Please help! I can't even view the other posts on this forum


This topic is locked. 2 replies to this topic.

#1 axonwarrior (New Member, 2 posts)

Posted 14 December 2005 - 06:53 PM

I have a Dell 4550 with Windows XP SP2... I have run Registry Mechanic, Norton AV, Adaware, and Spybot S&D...

Before Norton I was running CA Etrust AV and it found items that it could not resolve...

Started scanning at 11/23/2005 3:50:16 PM. Engine Ver: 11.9.1. Sig Ver:9524. Sig Date: 11/22/2005.
C:\Documents and Settings\Administrator\ntuser.dat - scan failed.
C:\Documents and Settings\Administrator\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\350b3481ba97aa8d6efdc098a514f29c_1dce0e75-1303-433a-bfc1-6b582bd25551 - scan failed.
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp - scan failed.
C:\Documents and Settings\NetworkService\NTUSER.DAT - scan failed.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - scan failed.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - scan failed.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\G16RW1I7\count[1].jar <BlackBox.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\G16RW1I7\count[1].jar <VerifierBug.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\G16RW1I7\count[1].jar <Dummy.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\G16RW1I7\count[1].jar <Beyond.class> - Java.Shinwow.AT trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\XWDDOMSA\ie0502b[1].jar <GetAccess.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\XWDDOMSA\ie0502b[1].jar <NewSecurityClassLoader.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\XWDDOMSA\ie0502b[1].jar <NewURLClassLoader.class> - Java.ByteVerify!exploit trojan.
C:\Documents and Settings\Zoe\Local Settings\Temporary Internet Files\Content.IE5\XWDDOMSA\ie0502b[1].jar <Installer.class> - Java.Shinwow.AV trojan.
C:\Documents and Settings\Zoe\My Documents\Key Generators\Macromedia_Flash_MX_2004_by_HTBTeam.zip <pyn.exe> - Win32.SillyDl.BM trojan.
Finished scanning at 11/23/2005 4:49:10 PM.

Norton was able to do a lot better than Etrust and Adaware and with Registry Mechanic I have gotten myself back online, but it is so slow that I cannot get anything accomplished...

I've used Autoruns and disabled some auto starters and have regained explorer performance, but I can't initialize Outlook Express because another application is sending emails to people I don't know (Symantec scans Emails before they are sent and I have sent hundreds without my permission.) Windows Media player and my printer drivers are also casualties.

My Hijackthis log is:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:09 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Zoe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NetFxUpdate_v1.0.3705] "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe" 1 v1.0.3705 GAC + NI NID
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B931B906-B275-475F-99DE-923596CC9DB6} (PAS6_Forecaster.Forecaster) - http://www.bplans.co..._Forecaster.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please help me...

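A way to pre-sort a HijackThis log like the one above before reading it by hand, as an added example that is not from the thread or from HijackThis itself: it parses the Rn/On entry lines and flags the items a helper typically checks first (zone mismatches in O15, the missing URLSearchHook in R3, O9 buttons pointing at no file, downloaded O16 controls, O23 services with no publisher). The sample lines are constructed from the format of the log above, and the flag rules are this example's own heuristics, not HijackThis's.

```python
import re

# Constructed sample in the HijackThis log format seen above (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O15 ProtocolDefaults bodies name the actual and the expected security zone.
ZONE_RE = re.compile(r"'(?P<proto>[^']+)' protocol is in (?P<actual>.+?) Zone, should be (?P<expected>.+?) Zone")


def parse_hjt(text):
    """Return the log's entries as (section, body) pairs; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) for entries a reviewer would look at first.

    The heuristics are this example's own, chosen from what the thread's log shows.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "R3" and "is missing" in body:
            findings.append((section, "default URLSearchHook removed", body))
        elif section == "O9" and "(no file)" in body:
            findings.append((section, "IE button pointing at a missing file", body))
        elif section == "O15":
            z = ZONE_RE.search(body)
            if z and z.group("actual") != z.group("expected"):
                findings.append((section, f"{z.group('proto')} mapped to {z.group('actual')} zone", body))
        elif section == "O16":
            findings.append((section, "ActiveX control downloaded from the web (DPF)", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher recorded", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {body}")
```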


#2 axonwarrior (New Member, 2 posts)

Posted 17 December 2005 - 11:07 PM

I have resolved this issue myself... For anyone who wants to know...

The Java exploit and any other viruses in the log from eTrust can be deleted by Norton... what's left is the corrupt drivers and the changed registry.

Disable these in MSConfig:
App Layer Gateway
Background Intel Trans
Cryptog
Human IDev
HTTP SSL
TCP IP
Task Man
Sys Res
Win Im
Win User Mode Dr
Web Cli
Win Man Int
WMI Perf
Net Provis

Once these are disabled, restart and let Windows load normally... download Autoruns, Reg Mechanic, Norton AV, Adaware, and Spybot...
Restart once installed and run the programs (deleting all the entries that are malicious.)

The first thing is to get the autoruns program started and disable all of the webcheck and IE and Outlook initializers... then run Norton, Adaware, and Spybot (make sure you configure Adaware to skip Spybot)...

Once all of the programs have run, IE and Outlook will still be problematic...
do this: http://support.micro...om/?kbid=304872 then this: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263837

Then go to the registry key and change the permissions for the files in: HKEY_LOCAL_MACHINE\Software, HKEY_CURRENT_USER\Software to accept changes from the user (you), then reinstall a different browser and email client like Mozilla and run the registry mechanic to optimize and fix the registry. Then get new drivers for Windows Media Player and your Ethernet card and any other program that was a victim and reinstall them... Good luck! It worked for me!

Edited by axonwarrior, 17 December 2005 - 11:09 PM.


#3 wng_z3r0 (MRU Emeritus, Authentic Member, 986 posts; Interests: Cornet, video games)

Posted 15 January 2006 - 09:12 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418
