View Full Version : Laptop Malware Woes



FlashGal
2006-11-21, 23:19
Hi All!
The initial scans showed over 900 instances of malware. I've been using Spybot, Norton Antivirus, and AdAware (Safe Mode). I've visited the Symantec site for their info to verify removal. I've repeatedly deleted all Temporary Internet Files and Cookies, but the same ones keep showing up. The built-in Administrator account was corrupted and wouldn't load. I've run Windows Defender and Microsoft Malicious Software tool (something there but couldn't remove it). I keep getting hits for the W32.Mixor worm on Norton AV even though it appeared to have been removed successfully. I'm really desperate here so I appreciate all the help I can get! I've run HiJackThis and the Panda scan; however, the Panda scan bombed about halfway through when something attempted to create a new profile. Sorry for the long post. Here's the first scan (post size restrictions).

Logfile of HijackThis v1.99.1
Scan saved at 11:59:09 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.usaa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {36CCD59A-8179-C65D-23CE-03A6AA6C0FDC} - C:\WINDOWS\System32\aanghtj.dll (file missing)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\ALLISO~1\LOCALS~1\Temp\tunksid.dat (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [cmdwave] C:\WINDOWS\assembly\temp\cmdwave.exe
O4 - HKLM\..\Run: [*cmdwave] C:\WINDOWS\assembly\temp\cmdwave.exe
O4 - HKLM\..\Run: [*apodbc] C:\WINDOWS\Fonts\apodbc.exe
O4 - HKLM\..\Run: [*runwms] C:\WINDOWS\Tasks\runwms.exe
O4 - HKLM\..\Run: [*scom] C:\WINDOWS\system\scom.exe
O4 - HKLM\..\Run: [*disknut] C:\WINDOWS\Fonts\disknut.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poth_x.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Courseware\players\full\awswaxf.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163797315873
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141415430201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

FlashGal
2006-11-22, 02:17
When I thought the PC was clean, I had tried to install the Win XP SP2 updates, but it was a no go. Spybot, with the latest updates, is running clean, except for a Microsoft.WindowsSecurityCenter.FirewallDisableNotify (using Symantec Client firewall).
Here's what I got from the Panda scan:

Incident / Status / Location

Adware:adware/sidestep Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Admin\Cookies\admin@2o7[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Admin\Cookies\admin@doubleclick[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@112.2o7[2].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@2o7[2].txt

Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@abetterinternet[1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@atwola[2].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@cgi-bin[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@com[2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@go[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@rn11[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@target[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@www.burstbeacon[2].txt

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@adultfriendfinder[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@atwola[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@kount[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@smni[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@webpower[1].txt
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\Mark Wade\Application Data\Install.dat

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@2o7[2].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@abetterinternet[1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@atwola[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@cgi-bin[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@com[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@go[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@rn11[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@target[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@www.burstbeacon[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@adultfriendfinder[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@atwola[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@kount[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@smni[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Earthlink\6.0\amwade@earthlink.net\Cookies\mark wade@webpower[1].txt
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\Mark Wade_Save\Application Data\Install.dat
Potentially unwanted tool:Application/Processor Not disinfected C:\My Downloads\Reg_Temp_Cleaner\SDFix.exe[SDFix\apps\Process.exe]

Spyware:Cookie/2o7 Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@2o7[2].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@abetterinternet[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@atwola[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@cgi-bin[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@com[2].txt
Spyware:Cookie/Go Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@hg1.hitbox[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@rn11[1].txt
Spyware:Cookie/Target Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@target[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\allison mcgurk-wade@www.burstbeacon[2].txt

Spyware:Cookie/Atwola Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\mark wade@atwola[1].txt
Spyware:Cookie/Go Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\mark wade@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\mark wade@kount[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Program Files\EarthLink 5.0\amwade@earthlink.net\Cookies\mark wade@smni[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix.exe[SDFix\apps\Process.exe]

LonnyRJones
2006-11-26, 13:05
Welcome

Start Hijackthis and place a check next to these items if there.
O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\ALLISO~1\LOCALS~1\Temp\tunksid.dat (file missing)
O4 - HKLM\..\Run: [cmdwave] C:\WINDOWS\assembly\temp\cmdwave.exe
O4 - HKLM\..\Run: [*cmdwave] C:\WINDOWS\assembly\temp\cmdwave.exe
O4 - HKLM\..\Run: [*apodbc] C:\WINDOWS\Fonts\apodbc.exe
O4 - HKLM\..\Run: [*runwms] C:\WINDOWS\Tasks\runwms.exe
O4 - HKLM\..\Run: [*scom] C:\WINDOWS\system\scom.exe
O4 - HKLM\..\Run: [*disknut] C:\WINDOWS\Fonts\disknut.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post a new hijackthis log

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the I Accept button near the bottom of that page.
Click the first download button (version with graphical user interface).
Download/save (not open) and run BlackLight, click > scan then > next, next again then exit.
There will be a new txt near BlackLight. Post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
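
The triage behind the entries picked out above can be sketched in Python, as an added example that is not part of the original thread or of HijackThis. It parses O2/O4 lines copied from the two logs posted here, flags them with heuristics that are assumptions of this example (the folder list, Temp paths, a missing BHO file, a `*`-prefixed Run value name), and reports which flagged entries are still present in the follow-up log.

```python
import re
from typing import NamedTuple

# Sample input: a subset of lines copied from the first and second HijackThis
# logs in this thread (trimmed for length, not complete logs).
LOG_BEFORE = r"""
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {36CCD59A-8179-C65D-23CE-03A6AA6C0FDC} - C:\WINDOWS\System32\aanghtj.dll (file missing)
O2 - BHO: CATLEvents Object - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\ALLISO~1\LOCALS~1\Temp\tunksid.dat (file missing)
O4 - HKLM\..\Run: [cmdwave] C:\WINDOWS\assembly\temp\cmdwave.exe
O4 - HKLM\..\Run: [*apodbc] C:\WINDOWS\Fonts\apodbc.exe
O4 - HKLM\..\Run: [*runwms] C:\WINDOWS\Tasks\runwms.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {36CCD59A-8179-C65D-23CE-03A6AA6C0FDC} - C:\WINDOWS\System32\aanghtj.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Assumption of this example: folders that normally hold no autostart programs.
UNUSUAL_DIRS = (r"c:\windows\fonts", r"c:\windows\tasks",
                r"c:\windows\assembly\temp", r"c:\windows\system")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING = "(file missing)"


class Entry(NamedTuple):
    line: str      # the log line as posted
    section: str   # HijackThis section code, e.g. "O2", "O4"
    name: str      # Run value name for O4 entries, otherwise ""
    path: str      # file or command the entry points at
    missing: bool  # HijackThis reported "(file missing)"


def parse(log):
    """Turn HijackThis entry lines into Entry records; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[:-len(MISSING)].rstrip()
        run = RUN_RE.search(body) if m.group("section") == "O4" else None
        if run:  # "HKLM\..\Run: [name] command"
            name, path = run.group("name"), run.group("cmd")
        else:    # last " - " separated field is the file
            name, path = "", body.rsplit(" - ", 1)[-1]
        entries.append(Entry(line, m.group("section"), name, path.strip('"'), missing))
    return entries


def reasons(entry):
    """Heuristic reasons to review an O2 (BHO) or O4 (autostart) entry."""
    if entry.section not in ("O2", "O4"):
        return []
    path = entry.path.lower()
    folder = path.rpartition("\\")[0]  # "" when only a bare file name is given
    found = []
    if any(folder == d or folder.startswith(d + "\\") for d in UNUSUAL_DIRS):
        found.append("target in a folder that normally holds no programs")
    if "\\temp\\" in path:
        found.append("target under a Temp folder")
    if entry.section == "O2" and entry.missing:
        found.append("BHO registered but file missing")
    if entry.section == "O4" and entry.name.startswith("*"):
        found.append("Run value name starts with '*'")
    return found


def triage(log):
    """Return (entry, reasons) for every entry that has at least one reason."""
    return [(e, r) for e in parse(log) for r in [reasons(e)] if r]


def unresolved(before, after):
    """Flagged lines from the first log that are still in the follow-up log."""
    remaining = {e.line for e in parse(after)}
    return [e.line for e, _ in triage(before) if e.line in remaining]


def cleared(before, after):
    """Flagged lines from the first log that no longer appear in the follow-up."""
    remaining = {e.line for e in parse(after)}
    return [e.line for e, _ in triage(before) if e.line not in remaining]


if __name__ == "__main__":
    for entry, why in triage(LOG_BEFORE):
        print(entry.line, "->", "; ".join(why))
    print("still present:", unresolved(LOG_BEFORE, LOG_AFTER))
```
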

FlashGal
2006-11-27, 02:11
Hi Lonny, thank you so much for your reply! You have no idea how much I appreciate your assistance with this!

Here's the HiJackThis scan (the second one will follow.)

Logfile of HijackThis v1.99.1
Scan saved at 4:40:14 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.usaa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {36CCD59A-8179-C65D-23CE-03A6AA6C0FDC} - C:\WINDOWS\System32\aanghtj.dll (file missing)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.symantec.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poth_x.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Courseware\players\full\awswaxf.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163797315873
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141415430201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

FlashGal
2006-11-27, 02:14
Sorry, I thought this Blacklight log was much longer.

11/26/06 16:42:55 [Info]: BlackLight Engine 1.0.47 initialized
11/26/06 16:42:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/26/06 16:42:55 [Note]: 7019 4
11/26/06 16:42:55 [Note]: 7005 0
11/26/06 16:43:10 [Note]: 7006 0
11/26/06 16:43:10 [Note]: 7011 480
11/26/06 16:43:11 [Note]: 7026 0
11/26/06 16:43:11 [Note]: 7026 0
11/26/06 16:43:26 [Note]: FSRAW library version 1.7.1020
11/26/06 17:03:32 [Note]: 7007 0

Thanks again!

LonnyRJones
2006-11-27, 04:44
Scan and Fix this item with Hijackthis
O2 - BHO: (no name) - {36CCD59A-8179-C65D-23CE-03A6AA6C0FDC} - C:\WINDOWS\System32\aanghtj.dll (file missing)
======================================

Although Vundo doesn't seem active

Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to the root drive, eg: Local Disk C: or partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Click scan for vundo, when it is finished scanning
Click the Remove Vundo button. (if any files were found)
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two minutes then turn your computer back on.
Please post the contents of C:\vundofix.txt

FlashGal
2006-11-27, 06:17
Here's the result of the scan:

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:41:12 PM 11/26/2006

Listing files found while scanning....

No infected files were found.
_____________________________
Hmm, do you think it might be clean yet?

LonnyRJones
2006-11-27, 06:35
Are there any current problems? Questions?

FlashGal
2006-11-27, 06:59
The immediate launch of Norton Antivirus (because of the W32.Mixor problem) seems to be gone. WAHOO!

However, I wasn't able to download Win XP Pro SP2 updates before. I don't have an available network connection for the laptop with the problems right now, but I will try to download them in the morning.

I'm currently running Norton AV then I'll run Spybot again and maybe AdAware, too. I'll get any updates for them when I get connected in the morning, then I may run them again (just to see if I get anything) before I try to download XP updates.

Any suggestions on things to look for other than the usual scan results or performance problems?

Thanks again, Lonny! You're a lifesaver!

LonnyRJones
2006-11-27, 07:17
Change all your passwords

Let us know if there are problems at windows update, if any errors write them down for us.

FlashGal
2006-11-29, 21:42
Sorry for the delay. Just after my last post, I got snowed in and the power had been out until late last night.

Here's the latest: I updated Spybot, AdAware, and Norton AV. The last two ran clean, but Spybot picked up something new (at least, I haven't seen it picked up before now anyway) called Adir.wget. There were three subitems, including a file called adirss.exe. Spybot appears to have removed it, but I got a HijackThis scan for you, just in case. And I did change the passwords. Thanks for the reminder!

I had some success on Nov. 20th in getting most of the Windows updates, but this morning when I attempted to download and install the last nine, they failed to download. I don't know, maybe it's a setting I missed, but I can't find any specific info on microsoft.com. The nine updates are:

Security Update for Microsoft .NET Framework, Version 1.0 SP3, English
(KB886906)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB911280)
Security Update for Windows Media Player 9 (KB917734)

Here's the HijackThis log (just in case):

Logfile of HijackThis v1.99.1
Scan saved at 12:29:41 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poth_x.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Courseware\players\full\awswaxf.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163797315873
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141415430201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8093FEA-C748-4F99-95C5-F258B4DDC5D3}: NameServer = 207.115.64.2 207.115.64.3
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks!

LonnyRJones
2006-11-30, 01:52
Try one or two updates at a time; if you get any error messages, tell us about them.
Run Blacklight once more and post its log if any files show.
No need to if none show.
Any luck with Windows Update?

FlashGal
2006-11-30, 05:08
In your last sentence, were you referring to the new Microsoft Updates that Microsoft is pushing to work with Automatic Updates or just the regular Windows updates that you can set up for automatic installation or just being notified when there are any updates available? I usually go with notification and then just download and install them myself.

Actually, I did try the high-priority Windows updates not only two at a time but also only one at a time with no luck.

I can't remember if I mentioned it or not, but I did have to do a repair re-installation of Windows XP Pro SP2 to get the laptop working again even marginally. Would that make a difference?

I ran Blacklight again: "No hidden items found."

Thanks!

LonnyRJones
2006-11-30, 11:12
"Would that make a difference?"
While this thread was going on?

Try visiting Windows Update and get one or two at a time.
Then, if there are problems, we can check c:\windows\windowsupdate.log for recent errors; you might have to copy that log to another location before you can open it.
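
The log check suggested in the post above, as an added example that is not part of the original thread: copy the log aside, then list the WARNING and FATAL lines since a given date with any error code they carry. It assumes the tab-separated WindowsUpdate.log layout (date, time, PID, TID, component, text); the function names and the sample lines are constructed for illustration.

```python
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample in the WindowsUpdate.log layout
# (date, time, PID, TID, component, text); not taken from the laptop in this thread.
SAMPLE = (
    "2006-11-20\t09:02:11:140\t1020\t5f4\tAgent\tWARNING: search failed with error 0x80072efd\n"
    "2006-11-29\t08:41:07:312\t1020\t7c8\tDnldMgr\t* Updates to download = 9\n"
    "2006-11-29\t08:41:09:875\t1020\t7c8\tDnldMgr\tWARNING: BITS job failed, hr = 0x80246008\n"
    "2006-11-29\t08:41:10:020\t1020\t7c8\tAgent\tFATAL: download call failed, error = 0x80246008\n"
    "damaged line without tab separators\n"
)

HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}")

def snapshot(log_path, dest_dir):
    """Copy the live log elsewhere first; the original may be held open."""
    dest = Path(dest_dir) / (Path(log_path).name + ".copy")
    shutil.copy2(log_path, dest)
    return dest

def recent_errors(text, since):
    """Return (timestamp, component, code, message) for WARNING/FATAL lines at or after `since`."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t", 5)
        if len(fields) != 6:
            continue  # damaged or continuation line
        date, time, _pid, _tid, component, message = fields
        try:
            stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S:%f")
        except ValueError:
            continue  # timestamp not in the expected form
        if stamp < since or not re.search(r"\b(WARNING|FATAL)\b", message):
            continue
        code = HRESULT.search(message)
        hits.append((stamp, component.strip(), code.group(0).lower() if code else None, message.strip()))
    return hits

def demo():
    """Write the sample to a temp file, snapshot it, and read errors from the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "WindowsUpdate.log"
        live.write_text(SAMPLE)
        return recent_errors(snapshot(live, tmp).read_text(), datetime(2006, 11, 29))
```

On a real machine, pass the path of the copied log to `recent_errors` and set `since` to the date of the failed download attempt, so older entries do not drown out the relevant ones.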

FlashGal
2006-11-30, 17:16
Hi Lonny,

I had been working on these problems for nearly two weeks before I posted anything to this forum (I didn't know it existed). The operating system was barely functioning so our company's network administrator suggested I repair Windows before I even attempted to tackle the rest of the malware problems. So I think I actually did the reinstall a day or two before I started this thread. I was running out of ideas, and the network administrator had no other suggestions besides things I had already done so...

The road is finally clear enough for me to get into town so I'm going to take the laptop into work today and try the Windows Updates using our T1 connection. I'll get back to you.

Thanks!

LonnyRJones
2006-12-06, 12:41
How's that PC?

tashi
2006-12-11, 18:00
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.