[Kat]

Gina...

I see you currently reading the post. I just NOW made a couple of changes, so please refresh your browser and make SURE you have the current instructions before you proceed!

[Advertisements]

Kat~

I just wanted to check really quick...when I go to log off, I only have the one name "gina" and not the administrator file. I've always used this one and didn't even realize there was a separate administrator option until I tried the safe mode stuff. So is this one ok?



Thanks!

[gmg]

Kat~

I just wanted to check really quick...when I go to log off, I only have the one name "gina" and not the administrator file. I've always used this one and didn't even realize there was a separate administrator option until I tried the safe mode stuff. So is this one ok?



Thanks!

[Kat]

Use your account, Gina. Since that's the only one you see..you ARE the Admin account!

[gmg]

Kat~

Ok, almost there! I ran vundo alright, though it didn't show the first line anywhere (02-BHO: MSEvents...) I also had to disable my nortons because it kept popping up warnings. I'm working on the pandascan, but it's not doing anything...I told it to scan my computer (should I have said the drives?) and it hasn't moved or done anything in five minutes...EDIT::: Nevermind, I guess it just needed a kick in the pants, now panda is moving!

so close!

Thanks!
gina

Edited by gmg, 06 September 2005 - 08:31 PM.

[Kat]

Gina...when you are finished with those instructions, I need you to do this:


Go to Start>Run and paste this line in there:

regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"


Then click "ok" A log called "safeboot.txt" will be saved in C:\safeboot.txt

Please zip this file using WInzip (or any zip program of your choice), and attach this zip file to an email, and mail it to [email protected]


This may give us a look into why you can't boot into Safe Mode!

[gmg]

So close...after about 15 mins of the panda scan (it was less than half done) my internet browser popped up a message saying an error had occured and needed to close so I lost the whole scan.

Should I try running it again? Should it also be taking that long?

Thanks all
Gina

[Kat]

Try running nothing but the Panda Scan. Close every other window, program, etc. Sometimes it may take awhile. I know it's frustrating, trust me. I started out in this business after getting my own computer severely b0rked two years ago!

[Kat]

Hey again Gina! Atri said to just forego the Panda scan if it's still giving you trouble. Just give us the copy of the Vundo log and a new HijackThis log and we'll go from there.

Don't forget to do the step to get that safeboot.txt and get it sent to Atri to look at!

[gmg]

Ok, thank goodness I have 2 computers in the house so I can let my laptop run thru and type on this one. It's about halfway thru and has found 2 viruses and 1 spyware. It has stopped at "F:" and popped up a window that says "Choose Profile" and in the box it says "Profile Name" and the suggested title of "outlook"

Now what?

[Kat]

Gina..let's go ahead and close out the Panda scan for now. We'll do a different scan in a bit. I need to see the Vundo log and a new HJT log please!

[gmg]

Alrighty then...the Panda still gave me a summary even though I cancelled, so here's that just in case.


Incident Status Location

Spyware:spyware/bargainbuddy No disinfected Windows Registry
Virus:Trj/Pakes.AV Disinfected C:\WINNT\system32\ddabb.dll
Virus:Trj/ShellHook.E Disinfected C:\WINNT\system32\ssqrs.dll


Here's Vundo

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 816 'smss.exe'
Threads [820][824][828]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1904 'explorer.exe'
Killing PID 1904 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 892 'winlogon.exe'
Killing PID 892 'winlogon.exe'
Killing PID 892 'winlogon.exe'
Could not delete file.
Files Deleted sucessfully.


And Hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:35:06 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\PROGRA~1\COMMON~1\AOL\110176~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110176~1\EE\AOLServiceHost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aolmail.aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101763676\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7J5BR9KW\CWShredder[1].exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE



Thanks!
Gina

[gmg]

And by the way, I have the safeboot txt but am ashamed to admit that I don't know how to zip it up...I can unzip...just not zip up I guess!

Thanks
Gina

[Kat]

No shame, Gina! I had to learn how to do it not long ago myself! I'm assuming you have WinZip! Here is instructions step by step to zip it up!

open winzip with the wizard mode. Click next and then click the button/circle that says "Create a new zip file" and click next. in that box, just type safemode and click next. In the big box area, click on the "Browse" button, and browse to where your safemode.txt is located (C:\..) Click "ok" then click "Zip now". The new zip will be saved in your "My Documents" folder. Attach that zip to an email and send it off to Atri! He'll let me know when he gets it and what we should do next, since I'm in the chat room with him!

[Kat]

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Now close all windows other than HiJackThis, then click Fix Checked. Reboot the computer.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Viewpoint
Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Viewpoint
Please delete these files using Windows Explorer(if present):

C:\WINNT\system32\ddabb.dll
After that, Reboot.

Post another HijackThis log here in a reply when done!

[gmg]

I don't think I have WinZip...or if I do, it's hiding somewhere. I'm pretty sure I've used it to open files before, but I ran a search and it's not appearing in my computer anywhere except in a cookie. Where would one usually find it?