[Closed] probs multiplying ~TR & V ~ Lost system files


This topic is locked. 2 replies to this topic.

#1 leftlane (New Member, 1 post)

Posted 11 December 2007 - 12:13 PM

Hi, (Compaq XP) have been running A2Squared, have some traces quarantined.
Used AV Personal, which DID find 3 TR "av-patch" corrupted system files, and quarantined.
But it seemed the TR's ate through, or another TR invaded, as program became corrupted and updated with the downloader trojans filename ending in .gz.
I was alarmed by the extension names whizzing past, as did not seem correct.
But ran deep full scan.
AVPersonal then turned up 24 warnings in log stating "could not open file" & "ARCHIVE BOMB"

So then uninstalled AVPersonal,(hopefully including the gz's downloaded?),
reloaded fresh from existing AVP set-up I still had on desktop, ran AV scan again (withOUT updating), but AVPersonal did not then turn up anything.

Uninstalled AVPersonal, deleted out, and installed Kaspersky AV 7.0.
Kasp found a TR dwnldr file, which I deleted out. Also deleted out the back-up file of same.
Uninstalled Kasp 7.0 AV.
Downloaded Kaspersky Security 7.0 (includes firewall).
Ran scan.
Found nothing at all.

Cannot find the bogies.

I tried then to beef up firewall protection, thinking that this might help nail the rogues as I was receiving warning messages from Kasp such as for one, "svchost is trying to embed in another process to access the internet"
And another such warning, TPO or something (warnings about processes using other processes)

So I downloaded ZoneAlarm from filehippo, tried to install, and it bogged down & froze at 25% installed, repeatedly. So I ran CCleaner, and deleted out the set-up for ZA.

I then found
vsmon.exe running in start-up processes, and discovered that True Vector (of ZoneAlarm) was running, and that ZA was listed in my "remove programs" from Control Panel.
So I removed ZoneAlarm, even though it was only 25% installed.
NOW, when I go to Control Panel, "remove programs", almost none are listed.
In fact, of the 6 things or so listed, I don't even recognize what some of them are!!
In addition, CCleaner's list is corrupted the same.

In addition, SYSTEM RESTORE is out of commission, will not do a restore.
Not even the restore point I had created just before attempting to install ZA this morning, nor restore to days ago.
Completely non-functional, have lost Restore capability.

Tried F8-ing to "last known good config".
But system has been corrupted,
even the Control Panel cannot list installed programs on the add/remove list.

(Also, I cannot find any of the traces of True Vector, to see if I can re-install to ungroup programs, in case TrueVector had seized programs list)

Now, on top of all this, when I try to run my A2Squared scanner, it is showing up as Kaspersky scanning. The A2 window is open, but Kasp shows as scanning. If I "pause" in A2Sq, Kaspersky shows as paused.

Both programs seem utterly corrupted.

I have an older version HiJackThis, but am afraid to download newest!
Please advise if I need to, and please advise if you can on any of it!!
Many Thanks!
This affects my income, too..no computer, I'm in tough shape.
Thanks>>
Here is LOG FILE:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:38 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cleveland.cox.net/cci/news
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...od/install.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093828361359
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Edited by leftlane, 11 December 2007 - 12:41 PM.
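The HijackThis log above is a flat list of "section - body" entries, and the two a helper would look at first are the O2 BHO marked "(no file)" and the O23 service marked "(file missing)". The following Python is an added example, not code from the thread or from HijackThis: it parses a few lines copied from the log above (embedded as a constructed sample) and flags such orphaned entries.

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis v1.99.1
# log posted above (header and "Running processes" lines are deliberately omitted
# to show that the parser only picks up section entries).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis appends when the referenced file is not found on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Split a HijackThis log into (section, body) tuples.

    Lines that are not section entries (the version header, the running
    process list, blank lines) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_orphans(entries):
    """Return entries whose target file HijackThis could not locate.

    An orphaned BHO or service entry is a dangling registry reference, the
    kind of residue a partial uninstall or cleanup leaves behind; it is
    what a helper would typically ask to have removed first.
    """
    return [(s, b) for s, b in entries if any(m in b for m in ORPHAN_MARKERS)]


def count_by_section(entries):
    """Tally entries per section code, e.g. {'O23': 2} for two services."""
    counts = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts
```

One caveat when reading the result: avp.exe also appears in the "Running processes" list above, so the O23 "(file missing)" is most likely the scanner tripping over the quoted path plus the trailing -r argument rather than a genuinely absent binary.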


#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 16 December 2007 - 05:54 AM

Hello and welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis, and copy/paste a new log file into this thread. Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

#3 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 31 December 2007 - 09:59 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.
