[Finsch]

Helle everyone:

The following computer is owned by my grantfather, who likes to ebay old radios & things. I set up the PC two years ago, installed all available updates and bought him an antivirus scanner (Panda Antivirus), that always keeps itself up to date. That was more than a year ago, no further updates were installed.
A week or two ago, he got an email with a file attachement that he foolishly opened. It seems that this deactivated PAV (panda anti virus) and let in several other viruses and dialers.
This guy knows absolutely nothing about PC's, so my only way to fix his problem is by using VNC (a remote control for PCs), because i am several hunded miles away from him.
I reinstalled PAV, which detected 5 viruses and several dialers at once. I installed all windows update i could find, used CDShredder, adaware, spybot.

The PC crashes whenever i try to install SP2 or use automated windows updates, so there is no way i can see to update tp SP2.
adaware and spybot identify some malware, but are not able to remove it. It always shows up again after a system restart.

This is the hijack this logfile. I hope i did everything right and it provides you with the necessary information.
------------------------------------------
------------------------------------------




Logfile of HijackThis v1.99.1
Scan saved at 20:58:00, on 15.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\SurfAccuracy\SAcc.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Dokumente und Einstellungen\Gerd\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteowm32.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programme\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123931199015
O17 - HKLM\System\CCS\Services\Tcpip\..\{34CD470C-A739-413B-B18C-672DD370FCDE}: NameServer = 217.237.149.161 217.237.151.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14B849E-BA5C-484E-856B-55F86A6D7263}: NameServer = 192.168.122.252,192.168.122.253
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Advertisements]

Hi Finsch,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

LQfix.zip

Unzip it and save it to your desktop, don't use it yet!

2. Remove Infections

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

From the LQFix folder-> Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.

Run CleanUp and delete all temp files including temporary internet files

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteowm32.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programme\SurfAccuracy\SAcc.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Surf Accuracy

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Programme\SurfAccuracy\


Files
C:\windows\system32\eliteowm32.exe



Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

[tampabelle]

Hi Finsch,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

LQfix.zip

Unzip it and save it to your desktop, don't use it yet!

2. Remove Infections

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

From the LQFix folder-> Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.

Run CleanUp and delete all temp files including temporary internet files

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteowm32.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programme\SurfAccuracy\SAcc.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Surf Accuracy

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Programme\SurfAccuracy\


Files
C:\windows\system32\eliteowm32.exe



Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

[Finsch]

Thank you very much for your help.
Most problems seem to befixed. I fear, the last problem was just caused by the spyware, but can not be reapaired any more since it is an "after-effect".

Okay, followed the steps. Not everything worked the way as it was mentioned on the list.

1. ITEM MISSING: When running HJT in safe mode, eliteowm32.exe does not show up on the scan-list. Just checked and fixed SurfAccuracy
2. After uninstalling, the directory c:\programme\surfaccuracy did not exist any more - not a problem, but i thought i mention it.
3. c:\windows\system32\eliteowm32.exe does not exist. Probably the virus scanner catched it in the last windows session (he always catched several dialers when starting up the pc)
3. The folder prefetch was already completely empty.

So, everything looks fine here.

In normal mode, windows looks a lot better now. There are NO MORE popups. Problem fixed. Panda antivirus permanent protection does not catch any dialers or viruses when starting up windows. Problem fixed.

I used active scan from the panda hompepage, as told. It found 4 or 5 spyware items, and at least one virus. I am NOT able to save the report.

Why??
This is the problem that remained. When i start up windows, everything works fine the first few seconds. I can click to download files from the internet, for example hijackThis.exe or whatever. The dialogue that asks if the file should be opened or saved appears. I can click save, the dialogue that asks me where the file should be saved appers. I can save the file.
BUT: After a few seconds or minutes, when i try to download something, the first dialogue pops up. But, no matter wheter i click "save to disk" or "open", no further dialogues pop up, i can not open the file. The process hangs. The process must be forced to shut down. (i click the X in the upper right corner, the usual window pops up informing me that the process does not respond) I can no longer download files.
When i want to save the Panda Scan report, this error occurs. I click "save report", and i believe a window has to appear where to save the report. But, since the scan takes longer than a few seconds, the problem already kicks in: No save dialogue appears, the process hangs, it has to be forced to shut down.
Usually, at that moment, the windows task bar also freezes. I can no longer click the "start" button, the system clock hangs. I can still use open explorers, though.
Ctrl+alt+del will not show the running processes any more, the window does not show up after the problem occurs.
Trying to install SP2 makes the system crash completely.

I am sorry for my english, this is not my first language.


This is the hijack this log, after running Panda, before trying to install SP2:
(Is mousecrm.exe a mouse driver or is this not "clean"?)

-----------------------------------
-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:27:27, on 16.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Dokumente und Einstellungen\Gerd\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus

2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.micros...b?1123931199015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34CD470C-A739-413B-B18C-672DD370FCDE}: NameServer =

217.237.149.161 217.237.151.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14B849E-BA5C-484E-856B-55F86A6D7263}: NameServer =

192.168.122.252,192.168.122.253
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame

Dateien\AVM\de_serv.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe

(file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software -

C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programme\Panda

Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional -

C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner -

C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[tampabelle]

Hi Finsch,

DONT INSTALL SP2 YET !!!!!!! If you install it on a infected PC, it will create more problems !!!! I will tell you when to install it.

Second, infections also come in file names similar to windows file names. This enables them to hide from people not totally conversant with the way infections behave. There are some infections which infact use the same file names as Windows !!!! The file or item Mouse Cursor Monitor has nothing to do with your mouse !!!! So as you pointed out we need to fix it. We will fix it now.


Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - Mouse Cursor Monitor. Right click on it and then click on properties. In the Startup Type choose the option Disable. Close the window.


Delete the file - C:\WINDOWS\System32\mousecrm.exe

Run Hijack This. Click on config ---> Misc Tools ---> Delete an NT Service. Type in mousecrm and hit enter.

Reboot the PC.

Now try Panda scan again. I would like to see what is hiding on you PC.

[Finsch]

Okay, this is how it went:

1. Disabled Mouse Monitor in services.msc
2. Deletion not possible (or necessary?) - file did not exist
3. deleted the NT service with HJT - worked.
4. scanning with panda


-------------------------
result file: It is a bit hard to read. I also attached it.
Note: "nicht desinfiziert" means "not disinfected" - this applies to every item. Panda did not remove a thing.
-------------------------





Ereignis Zustand Standort

Spyware:spyware/istbar Nicht desinfiziert Windows-Registry
Adware:Adware/SurfAccuracy Nicht desinfiziert C:\Dokumente und Einstellungen\Gerd\Lokale Einstellungen\Temp\uninstall.exe
Adware:Adware/MediaTickets Nicht desinfiziert C:\Program Files\Media Gateway\MediaGateway.exe
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\856VGLEN\istbarcm[1].dll
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\856VGLEN\istsvc[1].exe
Adware:Adware/SideFind Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\856VGLEN\sfbho13[1].dll
Spyware:Spyware/BargainBuddy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\856VGLEN\webservice[1].htm
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\cmctl[1].dll
Spyware:Spyware/Dyfuca Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\optimize[1].exe
Spyware:Spyware/BargainBuddy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\package_MARKETING27[1].exe
Adware:Adware/PowerScan Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\power_remove[1].exe
Adware:Adware/SideFind Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\sidefind13[1].dll
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8PQZOH6F\sidefind[1].exe
Spyware:Spyware/BargainBuddy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\bb[1].exe
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\istrecover[1].exe
Spyware:Spyware/Dyfuca Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\nem220[1].dll
Adware:Adware/PowerScan Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\powerscan[1].exe
Adware:Adware/SurfAccuracy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\sacc_remove[1].exe
Adware:Adware/nCase Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\stubinstaller5041[1].ex_
Spyware:Spyware/BargainBuddy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CHEBCPAB\webservice[2].htm
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KL6J05E3\istdownload[1].exe
Adware:Adware/SurfAccuracy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KL6J05E3\SAcc[1].prod.11jui2005.exe.dd2bfdb316c9bf8d02d2419aba787f66
Spyware:Spyware/BargainBuddy Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KL6J05E3\webservice[2].htm
Spyware:Spyware/ISTbar Nicht desinfiziert C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KL6J05E3\xml_istbar[1].xml

Attached Files

•  Activescan.txt   7.77KB   65 downloads

[tampabelle]

Hi Finsch,


Delete the folder - C:\Program Files\Media Gateway.

You already have CleanUp downloaded.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

• Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• When CleanUp starts go to the Options button (right side of CleanUp screen)
• Move the arrow down to "Custom CleanUp!"
• Now place a checkmark next to the following (Make sure nothing else is checked!):
  • Delete Cookies
    This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
  • Empty Recycle Bins
  • Delete Prefetch files
  • Cleanup! All Users
• Click OK
• Then click on the CleanUp button. This will take a short while, let it do its thing.
• When asked to reboot system select No
• Close CleanUp

Finally, restart your computer back into Normal Mode and please post a new HJT log

[Finsch]

Okay, i did everything you said. HJT logfile:

-----------------------------------------
-----------------------------------------
edit: i also attached a new panda active scan scan report

-----------------------------------------
-----------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 14:14:25, on 20.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Dokumente und Einstellungen\Gerd\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123931199015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34CD470C-A739-413B-B18C-672DD370FCDE}: NameServer = 217.237.149.161 217.237.151.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14B849E-BA5C-484E-856B-55F86A6D7263}: NameServer = 192.168.122.252,192.168.122.253
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Attached Files

•  Activescan.txt   7.15KB   71 downloads

Edited by Finsch, 20 August 2005 - 07:08 AM.

[tampabelle]

Open Internet Explorer. Click on Tools ---> Internet Options.

Under the General tab, click on Delete Cookies and Delete Files.

Under the Advanced tab, look for security (right towards the end of the list of items). Check the box against the item - "Empty Temporary Internet Files folder when browser is closed".

Close Internet Explorer.

Download FxISTBar.exe and save it on your desktop.

Reboot the PC in Safe Mode (repeatedly tap the F8 kwey when the PC is starting up).

Run FxISTBar.exe and let it fix any itmes it finds.

Reboot the PC in Normal Mode.

Let me know if you any problems persist.

Edited by tampabelle, 20 August 2005 - 07:48 AM.

[tampabelle]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.