[mbleydig]

Hi wonderful people. I wonder if someone out there can't help me. My problem is this. A while back I received an AIM message that had the gist of "Click *this* cool link". Obviously I didn't click it, however, what i'm understanding is the virus may have already taken hold when the window that popped up.

Unfortunately for me, my Nortons antivirus had expired and I was delinquent in buying the update. My computer kept crashing for no apparent reason. I tried running Spybot and AdAware, and neither seemed to work. I purchased Nortons and tried to reinstall and got the message:

Windows\system32\msiexec.exe buffer overrun has corrupted internal state.

Nortons would not complete the install. I had also tried to reinstall Spybot and received the message that the files are corrupted.

Now here's the issue...I've seen several instances where the answer is to downloan hijack this and post a log file. Whatever it is that has infected my computer has also taken away my ability to get online. Any ideas?

[Advertisements]

We really do need a HijackThis log.

Can you download these three programs to a floppy and transfer them to the infected computer:

Windows installer cleanup : http://download.micr...1bd/msicuu2.exe

HijackThis: HJT + extra

WinsockFix: http://www.softpedia...inSockFix.shtml

Use HijackThis as described here:
http://home.planet.n...on.html#BOTHLOG

Transfer the log back to floppy and post it.

Regards,

[Metallica]

We really do need a HijackThis log.

Can you download these three programs to a floppy and transfer them to the infected computer:

Windows installer cleanup : http://download.micr...1bd/msicuu2.exe

HijackThis: HJT + extra

WinsockFix: http://www.softpedia...inSockFix.shtml

Use HijackThis as described here:
http://home.planet.n...on.html#BOTHLOG

Transfer the log back to floppy and post it.

Regards,

[mbleydig]

Here's hoping I did this right. I had to turn the computer off and on multiple times as it kept cutting off:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:15 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Generic\FlashIcon v1.3.0.5\FlashIcon.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\THDetect.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Documents and Settings\Matt Leydig\Desktop\stuff\HJT_and_more_1.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Matt Leydig\Desktop\stuff\HJT_and_more_1\HJT and more 1\HijackThis.exe
C:\WINDOWS\system32\ping.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/sports
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\FlashIcon v1.3.0.5\FlashIcon.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: THDetect.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BBF26523-5BC7-435D-BDD3-AC84C5DC00C3} (UIEPlayer 1.4 Class) - http://espn-att.star...IEPlayer1_4.cab
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[Metallica]

OK I can see some stuff that we can do to make it a bit more usable.

First, I'd like to advise you to uninstall ViewPoint manager under Add/Remove Software. If this doesn't work now, you can try it after the last step in this post.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

Then run the Windows Installer CleanUp Utility and you will probably see one application or program that is listed many times.

Remove them all but the first and last entry and let me know which program it is.

Regards,

[mbleydig]

Thanks much for the reply. First, I did try to add/remove software, however, wasn't able to. I was able to run hijackthis and fix the items you listed. I did run the Windows Installer CleanUp but there were no applications listed several times. I ran hijackthis again and saved the following log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:05 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\THDetect.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Documents and Settings\Matt Leydig\Desktop\stuff\HJT_and_more_1\HJT and more 1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/sports
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\FlashIcon v1.3.0.5\FlashIcon.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: THDetect.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BBF26523-5BC7-435D-BDD3-AC84C5DC00C3} (UIEPlayer 1.4 Class) - http://espn-att.star...IEPlayer1_4.cab
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Any help would be much appreciated. Thanks!!!

[Metallica]

Some viruses will prevent NAV from being installed.
Please do an online virusscan for example here: http://housecall.antivirus.com/

Let us know the results.

Regards,

[mbleydig]

Is there any way to get around the online scan? My network is still not working. I can download any executable and run it on my machine.

[Metallica]

You can try Stinger:
http://vil.nai.com/vil/stinger/

It gets a lot of the most popular ones.

Regards,

[mbleydig]

I actually have stinger also. I've run it before and it found nothing. Also, the scan takes longer than most I've used, and my computer will shut down long before it's done this time. I have my computer with me at work today and ran the scan again, but it wasn't able to make it the whole way through before cutting off. Help...

Thanks.

[Metallica]

Here is another one you can try:
http://www.microsoft...ve/default.mspx

The details how to download and run the tool are in the NOte under point 2

[mbleydig]

I was able to download and install the program. It ran the scan and said it found nothing. Ugh! Do you know of anything else I could try? Thanks again in advance.

[Metallica]

Since I don't see how it can make things any worse, run the WinsockFix and see if that gets you connected again.

Let me know.

Regards,

[mbleydig]

That is an excellent point.

Ran the program and it didn't get me up and running.

[Metallica]

Do you have a Windows CD.

If so, click Start > Run > copy& paste sfc /scannow > OK

The system file checker will scan your system for missing/corrupted system files and prompt ou for the CD if it finds one that needs to be replaced.

Regards,

[mbleydig]

I tried running the scan a few times, but each time my computer cuts off before it will complete.