Server Not found, FireFox & IE randomly.not DNS



#31
harveybacon

re-Peattt...

Edited by harveybacon, 20 May 2008 - 04:08 PM.

  • 0



#32
harveybacon

maybe refreshing the page did this?

Edited by harveybacon, 20 May 2008 - 04:09 PM.

  • 0

#33
harveybacon

re?

peat.

Edited by harveybacon, 20 May 2008 - 04:09 PM.

  • 0

#34
harveybacon

RePeAt

Edited by harveybacon, 20 May 2008 - 04:10 PM.

  • 0

#35
Blender

    Malware Expert

Looking better.
Still one earthlink to go and a few questions and such.

I don't use Groove and don't care about Real (player) unless online.


You should be able to open RealPlayer and via the options tell it not to run at bootup or check for updates every time it is run.
Groove -- best to leave alone or we might foobar the rest of your Office install.

Do I need Win Defender?


Your choice. I don't use it myself.
You have SuperAntispyware and Mbam. They should be fine for antispyware.
When we are done cleaning I'll have some other recommendations as well to help keep you protected.

VTTimer is clocking don't need,


Apparently part of graphics drivers:
http://www.bleepingc...r.exe-6142.html
Your choice whether or not to have running at bootup.
You can use MSConfig to disable if desired.

don't know what Grxp4exe is


If you play the games this software comes with -- you will need it:
http://www.bleepingc...e.exe-1871.html

SOUNDMAN.EXE is just unnecessary added from motherboard

This too can be disabled via MSConfig

don't know what LTMSG.exe,

Part of modem software:
http://www.bleepingc...g.exe-2651.html

KBD.exe is a utility to configure keyboard shortcuts on multimedia keyboards.
Your choice:
http://www.liutiliti...esslibrary/kbd/

spoolsv.exe (printer?),


Yep. It handles print/fax jobs on the computer.

netdde.exe ...
Did you or a program you have installed set this service up to run auto?
Normally it is not running. Part of the reason I am interested in your virus scan log because this service can be exploited by backdoors.
About the program:
http://searchtasks.a...php?File=NetDDE

mDNSResponder.exe ..
Part of iTunes/QuickTime for music sharing.

clipsrv.exe -- not normally running but could be your OneNote or sessmgr.exe keeping this running.
Speaking of sessmgr.exe --- you using remote assistance?

crypserv.exe --
Software copy protection:
http://www.bleepingc...v.exe-7633.html

C:\WINDOWS\system32\msiexec.exe
Part of Windows installer ...
Either you just finished uninstalling or installing something and it isn't complete yet at time of log.

C:\WINDOWS\system32\svchost.exe
Controls most of Windows services. (It is not unusual to see several of these running as each one has its own set of services to control)

UAService7.exe
Needed:
http://www.bleepingc...7.exe-8046.html

wuauclt.exe
Windows auto updates

ctfmon.exe..
Yep. Part of Office:
http://support.microsoft.com/kb/282599
Even though they describe method of removing it --- I don't recommend it because Office might not work properly after.

--------------------------------------

When done Avast scan --- let me know how it went.

Have Hijackthis fix this entry:

O4 - .DEFAULT User Startup: Earthlink.lnk = ? (User 'Default user')


Post fresh hijackthis log please.

How is FF & IE running?
No more "server not found" errors?

Thanks :)
  • 0

#36
harveybacon

Okay, after a long wait, Avast has rid me of 4 things. I don't know if this will help. I have moved them to the Chest. I did not set up for logs beforehand. I am now attaching jpg of files in chest. ("print screen" button, paste in MSpaint).

I have been getting Server Not Found (SNF) throughout the wait.


netdde.exe? I have a 6 year old that plays ToonTown online? I would be afraid to remove it, so I will put it on manual for now.


Earthlink and AOL don't wanna leave. Been here for years. They're gooood...

Check: O4 - .DEFAULT User Startup: Earthlink.lnk = ? (User 'Default user')
and reboot again, see if it will even go away.

Should I need to run any RegCleaner after all this?

log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:30 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Grxp4exe.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Owner\Desktop\fix\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: Earthlink.lnk = ? (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1193626600328
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...33.7/ttinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Advanced Micro Devices, Inc. - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8462 bytes

Avast_log_small.JPG
  • 0
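Added example, not part of the original thread and not HijackThis's own code: a short Python triage pass over a few lines copied from the log in post #36. It flags the kinds of leftovers discussed in the thread: entries marked "(file missing)" or "(no file)", the unresolved Earthlink.lnk startup shortcut, and Run values given without a full path. The function names and category labels are made up for this illustration.

```python
import re

# A subset of lines copied from the HijackThis log in post #36.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - .DEFAULT User Startup: Earthlink.lnk = ? (User 'Default user')
O23 - Service: AOL Spyware Protection Service (AOLService) - Advanced Micro Devices, Inc. - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every log entry starts with a section code such as R0, O4 or O23.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autostart values look like: ...\Run: [Name] command line
RUN_VALUE = re.compile(r"Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse(log):
    """Return (section_code, body) for every entry line; skip headers and process list."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def findings(entries):
    """Label entries that deserve a second look (labels are this example's own)."""
    out = []
    for code, body in entries:
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            # Registry entry or service whose target is no longer on disk.
            out.append((code, "orphaned", body))
        elif code == "O4" and re.search(r"\.lnk = \?", body):
            # Startup-folder shortcut whose target HijackThis could not resolve.
            out.append((code, "unresolved-shortcut", body))
        elif code == "O4":
            m = RUN_VALUE.search(body)
            if m:
                cmd = re.sub(r" \(User '.*'\)$", "", m["cmd"]).lstrip('"')
                if not re.match(r"[A-Za-z]:\\", cmd):
                    # Bare file name: Windows locates it via its search path,
                    # so confirm which file on disk actually runs.
                    out.append((code, "no-absolute-path", body))
    return out


if __name__ == "__main__":
    for code, kind, body in findings(parse(SAMPLE_LOG)):
        print(f"{kind:20} {code:4} {body}")
```

A flag here is a prompt to look the entry up, as Blender does item by item, not a verdict that it is malicious.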

#37
harveybacon

SNF.
  • 0

#38
harveybacon

SNF.
  • 0

#39
harveybacon

SNF.

Strange, I don't keep posting these repeats....?

Edited by harveybacon, 20 May 2008 - 08:08 AM.

  • 0

#40
harveybacon

I think I misunderstood you, Blender:


"<harveybacon> move it?
<harveybacon> Win32:Trojan-gen {UPX}
<harveybacon> C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\DigiMode VCD.exe
<harveybacon> still scanning after moving to chest
<Blendersww> hmmm
* Blendersww wonders if that is a false positive ... grrrrr
<harveybacon> I play VCDs in the comp, but don't know what that was
<Blendersww> the AV might have jumped it simply cus of the packer used
<harveybacon> SNF just before it was found. I'll let u know if I get SNF again...
<Blendersww> where did u download the program?
<harveybacon> eh, I got it of their site, but used a key. Is that bad?
<harveybacon> off their site
<Blendersww> used a key --- you mean keygen?
<Blendersww> if so --- yeah thats bad --- bout 75% of the infections ppl get come from keygens/cracks
<Blendersww> prolly how ya got backdoored
<harveybacon> no, just a server serial I have
<Bobbi_Work> new verb? to backdoor?
<harveybacon> I didn't use keygen
<harveybacon> or crack
<Blendersww> ahh kk. I mis-understood
<harveybacon> I have used them in past, but not recently. "


I thought you meant Avast!, did you mean the VCD player? I don't know of a program called DigiMode.
I haven't used anything but MS MediaPlayer or Nero Showtime. I have a codec file. I don't think it would be called anything, just codec pack or KazaLite (something).
  • 0



#41
harveybacon

Took out iso programs that I had downloaded before. MSconfig'ed and got system start-up quick. Turned off a few unnecessary prog. We will see.
  • 0

#42
Blender

    Malware Expert

Hi,

Thanks for the logs, info.

I think those detections by Avast are false positives (meaning they should not have been detected).
However -- keep those files in chest for now.
Anything else Avast yells about -- do send files to chest if that option is available.
FYI -- the chest is a folder where avast stores files it detected as malware safely so you can't accidentally run it.
Remind me later if I forget -- but I want to get samples of those files later to see what's up with em.

Your question earlier regarding registry cleaners -----
No. I don't recommend running registry cleaners.
They are dangerous programs unless you know exactly what is being fixed.
Most don't make good backups and backups can't be accessed if the computer won't boot after.
I personally lost 2 machines after running reg cleaners and had to format both.
A lot of these programs muck around with things they shouldn't.
Contrary to popular belief --- registry cleaners are not going to speed up system except in rare cases.
You would have to have 1000's of orphan entries to make any speed problems.
When it gets to the point where registry has to be "cleaned" it's IMO better to format!

You have some leftovers of old ISP software and we'll look for that stuff specifically and target it to clean it up.
I don't know yet what is causing your SNF issue so will ask for a couple other logs below.

------------------------------

Let's see what this log tells me:

Download "Autoruns" from here:

http://download.sysi...es/Autoruns.zip

Save it and unzip it to its own folder.
Open folder and double click autoruns.exe
Wait for scan to finish.
Click the "options" menu and check "include empty sections" & "verify code signatures" & "Hide Microsoft Entries".
Click "file" and "refresh"
Wait till scan is done.

Once done --- make sure the "everything" tab is selected, then click "file"> save as> give it a name and save the log to desktop.

Copy/paste contents of that log here.

------------------------------

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it to its own folder.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less stuff we got running the less chance of false positives in log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity and do you want to run scan.

Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "save"
In the new window that pops up, give the log a name and save it someplace handy.
Press save.

Re-enable your antivirus, re-connect to internet & post that log here

Thanks :)
  • 0

#43
harveybacon

getting rid of old software that is not used. I don't know why, but I have a lot under the service tab on MSconfig
  • 0

#44
Blender

    Malware Expert

Hi,

I don't know why, but I have a lot under the service tab on MSconfig


Explain what you mean please.
It is normal to see services listed under that tab --- and not recommended to disable services using MSConfig.
If you want to disable services use "services.msc" instead.

If you're tweakin though --- leme know what you're doing cus it is hard to troubleshoot if things are done that I don't know about.

Doing "autoruns" and "gmer" for me?
  • 0

#45
harveybacon

I was turning on everything in msconfig. I had tweaked things a long time ago using a website's directions. I was running them I have the one here. I ended up stopping the other, and I have to start all over. Thank you again. I really hope that we can figure this out. My wife, Heather, is wanting to spend time with me taking pics for eBay stuff....

Now html isn't working. It's like the connection is being choked. Then I lose it.

It's not giving me the upload button. *mhmmm*
  • 0





