Computer hijacked [RESOLVED]


This topic is locked

#1 xxlucienxx (Member, 40 posts)
It seems that my Anti-Virus program, AVG, has been under attack. I am getting these messages when my pc boots up:

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ext
Validation failed for C:\WINDOWS\system 32\VSINIT.dll. You are probably missing a necessary root certificate.

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ext
Validation failed for C:\WINDOWS\system 32\vsdata.dll. You are probably missing a necessary root certificate.

AVG Anti-Virus System
Could not initialize AVG Anti-Virus kernal interface. Application cannot run.


I am also getting a network cable is unplugged icon in the system tray, yet here I am. I have included below an ewido scan log and a HJT log.
Please help if you can.

thanks

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:11:50 AM, 12/30/2002
+ Report-Checksum: 7D2D4F8D

+ Scan result:

:mozilla.14:C:\Documents and Settings\Chris is God\Application Data\Mozilla\Firefox\Profiles\vkxkglme.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Chris is God\Cookies\chris is god@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup


::Report End


**************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 12:45:47 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103225621952
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
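The two reports quoted in the post above (a HijackThis v1.99 log and an ewido scan report) are plain text with a regular line shape, which makes them easy to parse for review. The following is an added example, not code from the thread or from either tool's vendor: it parses constructed sample input in the same shape (O-line entries and the running-process list from HijackThis; `path -> detection : action` lines from ewido) and then picks out heuristic detections on files under the Windows directory, which is exactly the kind of hit that turned out to be a false positive here and is worth submitting to the vendor before trusting the verdict. The names `parse_hjt`, `parse_ewido`, `review_candidates` and `restorable` are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of a HijackThis v1.99 log (illustrative paths, not
# the poster's log).
HJT_SAMPLE = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:45:47 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample in the shape of an ewido security suite scan report.
EWIDO_SAMPLE = r"""---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:11:50 AM, 12/30/2002
+ Report-Checksum: 7D2D4F8D

+ Scan result:

:mozilla.14:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup

::Report End
"""


@dataclass
class HjtEntry:
    section: str   # "O4", "O16", "O23", ...
    kind: str      # text between "<section> - " and the first colon, e.g. HKLM\..\Run
    detail: str    # the rest of the line (name, CLSID, path, ...)


@dataclass
class EwidoResult:
    path: str
    detection: str
    action: str


# "<section> - <kind>: <detail>"; the kind never contains a colon in this format.
HJT_LINE = re.compile(r"^([ORFN]\d+)\s+-\s+([^:]+):\s*(.*)$")
# "<path> -> <detection> : <action>"
EWIDO_LINE = re.compile(r"^(.*?) -> (\S+) : (.+)$")


def parse_hjt(text: str) -> Tuple[List[str], List[HjtEntry]]:
    """Return (running processes, O-line entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2).strip(), m.group(3)))
    return processes, entries


def entries_by_section(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    grouped: Dict[str, List[HjtEntry]] = {}
    for e in entries:
        grouped.setdefault(e.section, []).append(e)
    return grouped


def parse_ewido(text: str) -> List[EwidoResult]:
    """Return the scan-result lines of an ewido report as records."""
    return [EwidoResult(*m.groups())
            for m in (EWIDO_LINE.match(l.strip()) for l in text.splitlines()) if m]


def review_candidates(results: List[EwidoResult], system_dir: str = r"C:\WINDOWS") -> List[EwidoResult]:
    """Heuristic verdicts on files under the Windows directory: hold these for a second
    opinion (vendor submission) rather than accepting the deletion at face value."""
    return [r for r in results
            if r.detection.startswith("Heuristic.")
            and r.path.lower().startswith(system_dir.lower())]


def restorable(results: List[EwidoResult]) -> List[str]:
    """Paths that ewido cleaned with a backup, i.e. the ones that can be restored from Quarantine."""
    return [r.path for r in results if "backup" in r.action.lower()]


if __name__ == "__main__":
    procs, entries = parse_hjt(HJT_SAMPLE)
    print(f"{len(procs)} processes, sections: {sorted(entries_by_section(entries))}")
    for r in review_candidates(parse_ewido(EWIDO_SAMPLE)):
        print("needs review:", r.path, r.detection)
```

Running the block on the constructed samples flags only the `Heuristic.Win32.AVKiller` hit on `MRT.exe`; the cookie detection is signature-based and low-stakes, so it is left alone.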


#2 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
That Win32.Avkiller appears to be a false positive, I'd like to check it out.

Please do the following:

Open Ewido
Click Quarantine on the left side.
Look for the following items:

C:\WINDOWS\system32\MRT.exe

Click each one of the items above. When ONLY those items are highlighted, click Restore

A small window will open up. Click Restore on this one as well.

Once you have restored it Please zip the file up and email it to submit@atribune.org.

After I receive it, we will see what we can do about your programs not working.

#3 xxlucienxx (Topic Starter, Member, 40 posts)
I did what you asked and the file has been emailed to the address you provided.

#4 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Ok, as I thought, Ewido made a false detection on MRT.exe.

Please try redownloading both zonealarm and AVG.

Once they are downloaded Disconnect from the internet. Then go to add/remove programs and uninstall both AVG and Zone alarm.

After they are uninstalled, reboot your computer.

Once rebooted reinstall both programs. Then reconnect to the internet and update them.

Let me know how that works.

#5 xxlucienxx (Topic Starter, Member, 40 posts)
Installer initialization failed due to following error:
Undefined error: Initialization of the setup data file failed.
Opening of the setup data file "C:\Program Files\Grisoft\AVG Free\setup.dat" failed.
No such file or directory

I am not able to uninstall AVG, so I did not proceed with the rest of your instructions.

#6 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Try installing the new copy of avg over the old.

#7 xxlucienxx (Topic Starter, Member, 40 posts)
When I try to uninstall I get this error message:

Local machine: installed successfully
Installation:
Warning: Action failed for file avg7rsxp.sys: stopping service....
Service Avg7RsXP failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90130 ms.
Warning: Action failed for file avg7core.sys: stopping service....
The requested resource is in use. (170)


When I try to Install over the old AVG I get this message:

Local machine: installation failed
Installation:
Error: Action failed for file avg7dos.lng: creating file....
Changing language to 67698688 failed.
General failure.
Warning: Action failed for file avg7rsxp.sys: stopping service....
Service Avg7RsXP failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90130 ms.

#8 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Looking around the Grisoft site, they suggest for that error that you delete the C:\Program Files\Grisoft folder.

So let's delete it :tazz: After you delete it, try to reinstall.

#9 xxlucienxx (Topic Starter, Member, 40 posts)
Ok, I was finally able to reinstall both programs and they seem to be working fine now.
Also, I am not getting the error messages that I was at startup.
All of my issues seem to be resolved.
Thank you for the help!

#10 Atribune (HijackThis Expert, Visiting Consultant, MVP, 956 posts)
Great!! I'm glad to hear it.

#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.