
Do I have a Virus?

Discussion in 'Malware and Virus Removal Archive' started by joeskys, 2005/10/22.

  1. 2005/10/22
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    What can I do to find out if I have a virus? I have 4 different Apps. that are not performing. I ran HJT, Adaware and Spybot-They did not show a virus but HJT showed 16 entries for 023 :confused: My Norton AV is not working.
    I cannot get any help from them. My printer is one of the Apps. not working.
    This has been going on for over a month.
    Any help will surely be appreciated. Joe R.
     
  2. 2005/10/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You can do an online AV scan (see quicklinks in my signature) to locate and clean any infections.

    If your Microsoft AV isn't working, why not uninstall it and get the free version of AVG loaded and updated?

    Maybe post a HJT scan log so we can have a look?
     
    Newt,
    #2


  4. 2005/10/24
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    Do I ...........

    Newt: Thanks for the reply. HJT file encl. also running processes. TOO
    many???? I have a single PC and I am the only one using it.
    I have the AVG in my E mail and will download shortly, will probably buy
    the $38.95 version and get rid of NIS as it is not working. Could not find the
    online scan you mentioned.

    I cannot go from your links to the site. Earlier you or someone answered a Q.
    in the XP Forum, I think, about that but the URL did not work. Got a 404 error. Thanks for your help. Joe R

    It was not XP, it was in Outlook Express, and the non-working links were posted by Steve and Welshjim.
     
    Last edited: 2005/10/24
  5. 2005/10/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I just verified a couple of the scan links and they look OK. I'm guessing you've been attacked.

    Locate a file named hosts (no extension) in \windows\system32\drivers\etc and rename it to hosts.old. You may have to set Windows Explorer to show hidden and system files to see it.

    After that, try some of the links again.

    And the HJT log will be a big help.
     
    Newt,
    #4
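    The hosts-file check Newt describes, written out as an added example (this is not Newt's or WindowsBBS code). A hosts file that maps vendor, update or online-scanner domains to loopback or to some other address explains exactly the symptom in this thread: links to scan sites that never load. The script parses the file, flags any mapping of a domain on a watch list (the list and the sample hosts text are assumptions constructed for the illustration) and offers Newt's fix, renaming the file to hosts.old so Windows falls back to normal DNS.

```python
"""Audit a Windows hosts file for entries that hijack name resolution.

Added example for this thread (not Newt's or WindowsBBS code). Assumes the
hosts file layout of \\windows\\system32\\drivers\\etc\\hosts; the sample text
below is constructed, not taken from the poster's machine.
"""
from pathlib import Path
import shutil

# Domains a home user's hosts file has no business overriding: vendor sites,
# update servers and online scanners. Suffix match, so www.symantec.com hits.
# The list itself is an assumption for this example.
WATCHED_SUFFIXES = (
    "symantec.com", "norton.com", "grisoft.com", "avg.com",
    "microsoft.com", "windowsupdate.com", "trendmicro.com",
    "lavasoft.com", "safer-networking.org", "windowsbbs.com",
)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, ignore
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_watched(hostname):
    """True if hostname is, or is under, one of the watched domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Entries that override a watched domain, plus localhost mapped off-box.

    Returns a list of (line_no, ip, hostname, reason). A loopback target
    blackholes the site; any other target redirects it somewhere else.
    """
    findings = []
    for no, ip, hosts in parse_hosts(text):
        for h in hosts:
            if is_watched(h):
                kind = "blackholed" if ip in LOOPBACK else "redirected"
                findings.append((no, ip, h, f"{kind} vendor/update domain"))
            elif h == "localhost" and ip not in LOOPBACK:
                findings.append((no, ip, h, "localhost points off-box"))
    return findings


def neutralise_hosts(path):
    """Newt's fix: rename hosts to hosts.old so Windows falls back to DNS.

    Returns the backup path so the old file can still be inspected.
    """
    path = Path(path)
    backup = path.with_name(path.name + ".old")
    shutil.move(str(path), str(backup))
    return backup


# Constructed sample: two vendor domains blackholed, one redirected,
# one legitimate local override that should not be flagged.
SAMPLE_HOSTS = """\
# (constructed sample hosts file)
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
198.51.100.7    www.avg.com         # RFC 5737 documentation address
10.0.0.5        intranet.example    # legitimate local override
"""

if __name__ == "__main__":
    for no, ip, host, why in find_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}: {why}")
```

    Run it against the real file with `find_hijacks(Path(r"C:\WINDOWS\system32\drivers\etc\hosts").read_text())`; an empty list means the hosts file is not the reason the scan links fail. Renaming rather than deleting keeps the evidence, and a lone `127.0.0.1 localhost` line is all a default XP hosts file needs.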
  6. 2005/10/25
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    Do I...........

    Newt: Here is the log--I hope
    Logfile of HijackThis v1.99.1
    Scan saved at 6:21:19 AM, on 10/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\E_SSRP03.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System\CSRSS.EXE
    C:\WINDOWS\System32\locator.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Joe\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infocow.net/cancellations/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://my.netscape.com/index2.psp "); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\pd5dchcv.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\pd5dchcv.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [.svchost] C:\WINDOWS\System\CSRSS.EXE
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: AOpen.com.tw
    O15 - Trusted Zone: www.club.aopen.com.tw
    O15 - Trusted Zone: www.netscape.com
    O15 - Trusted Zone: *.stamps.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_834/sdcregie.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.lifescan.com/otdms/isetup.cab
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{841CA08C-F141-4A97-BFD4-93A7DE404582}: NameServer = 24.229.54.212 216.144.187.199
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EPSON STM Service03 (EPSON_PM_RPC_03) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_SSRP03.EXE
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~3.EXE
    O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    I will do the HOSTS thing next.
    Re: The links--I cannot go from any link in OE or IE. Joe R.
     
  7. 2005/10/25
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    Do I ...........

    I d/l AVG to desktop but have not installed it yet. Also, have uninstalled Epson printer and will do Norton NIS also after I make a restore point.
     
  8. 2005/10/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Good idea on the RP/remove/install.

    You REALLY need to load SP2. Really.

    You need to put HJT in a normal folder. Desktop isn't good if you ever use HJT to remove stuff nor is any sort of temp folder.

    Not a lot in the HJT log that is really exciting. I do think that unless there is strong reason to leave those two Taiwan sites in your trusted zone, you'd do better to remove them (HJT scan and check them for removal) so they will be back under the security you have for normal internet sites.

    Post back after you've finished with the hosts file rename and the AV switch and a scan with AVG.
     
    Newt,
    #7
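    A way to read a HijackThis log the way Newt does above, as an added example (not HijackThis code and not Newt's own checklist). It pulls out the sections that matter for this thread: O4 Run entries whose executable has a core Windows process name or sits outside Program Files/System32, O15 trusted-zone sites, O17 nameservers, and O23 services grouped by owner so a "do I need all those O23 listings?" question answers itself. The heuristics are assumptions chosen for the illustration and a flag means "look closer", not "infected"; the sample lines are quoted from the log posted earlier in the thread.

```python
"""Triage a HijackThis log the way a forum helper reads it.

Added example for this thread, not HijackThis code or Newt's checklist. The
heuristics are assumptions chosen for this illustration; a flag means "look
closer", not "infected". Sample lines are quoted from the log posted above.
"""
import re
from collections import Counter

# Core Windows processes live in System32 and are started by the system,
# never from a Run key; the same file name elsewhere deserves a look.
SYSTEM_EXES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}
# Folders where a Run entry normally lives (assumption for this example).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_from_command(cmd):
    """First token of a Run command, quotes stripped, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip().lower()
    return cmd.split()[0].lower()


def triage(log_text):
    """Return findings keyed by HJT section; O23 is summarised by owner."""
    out = {"O4": [], "O15": [], "O17": [], "O23_unknown": [],
           "O23_by_owner": Counter()}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            base = exe.rsplit("\\", 1)[-1]
            if base in SYSTEM_EXES:
                out["O4"].append((m["name"], exe,
                                  "system process name launched from Run key"))
            elif exe.startswith("c:\\") and not exe.startswith(TRUSTED_DIRS):
                out["O4"].append((m["name"], exe,
                                  "runs from outside Program Files/System32"))
        elif m := O15_RE.match(line):
            out["O15"].append(m["site"])          # Newt: remove unless needed
        elif m := O17_RE.match(line):
            out["O17"].extend(m["ips"].split())   # confirm these are your ISP's
        elif m := O23_RE.match(line):
            out["O23_by_owner"][m["owner"]] += 1
            if m["owner"] == "Unknown owner":
                out["O23_unknown"].append((m["svc"], m["path"]))
    return out


# Lines quoted from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [.svchost] C:\WINDOWS\System\CSRSS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O15 - Trusted Zone: AOpen.com.tw
O15 - Trusted Zone: www.club.aopen.com.tw
O17 - HKLM\System\CCS\Services\Tcpip\..\{841CA08C-F141-4A97-BFD4-93A7DE404582}: NameServer = 24.229.54.212 216.144.187.199
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~3.EXE
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for name, exe, why in r["O4"]:
        print(f"O4 [{name}] {exe}: {why}")
    print("Trusted zone:", ", ".join(r["O15"]))
    print("Nameservers:", ", ".join(r["O17"]))
    print("Services by owner:", dict(r["O23_by_owner"]))
    print("Services with unknown owner:", r["O23_unknown"])
```

    The owner tally is the quick answer to the "too many O23 entries" worry: on this log nearly all of them carry the Symantec name, so they are Norton, and they disappear with a clean uninstall rather than by deleting them in HJT (Newt's point exactly). The O4 and O23 flags are prompts to check the file on disk, its vendor signature and its location before touching anything.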
  9. 2005/10/29
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    I ran AVG and it found 4 baddies. Put them in the Vault. Do I need all those 023 listings in HJT log? I have only 1 PC and am the only one using it.

    Renamed HOSTS--No help. Do you have any preference between AVG and
    PC-cillin?? AVG is a 30 day trial version, but no firewall. Once I'm sure I do not have any more baddies I'll concentrate on the printer and Netscape, I'm sure the exe. file is shot as it will not load, even from RUN. It's being discussed in the NS forum. Joe R.
     
  10. 2005/10/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Most of the 023 services are Norton so if that is uninstalled and you still see them, then the uninstall was only partial. Norton is well known for doing that to you and you'd need to do a manual removal to get rid of the rest. Good idea but time consuming.

    It would not be a good idea to just kill the services via HJT though - at least it's not something I would personally do or recommend.

    I run the free version of AVG and it seems to do fine for me. I switched to it after I got fed up with Norton. I just rely on my router/NAT and the XP SP2 firewall. You can get some well-reasoned arguments on here about why I'm not safe with this setup (no control over what goes out from my PC since NAT & the XP firewall only deal with inbound traffic) but it works for me.
     
    Newt,
    #9
  11. 2005/11/02
    joeskys

    joeskys Inactive Thread Starter

    Joined:
    2002/03/13
    Messages:
    197
    Likes Received:
    0
    Viruses ???

    Newt: Got rid of the 023 Nortons using RFA. I was looking around and found
    PC-cillin IS 2005 for $14.89 at Amazon. There were a lot of gooood reviews
    there for it. I'm satisfied now that I do not have any baddies so I can concentrate on getting my printer to work but I've got a feeling I need a new one :( My Netscape problem is being discussed in that forum.

    Thanks for your help, Joe R.
     
