Unknown virus



#1
PeteW

Okay, I'll start from the beginning. I've got Windows XP, just so you know.
Two weeks ago, my computer suddenly stopped. It didn't respond to anything. A weird noise came from the hard drive. The computer restarted itself. It didn't start. It couldn't detect the hard drive. After restarting it a couple of times it worked again.
This happened again several times over the next days.
A couple of days later it crashed again, and this time it wasn't working at all. When I started the computer, two different things could happen:
1. It couldn't detect the hard drive. I've got two hard drives, and it was just the master hard drive, with Windows, that it couldn't detect.
2. It could detect the hard drive, but when Windows was going to start, it showed a message that said /Windows/System32/Config/System was missing or damaged.

I tried to repair it using the repairing tool on the XP disc. It worked, Windows worked.
But next day, the computer crashed again, and Windows couldn't start. Same problem. But I couldn't fix it this time.

So then I just re-installed Windows. I unplugged my network cable. When it was done I installed SP2 from a CD I had burned before. Then I installed Norton, and lastly I plugged in my network cable again.

And now the real problem starts.

Just a few hours after install, Norton was crapped up. And a message popped up, explaining that something had mixed with Norton's settings. It said it would restart the system to make sure everything is fine.
But after both restarting Windows and re-installing Norton, it still didn't work. So I went here. Scanned with
Trendmicro - it found one trojan. Deleted it.
Then Panda Activescan - nothing.
Ad-aware - nothing
And now the most interesting. Spybot SD found one registry key that prevented Norton from running.
Okay... But after re-starting my computer it still didn't work.
So now I post my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:48:22, on 2005-12-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program\Delade filer\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program\Google\Google Talk\googletalk.exe" /autostart
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133934516316
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Update:

I searched with Spybot SD again but it didn't find anything.
This message still pops up every time I start my computer:

Settings alert! Some Symantec product settings have been changed by an unauthorized program. This can indicate that an attacker or a virus is attempting to disable your program. To avoid problems settings will be reverted to their previous configuration and the system will be restarted. Click OK to continue.


And if I click OK (the only thing to do) the computer restarts. And then the window pops up again.
So now I just drag the window out of the screen and ignore it.

Edited by PeteW, 08 December 2005 - 11:53 PM.
