
Unable to remove ALL infections


ktwister

I had 'VIRUS ALERT' embedded into my clock, and it displayed military time. I removed that partially with Spybot. Now the 'VIRUS ALERT' is removed, but the clock is still in military time. At one point these infections broke into my safe mode and began affecting things. Also, the desktop screen is pulled into an 'Active Desktop Recovery' mode while the computer loads into a normal boot. I have used various virus programs since my Norton contract lapsed. The Norton program also cannot be removed from the Add/Remove Programs section of the Control Panel. I am currently using the Avira evaluation. I scanned for the bad wares and removed many with AVG & Malwarebytes; however, I restarted into safe mode after scans in a couple of instances. Not sure if that is going to affect my startup, but the computer is STILL infected since it starts up very, very slowly now, and I noticed that the browser is hijacked in a couple of areas.

One, where you can expand your icons at the bottom right, the arrow is missing.

Two, when you hit the green 'Start' button at the bottom left, most of the usual items, such as quick links to folders including 'My Computer', are missing.

I cannot update to most other virus programs on that computer right now since I am on Windows XP Home SP1, and most antivirus programs require SP2. Arrrggggh!

Included attachments in the following order: Pandascan log, Malwarebytes log. Tried to attach the HijackThis log, and was told that "Upload failed. You are not permitted to upload this type of file." I will include it below:

;*******************************************************************************

ANALYSIS: 2008-09-17 20:02:03

PROTECTIONS: 1

MALWARE: 7

SUSPECTS: 3

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Norton Antivirus 2007 14.0.4 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00003992 spyware/adclicker Spyware No 1 Yes No c:\windows\usta33.ini

00029767 adware/delfinmedia Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\run\motoin

00032724 adware/portalscan Adware No 0 Yes No c:\windows\mmgsvcva.bin

00032724 adware/portalscan Adware No 0 Yes No c:\windows\mmgsvc.dat

00135099 adware/powerstrip Adware No 0 Yes No c:\windows\mmgsvce.bin

00145454 Cookie/Centralmedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@centralmedia[2].txt

00145454 Cookie/Centralmedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@centralmedia[3].txt

00145454 Cookie/Centralmedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@centralmedia[4].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt

00278769 Application/PRScheduler HackTools No 0 Yes No C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4P6VCPAF\msfont[1].dll

No C:\Documents and Settings\Owner\My Documents\acoustica\keymaker.exe

No C:\hp\bin\KillIt.exe

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

133387 MEDIUM MS06-065

133386 MEDIUM MS06-064

133385 MEDIUM MS06-063

133379 HIGH MS06-057

131654 HIGH MS06-055

129977 MEDIUM MS06-053

129976 MEDIUM MS06-052

126093 HIGH MS06-051

126092 MEDIUM MS06-050

126087 HIGH MS06-046

126086 MEDIUM MS06-045

126083 HIGH MS06-042

126082 HIGH MS06-041

126081 HIGH MS06-040

123421 HIGH MS06-036

123420 HIGH MS06-035

120825 MEDIUM MS06-032

120823 MEDIUM MS06-030

120818 HIGH MS06-025

120815 HIGH MS06-022

120814 HIGH MS06-021

117384 MEDIUM MS06-018

114666 HIGH MS06-015

114664 HIGH MS06-013

111790 MEDIUM MS06-011

108744 MEDIUM MS06-008

108743 MEDIUM MS06-007

108742 MEDIUM MS06-006

104567 HIGH MS06-002

104237 HIGH MS06-001

101055 HIGH MS05-054

96574 HIGH MS05-053

;===============================================================================

Malwarebytes' Anti-Malware 1.28

Database version: 1166

Windows 5.1.2600 Service Pack 1

9/17/2008 6:42:52 PM

mbam-log-2008-09-17 (18-42-52).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 125499

Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:46:05 PM, on 9/17/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll (file missing)

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min

O4 - HKLM\..\Run: [NAV] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE /MEDIA "G:\NAV09EN.exe"

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/09a21f09ab9646...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953444921

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953431984

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {CF47FBE2-E306-4EF2-9775-BB59ADBA99BD} (DownloadList Class) - http://www.mp3search.ru/dm/dm_10111.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O20 - AppInit_DLLs: ygapgm.dll

O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 9753 bytes

I was VERY worried when these infections started affecting my SAFE mode, but have got this far. Am REALLY hoping to FINALLY finish this absolute nightmare. PLEASE ANY help would be GREATLY APPRECIATED.

THANKS!!!

Just got a HijackThis log in normal boot mode. FINALLY...

Here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:57, on 9/17/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\palmOne\LifeDriveMgrTray.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\palmOne\PalmOneLiveConnect.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll (file missing)

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min

O4 - HKLM\..\Run: [NAV] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE /MEDIA "G:\NAV09EN.exe"

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [smart Antivirus-2009.exe] C:\Program Files\Smart Antivirus 2009\Smart Antivirus-2009.exe

O4 - Startup: LifeDrive™ Manager.lnk = C:\Program Files\palmOne\LifeDriveMgrTray.exe

O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\InstantCD+DVD\SharedFiles\Pixie\RegTool.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/09a21f09ab9646...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953444921

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953431984

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {CF47FBE2-E306-4EF2-9775-BB59ADBA99BD} (DownloadList Class) - http://www.mp3search.ru/dm/dm_10111.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O20 - AppInit_DLLs: ygapgm.dll

O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 11893 bytes

ActiveScan.txt

mbam_log_2008_09_17__18_42_52_.txt


Edited by ktwister: add logs inline and unwrap HJT text

Did you install WinPcap, and do you know what it's used for?

This computer was offline until just recently.

For four years? The SP2 update was released in August of 2004.

I tried to update to sp2, and tried to get some security updates, but the screen just hung whenever I tried installing sp2 or updating security.

I'd like to assume that you tried downloading those updates on the very day that you put this thing back online after the 4-year hiatus, but if that were so, you would not be having these issues.

For the time being, it is not a good idea to install the Windows Updates while the system is still infected. Let's get you cleaned up first, then install those updates later. I merely asked if there was a reason you chose not to install the sp2 because it has been my experience that folks who've balked on the download complain that their dial up connection takes too long since it's such a large file. In which case, I would have recommended that you obtain the sp2 CD from Microsoft...it's free.

There are a couple of things to mention regarding your HJT log. It shows you are running two antivirus applications in real time. Doing that actually reduces your level of protection (contrary to popular thought)...in addition, you run the risk of data loss from a system crash brought about by the instability that it causes. You should decide which to keep and uninstall the other (Symantec vs. Avira). Since I am partial to Avira, I would recommend you keep that one.

I'll also recommend that you uninstall AVG Anti-Spyware version 7.5 since it's dying a natural death in the near future. The mbam is most excellent for removing malware...and, by the way, mbam removes some malicious software that AVG A/S has problems with on removal. If you intended to purchase any protective software (the Symantec application comes to mind since it must be licensed to keep it up to date), then I would seriously consider purchasing a license for the mbam application in order to take advantage of its real-time protection and other configurable options not available in the free version. It's your call...

Next, your Java application is out of date and causes a slight security risk as a result.

Please follow these steps to remove older version Java components

1. Close any open programs you may have running, especially your web browser.

2. Click Start-->Control Panel-->Add or Remove Programs.

3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.

Not every version of Java will begin with "Java" so be sure to read each entry in the list.

Repeat step 3 as many times as necessary to remove all versions of Java.

**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

4. Navigate to and delete:

  • C:\Program Files\Java <=this folder if found

5. Then go to this page.

Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" and click the "Download" button to the right. Select the platform for "Windows".

6. Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement", then click Continue...The page will refresh

Then, click on the link to download Windows Offline Installation. Save it to your desktop.

Now, from your desktop, double-click on the executable to install the newest version.

Next, please run hijackthis again and check the box next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll (file missing)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe

O20 - AppInit_DLLs: ygapgm.dll

Now, close all windows (Very Important) except for the HijackThis application's window...that includes this browser window. Now, click the Fix Checked button.

Reboot the computer into safe mode. Once in safe mode and logged on as "Administrator", please continue with the instructions below:

Using Windows Explorer, (don't just search for these files, navigate to the file) locate and delete the following files indicated in Bold text:

C:\WINDOWS\mm15201518.Stub.exe

C:\WINDOWS\System32\ygapgm.dll

Reboot the computer back to your normal windows user mode and post back a fresh HijackThis log. Please advise how the system performs now. Thanks!


Ha. Yeah, this computer was not offline the entire four years. As I said previously, the sp2 was never installed because when I had attempted to install it back in '04-05 the installation had just hung, and I was told that the HP I had didn't like the sp2 upgrade and that I should wait. I am not sure why it was never upgraded at a later date other than probably the same issues. I normally try and keep up on ALL my updates, but the sp2 had never been an issue with this machine until just now. I tried to remove the Java runtime installations from the add/remove menu, but was told I can't since I am in shell/safe mode. I am not able to access my Control Panel from the normal boot menu, so am unable to do removals of Java at this time.

Also, as far as double virus programs showing up. The Norton Antivirus was from 2007, and I had nothing but issues with it, and never renewed it. It was unable to be removed from the add/remove menu, and had no idea if it was still running as the icon has a red 'x' over it in the start tray back when the computer was running normally. I only recently grabbed a copy of the Avira, and it is an evaluation copy. Avira is one of the few virus removal programs I can use since I don't have the Windows SP2 update that most other virus programs require for installation. I tried to use Panda virus removal, but it told me upon installation that I had to change the resolution of my monitor, and I can't since I am in safe mode.

I only have the AVG spyware in there because I was a former lifetime Ewido license holder, and AVG honored that when they bought Ewido. I figured it wasn't hurting anything to have more than one spyware removal system since I was receiving free updates for AVG, and Spybot and Spyblaster had taken care of everything else until this point. I really never considered removing AVG.

I am only able to start HijackThis from safe mode right now. I started it up and removed some of the items on the list you suggested, but noticed several weren't there. Not sure if this is because of safe mode or not.

These are the ones that weren't there:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll (file missing)

O20 - AppInit_DLLs: ygapgm.dll

Did the HijackThis removal for the ones that were there, and rebooted. Same issues: very slow, military time, and when I try to access my drives, lockup. Am only able to get into HijackThis right now through safe mode. Attached the log.

Tried to manually delete the two files you included in BOLD, but they were no longer there.

Thanks!


Forgot I can't attach the hijackthis.log files.

HijackThis log file

______________________

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:42:22, on 2008-09-18

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\Explorer.EXE

C:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate/

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min

O4 - HKLM\..\Run: [NAV] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\562C4DD5\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE /MEDIA "G:\NAV09EN.exe"

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953444921

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126953431984

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {CF47FBE2-E306-4EF2-9775-BB59ADBA99BD} (DownloadList Class) - http://www.mp3search.ru/dm/dm_10111.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 8770 bytes
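Triage script added by the editor; it is not part of this thread, of HijackThis or of Malwarebytes. It applies the same heuristics the helper used by hand in the fix list above (blanked Internet Explorer settings, a populated AppInit_DLLs value, orphaned "(file missing)" toolbar and service entries, autorun targets dropped straight into C:\WINDOWS) to lines copied from the two logs posted in this thread, and then lists the files a manual safe-mode deletion would have to target after "Fix checked". Two assumptions are the editor's, not HijackThis output: a path-less AppInit_DLLs name is resolved from C:\WINDOWS\System32 (which is also what the helper's delete instruction assumed), and "Unknown owner" services and executables sitting directly under C:\WINDOWS are treated as worth a second look.

```python
import re
from dataclasses import dataclass

# Input lines lifted from the two HijackThis logs posted in this thread (the
# helper's fix list and the poster's safe-mode log); used here only as parser input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll (file missing)
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O20 - AppInit_DLLs: ygapgm.dll
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Autorun targets living directly in %WINDIR% (not System32, not Program Files):
# both droppers the helper asked to delete by hand matched this pattern.
# Editor's heuristic, not a HijackThis rule.
WINDIR_ROOT_RE = re.compile(r'^"?c:\\windows\\[^\\]+\.(?:exe|dll)"?\s*$', re.I)
# Assumed here, as in the helper's instructions: a bare AppInit_DLLs name
# resolves from the System32 directory.
SYSTEM32 = r"C:\WINDOWS\System32"


def parse_entry(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def analyze(log_text):
    """Return the entries a first-pass reviewer would ask about, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # an empty value is the normal state
                findings.append(Finding(section, "AppInit_DLLs injects %s into every user32 process" % dlls, raw))
        elif "(file missing)" in body:
            # Orphaned toolbar/service entry: file already gone, registry still points at it.
            findings.append(Finding(section, "orphaned entry pointing at a missing file", raw))
        elif section.startswith("R") and body.endswith("="):
            findings.append(Finding(section, "blanked Internet Explorer setting (common hijacker residue)", raw))
        elif section == "O4":
            m = re.search(r"\] (.*)$", body)
            target = m.group(1).strip() if m else ""
            if WINDIR_ROOT_RE.match(target):
                findings.append(Finding(section, "autorun target sits directly in C:\\WINDOWS", raw))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service with no recognised publisher", raw))
    return findings


def files_to_remove(findings):
    """Files a manual safe-mode cleanup would still have to delete after 'Fix checked'."""
    paths = []
    for f in findings:
        if "(file missing)" in f.line:
            continue  # nothing left on disk to delete
        if f.section == "O4":
            paths.append(re.search(r"\] (.*)$", f.line).group(1).strip().strip('"'))
        elif f.section == "O20":
            for dll in f.line.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll:
                    paths.append(dll if "\\" in dll else SYSTEM32 + "\\" + dll)
    return paths


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print("%-4s %-62s %s" % (f.section, f.reason, f.line))
    print("delete in safe mode:", files_to_remove(found))
```

On the sample input the script flags five entries (the blank Start Page, the fqbewlna toolbar, the motoin autorun, the AppInit DLL and the orphaned PsExec service) and reports exactly the two files the helper asked to be deleted by hand, C:\WINDOWS\mm15201518.Stub.exe and C:\WINDOWS\System32\ygapgm.dll. Legitimate entries from the same log (the Symantec autorun under Program Files, ps2.exe under System32, the NVIDIA service) pass through unflagged, which is the point of keeping the heuristics narrow.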


Avira is one of the few virus removal programs I can use since I don't have the Windows SP2 update that most other virus programs require for installation.

Can you please point me to even ONE of these programs you mention that require SP2 to be installed before you can install the antivirus software? I've not heard anything of this before.

Coincidentally enough, as luck would have it, the antivirus program you DO have installed is more than capable of removing the problems that still exist on your computer. So, please run a manual update of the software then run a complete system scan. Post back your results. Thanks!


Can you please point me to even ONE of these programs you mention that require SP2 to be installed before you can install the antivirus software? I've not heard anything of this before.

Kaspersky 2009, Norton 2009, and a couple other bigger ones require the sp2 upgrade. That's what the installation screen says when you try to install.

Am running the Avira scan now. Updated definitions last night, and scanned. Found nothing.

Will post when it's done.


I just ran the recovery console that is included under my F10 key with my HP unit, and it recovered everything back to normal except for the removal/re-installation of a few programs. Should I run another HijackThis log?

Also, tried to update Windows from the Windows Update and Microsoft Update links in the start program area, and am not receiving any updates for sp2. Any ideas?


Removed AVG. Immediately re-installed Malwarebytes & Avira. Noticed that the computer rebooted near the end of the Avira installation, and Avira wouldn't update due to 'Scheduler was not loaded'. I am sure that Avira lets you update evaluation copies, so am ? on that issue. Ran Malwarebytes, found nothing. Ran Avira, computer booted on & off during scan. Am attempting another try at a virus scan.

Any suggestions on how to proceed?

Also, should I be using something different besides Avira?

What about for a firewall?


Kaspersky 2009, Norton 2009, and a couple other bigger ones require the sp2 upgrade. that's what the installation screen says when you try to install.

OK thanks. I understand now what you were trying to tell us. I had originally thought you were making reference to the sp2 installation issues regarding antivirus software already installed as it relates to the issues that were present in 2004.

You had me confused about this issue since you had said this computer was offline, more or less, for 4 years...and in your statement of post #5 you did say you tried installing the update in 04 or 05, so I naturally thought you were referring to that time period. It was, at that time, pretty much a requirement to uninstall your a/v software first, then install the update. Afterward, you would have been sent to the a/v author's web site to install the latest upgrade making it compatible with sp2...then installation of those a/v applications you mentioned would have gone forward without a hitch. But that was then...so now I believe we both are singing from the same sheet of music.

I just ran the recovery console that is included under my f10 key with my hp unit, and it recovered everything back to normal except for the removal/re-installation of a few programs. Should I run another hijack this log ?

...And now, since you've performed a reinstall (which by the way, is what a "system recovery" option with the HP systems does) your issue should now be defunct. You can post a fresh HijackThis log if you want so we can have a look.

Upon reinstallation of the O/S the first thing you should do is visit Windows Update. Why you are not receiving the sp2 update during the Windows Update scan may relate to your operating system being a new installation. You must first download the ActiveX control from the web site, which you did evidently, and after installing the critical updates presented, you should reboot and return to the Windows Update site. Rescan and install THOSE updates. Continue in this manner until you DO find the sp2 update. Post back your results. Thanks!


Sorry for the delay, hard at work. :angry:

Pulled Avira, which fixed the reboot problem, and then noticed that almost every time I would try and click on the Control Panel it would reset my browser. Since the reboot problem was fixed and I could access through normal boot mode, I installed Panda, which found a rootkit and a couple other things, and then I started trying to install sp2. I installed all the fixes and am now running on sp3 with all the fixes installed. Re-detected for vulnerabilities through Panda, and received an all clear. Outside of a couple conflicts and re-installations, everything is running smoother than ever.

Any advice?

Also, I had a couple questions regarding this whole mess.

Would HijackThis be able to detect if there was a change in my script/registry that would allow an Internet Explorer 7 hijack?

I thought I remembered seeing something regarding this when installing Internet Explorer 7 on the Panda pop-up that said something like Internet Explorer hijack, and asked if I would allow it script. I am not sure what was hit since the computer was rebooting and I just saw the tail end coming in the room, but was definitely interested in your educated answer.

Also, if somebody got ahold of the number on the bottom of my modem, what should I do?

THANKS A LOT for ALL YOUR HELP so far!!! :lol:


The several issues you mentioned that arose after your system recovery could have been avoided entirely. When YOU perform a system recovery using the option available with your unit, you should make sure to un-plug all of your peripherals except for your keyboard, monitor and mouse. This holds true if you were to use an installation CD to perform a reinstall.

Immediately after your fresh install (or recovery) you should do nothing before installing all of the microsoft updates.

Outside of a couple conflicts and re-installations, everything is running smoother than ever.

any advice ?

My advice would actually be to perform a fresh install...especially since you picked up a rootkit with this recovery. If you feel the system is secure and running the way you expect, I would create a restore point to reference should the need arise in the future. In addition, to this and in either case, I would certainly recommend that you keep mbam on board and scan with it often. If you are considering purchasing any type of security software in the future I would certainly suggest you consider purchasing the licensed version to take advantage of the real time protection and other configurable options available with the licensed version.

...I had a couple questions regarding this whole mess.

Would HijackThis be able to detect if there was a change in my script/registry that would allow an Internet Explorer 7 hijack?

Yes...HijackThis would show us the hijacked browser entry.

...if somebody got ahold of the number on the bottom of my modem, what should I do?

This question could be answered better if we knew what type of modem you are speaking of. Most often, dsl modems that are hard wired or connected by usb have no access by anyone other than the logged on user through that particular system. If you are speaking of a router/modem in use with a wireless connection, you undoubtedly would have created a secure password that will keep the pagans out.

On your next reply, please let us know if you are having any other issues. Thanks!


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
