So many problems......primarily Install issues

[Ried]

Startup Mechanic appears to be a Ok as well.

[champster2k6]

Hi Ried, are you about again?

[Ried]

Hi Lee--my sincere apologies for the delay.

I'm not finding anything here. Download gmer and unzip it to your desktop.

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here

Download GMER Rootkit Scanner from here or here.

--------------------------------------------

Let's try invoking Windows File Protection.

Click Start>Run and type in sfc /scannow (there is a space between sfc and /) and let it scan for missing/corrupt files. This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. If it finds any problems, it will prompt you for the Windows XP Install disc so have it handy.

[champster2k6]

Hi Ried, I've finally managed to get hold of an XP disc so I'll do these steps today and get back to you

[Ried]

Ok.

[champster2k6]

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-02 16:01:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84BF8B68 ZwAlertResumeThread
SSDT 84BF8C40 ZwAlertThread
SSDT 84C6CB70 ZwAllocateVirtualMemory
SSDT 84CA33F0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 84BF8278 ZwCreateMutant
SSDT 84CB1F30 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 84C00580 ZwFreeVirtualMemory
SSDT 84BF8420 ZwImpersonateAnonymousToken
SSDT 84BF86C0 ZwImpersonateThread
SSDT 84C3F8F8 ZwMapViewOfSection
SSDT 84BF7F30 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 84C00EE8 ZwOpenProcessToken
SSDT 84BFB468 ZwOpenThreadToken
SSDT 84C06BC0 ZwResumeThread
SSDT 84BFA200 ZwSetContextThread
SSDT 84BFCA20 ZwSetInformationProcess
SSDT 84BF98F8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 84BF79A8 ZwSuspendProcess
SSDT 84BF90B8 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 84BF9370 ZwTerminateThread
SSDT 84BFD138 ZwUnmapViewOfSection
SSDT 84C515C0 ZwWriteVirtualMemory
---- Processes - GMER 1.0.12 ----

Library C:\WINDOWS\system32\WTSAPI32.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [680] 0x76F50000
Library c:\windows\system32\WTSAPI32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x76F50000
Library C:\WINDOWS\system32\WTSAPI32.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [1760] 0x76F50000
Library C:\WINDOWS\System32\WTSAPI32.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2132] 0x76F50000
Library C:\WINDOWS\system32\WTSAPI32.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2772] 0x76F50000
Library C:\WINDOWS\system32\wtsapi32.dll (*** hidden *** ) @ C:\Program Files\MSN Messenger\msnmsgr.exe [3908] 0x76F50000

---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
File C:\Program Files\DAP\cabex.dll
File C:\Program Files\DAP\INSTALL.LOG
File C:\Program Files\DAP\license.txt
File C:\Program Files\DAP\privacy.txt
File C:\Program Files\HP\Digital Imaging\bin\hpotra08.rsc
File C:\Program Files\SpyCatcher 2006\lsplib.dll
File C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
File C:\WINDOWS\system32\aniServ.exe <-- ROOTKIT !!!
File C:\WINDOWS\system32\UAService7.exe <-- ROOTKIT !!!
File C:\WINDOWS\system32\uninstdivx.exe
File C:\WINDOWS\system32\wbem\wmiutils.dll
File C:\WINDOWS\system32\wtsapi32.dll

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32\aniServ.exe [AUTO] ANISERVICE <-- ROOTKIT !!!
Service C:\WINDOWS\system32\UAService7.exe [AUTO] UserAccess7 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----

Just doing the other bit now.

[Ried]

No--stop! You may have a rootkit. Let me research this a bit.

[champster2k6]

A rootkit, what's that

Stop the file protection thing?

[Ried]

Service C:\WINDOWS\System32\aniServ.exe [AUTO] ANISERVICE <-- ROOTKIT !!!
Service C:\WINDOWS\system32\UAService7.exe [AUTO] UserAccess7 <-- ROOTKIT !!!


You're ok--those belong to legit programs. Proceed with the sfc /scannow

[champster2k6]

So I don't have a rootkit?

I'm doing the scan now, its taking a while.

[Ried]

It should take about 15 or 20 minutes.

[champster2k6]

Ok, its just finished, nothing happened, it just ended and that's it

[Ried]

Try uninstalling Norton and ITunes using the Windows Installer Cleanup Utility. Follow the instructions given there.

Then try reinstalling your ITunes and Norton. If you still have issues, then I think you'd do best by following the advice given here regarding a Repair Install of Windows.

[champster2k6]

Ok, I'll get back to you.

[champster2k6]

Both are still not working Ried. I have completely uninstalled Norton and I have asked for a full refund. I am going to use a different anti-virus now. What ones do you recommened? Until I get my refund I will use a free antivirus and when I do get it I will pay for a full version. What are your recommendations?

Edit: I've found the files and downloaded Winamp. I'm going to use that in future.

I am going to try and repair Windows in a bit and see if that corrects my other issues (No system restore, error messages on startup and broken ATI driver).

I have attached another Hijack log to let you know the current situation.

What do you suggest to do now?


Logfile of HijackThis v1.99.1
Scan saved at 18:38:07, on 02/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/Cl.../OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123441493820
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

[Ried]

Hi Lee,

First order of business is to get an AV installed on this system.

Here are 3 very good free Antivirus products which are available:

• Avast!
• AVG

Or
Active Virus Shield (powered by Kaspersky) and save it to your desktop.

• Please remember to register for your Activation Code using a legitimate email address.
• Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process.

-------------------------------------------------------------

Once you've installed and updated an AV, there is still an active entry for Norton.

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that is active on your system. http://basconotw.mvps.org/SymRem.htm

-------------------------------------------------------------

Run a scan with HijackThis. 'Check' and click 'Fixed Checked' for this orphaned entry:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

[champster2k6]

Hello Ried.

I've installed AVG now and I'm using Winamp instead of iTunes. I've unistalled Norton and asked for my money back (used the Norton removal tool etc). I have an XP disc but its for a Dell laptop - is this a problem as I have a Toshiba. I don't know what difference this makes.

[Ried]

As long as you are using a Microsoft Windows XP Install disc, and not a Dell Recovery disc, you're fine.

[champster2k6]

On the disc it says:

Operating System - already installed on your computer. Reinstallation CD, microsoft windows XP 1a. Only use this CD to reinstall this software on a Dell computer.

[Ried]

Sorry, no. That is an OEM install disc and will place Dell specific drivers, etc onto your system which will just cause more problems.

You need to find a plain ol' Microsoft XP install disc.