A lot of viruses, need help directing 360

First time posting on these forums but I have come here in a bit of a panic since I am at a complete loss as to what to do.

 

Today, sometime around 5:00pm I was turning on my computer and did my regular virus scan. I always watch the first 100,000 files get scanned (as it appears the newest ones, specifically viruses, appear near the front) and I noticed a tonne of programs that shouldn't be there, and not only feel like a security risk, but are blatantly labeled.

 

I managed to pause Norton 360 V2.0 in between its rapid scans of these files (only displayed for a split second, if that) and wrote a lot of them down. Norton 360 V2.0 does not recognize them as a threat nor do I know how to make it recognize them as a threat, let alone remove them.

 

For what it's worth, I am using Vista 64 bit service pack 1 with all the recent updates downloaded and installed, as well as 360 being completely up to date.

 

Here is the list of Viruses I managed to catch and write down.

 

Trojan.zlob

Trojan.bookmarker

Backdoor.haxdoor.L

Backdoor.subseven.215

Backdoor.Delf.Family

Trojan.Horst

Trojan.perfcoo

CainAbel

888 Bar

Infostealer.haxdoor

Trojan.Qhost

Backdoor.graybird.G

 

These are all new and only showed up today. An additional file that was being looked at heavily (but never dealt with) was "W32.Sality.U" and any and all help with this would be tremendously appreciated.

 

Again, these only showed up today, and I am at a complete loss as to where to get started, and I am really afraid of having important and personal information compromised (as such I had to create an entirely new email to do this so I wouldn't lose a lot of personal information) on top of having my computer wrecked (as I am in no position to replace it entirely).

Hi

 

Quadsie (Quads) is here, please give me time to read your messages.

 

Quads 

Hi

 

Well, that's a few names,

 

What Operating system do you have?  As some tools don't work with Vista?

 

Download Hijackthis http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and download the third in the list (Executable) and click "Scan with log", open the log in Notepad, then paste me the results please in a Personal Message. We will try and stop any starting Items.

 

Quads 

Hi 

 

 

Run Hijackthis again and tick the box beside these items  only, careful some could look the same when just skimming.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA/ 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe              (Used by one of the infections on startup, to be able to run)

O1 - Hosts: ::1 localhost                                        (one is using or attempting to use the Local loopback; we will fix the "hosts" file once clean)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)       (yes there are 2 entries, if you look carefully, different numbers) 

O13 - Gopher Prefix:

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) 

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) 

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

After ticking  the entries above  Click "Fix Checked"   

 

Looks Like some of the Malware has at least been removed, You may be asked by Hijackthis to restart 

 

Now download SuperAntispyware Free http://www.superantispyware.com/download.html, do a manual update then     Run a full scan in Safe Mode    

 

I have to go out, be back later

 

Quads 
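
As an added example (not part of the original posts and not HijackThis's own code): a small Python parser for log entries in the format quoted above, which groups them by section code and lists the O23 services reported as "(file missing)" so each path can be checked on disk before it is ticked. The sample lines are constructed in the thread's format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries in the same format as the log lines quoted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
"""

# "<section code> - <body>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O23 body: "Service: <display> (<short name>) - <owner> - <path>[ (file missing)]"
SERVICE = re.compile(
    r"^Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_log(text):
    """Group log entries by their section code (R0, F2, O2, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return dict(sections)

def missing_services(sections):
    """Return (service name, image path) for O23 entries marked '(file missing)'."""
    out = []
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if m and m.group("missing"):
            out.append((m.group("name"), m.group("path")))
    return out

def under_system32(path):
    """True when the image path sits in System32, the directory that 32-bit
    processes on 64-bit Windows see redirected to SysWOW64."""
    return path.lower().startswith(r"c:\windows\system32" + "\\")

if __name__ == "__main__":
    for name, path in missing_services(parse_log(SAMPLE_LOG)):
        print(f"{name}: {path} (System32: {under_system32(path)})")
```
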

I believe this is normal behavior; Norton always scans for specific and prevalent malware before scanning your files specifically.

 

 

 

Message Edited by Tech0utsider on 12-10-2008 05:03 PM

I am installing Superantispyware now and I will restart in safe mode once it is updated.

 

I'll send you a copy of the scan again? Or will everything be fixed?


Mechy wrote:

On a related note. Sometimes running a full scan will only go to about 5600 files, stop, then say the scan was completed.


I do not know why; however I can assure you that N360 is protecting you. 

Alright, I did the steps and superantispyware said it found no harmful viruses/files etc. in safe mode.

 

Do I scan again with Norton?

That could be why your Hijackthis log had a lot of registry entries linked to missing files, the files are already gone. So Vista was wanting to load files on startup that are nonexistent.

 

You could try another full Norton scan.

 

Quads 

More files were detected.

 

Trojan.EliteBar

Trojan.WGirl

Backdoor.Graybird

W32.Netsky.BG

Trojan.Zlob

W32.Mytob.BE@mm

Backdoor.Haxdoor.L

Backdoor.Subseven.215

Trojan.Horst

Trojan.Perfcoo

Downloader.Lop

Adware.180Search

Adware.HungryHands

Dialer.UKAmPorn

Adware.PortalScan

Dialer.NewDial

Adware.BlockChecker

Adware.Littlehelper

SpyBouncer

Spyware.CMK

Dialer.RatedXXX

Trackware.Energyplus

Adware.cacb

FreeSpyScanRemove

Spyware.PCPandora

Adware.2Search

Spyware.Earspy

Spyware.WebSnitch

SpyKill

AntiSpyZone

Spyware.ISnake

VirusRay

Spyware.DDominator

MalewareWar

Spyware.GURLWatcher

Trackware.WebGuardian

 

So the spyware scan and Norton are doing absolutely nothing to protect me? What I can do to stop this!

 

Hi 

 

Well that is strange, after using Hijackthis to delete entries and do a SuperAntiSpyware scan to show nothing, a couple have gone, But MORE has been added to the list, ones that were not showing in the log. and not in your previous list

 

Maybe 360 has had a Malware infection causing N360 to become defective and now showing false Positives, what are some of the files that 360 is flagging?? 

 

Quads 

I am thinking hard

 

Quads 

Can you take a screenshot for us when N360 is exhibiting that kind of behaviour?

I don't know how to take a screen shot, let alone post it or give it to some one.

 

I checked the Norton database for what these viruses do, and, if I had Trojan.Horst... I would have been directed to all kinds of pornography sites, and I haven't been redirected at all.

 

When I launched the Norton scan, it starts with a * and then scans the files.

 

The files I listed are displayed exactly as Norton displays them during the scan. Superantispyware also has detected nothing. That is with 2 scans in safe mode, a scan disconnected from the internet and a scan connected to the internet.

 

I'm going to the computer to store grab a CD-key of Vista 64 for the final solution of just reloading everything, but I also don't want to lose the data.

 

Is it possible Norton has been blind sided and disabled and this is disabling other anti-virus programs like Superantispyware?

<< I'm going to the computer to store grab a CD-key of Vista 64  ... >>

 

I'm not sure you need to do that, apart from any question of stealing if you plan to open a pack and copy the KEY!! <g>

 

Can you explain why you need this (new?) KEY ? The KEY you have, I presume, will work under Windows 64 (VISTA?). I don't know about N360 and 64 bit although be aware that NIS 2009 / NAV 2009 are not yet fully featured under VISTA 64 .

 

Explain what you plan to do and maybe we can help you.

EVERYONE – This is VISTA 64 bit and Norton 360 – I was confused at first! I’ve no background on N360 and VISTA 64


Mechy wrote: 

 

When I launched the Norton scan, it starts with a * and then scans the files.

 

"The files I listed are displayed exactly as Norton displays them during the scan". Superantispyware also has detected nothing. That is with 2 scans in safe mode, a scan disconnected from the internet and a scan connected to the internet.

 

I'm going to the computer to store grab a CD-key of Vista 64 for the final solution of just reloading everything, but I also don't want to lose the data.

 

Is it possible Norton has been blind sided and disabled and this is disabling other anti-virus programs like Superantispyware?

 


 

Huh huh, click, By this Comment "The files I listed are displayed exactly as Norton displays them during the scan" Does that mean you are watching the scan and seeing the Malware names list?
You are watching it look for those infections NOT that N360 has found those infections, Like people who saw "carny_ride" thinking they were infected but weren't.
 
Only the infections listed after the scan has finished, are infections, It will say the files it has detected as well.
 
There are No more bad entries in your Hijackthis.log, and a full scan of SuperAntispyware has found nothing ,
 
Quads 

Sorry for the delay. As to the kind person wondering about the CD-key, when I bought the computer they didn't give me the key or the disc, if I wanted to reload the whole OS from the disc, I'm outta luck.

 

Yes, I am watching the scan and seeing the Malware names. Norton says nothing, and neither does Superantispyware.

 

So, is my computer, in fact, not infected, and that when Norton displays:

 

"Searching Trojan.Horst"

 

Instead of:

 

" Searching Windows:C/Pictures/Downloads/Example_Picture"

 

it really means it's just scanning for the trojan? And not that it actually found it?


Mechy wrote:

Sorry for the delay. As to the kind person wondering about the CD-key, when I bought the computer they didn't give me the key or the disc, if I wanted to reload the whole OS from the disc, I'm outta luck.

 

Yes, I am watching the scan and seeing the Malware names. Norton says nothing, and neither does Superantispyware.

 

So, is my computer, in fact, not infected, and that when Norton displays:

 

"Searching Trojan.Horst"

 

Instead of:

 

" Searching Windows:C/Pictures/Downloads/Example_Picture"

 

it really means it's just scanning for the trojan? And not that it actually found it?


The OS with no CD key, Oh boy, a COD should be with the computer when bought, sometimes on the side of the case, Or on the reading material that came with Vista.  The Company has to give you the Legit key for cases like Re-installing the OS. I don't think Microsoft would be happy, the company hasn't.
HP and Dell place the sticker on the case 
Now you have used Hijackthis early on to remove the entries I stated in message #5 on page 1. SAS comes up clean in scanning etc, so yes you are clean
"So, is my computer, in fact, not infected, and that when Norton displays:

 

"Searching Trojan.Horst"

 

Instead of: " Searching Windows:C/Pictures/Downloads/Example_Picture" 

 

Correct, But if you do a full scan N360 can go in to scanning the full directory structure so will change to  " Searching Windows:C/Pictures/Downloads/Example_Picture"  But just in a Quick scan it only does "Searching Trojan.Horst" etc.  and the scan is shorter in length.

 

Quads