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:11 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Ac
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147904416968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147904410343
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml DRIVER HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
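One entry in the log above deserves attention before anything else: O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe. The second colon after svchost.exe means the service binary is an NTFS alternate data stream attached to the real svchost.exe, which Explorer and a plain directory listing do not show; the entry is gone from the HijackThis log posted after the ComboFix run later in this thread, and the ComboFix log lists -------\ICF among its removals. The Python below is an added example, not code from this thread or from HijackThis: it parses O4 (Run key) and O23 (service) entries, flags alternate-data-stream paths and services with no vendor name, and diffs a before and after log to show what a cleanup removed. The two embedded excerpts are constructed from a few lines of the two logs in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpts (a few entries each) of the two HijackThis logs posted in
# this thread: before and after the ComboFix run. Not the full logs.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Unquoted command line: keep everything up to the first executable extension.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|sys|com|bat|cmd))(?:\s|$)', re.IGNORECASE)
# A second colon after the drive letter means the path names an NTFS alternate
# data stream (file.exe:stream), which Explorer and a plain "dir" do not list.
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:]*:')


@dataclass(frozen=True)
class Entry:
    kind: str    # "O4" (Run key value) or "O23" (service)
    name: str
    owner: str   # vendor string from an O23 line; "" for O4
    path: str    # executable path, surrounding quotes removed
    raw: str     # the original log line


def executable_path(cmd: str) -> str:
    """Extract the executable from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_log(text: str) -> list:
    """Return the O4 and O23 entries of a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], "", executable_path(m["cmd"]), line))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["name"].strip(), m["owner"].strip(),
                                 m["path"].strip(), line))
    return entries


def flag_entries(text: str) -> list:
    """Return (severity, reason, raw_line) for entries that need a closer look."""
    findings = []
    for e in parse_log(text):
        if ADS_RE.match(e.path):
            findings.append(("high", "binary is an NTFS alternate data stream", e.raw))
        elif e.kind == "O23" and e.owner == "Unknown owner":
            # Weak on its own (legitimate services lack a vendor string too), so
            # this is a prompt to verify the file, not a verdict.
            findings.append(("review", "service has no vendor name; verify the file", e.raw))
    return findings


def removed_entries(before: str, after: str) -> list:
    """Entries present in the first log but gone from the second."""
    after_raw = {e.raw for e in parse_log(after)}
    return [e.raw for e in parse_log(before) if e.raw not in after_raw]


if __name__ == "__main__":
    for severity, reason, raw in flag_entries(LOG_BEFORE):
        print(f"[{severity}] {reason}: {raw}")
    for raw in removed_entries(LOG_BEFORE, LOG_AFTER):
        print(f"removed by cleanup: {raw}")
```

Run on the two excerpts, the ICF service is the only "high" finding, the Symantec Core LC service is reported for review only (it has no vendor string but a normal path), and the diff lists the ICF line as the entry the cleanup removed. The same parser accepts a full pasted log; lines it does not recognise (R0/R1, O2, O9, O16 and so on) are simply skipped.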
* Please download Combofix by sUBs. Place it on your Desktop. combofix.exe
* Double click combofix.exe & follow the prompts. Enter 1 and press enter at the prompt.
* When finished, it shall produce a log for you. Attach that log in your next reply. Combofix will create a backup of anything removed in C:\Qoobox
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Next post please add:
* Combofix log
* New HijackThis log

combofix log.......
ComboFix 07-11-08.3 - Compaq_Owner 2007-11-11 16:58:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.582 [GMT -10:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\alexaie.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\btgrab.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\pynix.dll
C:\WINDOWS\susp.exe
C:\WINDOWS\Temp\1186997838.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\btgrab.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\pynix.dll
C:\WINDOWS\susp.exe
C:\WINDOWS\Temp\1186997838.exe
D:\Autorun.inf
))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ICF
-------\ICF
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.
2007-11-11 16:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 14:33 d-------- C:\Program Files\Trend Micro
2007-11-11 08:32 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-10-30 19:55 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 19:55 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 19:55 39,856 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 19:55 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 19:55 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 19:55 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 19:55 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 21:08 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-11-06 00:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-31 05:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 05:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-03 21:51 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-03 21:49 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 21:49 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 21:49 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 21:49 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 21:49 --------- d-----w C:\Program Files\Symantec
2007-09-20 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-19 00:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-19 00:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-19 00:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-19 00:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-19 00:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-19 00:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-19 00:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-19 00:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-19 00:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-12-03 06:13 160 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.
(((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-21 20:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 15:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-21 19:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 11:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 06:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP DIGITAL Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=C:\WINDOWS\pss\Status Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor] ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv] c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer] VTTimer.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 06:18:59 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job" - C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 17:00:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
Completion time: 2007-11-11 17:00:57
.
--- E O F ---

OK, that helped. We will want to do another scan though.
There are a lot of directions here but it only takes a minute to go through. They include mainly details on how to get a correct log that will be needed in the next post.
First however we need to do a quick cleaning.
Please download ATF Cleaner by Atribune (ATF Cleaner.exe). This program does not require an installation; the executable actually runs the program.
NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.
==========
Download AVG Anti-Spyware saving the installation file to your desktop.
* Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
* Under "How to scan?" all checkboxes should be ticked.
* Under "Reports" select "Automatically generate report after every scan".
* Also, un-select "Only if threats were found".
* Under "What to scan?" select "Scan every file".
* Now close AVG Anti-Spyware and proceed to the next set of instructions.
Picture For Visual Reference
* Reboot your computer into "Safe Mode". You can do this by restarting your computer and continually tapping the "F8" key until a menu appears. Use your up arrow key to highlight "Safe Mode" then press "ENTER".
* IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
* Now launch AVG Anti-Spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
* Once the scan is complete do the following:
* If you have any infections you will be prompted, when prompted select "Apply all actions".
* Next select the "Reports" icon at the top.
* Select the "Save Report As" button in the lower left hand of the screen and save it to a text (.txt) file on your desktop (make sure to remember where you saved that file, this is important).
* Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
=====
Next post please add:
* AVG scan log
* New HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:51 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147904416968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147904410343
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

-- End of file - 6647 bytes

I can't seem to complete the AVG Anti-Spyware installation...can't get an icon on the desktop, also can't access the AVG main window...

OK, we will try another scanner, first I need you to do this:
Enable Viewing Of Hidden System Files & Folders
Windows XP
1. Right Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.
Then go to http://www.virustotal.com/ Select "Browse" and navigate to C:\WINDOWS\system32\d3d8caps.dat. Double click d3d8caps.dat to enter it in the window and then select "Send File". This will run the file through 32 different virus scanners and show the results. Let me know what (if anything) is reported.
=====
Again with the long instructions....
Download Superantispyware (SAS)
SUPERAntispyware Free Edition
Install it and double-click the icon on your desktop to run it.
* It will ask if you want to update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  + Close browsers before scanning
  + Scan for tracking cookies
  + Terminate memory threats before quarantining.
  + Please leave the others unchecked.
  + Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information for me please do the following:
  + After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  + Click Preferences. Click the Statistics/Logs tab.
  + Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  + It will open in your default text editor (such as Notepad/Wordpad).
  + Please save the notepad file to your desktop by clicking (in notepad) "File" "Save As".
* Click close and close again to exit the program.
* Please add the log in the next post.

Ok evil, I think I got it together this time....
SUPERAntiSpyware Scan Log http://www.superantispyware.com
Generated 11/11/2007 at 10:16 PM
Application Version : 3.9.1008
Core Rules Database Version : 3342
Trace Rules Database Version: 1343
Scan type : Complete Scan
Total Scan Time : 01:03:50
Memory items scanned : 408
Memory threats detected : 0
Registry items scanned : 5765
Registry threats detected : 0
File items scanned : 58730
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\[email protected][1].txt

Trojan.Downloader-CounterMeasures
C:\QOOBOX\QUARANTINE\C\WINDOWS\TEMP\1186997838.EXE.VIR