Trying To Get Rid Of Virusburst--computer Now Stuck


34 replies to this topic

#1 ally1350


Posted 29 January 2007 - 11:00 AM

//Mod edit: To split HJT log away from post here > http://www.bleepingcomputer.com/forums/t/79251/trying-to-get-rid-of-virusburst-computer-now-stuck/

Thanks for the USB option to get HJT log.

It took awhile but the log is below.

I did not understand the part of your post about EDIT, COMPLETE EDIT, etc.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:42 AM, on 1/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\ssstars.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LMPDPSRV] D:\English\Win2000\LMpdpsrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by KoanYorel, 29 January 2007 - 11:17 AM.




#2 Papakid


  • Malware Response Team

Posted 05 February 2007 - 01:35 PM

Hi ally1350,

Sorry for the delay. I see one process that may indicate an infection. You also have processes from two different antiviruses that could be causing the problems you describe as well. My guess is that Norton was unsuccessfully uninstalled as it left one process behind that is still running, and there are usually many more when it is properly installed and used. Can you confirm this and that Panda is what you are using now?

Please go here and perform step six. You'll have to transfer the file over to the affected computer. Let me know if you have any problem with running Stinger, and I also want you to run Sysclean.

Use the following instructions to get the Sysclean folder set up properly, then transfer it to your USB drive or whatever you use and then move the SysClean folder to the hard drive of the affected system. Make sure you run it in safe mode and post the log back here when done:


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Also while on the affected computer, I need to see a couple more logs from HijackThis:

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

Now hit the Back button, do a new scan and post a fresh HijackThis log along with the other logs I've asked for.

And one question: Are you on a dialup connection?


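The two-vendor overlap Papakid points out can be checked mechanically rather than by eye. The script below is an added example for this thread, not a BleepingComputer or HijackThis tool: it parses a HijackThis v1.99 log into its "Running processes" block and its R/O entry lines, then reports when processes or O23 services from more than one antivirus vendor are active at the same time. The vendor keyword table is an assumption made for the example and only lists vendors that appear in this thread's log; the sample input is a constructed excerpt of the log posted above.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; it is not a BleepingComputer or HijackThis
tool. It parses the 'Running processes' block and the R/O entry lines of a
HijackThis log and reports when processes or O23 services from more than
one antivirus vendor are active at the same time (the Norton/Panda overlap
noted in the thread). The vendor keyword table is an assumption made for
the example and only lists vendors that appear in this thread's log.
"""
import re
from collections import defaultdict

# Assumed vendor keywords, matched case-insensitively against process paths
# and O23 service paths. Extend this table for other products.
AV_VENDORS = {
    "Symantec/Norton": ("navnt", "symantec", "norton"),
    "Panda": ("panda",),
}

# HijackThis entry lines look like 'O23 - Service: ...' or 'R0 - HKCU\...'
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt_log(text):
    """Return (processes, entries): the running-process paths and a dict
    mapping entry kind (e.g. 'O4', 'O23') to the list of entry bodies."""
    processes = []
    entries = defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return processes, dict(entries)


def services(entries):
    """Split O23 bodies ('Service: <name> - <vendor> - <path>') into tuples."""
    out = []
    for body in entries.get("O23", []):
        if not body.startswith("Service: "):
            continue
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) == 3:
            out.append(tuple(parts))
    return out


def active_av_vendors(processes, entries):
    """Map each known vendor to the process and service paths attributed to it."""
    hits = defaultdict(set)
    paths = processes + [path for _, _, path in services(entries)]
    for path in paths:
        low = path.lower()
        for vendor, keys in AV_VENDORS.items():
            if any(k in low for k in keys):
                hits[vendor].add(path)
    return dict(hits)


def triage(text):
    """Summarise a log: counts per section plus the multi-vendor flag."""
    procs, entries = parse_hjt_log(text)
    vendors = active_av_vendors(procs, entries)
    return {
        "process_count": len(procs),
        "autoruns": len(entries.get("O4", [])),
        "services": len(entries.get("O23", [])),
        "av_vendors": sorted(vendors),
        "av_conflict": len(vendors) > 1,
    }


# Constructed excerpt of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```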

#3 ally1350

  • Topic Starter


Posted 05 February 2007 - 01:39 PM

Thanks for the response.

To answer your question quickly...I am using Norton and NOT using Panda. I deleted Panda but some remnants must still be around.

I will work on the rest ASAP.

Ally1350

#4 ally1350

  • Topic Starter


Posted 05 February 2007 - 04:46 PM

To answer the other question (I missed)....I am using a cable connection.

Just so you know---Stinger was run in Safe Mode and there were no problems running it.
==============

Here are the logs you asked for:

Sysclean:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-05, 11:45:49, Auto-clean mode specified.
2007-02-05, 11:45:49, Running scanner "G:\Sysclean\TSC.BIN"...
2007-02-05, 11:46:56, Scanner "G:\Sysclean\TSC.BIN" has finished running.
2007-02-05, 11:46:56, TSC Log:

Damage Cleanup Engine (DCE) 5.0(Build 1107)
Windows 2000(Build 2195: Service Pack 4)

Start time : Mon Feb 05 2007 11:45:52

Load Damage Cleanup Template (DCT) "G:\Sysclean\tsc.ptn" (version 834) [success]

Complete time : Mon Feb 05 2007 11:46:56
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-02-05, 11:47:29, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-05, 11:47:38, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:47:37
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
2007-02-05, 11:47:38, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:47:37
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
2007-02-05, 11:47:38, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:47:37
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
2007-02-05, 11:47:38, Scanner "G:\Sysclean\VSCANTM.BIN" has finished running.
2007-02-05, 11:47:38, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-05, 11:48:23, Auto-clean mode specified.
2007-02-05, 11:48:23, Running scanner "G:\Sysclean\TSC.BIN"...
2007-02-05, 11:49:19, Scanner "G:\Sysclean\TSC.BIN" has finished running.
2007-02-05, 11:49:19, TSC Log:

Damage Cleanup Engine (DCE) 5.0(Build 1107)
Windows 2000(Build 2195: Service Pack 4)

Start time : Mon Feb 05 2007 11:48:24

Load Damage Cleanup Template (DCT) "G:\Sysclean\tsc.ptn" (version 834) [success]

Complete time : Mon Feb 05 2007 11:49:19
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-02-05, 11:49:22, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-05, 11:52:28, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:49:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=G:\Sysclean

2007-02-05, 11:52:28, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:49:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=G:\Sysclean

2007-02-05, 11:52:28, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 11:49:23
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=G:\Sysclean

2007-02-05, 11:52:28, Scanner "G:\Sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-05, 12:25:04, Auto-clean mode specified.
2007-02-05, 12:25:04, Running scanner "G:\Sysclean\TSC.BIN"...
2007-02-05, 12:26:10, Scanner "G:\Sysclean\TSC.BIN" has finished running.
2007-02-05, 12:26:10, TSC Log:

Damage Cleanup Engine (DCE) 5.0(Build 1107)
Windows 2000(Build 2195: Service Pack 4)

Start time : Mon Feb 05 2007 12:25:07

Load Damage Cleanup Template (DCT) "G:\Sysclean\tsc.ptn" (version 834) [success]

Complete time : Mon Feb 05 2007 12:26:10
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-02-05, 12:26:38, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-05, 13:05:21, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 12:26:44
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=G:\Sysclean

38027 files have been read.
38027 files have been checked.
35915 files have been scanned.
60536 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/5/2007 13:05:21
---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-05, 13:05:21, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 12:26:43
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL %2
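The Sysclean log above holds three separate runs, and Papakid's instructions describe the Files Detected / Files Clean / Clean Fail sections a helper reads. The script below is an added example for this thread, not a Trend Micro tool: it splits a sysclean.log into runs and summarises each one, separating a user-stopped run from one that never reached the VSCANTM file-count summary and from one that completed. The sample input is a constructed excerpt of the runs posted above.

```python
"""Summariser for Trend Micro Sysclean (sysclean.log) output.

Added example for this thread; not a Trend Micro tool. It splits the log
into runs (one per 'Auto-clean mode specified.' line), then reports for
each run the Damage Cleanup Engine counters, the VSCANTM file counts,
any access-denied paths, and whether the run was aborted or never reached
the file-count summary. The sample excerpt is constructed from the runs
posted in the thread.
"""
import re

RUN_START = "Auto-clean mode specified."
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}), ")
DCE_RE = re.compile(
    r"Execute pattern count\((\d+)\), Virus found count\((\d+)\), "
    r"Virus clean count\((\d+)\), Clean failed count\((\d+)\)")
SCANNED_RE = re.compile(r"^(\d+) files have been scanned\.$")
INFECTED_RE = re.compile(r"^(\d+) files containing viruses\.$")
DENIED_RE = re.compile(r'An error was detected on "([^"]+)": Access is denied')


def split_runs(text):
    """Group log lines into one list per Sysclean run."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(RUN_START):
            runs.append([])
        if runs:
            runs[-1].append(line)
    return runs


def summarise_run(lines):
    """Reduce one run to the counters a helper looks at first."""
    s = {"started": None, "dce_found": None, "dce_clean_failed": None,
         "files_scanned": None, "files_infected": None,
         "access_denied": [], "aborted": False}
    for line in lines:
        m = TS_RE.match(line)
        if m and s["started"] is None:
            s["started"] = m.group(1)
        if line.endswith("The user stopped the operation."):
            s["aborted"] = True
        m = DCE_RE.search(line)
        if m:
            s["dce_found"] = int(m.group(2))
            s["dce_clean_failed"] = int(m.group(4))
        m = SCANNED_RE.match(line)      # skips the '(including files in archived)' line
        if m:
            s["files_scanned"] = int(m.group(1))
        m = INFECTED_RE.match(line)
        if m:
            s["files_infected"] = int(m.group(1))
        m = DENIED_RE.search(line)
        if m:
            s["access_denied"].append(m.group(1))
    # A run only counts as complete when VSCANTM wrote its file-count summary.
    if s["aborted"]:
        s["status"] = "aborted"
    elif s["files_scanned"] is not None:
        s["status"] = "complete"
    else:
        s["status"] = "incomplete"
    return s


def summarise_log(text):
    """Summaries for every run in the log, in order."""
    return [summarise_run(run) for run in split_runs(text)]


# Constructed excerpt of the three runs posted in this thread.
SAMPLE_LOG = r"""
2007-02-05, 11:45:49, Auto-clean mode specified.
2007-02-05, 11:45:49, Running scanner "G:\Sysclean\TSC.BIN"...
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)
2007-02-05, 11:47:29, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-05, 11:47:38, Scanner "G:\Sysclean\VSCANTM.BIN" has finished running.
2007-02-05, 11:47:38, The user stopped the operation.

2007-02-05, 11:48:23, Auto-clean mode specified.
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)
2007-02-05, 11:52:28, Scanner "G:\Sysclean\VSCANTM.BIN" has finished running.

2007-02-05, 12:25:04, Auto-clean mode specified.
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)
2007-02-05, 12:26:38, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-05, 13:05:21, Files Detected:
38027 files have been read.
35915 files have been scanned.
60536 files have been scanned. (including files in archived)
0 files containing viruses.
Stop At : 2/5/2007 13:05:21
"""

if __name__ == "__main__":
    for run in summarise_log(SAMPLE_LOG):
        print(run["started"], run["status"], run)
```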

#5 ally1350

  • Topic Starter


Posted 05 February 2007 - 04:54 PM

Last post did not go through completely:


#6 ally1350

  • Topic Starter


Posted 05 February 2007 - 04:58 PM

Last reply did not go through completely so I will send 2 separate posts:

HIJACK LOG


Logfile of HijackThis v1.99.1
Scan saved at 1:16:50 PM, on 2/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Al Pearce\Desktop\HijackThis.exe
C:\WINNT\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LMPDPSRV] D:\English\Win2000\LMpdpsrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#7 ally1350

  • Topic Starter


Posted 05 February 2007 - 05:01 PM

2nd reply:

STARTLIST:

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
AI RoboForm (All Users)
Apple Software Update
ATI Win2k Display Driver
AVG Anti-Spyware 7.5
AXIS Media Control
BeTheDealer Casino
CCleaner (remove only)
CleanUp!
Command On Demand for Command Software
eFax Messenger Plus
GdiplusUpgrade
HijackThis 1.99.1
Hotfix for MDAC 2.80 (KB911562)
HP Software Update
Interactive User's Guide
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 10
LiveUpdate 1.6 (Symantec Corporation)
MeritLine EZ Label Pro - EZ Burn
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MSXML 6.0 Parser
My DSC
Nero
NeroMediaPlayer
Norton AntiVirus Corporate Edition
Norton Spyware Scan provided by Yahoo!
Outlook Express Quick Backup
overland
Panda Antivirus 2007
QuickTime
RealPlayer
ScanModule V5.1
Spyware Doctor 4.0
SpywareBlaster v3.5.1
SpywareGuard v2.2
UBT
Update Rollup 1 for Windows 2000 SP4
VIAhm
ViewAhead Photo Center
WebEx
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player system update (9 Series)
WinZip
XMLplayer
Yahoo! Toolbar for Internet Explorer
ZoneAlarm



SYSCLEAN LOG:
Virus Pattern Version : 247 (155673 Patterns) (2007/02/05) (424700)
Command Line: G:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=G:\Sysclean

2007-02-05, 11:52:28, Scanner "G:\Sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-05, 12:25:04, Auto-clean mode specified.
2007-02-05, 12:25:04, Running scanner "G:\Sysclean\TSC.BIN"...
2007-02-05, 12:26:10, Scanner "G:\Sysclean\TSC.BIN" has finished running.
2007-02-05, 12:26:10, TSC Log:

Damage Cleanup Engine (DCE) 5.0(Build 1107)
Windows 2000(Build 2195: Service Pack 4)

Start time : Mon Feb 05 2007 12:25:07

Load Damage Cleanup Template (DCT) "G:\Sysclean\tsc.ptn" (version 834) [success]

Complete time : Mon Feb 05 2007 12:26:10
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed cou

#8 ally1350 (Topic Starter, Members, 87 posts)

Posted 05 February 2007 - 05:15 PM

Sorry, I do not know what happened with the last few posts....started to get....'page can not be displayed'.

You should have a good Hijack log and Startup list log.

Let me know what you want me to re-send.


Ally1350

#9 Papakid (Guru at being a Newbie, Malware Response Team, 6,638 posts)

Posted 05 February 2007 - 10:56 PM

OK, SysClean didn't find anything, but it looks like you didn't move the SysClean folder to the hard drive. You need to copy that folder from your transfer drive to your C:\ drive before you run it. Try it again and if it finds anything post a new log.

You say you "deleted" Panda. Could you tell me how you did that exactly? Your log looks like it is all still there and the uninstall entry is still in Add/Remove. Always uninstall software, especially security software. Go to this page and follow those instructions exactly. In sum, use the uninstaller from the Start menu first, then see if the Add/Remove entry is still there. If so, try uninstalling through Add/Remove. If still there after a reboot, run the uninstaller from the page I linked you to.

Then see if you can get on the net and post back a fresh HijackThis log.

One program in your Add/Remove list I'm not familiar with--do you recognize it and can you tell me what it is?

overland

Also the following is unknown as far as being bad or not. Most of these poker and casino games are associated with some dodgy people and if nothing else can lead to infection. Some are installed along with malware without the user's knowledge or consent. If you don't use it, uninstall it, and if you do, consider it.

BeTheDealer Casino


If uninstalling Panda doesn't fix the problem, we'll look into some other things. But one more question for now: You say this began when you were removing VirusBurst. Were you using one of BC's self-help guides? There is this one: How To Remove Virusburst (removal Instructions)
And then there are another couple of variants spelled a bit differently here: How To Remove Virusburster Or Virusbursters (removal Instructions)

Different tools are used in the two guides and if there is a problem with one of them we need to know so it can be corrected. So let me know which guide (if any) and what tool was used, or if you used the manual method.

The thing about people

is they change

when they walk away.--Mipso


#10 ally1350 (Topic Starter, Members, 87 posts)

Posted 06 February 2007 - 02:49 AM

To answer your question while I am waiting for the logs:

As far as deleting Panda....I can not remember exactly but I think I went to Add/Remove and tried to remove it that way but a box came up and said there were a couple of DLL files missing and it could not complete the uninstall. Next I went to Programs and right clicked and tried to delete it. Then I went to the C: drive and deleted the folder.
I think that is all I did.

I did follow the link you gave me in the last post to eliminate Panda and that has been done.

As far as "Overland"....I have no idea what it is and it does not show up on my add/remove page so I am not sure how to delete it.

As far as "Be the Dealer Casino"....I deleted it.

Some good news....I disconnected Norton and I can now get onto the internet and I am re-running SysClean and I will also send a new Hijackthis Log.

Thanks for the help!!!!!!!!!!!!!

#11 ally1350 (Topic Starter, Members, 87 posts)

Posted 06 February 2007 - 10:27 AM

To answer the other question I missed....When I was trying to eliminate 'virusburst'.....yes I did use the BC link. I did a search on Google for virusburst and came up with:

http://www.bleepingcomputer.com/forums/t/63896/how-to-remove-virusburst-removal-instructions/

When I got down to loading Panda it did not load completely and that is when I started with my problems.

Things are starting to look much better....you are the "wizard"

I might have a couple of question on my HIJACKTHIS log after I see what you want me to fix.

===========

LOGS:

SYSCLEAN:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-05, 23:36:32, Auto-clean mode specified.
2007-02-05, 23:36:32, Running scanner "C:\Sysclean\TSC.BIN"...
2007-02-05, 23:36:45, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2007-02-05, 23:36:45, TSC Log:

2007-02-05, 23:37:12, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-06, 00:15:20, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 23:37:18
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 249 (155745 Patterns) (2007/02/05) (424900)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

37203 files have been read.
37203 files have been checked.
35161 files have been scanned.
59783 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/6/2007 00:15:20
---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-06, 00:15:20, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 23:37:18
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 249 (155745 Patterns) (2007/02/05) (424900)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

37203 files have been read.
37203 files have been checked.
35161 files have been scanned.
59783 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/6/2007 00:15:20 37 minutes 47 seconds (2266.76 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-06, 00:15:20, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 2/5/2007 23:37:18
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 249 (155745 Patterns) (2007/02/05) (424900)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

37203 files have been read.
37203 files have been checked.
35161 files have been scanned.
59783 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/6/2007 00:15:20 37 minutes 47 seconds (2266.76 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-06, 00:15:20, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.


================


HIJACK LOG:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:04 AM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Al Pearce\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LMPDPSRV] D:\English\Win2000\LMpdpsrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#12 Papakid (Guru at being a Newbie, Malware Response Team, 6,638 posts)

Posted 06 February 2007 - 02:49 PM

OK, SysClean still didn't find anything--that's good, just wanted to check.

Glad to hear you were able to get back on the net. Having to disable Norton to do it confirms my suspicion of what the main problem is, but it is not a good idea to surf around unprotected. It must not be working properly either, so we need to get you properly protected before we go much further. Probably both of your antivirus (AV) programs got borked and may have borked some of your system as well. As much as they are necessary, the more popular commercial AVs are especially complex and can cause problems on their own that mimic infection symptoms, and most of them don't uninstall without a removal tool. Norton is the worst at this and even with the removal tool I still often see some processes left behind.

So you have two choices here;

1. Uninstall Norton and then reinstall it. Reboot the system in between, then test to see if it is still blocking internet access.

2. Uninstall Norton and then install a free AV long enough for us to get everything straightened out and if it allows you to get on the net. You can change back later if you like.

Personally, I would recommend the latter, and you may find you are better off without Norton. Either way, you will need to uninstall Norton, but since you are running the Corporate Edition for now let's just try the first option. Because you just about have to use Norton's removal tool in this situation, but it is designed for personal editions--it might work for the Corporate, too, but I haven't found the documentation for it yet. Manual removal is pretty complex and has you rooting around in the registry, which I would like to avoid. This page seems to fit what you have installed, so you can see what I mean: http://service1.symantec.com/SUPPORT/ent-s...lg=en&ct=us

But that is for version 7.5 and 7.6. These instructions seem to be version dependent. If you can post back what version of Norton you are using, I can see if I can find the correct document for you. To determine the version, open Norton and click Help and About.

So for now, go off-line (disconnect the cable), disable Norton, disable Zone Alarm, go to Add/Remove and uninstall Norton. Reboot, then install it again. See if you can get online, then post back how it goes. If you get stuck at any point or have any questions let me know. I would suggest you backup any important data before starting the process.

Then you have one process left over from Panda that HijackThis should be able to fix.

Scan again with HijackThis and put a check next to the following:

O20 - Winlogon Notify: avldr - avldr.dll (file missing)

Make sure your browser and all other windows are closed and then click FixChecked. Reboot and then post a fresh log.

There are some other things to look into, sorry it's taken so long to post this but I've been distracted a bit today and I won't be back after posting this til later this evening.

The thing about people

is they change

when they walk away.--Mipso

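The log-reading step above (find the orphaned O20 entry, then fix it) can be automated for triage. This is an added example, not code from the thread or from HijackThis: it parses lines in the HijackThis v1.99.1 format, flags any autostart registration whose target HijackThis reports as "(file missing)", and cross-checks which O23 services actually appear in the "Running processes" list. The sample log is constructed from the kinds of entries posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 log format, modelled on the kinds of
# entries that appear in this thread (this is not the full log from the post).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:20:04 AM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class HjtEntry:
    """One 'Rn - ...' or 'Onn - ...' line, split on the ' - ' field separator."""
    section: str      # e.g. "O20"
    raw: str          # everything after "O20 - "
    parts: List[str]  # raw split on " - "


@dataclass
class HjtReport:
    header: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    entries: List[HjtEntry] = field(default_factory=list)


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt_log(text: str) -> HjtReport:
    """Split a HijackThis log into header lines, running processes and entries."""
    report = HjtReport()
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            section, raw = m.group(1), m.group(2)
            report.entries.append(HjtEntry(section, raw, raw.split(" - ")))
        else:
            report.header.append(line)
    return report


def triage(report: HjtReport) -> List[Tuple[str, str, str]]:
    """Return (severity, section, entry) tuples for entries that need fixing.

    The single rule encoded here is the one applied in the thread: an autostart
    registration that still points at a file no longer on disk (HijackThis
    prints "(file missing)") is an orphan left behind by an uninstall.
    """
    findings = []
    for e in report.entries:
        if "(file missing)" in e.raw:
            findings.append(("FIX", e.section, e.raw))
    return findings


def services_not_running(report: HjtReport) -> List[str]:
    """Paths of O23 services whose binary is absent from the running-process list.

    A registered service that is not running is not by itself a sign of
    infection, but it shows which O23 lines are live right now and which are not.
    """
    running = {p.lower() for p in report.processes}
    missing = []
    for e in report.entries:
        if e.section == "O23" and len(e.parts) >= 3:
            path = e.parts[-1]  # last field is the service binary
            if path.lower() not in running:
                missing.append(path)
    return missing


if __name__ == "__main__":
    rep = parse_hjt_log(SAMPLE_LOG)
    for sev, sec, raw in triage(rep):
        print(f"{sev} {sec} - {raw}")
    for path in services_not_running(rep):
        print(f"not running: {path}")
```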

#13 ally1350 (Topic Starter, Members, 87 posts)

Posted 06 February 2007 - 03:09 PM

Using Norton Version: 7.60.926

Working on the rest of the things from your last post.

Ally1350

#14 ally1350 (Topic Starter, Members, 87 posts)

Posted 06 February 2007 - 03:50 PM

Disconnected Zone Alarm and Uninstalled Norton per your last post.

Connected Zone Alarm and reinstalled Norton (including updating virus definitions and scheduled daily scans)

No problems....able to get email and get onto the internet.

On HIJACK I deleted/fixed the line you requested in your last post.

Questions about HIJACK LOG:
Do you have any thought on the following (are they OK or should they be "fixed"):

02 - BHO: (no name) etc., etc.
03 - Toolbar: @msdxmLC.dll@1033&Radio - etc., etc.

One thing that I noticed when I was able to get back onto the internet....I have Internet Explorer 5 installed instead of IE 6. When I try to update it says something about another upgrade is in the process and the computer needs to be rebooted. After I reboot the same thing happens when I try to install IE 6----Any thoughts?

===============
New HIJACK LOG:


Logfile of HijackThis v1.99.1
Scan saved at 12:33:17 PM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Documents and Settings\Al Pearce\Desktop\HijackThis.exe
C:\WINNT\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LMPDPSRV] D:\English\Win2000\LMpdpsrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#15 Papakid (Guru at being a Newbie, Malware Response Team, 6,638 posts)

Posted 06 February 2007 - 10:27 PM

OK, cool, you got your internet back. :thumbsup:

Not sure what is going on with IE6 and sorry I missed seeing you only had IE 5 installed. IE 5 is much more vulnerable to infections. If you can write down the exact message you get I can better help find out the cause.

And it sounds like you are installing through Windows Update. Can you confirm that? I believe you would have a better chance at a successful install if you downloaded the setup files, saved them to disk and tried installing with AV and firewall shut down. You can download (or order the CD) Microsoft Internet Explorer 6 SP 1 from here: http://www.microsoft.com/downloads/details...;DisplayLang=en

After you have shut down your security software (including SpywareDoctor), first look in Add/Remove and see if there is an entry for Microsoft Internet Explorer 6 SP 1 and uninstall it if so. Reboot, install from the setup files as per the instructions on the download page, reboot again and if all goes well, re-enable your security apps before going back online.

BTW, after re-reading your posts, I believe I see what happened and it's not a problem with the removal tools for Virusburst. Somehow you installed the full AV application that gummed up the works instead of using the online scanner.

Your HijackThis log shows no signs of malware, but it doesn't show all leftover bad files, only processes and registry entries that start programs running--and not all of those. The Panda online scanner will help clean up leftovers. We can forgo it til we see if IE gets straightened out--there are other ways to clean up and check for leftovers or what may still be lurking.

Questions about HIJACK LOG:
Do you have any thought on the following (are they OK or should they be "fixed"):

02 - BHO: (no name) etc., etc.
03 - Toolbar: @msdxmLC.dll@1033&Radio - etc., etc.

Those are fine.

For the (no name), the programmer just neglected to fully write out the registry code, but it doesn't hurt anything.

The 03 allows IE to play internet radio: http://www.microsoft.com/windows98/usingwi...03Mar/radio.asp

I would like to see IE upgraded first, but when you get the time do the following:

1. I see you have AVG AntiSpyware installed. Upgrade it, boot into safe mode and run a scan and post back the log. Here is the standard set of instructions--just ignore the downloading and other parts you have already done and run it this way.

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

2. Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

overland

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply along with the new HijackThis log.

The thing about people

is they change

when they walk away.--Mipso
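Added example (not code from this thread, from Papakid, or from HijackThis itself): the helper's point above is that a HijackThis log only lists the registry entries and services that start programs, and that an entry such as a "(no name)" BHO is not suspicious by itself, while the file path behind an entry is what deserves a look. The script below parses the O2 (BHO), O3 (toolbar), O4 (autostart) and O23 (service) line formats seen in such logs into fields and attaches review flags: an unnamed entry, a missing file, or a file outside the usual Windows/Program Files directories. The sample log lines are constructed (the O23 line mirrors the one in this thread; the CLSIDs are placeholders), and the list of "expected" directories and the flag names are assumptions chosen for the example, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. The O23 line is the one posted in the thread; the O2,
# O3 and O4 lines are made up in the same formats, with placeholder CLSIDs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll@1033&Radio - {00000000-0000-0000-0000-000000000002} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
""".strip()

# Assumption for this example: directories where autostart/service binaries
# normally live on a Windows 2000/XP box. Anything elsewhere gets a flag so a
# human reviews it; the flag is a prompt, not a verdict.
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One regex per HijackThis section handled here (field layout as in the log).
PATTERNS: Dict[str, re.Pattern] = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<company>.*?) - (?P<path>.*)$"),
}


@dataclass
class Entry:
    kind: str          # O2, O3, O4 or O23
    name: str          # display name as shown in the log
    path: str          # file that gets loaded/started
    raw: str           # the original log line
    clsid: str = ""    # O2/O3 only
    company: str = ""  # O23 only
    short: str = ""    # O23 service short name


def parse_hjt(text: str) -> List[Entry]:
    """Turn the recognised O2/O3/O4/O23 lines of a log into Entry objects."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(kind=kind, name=g.get("name", ""), path=g.get("path", ""),
                                     raw=line, clsid=g.get("clsid", ""),
                                     company=g.get("company", ""), short=g.get("short", "")))
                break
    return entries


def flags_for(entry: Entry) -> List[str]:
    """Review flags for one entry (heuristics assumed for this example)."""
    flags: List[str] = []
    if entry.name.strip().lower() in ("", "(no name)"):
        flags.append("unnamed")            # harmless by itself; check the path
    path = entry.path.strip().strip('"')
    if path == "" or path.lower() == "(no file)":
        flags.append("no-file")            # registry points at nothing: leftover
    elif not path.lower().startswith(TRUSTED_PREFIXES):
        flags.append("unusual-location")   # e.g. a temp or profile directory
    if entry.kind == "O23" and entry.company.strip().lower() in ("", "unknown owner"):
        flags.append("no-company")
    return flags


def report(text: str) -> List[str]:
    """One summary line per parsed entry, flags last, for pasting back into a reply."""
    return [f"{e.kind} {e.name!r} -> {e.path}  [{', '.join(flags_for(e)) or 'ok'}]"
            for e in parse_hjt(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run stand-alone it prints one line per entry; the constructed O2 line comes out flagged "unnamed" only (its file sits under Program Files), the O3 and O23 lines come out "ok", and the constructed O4 line is flagged "unusual-location" because it starts a program from a Temp directory, which is the sort of path a reviewer would want explained rather than an unnamed BHO.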
