i might have a virus...

TheMSsForum.com: The Microsoft Software Forum

strange things happening: when Symantec is open, it scans a million messages,
until i have to close it. also, when it try to run trend micro's housecall,
it closes a few seconds after the scan starts. this sounds like a virus to
me, and it sucks because it's disabling my ability to find it.

this is my hijackthis list:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:27 PM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\PROGRA~1\Iomega\System32\AppServices.exe
F:\Program Files\Sony\Shared Plug-Ins\Media
Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\Tablet.exe
F:\WINDOWS\wanmpsvc.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\BroadJump\Client Foundation\CFD.exe
F:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
F:\WINDOWS\system32\WTablet\TabUserW.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Norton AntiVirus\OPScan.exe
F:\Documents and
Settings\x\Desktop\matthew\programs\folders\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -
F:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PnIEBrowserHelperObj Class -
{4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\Program Files\EarthLink
TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
F:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
F:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [BJCFD] F:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge]
F:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PrevxHome] F:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OSS] f:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKCU\..\Run: [g3q24Tt25] mfctab32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk =
F:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://F:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: F:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} -
F:\PROGRA~1\COMMON~1\G7PS\SHARED~1\G7PSDLL\G7PS.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner -
F:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation -
F:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - F:\Program
Files\PREVX\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. -
F:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
Online, Inc. - F:\WINDOWS\wanmpsvc.exe
Top

RE: i might have a virus... by Pandaman

Pandaman
Wed Mar 22 02:39:51 CST 2006

My reply is at the bottom of your message :


"choklitlove" wrote:

> strange things happening: when Symantec is open, it scans a million messages,
> until i have to close it. also, when it try to run trend micro's housecall,
> it closes a few seconds after the scan starts. this sounds like a virus to
> me, and it sucks because it's disabling my ability to find it.
>
> this is my hijackthis list:
>
> Logfile of HijackThis v1.99.1
> Scan saved at 10:31:27 PM, on 3/21/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
< snip>


Hello ! This is MS Usenet newsgroups and the best would be to post your
HiJack This to a special forum where you can get adequate HJT help.Search in
Google for AumHA forum.

Before that , you can perform the malware removal instructions in my
web-site to check and clean :
http://pandaman.my.contact.bg

By the way , if Symantec's products is scanning tons of messages doesn't
mean you have virus ,it can be a bug in the program , for example .

Panda_man
--
Prevention is always better than cure
--
My web-site:
http://pandaman.my.contact.bg
Learn how to protect your computer :
http://www.microsoft.com/protect
Please , rate posts
Top

RE: i might have a virus... by TMacK

TMacK
Wed Mar 22 10:47:30 CST 2006

BTW,I recently submitted a hijack log to www.bleepingcomputer.com and got
excellent help! You have to register before you can submit your log.
Good Luck
TMacK


"Panda_man" wrote:

> My reply is at the bottom of your message :
>
>
> "choklitlove" wrote:
>
> > strange things happening: when Symantec is open, it scans a million messages,
> > until i have to close it. also, when it try to run trend micro's housecall,
> > it closes a few seconds after the scan starts. this sounds like a virus to
> > me, and it sucks because it's disabling my ability to find it.
> >
> > this is my hijackthis list:
> >
> > Logfile of HijackThis v1.99.1
> > Scan saved at 10:31:27 PM, on 3/21/2006
> > Platform: Windows XP SP2 (WinNT 5.01.2600)
> > MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> >
> < snip>
>
>
> Hello ! This is MS Usenet newsgroups and the best would be to post your
> HiJack This to a special forum where you can get adequate HJT help.Search in
> Google for AumHA forum.
>
> Before that , you can perform the malware removal instructions in my
> web-site to check and clean :
> http://pandaman.my.contact.bg
>
> By the way , if Symantec's products is scanning tons of messages doesn't
> mean you have virus ,it can be a bug in the program , for example .
>
> Panda_man
> --
> Prevention is always better than cure
> --
> My web-site:
> http://pandaman.my.contact.bg
> Learn how to protect your computer :
> http://www.microsoft.com/protect
> Please , rate posts
Top