Geeks to Go
Virus/Driver Trouble


#1 Madness341 (New Member, 6 posts)
This is my first post here so bear with me. I've been having this problem for almost a week and I've put many hours into trying to fix it. I've been browsing through forums and trying everything that usually helps me out but nothing is working. The problem started after opening an infected file. My Ad-Watch began showing registry modifications and I rebooted and began trying to kill it with Ad-Aware, etc. It appeared to be caused by MediaAccess but continued after I deleted the files. I've tried several spyware and anti-virus programs but none have resolved the problem fully. At this point Windows will start and Ad-Watch will occasionally show a registry mod for a value
[KavSvc] Windows/System32/rvmvlv.exe
I have removed this file and have removed it several times from the registry. I have not noticed any suspicious processes although svchost is often represented 2 or 3 times. The big problem is that none of my devices will work. My Device Manager will open, but it will not show any of my devices. I've tried showing hidden devices but haven't had luck. Errors occur whenever I try to open software that uses a device. I tried reinstalling Windows today but was stopped by a message that said it could not find a hard drive on my machine. Here is my HijackThis log, thanks for the help.

Logfile of HijackThis v1.99.0
Scan saved at 4:20:53 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnpn.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B9CD23D-A7BA-5D9B-77CB-605E1A34E4EF} - (no file)
O2 - BHO: (no name) - {EE2780D2-E757-C79A-CBA8-40C1A2C565A8} - (no file)
O2 - BHO: (no name) - {FDF77350-64AC-7D1A-9DA7-B29E6902123C} - (no file)
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
#2 gerryf (Retired Staff, 11,365 posts)
Your log looks moderately clean and does not explain the problems you are describing...

start > run, type
eventvwr.exe
enter

Look under system and applications for Red Xs.


---------------------------------


Additionally, download Process Explorer from Sysinternals, run it, and look for odd entries/processes running in the background


----------------------------------

Finally, download RootkitRevealer from the same site.

Run it and run a scan. Do not work on your computer during the scan or you will get some false positives. Anything odd here, like hidden from windows API?
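The three checks above, scripted as an added example (my code, not the reply's and not a Sysinternals tool): it lists recent Error events, background processes running from outside the Windows and Program Files trees, and the Run keys and Startup folders that explain a value like the [KavSvc] one in the first post coming back after deletion. It assumes Windows PowerShell 5.1 or PowerShell 7 on a current Windows release, run from an elevated prompt so every process path is readable; RootkitRevealer's API-versus-raw-hive comparison has no equivalent here and is left to the tool. The HijackThis log in the first post shows a process launched from the All Users Startup folder, which is the kind of entry the second and third checks surface.

```powershell
# Added example (not from the thread or Sysinternals). Assumes Windows PowerShell 5.1+
# or PowerShell 7 on a current Windows release, run elevated.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ }

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the executable out of a command line such as  "C:\Program Files\x\y.exe" -osboot
# or  RUNDLL32.exe "C:\...\cdaEngine0400.dll",cdaEngineMain  and say whether it exists.
function Resolve-CommandTarget([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    $exe = if ($cmd -match '^\s*"?([^"]*?\.(exe|dll|scr|com))') { $Matches[1] } else { $cmd }
    if ([IO.Path]::IsPathRooted($exe)) {
        $exists = Test-Path -LiteralPath $exe
    } else {                                          # bare name: resolve it against PATH
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        $exists = [bool]$found
        if ($found) { $exe = $found.Source }
    }
    [pscustomobject]@{ Target = $exe; Exists = $exists }
}

# 1. The "red Xs": Critical and Error events from the last week. Event Viewer fails
#    with "The interface is unknown" when the Event Log service is not running, so
#    check the service first; an Event Log service that is off is itself a finding.
function Get-RecentErrors([int]$Days = 7) {
    $log = Get-Service -Name EventLog -ErrorAction SilentlyContinue
    if (-not $log -or $log.Status -ne 'Running') {
        Write-Warning "Event Log service is $(if ($log) { $log.Status } else { 'missing' }); nothing can be read until it runs."
        return
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# 2. Background processes whose image lives outside the Windows and Program Files trees
#    (a user profile, temp, a Startup folder), with the Authenticode state of the image.
function Get-OddProcesses {
    Get-Process | Where-Object { $_.Path -and -not (Test-TrustedPath $_.Path) } | ForEach-Object {
        [pscustomobject]@{
            Pid       = $_.Id
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = (Get-AuthenticodeSignature -FilePath $_.Path).Status
        }
    }
}

# 3. Autostart entries: Run/RunOnce under HKLM and HKCU, and both Startup folders.
#    A value whose target no longer exists is still worth removing; if it is re-created
#    after deletion, whatever writes it is still running somewhere.
function Get-AutostartEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not values
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $t = Resolve-CommandTarget ([string]$p.Value)
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value
                               Target = $t.Target; TargetExists = $t.Exists
                               Trusted = (Test-TrustedPath $t.Target) }
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName
                               Target = $_.FullName; TargetExists = $true
                               Trusted = (Test-TrustedPath $_.FullName) }
        }
    }
}

Get-RecentErrors     | Format-Table -AutoSize
Get-OddProcesses     | Format-Table -AutoSize
Get-AutostartEntries | Format-Table -AutoSize
```

An entry in the second or third table is a lead, not a verdict: plenty of legitimate software runs unsigned from Program Files, so look at the file's vendor, signature and creation time before deleting anything. The point of the Event Log check is the failure mode in the next reply: when the service is off, every viewer fails the same way, and that is the thing to fix first.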
#3 Madness341 (Topic Starter)
Sorry it's taken me a while to reply. I did the three things you said and these were the results:
1. When I tried clicking on anything in the Event Viewer I would get an error that said: "Unable to complete the operation... The interface is unknown."

2. Process Explorer gives me an internal error in normal mode but runs fine in safe mode.

3. RootkitRevealer gave me one positive result:
"HKLM\SOFTWARE\Classes\webcal\URL Protocol
Data mismatch between Windows API and raw hive data"
#4 gerryf (Retired Staff)
I'm sorry, I was nearly asleep when I posted.

1. start > run,
eventvwr.msc

2. Did you download the correct one? One is for WinNT, the other for Win98.

3. That is OK... it means the registry changed while you were running the scan and that is typical.
#5 Madness341 (Topic Starter)
I tried again but still received the same error when I tried to open the logs. I re-downloaded the version for XP but am still receiving internal errors. I think there must be something running in normal mode that causes the error, because it works in safe mode.
#6 Madness341 (Topic Starter)
Any other ideas?
#7 gerryf (Retired Staff)
You haven't, by any chance, been disabling services have you?

Start > run
compmgmt.msc
enter

Go to Services... Event Log... running? Disabled? Startup type (double-click)
#8 Madness341 (Topic Starter)
While I haven't been disabling services, my Event Log was indeed disabled, as was the majority of my services. I suppose this is what would explain my lack of devices. A few were listed as Automatic but otherwise they're disabled. When I double-click it gives me a Plug and Play error but then lets me access the properties. Should I just enable them all?
#9 gerryf (Retired Staff)
Aughhh, Black Viper's site is gone!

(sorry, it was a shock)

Go here and follow the default settings

under Black Viper's Windows XP Home and Professional Service Pack 2 Service Configurations

http://web.archive.o.../servicecfg.htm
#10 Madness341 (Topic Starter)
Well, I went through and configured my services and now all my devices are back up and working. There are some services that I wasn't sure about that don't seem to be from the system... DSLV, VTAUKL, ZCSQEY. They're all disabled but I wasn't sure if I could or should delete them. When I boot up I still get a registry modification in Ad-Watch on the value [KavSvc] Windows/System32/rvmvlv.exe, and after a few minutes my Symantec Auto-Protect gets turned off. There's also an error message at startup about a missing WildTangent file. Both of these files have been deleted and I can't find them anywhere in the registry. Anyway, thanks a lot for the help, I really appreciate what you're doing here.
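The service repair worked through in posts #7 to #10, as an added example (my code, not the thread's and not Black Viper's list): it compares the start type of a handful of services that the symptoms in this thread depend on against a baseline, optionally resets them, and then lists every service entry whose binary is missing, not validly signed, or outside the Windows and Program Files trees, which is the sort of check that surfaces unfamiliar entries like the three named in the last post. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on a current Windows release, an elevated prompt when -Fix is used, and a baseline that is my own short list; take the full list for your Windows version from a reference you trust rather than enabling everything.

```powershell
# Added example (not from the thread or Black Viper's site). Assumes Windows PowerShell 5.1+
# or PowerShell 7 and an elevated prompt for -Fix. The baseline is an assumption limited to
# services this thread's symptoms depend on; extend it from a trusted reference.
[CmdletBinding()]
param([switch]$Fix)

# Win32_Service StartMode values: Boot, System, Auto, Manual, Disabled.
$baseline = @{
    EventLog = 'Auto'     # stopped: Event Viewer answers "The interface is unknown"
    PlugPlay = 'Auto'     # stopped: Device Manager lists no devices
    RpcSs    = 'Auto'     # stopped: most of Windows, the Services MMC included, fails
    Winmgmt  = 'Auto'     # WMI, which this script itself relies on
    Dhcp     = 'Auto'
    Dnscache = 'Auto'
}
$setTypeFor = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }   # StartMode -> Set-Service name

$services     = Get-CimInstance -ClassName Win32_Service
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ }

# 1. Baseline drift: essential services whose start type is not what it should be.
#    With -Fix, put the start type back and start the service if it should be running.
function Test-BaselineDrift {
    foreach ($name in $baseline.Keys) {
        $svc = $services | Where-Object Name -eq $name
        if (-not $svc) { Write-Warning "$name : no such service entry"; continue }
        if ($svc.StartMode -ne $baseline[$name]) {
            Write-Warning ("{0,-9} StartMode={1,-8} State={2,-8} expected {3}" -f
                           $name, $svc.StartMode, $svc.State, $baseline[$name])
            if ($Fix) {
                Set-Service -Name $name -StartupType $setTypeFor[$baseline[$name]]
                if ($baseline[$name] -eq 'Auto') { Start-Service -Name $name -ErrorAction Continue }
            }
        }
    }
}

# 2. Service entries whose binary cannot be found, is not validly signed, or runs from
#    somewhere a Windows or vendor service would not normally live.
function Get-SuspectServices {
    foreach ($svc in $services) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
        if ($path -notmatch '^\s*"?([^"]*?\.exe)') { continue }    # no .exe in the path: leave for manual review
        $exe     = $Matches[1]
        $exists  = Test-Path -LiteralPath $exe
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        if (-not $exists -or -not $trusted -or $sig -ne 'Valid') {
            [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
                               Path = $exe; Signature = $sig }
        }
    }
}

Test-BaselineDrift
Get-SuspectServices | Format-Table -AutoSize
```

Run it once without -Fix to see the drift, then with -Fix. A row in the second table is a lead, not a verdict: check the file's vendor and signature before touching a service, and remove an entry (sc.exe delete <name>) only once you are sure of what it is and its binary is gone, since a disabled entry pointing at a deleted file does nothing but tell you where the file used to be.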