trojans in xp


10 replies to this topic

#1 lotsofproblems


Posted 30 October 2008 - 10:46 PM

Hi everyone,
I seem to have at least two trojans on my computer: trojan.virantix.c and trojan.satiloler.d. The virantix one was diagnosed by the new Norton AntiVirus 2009, and I found the other one in the registry. I have been online for most of the past two days with tech support at Norton AntiVirus, and the problems won't reproduce when someone else is looking.
Here is what is happening. Everything seems to be running fine, and then if the computer is left idle for 30 minutes to an hour the antivirus is turned off. Not by me. I also cannot send or receive email when this happens. If I reboot, the antivirus comes back and everything seems fine. If it has sat for a while without the antivirus, it will find a backdoor.tidserv. I was getting a taskbar popup or notification that said something was wrong with Windows and I should follow the link to download a new program. The techs at Norton virus removal have done a lot of things and assured me that the problems are all fixed, but it keeps happening. What should I do? Is this fixable enough so that I can trust my computer again? I am worried about doing my banking from this computer now. Should I fdisk and reinstall the recovery disk? I have done that a few times with my old e-machine computer. Any help here would be appreciated.


#2 lotsofproblems


Posted 31 October 2008 - 02:09 AM

:thumbsup: OK, let me try again. Also, I realize I could have put this in a better spot in the forum.
At first, it looked and acted like a virus: freeze-ups, pages loading to infinity, and bogus Windows alerts about spyware.
This was right after I upgraded to Norton AntiVirus 2009. Then the taskbar icon of Norton would disappear. If I try to open the program, it won't open. After about two minutes, I would get an error message. 3038,107 was one of the error messages.
So at this point I cannot open Norton. So I go to the site, wait for a tech to help, and the tech uninstalls Norton, reboots, and reinstalls. At this point, everything is fine. The virus scan turns up some things, but says they are fixed. The very nice tech says all fixed, not to worry. After about an hour of doing something else, I return to find that the antivirus has been turned off again. I try to open it and get an error message. I get tech help, same thing done a little differently. This one edited the registry and removed a few files. I don't know what files, sorry. Oh, I forgot to say that after Norton is off the taskbar, I can no longer send or receive mail. Anyway, everything is supposed to be fine. Well, not so much. It does it again, with a longer time with no virus protection. The tech says try a reboot. It works and everything is back. But the virus scan finds trojan.virantix.c and backdoor.tidserv. So again I have to leave for a while, I get back, guess what? So now I'm paying for virus removal through Norton. I have techs controlling my desktop, going through all the steps, and telling me "all fixed, not to worry". Still... leave it idle for 30 minutes or more, and the same thing happens. I got Malwarebytes Anti-Malware, it found all kinds of stuff, says everything is fine. I got SUPERAntiSpyware Professional, says everything is fine. I know as soon as I let the computer sit idle it will happen again. I'm sure this is above my head. Help would be greatly appreciated.

#3 garmanma


Posted 31 October 2008 - 07:56 AM

I'm moving you to Am I Infected
Reboot your computer and run and post Mbam again
Mark
Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#4 lotsofproblems


Posted 31 October 2008 - 11:05 AM

Thank you for moving this and posting.
Ok this should be the first log from mbam- from last night

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/30/2008 10:24:09 PM
mbam-log-2008-10-30 (22-24-09).txt

Scan type: Quick Scan
Objects scanned: 53178
Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

#5 lotsofproblems


Posted 31 October 2008 - 11:06 AM

Here is the one I just did after rebooting, and after something, once again, turned off the Norton antivirus.

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/31/2008 10:01:14 AM
mbam-log-2008-10-31 (10-01-14).txt

Scan type: Quick Scan
Objects scanned: 54636
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
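
Added example, not part of the original thread or of Malwarebytes' own tooling: a small Python parser for the Malwarebytes log layout posted above. It tallies detections by family, lists items the scanner reported but did not remove, checks the summary counts against the listed items, and notes whether anything was found running in memory. The sample log, including its keys, paths and family names, is constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.30 layout shown in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1341

Scan type: Quick Scan
Objects scanned: 1000

Memory Processes Infected: 0
Registry Keys Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\example.loaderctrl (Adware.Example) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Example\{00000000-0000-0000-0000-000000000001} (Adware.Example) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Example\{00000000-0000-0000-0000-000000000002} (Rogue.Example) -> No action taken.

Files Infected:
C:\RECYCLER\example_installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Sections that describe code that was running when the scan was taken.
ACTIVE_SECTIONS = ("Memory Processes Infected", "Memory Modules Infected")


def parse_mbam_log(text):
    """Return (summary counts per section, list of detected items)."""
    summary, items, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            current = m["section"]          # start of a detail section
        elif current and (m := ITEM_RE.match(line)):
            items.append({"section": current, **m.groupdict()})
    return summary, items


def triage(text):
    """Condense one scan log into the facts a helper checks first."""
    summary, items = parse_mbam_log(text)
    listed = Counter(i["section"] for i in items)
    return {
        "families": Counter(i["family"] for i in items),
        # Items the scanner reported but did not remove.
        "unresolved": [i for i in items if "successfully" not in i["action"]],
        # Summary count differs from listed items: the pasted log is incomplete or edited.
        "mismatch": {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]},
        # True only when something was found running in memory.
        "active_code": any(summary.get(s, 0) for s in ACTIVE_SECTIONS),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for family, count in report["families"].most_common():
        print(f"{count:3d}  {family}")
    print("unresolved:", [i["object"] for i in report["unresolved"]])
    print("count mismatches:", report["mismatch"])
    print("active code found:", report["active_code"])
```

A log whose detections are all registry traces and leftover files, with nothing in the memory sections, does not by itself account for an antivirus that keeps being switched off, which is the situation the two scans in this thread leave open.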

#6 lotsofproblems


Posted 31 October 2008 - 11:08 AM

I also put in SUPERAntiSpyware last night; here is the first log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2008 at 07:01 PM

Application Version : 4.21.1004

Core Rules Database Version : 3616
Trace Rules Database Version: 1602

Scan type : Complete Scan
Total Scan Time : 01:23:21

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 5228
Registry threats detected : 43
File items scanned : 30061
File threats detected : 43

Adware.Tracking Cookie

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Adware.MyWebSearch/FunWebProducts

Rogue.Netcom3/SpyClean

#7 lotsofproblems


Posted 31 October 2008 - 11:12 AM

Here is the second log from SUPERAntiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2008 at 09:47 AM

Application Version : 4.21.1004

Core Rules Database Version : 3616
Trace Rules Database Version: 1602

Scan type : Quick Scan
Total Scan Time : 00:24:40

Memory items scanned : 438
Memory threats detected : 0
Registry items scanned : 388
Registry threats detected : 0
File items scanned : 6714
File threats detected : 24

Adware.Tracking Cookie

#8 lotsofproblems


Posted 31 October 2008 - 10:49 PM

I am still having problems. I run all the scans, and they say no problems. Everything seems fine: no freeze-ups, not slow, no problems that I can see. Still, after 30 minutes to 1 hour of idle time, Norton AntiVirus 2009 (the new update) is turned off.
In the Norton AntiVirus history there are things like trojan.virantix.c and backdoor.tidserv. From everything I have been reading, they are turning off the antivirus and putting a backdoor in. There are also intrusion attempts logged. This is scary.
Any help will be greatly appreciated.

#9 boopme


Posted 01 November 2008 - 10:24 AM

Let's try another tool as sometimes a different set of signatures will see what another did not.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#10 lotsofproblems


Posted 01 November 2008 - 01:23 PM

Thanks for your help. The whole system got out of control last night, so I am starting over. So far no viruses or backdoors or attacks. Again, thanks for your help.

#11 boopme


Posted 03 November 2008 - 11:02 PM

Hi, did you mean you reformatted?



