
Suspect virus/spyware



#1
BerDov
  • Member
  • 228 posts
Greetings all,

My PC is a Compaq with Win XP, Home edition;
I have AVG and run it every day; I also have SpyHunter and Spybot.

Since last Monday I've been experiencing the following problems:

1. On opening Word Perfect 9, an error message appears titled
"wpwin9.exe - Bad image"
The text reads: "The application or DLL c:\windows\apppatch\AcSpecfc.dll is not a valid Windows image. Please check it against your installation diskette."

On clicking the OK button, the error message vanishes and Word Perfect works fine;

2. Similar problem with Photoshop 7, except the file name/path reads:

c:\windows\system32\ATMLIB.dll

Again, on clicking the OK button, the error message vanishes and Photoshop works fine;

3. Similar problem with Acrobat (version 5);

4. MS FrontPage stopped working:

Page Design contains 3 tabs: form, html, preview;

Two days ago the html tab stopped displaying code for any page;

Today, I connected to my web site, but when opening a page (any page) I was greeted by an error: system exception: access violation. After that, the application was "not responding" and had to be removed from Task Manager;

Also, as of a few days ago, it takes at least 10-20 seconds to open FrontPage (before, it opened in just a few moments).

5. Application rename.exe (simple file rename freeware; in use for 2-3 years) changed its appearance. I deleted it and reinstalled, but it did not help.

6. AOL Instant Messenger stopped working;

7. MS Explorer showed a problem not seen before: clicking on the Search button in one particular library database closes Explorer.

Has anybody observed similar symptoms?

If my PC is infected, is it possible to clean it? If yes, how?

Any suggestion is greatly appreciated.

Thanks in advance,

Boris
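The "Bad image" dialog described in post #1 is the Windows loader refusing to map a file because its PE headers do not parse. The script below is an added example, not part of the original thread and not Microsoft's code; it performs the same first-level checks the loader makes (MZ DOS header, PE signature, COFF file header flags, optional-header magic) on any file you hand it and reports the first failure. The byte blobs it builds for demonstration are constructed here, not taken from the poster's machine.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_image(data: bytes) -> dict:
    """Walk the headers the loader checks first; report the first reason it would reject the file."""
    result = {"valid": False, "reason": "", "machine": None, "format": None, "is_dll": False}
    # 1. DOS header: 'MZ' magic, and e_lfanew (offset of the PE header) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no MZ DOS header"
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 2. 'PE\0\0' signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = f"no PE signature at e_lfanew=0x{e_lfanew:x}"
        return result
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    result["machine"] = MACHINE_NAMES.get(machine, f"0x{machine:04x}")
    result["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        result["reason"] = "IMAGE_FILE_EXECUTABLE_IMAGE flag not set"
        return result
    # 3. Optional header: magic must say PE32 or PE32+; every DLL/EXE carries one.
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        result["reason"] = "optional header missing or truncated"
        return result
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in OPTIONAL_MAGIC:
        result["reason"] = f"unknown optional header magic 0x{magic:x}"
        return result
    result["format"] = OPTIONAL_MAGIC[magic]
    result["valid"] = True
    return result


def check_file(path: str) -> dict:
    """Convenience wrapper: run check_pe_image over a file on disk."""
    with open(path, "rb") as fh:
        return check_pe_image(fh.read())


def build_minimal_pe32(is_dll: bool = True) -> bytes:
    """Constructed sample: the smallest header set that passes check_pe_image."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> immediately after it
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, chars)  # i386, 1 section, 224-byte opt hdr
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                # PE32 magic, remainder zeroed
    return bytes(dos) + b"PE\0\0" + coff + optional


def zero_pe_part(image: bytes) -> bytes:
    """Constructed sample of a damaged DLL: the MZ stub survives, everything after it is zeroed."""
    return image[:0x40] + b"\0" * (len(image) - 0x40)


if __name__ == "__main__":
    samples = {
        "good.dll": build_minimal_pe32(),
        "zeroed.dll": zero_pe_part(build_minimal_pe32()),
        "text.dll": b"This is a web page, not a DLL\r\n",
    }
    for name, blob in samples.items():
        r = check_pe_image(blob)
        verdict = "OK" if r["valid"] else f"BAD IMAGE ({r['reason']})"
        print(f"{name}: {verdict} machine={r['machine']} format={r['format']} dll={r['is_dll']}")
```

A file that passes is only a parseable PE; the check says nothing about whether it is the correct file or the vendor's build. On Windows XP the supported way to restore protected system DLLs is the System File Checker (sfc /scannow), which restores them from the dllcache or installation media rather than from a third-party download site.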


#2
Johanna
  • The Leather Lady
  • Moderator
  • 3,038 posts
If you suspect malware, go here:

http://www.geekstogo..._Log-t2852.html

and follow the steps. If you still have problems after the experts have checked your logs, return to this thread.



Johanna

#3
BerDov
  • Topic Starter
  • Member
  • 228 posts
May 27, 2006

As per Johanna’s direction, I followed the procedure described on the “You Must Read This Before Posting A Hijackthis Log...” page.

However, not everything worked and I performed certain actions not prescribed on the web page.

1. Ewido did not work as described.

After going through the installation, an icon for ewido DID NOT appear on the desktop. I did see a DOS window open for a second named ... dwwin.exe; I am not sure what action was performed.

2. Trend Housecall was open for at least 30-40 min with the “transferring data from the web site” on the browser status line so I lost patience and killed Netscape.

3. TrojanHunter. It also stayed open forever and, not sure what was going on, I killed the process;


My current XP version is 5.1 (build 2600.xpsp2.030422-1633: Service Pack 1).

Since I am not sure whether I have any malware left, I did not install SP2 (I am also confused by BOTH “sp2” and “Service Pack 1” in the XP description).

WHAT I DID ON MY OWN

Downloaded new versions of several DLLs from http://www.dlldump.com/:

faultrep.dll (not mentioned in the initial posting, but “not a valid Windows image” started appearing on every system start; now it’s gone);

AcSpecfc.dll - WP starts OK;

ATMLIB.dll - PS starts OK;

dciman.dll and riched20.dll - I don’t remember which programs started with errors, but everything seems OK now;

MS Office was reinstalled and FrontPage does display the HTML code now;

Before I paste the Logfile of HijackThis I want to express my deepest appreciation to all who are willing to help.

Boris

***************

Logfile of HijackThis v1.99.1
Scan saved at 4:49:32 PM, on 5/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\AOL\1148760673\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1148760673\ee\AOLServiceHost.exe
C:\Program Files\Corel\WordPerfect Office 2000\Programs\Wpwin9.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Boris\Desktop\anti-virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Boris\Application Data\Mozilla\Profiles\default\6efdj5sa.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Boris\Application Data\Mozilla\Profiles\default\6efdj5sa.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {31ba2ad3-8ae3-4b56-9df3-f77b52b736f4} - C:\WINDOWS\System32\erkfrbyb.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\vgakb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148760673\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Adaware Bootup] C:\Program Files\Lavasoft Ad-aware\Ad-aware.exe /Auto /Log "C:\Program Files\Lavasoft Ad-aware\"
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095556343652
O20 - Winlogon Notify: vgakb - C:\WINDOWS\ServicePackFiles\vgakb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

***********
END OF POST
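The HijackThis log in the post above is what the malware-forum reviewers read line by line. As an added example (not part of this thread, and not HijackThis's own code), the Python script below parses entries in that format and applies four heuristics log reviewers commonly use: a browser helper object (O2) registered with no name, a registration whose file is missing from disk, a Winlogon Notify DLL (O20) loading from outside System32, and the same DLL appearing in both an O2 and an O20 entry. The sample lines are copied from the posted log plus a few clean entries for contrast; a hit is a question to raise with the reviewers, not a verdict.

```python
import re
from collections import defaultdict

# One HijackThis entry: section code, ' - ', then the body.
HJT_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a loadable module, e.g. C:\WINDOWS\System32\foo.dll
MODULE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|ocx|exe)\b", re.IGNORECASE)

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {31ba2ad3-8ae3-4b56-9df3-f77b52b736f4} - C:\WINDOWS\System32\erkfrbyb.dll (file missing)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\vgakb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: vgakb - C:\WINDOWS\ServicePackFiles\vgakb.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_hjt(text: str) -> list:
    """Return one dict per 'Oxx - ...' entry; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue
        path = MODULE_PATH.search(m["body"])
        entries.append({
            "section": m["sec"],
            "body": m["body"],
            "raw": raw.strip(),
            "module": path.group(0).lower() if path else None,
        })
    return entries


def triage(entries: list) -> list:
    """Apply reviewer heuristics; returns (entry text, reason) pairs worth asking about."""
    findings = []
    loaded_from = defaultdict(set)   # module basename -> sections that reference it
    for e in entries:
        sec, body, mod = e["section"], e["body"], e["module"]
        if mod:
            loaded_from[mod.rsplit("\\", 1)[-1]].add(sec)
        if sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((e["raw"], "browser helper object registered without a name"))
        if "(file missing)" in body:
            findings.append((e["raw"], "registration points at a file that is no longer on disk"))
        if sec == "O20" and mod and "\\system32\\" not in mod:
            findings.append((e["raw"], "Winlogon Notify DLL loads from outside System32"))
    # Cross-entry check: one DLL hooked into both the logon process and the browser.
    for name, secs in loaded_from.items():
        if {"O2", "O20"} <= secs:
            findings.append((name, "same DLL hooked into both Winlogon (O20) and Internet Explorer (O2)"))
    return findings


if __name__ == "__main__":
    for where, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"ASK ABOUT: {why}\n    {where}")
```

The "file missing" heuristic fires on a leftover Google Desktop entry too, which is why a hit is a prompt for a question rather than a diagnosis; the O20/O2 cross-check is the one that narrows attention to a single module.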

#4
Retired Tech
  • Retired Staff
  • 20,563 posts
Post the HJT Log in a new post in the Malware Forum, along with an outline of what you were unable to do

Trend can freeze on the first attempt to run it; if you try again, there is a good chance it will scan.

#5
BerDov
  • Topic Starter
  • Member
  • 228 posts
Will do, thank you.
B.