Win AntiVirus 2007 Pro has taken over!
#1
Spider-Man

Member
167 posts
I wiped my computer back down to 'factory settings', then reinstalled XP SP2, followed by the latest updates, AVG Free Edition and Ad-Aware Personal Edition. I located these simply by opening up Google, searching 'AVG Free' and clicking the Grisoft link; the Ad-Aware was located from the Lavasoft website. I installed them both, restarted the computer, did all the updates for both programs, then started to run an AVG scan. Then all of a sudden it popped up 'Threat Detection' and found something in the folder "C:/System Restore Information". I deleted it, but a pop-up from IE immediately came up for Win AntiVirus 2007 Professional, then all of these processes started to run as soon as I clicked the 'x' button. These processes appeared to be all numbers, such as 567402740.exe etc., so I closed them all. It then appeared to hijack the Dr. Watson debugger and started giving error messages every time I opened AVG, or any other program for that matter. I couldn't even click 'Run' in the start menu without an error message, but pressing Windows key+R opened the run box, so I was able to run AVG from there. A few viruses were found, all in the same folder. I then started noticing random files appearing on the desktop and in My Documents; again they were text and picture files with number names, such as 2472854.jpeg, and I deleted all the ones I could find. I then found it was starting up in the MSCONFIG Start-Up tab, so I disabled it and rebooted. AVG ran fine, as did every other program, so I thought I had beaten it, or almost. Ad-Aware was finding 30+ critical objects every scan, despite not being connected to the internet, and AVG was finding viruses as well.
I've managed to get all the files deleted, all the processes to stop running and programs to actually open up from the start menu, but AVG keeps on popping up viruses being found in this System Restore Information folder, which I cannot locate, although I have tried cleaning out all 'crap' files with CCleaner and using Disk Cleanup's cleanup of old System Restore points, yet this doesn't solve it. I am at a complete loss with this one. The computer is intended to be used as a home PC which won't have internet access, but all these viruses are making it unstable, with error messages coming up all over the place. When I first got the WinAntiVirus thing appearing, I thought, screw it, and reformatted and reinstalled XP, but it was there before I even put a single CD in, or connected to the net, so how do I get rid of this? It just won't go away, no matter what I do. Below is a HJT log I produced as soon as AVG popped up to say a virus had been found:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:31, on 04/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wpabaln.exe
C:\DOCUME~1\Danalyn\LOCALS~1\Temp\Rar$EX00.407\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170287080426
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3020597-4E9E-4F46-AAC3-DF28F45710C0}: NameServer = 62.24.252.135 62.24.252.134
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

I've got a feeling these two are suspects:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3020597-4E9E-4F46-AAC3-DF28F45710C0}: NameServer = 62.24.252.135 62.24.252.134
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

as they are two of the things shown in HJT logs before and after I reformatted the hard drive for the second time. I am unsure of this, so would prefer if someone with the knowledge could confirm whether or not they are the files responsible. Thank you for any help that may be available :)
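As an added example (not from the original post, and not part of HijackThis itself), here is a small Python parser for the HJT log format shown above. It pulls out the items a helper would usually check first: the O17 NameServer addresses, the O21 shell-loaded object and any entry HJT has tagged "(file missing)". It only extracts them for manual review and does not judge whether they are malicious; the sample lines are copied from the log posted above.

```python
import re
from collections import namedtuple

# Constructed sample: five lines taken from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3020597-4E9E-4F46-AAC3-DF28F45710C0}: NameServer = 62.24.252.135 62.24.252.134
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")   # "O21 - SSODL: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                   # {GUID} of a COM object
MISSING = "(file missing)"                                       # tag HJT appends itself

# kind: HJT section (O4, O17, ...); clsid/path are None when the entry has none.
Entry = namedtuple("Entry", "kind body clsid path file_missing")

def parse_hjt(text):
    """Turn the Rx/Fx/Ox lines of an HJT log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        clsid = CLSID_RE.search(body)
        if kind == "O4" and "] " in body:
            path = body.split("] ", 1)[1]        # O4: the command line follows [name]
        elif " - " in body:
            path = body.rsplit(" - ", 1)[-1].removesuffix(MISSING).strip()  # "... - <path>"
        else:
            path = None                          # e.g. O17, which lists DNS servers, not a file
        entries.append(Entry(kind, body, clsid.group(0) if clsid else None, path, body.endswith(MISSING)))
    return entries

def review(entries):
    """Items to verify by hand: O17 DNS servers, O21 shell-loaded objects, and missing target files."""
    findings = []
    for e in entries:
        if e.kind == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                findings.append(("dns-servers", m.group(1).split()))
        elif e.kind == "O21":
            findings.append(("shell-object", e.path))
        if e.file_missing:
            findings.append(("file-missing", e.path))
    return findings
```

Comparing the O17 addresses against the DNS servers your ISP actually issues, and the O21 DLL against a clean copy of the same Windows build, is the manual step this leaves to the reader.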