Tech Support banner

Status
Not open for further replies.
1 - 8 of 8 Posts

·
Registered
Joined
·
13 Posts
Discussion Starter · #1 ·
You guys are gonna hate me over here, but no sooner did i get done with the excellent instructions to fix my sisters computer a couple of hours ago, my brothers computer goes down with a virus. I hope i have not worn out my welcome, as your guys help is excellent. Here is the problem. I couple of days ago the realtime protecter from f-prot antivirus detected a virus in the aim.exe file of his windows XP machine. He does not remember the exact name of the virus. When a virus scan was run using f-prot antivirus the virus was deteceted in the aim.exe file, but it was unable to disinfect or delete the virus. Following directions from the f-prot website he tried to boot the computer into safe mode with command prompt and run the virus scan from there. Not rembering that his usb keyboard wouldnt be able to boot into safe mode by pressing f8 with out enabling it to in bios, he couldnt figure out why he couldnt get into the safe mode menu. He then went into msconfig in windows and tried to boot it that way. It was here that it was discovered that there was no boot tab in the msconfig window. So he started to mess with the boot in diagnostic start up and selective start up. Upon doing this the computer booted and the theme had changed to windows classic and there were no network options and he got runtime errors for windows intellimouse and keyboard. He then hooked up his old keyboard through a ps2 conection and was able to boot into safe mode and run the virus scan and it detected and deleted the aim.exe file which contained the virus. The problem now is that the computer seems to be stuck in some kind of diagnostic mode. There is no internet access and no options of any of his networking hardware in my network places. The theme of the computer is still in windows classic, you are not able to access the help and support menu and also when i went into the decive driver menu nothing showed up at all. He still gets the runtime errors for the intellimouse and keyboard upon start up also. The general tab in msconfig is set on normal startup. i was able to run hijackthis off a disc as i thought this might help. The following is the log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:25:24 PM, on 9/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\WINDOWS\system32\sstray.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\FSI\F-Prot\F-Sched.exe
F:\Program Files\FSI\F-Prot\F-StopW.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] F:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] F:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - https://stores.musictoday.com/store/nugs.net/MTNugsActiveX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4


End of KRC HijackThis Analyzer Log.
====================================================================

Any suggetions or help with analyzing this log would be of great help.
Thanks in advance
Joel
 

·
Premium Member
Joined
·
14,311 Posts
Is the computer in safe mode now or normal mode?

Uninstall Viewpoint via the Add/Remove panel.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Restart your computer. Post the logs for HijackThis and Ewido.
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #3 · (Edited)
Thanks for the quick reply and the help. The system is not in safe mode, it is in normal mode. I performed the scans and here are the ewido and hjt logs.
ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:36:02 AM, 9/18/2005
+ Report-Checksum: F3EF5D6A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1614895754-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-1614895754-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1614895754-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410CDE-6F16-42CE-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
F:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
F:\WINDOWS\Downloaded Program Files\AktiveSekurity.ocx -> Not-A-Virus.VirTool.Collector : Cleaned with backup
F:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

HJT log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:41:53 AM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\userinit.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\WINDOWS\system32\sstray.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\FSI\F-Prot\F-Sched.exe
F:\Program Files\FSI\F-Prot\F-StopW.EXE
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [type32] "F:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] F:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] F:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "F:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - https://stores.musictoday.com/store/nugs.net/MTNugsActiveX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{142C464F-B00F-425C-B3B6-05312EFC0596}: NameServer = 63.240.76.4,204.127.198.4
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Unfortunatly this made no change in how the system is running. There is still no internet conncetion and when i open my network connections it is empty. When i open device manager it is absolutly blank. The theme is classic windows and that was not what it used to be. When you try to open help and support it gives the following message: Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named "help and support".
i dont know how to do this. It also still gets the two runtime errors that i posted about in the previous post. It is like the computer is in safe mode, but not really in safe mode. Thanks for the help so far. looking forward to hearing back. Thanks, Joel
 

·
Registered
Joined
·
6,574 Posts
Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

(if nothing begins to change you may want to consider a System Restore, and we'll clean the system from there.)
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #5 ·
Thanks for the help, unfortunatly it wont let me run system file checker, it says it cant find the files to run it. I tried a system restore but that didnt work either. Apparently system restore was disabled to run the virus scan in safe mode with command prompt. I dont know what to do actually, unless any of you guys have any suggestions i think i may just reformat and reinstall XP and start new. The help from you guys is much appreciated though.
Thanks, Joel
 

·
Registered
Joined
·
6,574 Posts
Hi Joel,

I think a re-format would be best, Windows is missing files it needs. Without knowing exactly which ones, an attempt at restoring the system would be a losing battle, IMO.

If you choose to reformat, make sure that you are protected with Antivirus, Firewall and Antipsyware. Make sure that Windows is up to date with the latest Service Packs and Patches.

G'luck.
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #7 ·
Thanks poadb. What antispyware would you suggest using? I have always just scanned with adaware SE periodically, but im not sure that is enough. Thanks for all of your guys help here, I greatly appreciate it.
Joel
 
1 - 8 of 8 Posts
Status
Not open for further replies.
Top