Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected!!!

Unread postby lorenr » December 28th, 2005, 9:50 pm

Help!! Don't know what this is but it's really messed up my computer.
Here's my Hijackthis log Logfile of HijackThis v1.99.1
Scan saved at 8:13:54 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\sachostx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\sachostc.exe
C:\WINDOWS\system32\sachosts.exe
C:\Documents and Settings\user\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\user\cnmss3m.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... Button.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

file:
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm
Advertisement
Register to Remove

Unread postby jwbirdsong » December 29th, 2005, 7:52 am

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Please temporarily disable MSAS by doing the following:
It may interfere with the fix.

  • Open Microsoft AntiSpyware.
  • Click on Options -> Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Restart your computer.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware

Make sure the settings are changed back when we are done.

Click HERE to download Atri's ATF Cleaner (Atri'sTempFile)..Download to your desktop
More info on this tool HERE

Please run HijackThis and click "Scan." Place checks next to the following entries:

  • F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
  • F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
  • O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
  • O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
  • O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll

Close all browser and other windows except for HijackThis, and click "Fix Checked".


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Next, delete the following folders (if they exist):

C:\WINDOWS\inet20001\

Also, delete the following files (if they exist):

C:\WINDOWS\SYSTEM32\msupdate32.dll
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\sachostx.exe

Run the ATFcleaner you downloaded earlier>check Select All>Click Empty Selected>OK>Close it

Restart your computer and run this online virus scan: ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.


Reboot and rerun HijackThis. Please post a new HijackThis log in a reply to this thread.
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Instructions Question

Unread postby lorenr » December 29th, 2005, 10:04 pm

How do I find the folder "C:\WINDOWS\inet20001\" and the other 3 files I am to delete and how do I delete them?
Thanks,
Lorenr
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

One other Question

Unread postby lorenr » December 29th, 2005, 10:08 pm

Can I access the Internet while my computer is in Safe Mode?
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Re: Instructions Question

Unread postby jwbirdsong » December 30th, 2005, 3:05 am

lorenr wrote:How do I find the folder "C:\WINDOWS\inet20001" and the other 3 files I am to delete and how do I delete them?
Thanks,
Lorenr


Just open Windows Explorer aned browse to the location.. Start at My computer> Open your C: Drive>Double click Windows (folder).> Look for inet20001i n the list of folder on the right> Once found; RIGHT click it and choose Delete.. Browse to the other file locations in a similar manner.

If you are still having problems, we'll attack then another way.

NO you can not access the internet in safe mode.
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

More Questions

Unread postby lorenr » December 30th, 2005, 7:24 pm

I did not find the folder or the files mentioned above in the safe mode.
I could not run the ATF cleaner in the safe mode as there was no icon for it and I did not see it in the programs. The icon does appear when I do a normal start up. Am I doing something wrong?
Thanks!!!
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby jwbirdsong » December 30th, 2005, 7:36 pm

sounds like maybe when you boot to safe mode you are logging into a different profile......that would explain why the desktop item is not present....
Would also maybe explain why you can't see the files..if you set YOUR profile to view hidden files and are logging into another; hidden files may not be viable...boot to safe mode and follow the steps again for hidden files

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

See if you are able to find any then....
Just run ATF in normal mode; that should be fine also.
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

New Problem

Unread postby lorenr » December 31st, 2005, 1:07 am

I found out what I was doing wrong, thanks to you. I was logging on in safe mode as the administrator instead of my normal log on. I still could not find the WINDOWS\inet20001\ file, but did find thesachostx.exe file and deleted that.
Now, when I try to run ActiveScan on Panda, I keep getting an error message from them that there was an error in downloading and to shut down and try again. I've done this numerous times and keep getting the same message. I did use their scan about 5 or 6 weeks ago with no problem.
I am posting the HJT log I just ran in safe mode before trying to run ActiveScan.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:33 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.516\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F3 - REG:win.ini: load=???
?
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... Button.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please let me know what else I must do.
Thanks, Thanks, Thanks Again for all of your help!!!!
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby jwbirdsong » December 31st, 2005, 1:40 am

Copy everything inside the quote box below (starting with REGEDIT4) and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as fix.reg on your desktop. (you must type in the WHOLE name fix.reg)

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9a9307a0-7da4-4daf-b042-5009f29e09e1}]

Double-click fix.reg A window will open and ask if oyu want to merge into the registry..say yes..then you will get a confirmation that it was merged.

After a reboot you should be able to run Panda now.

Also after you have finished rebooting

This line
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
indicates you may have some entries stopped at startup..Please go to Start>Run>type "msconfig" (no quote)>Enter>check box for Normal Startup>Apply>Close. do NOT reboot and run a new HijackThis log for me please.

Looks good so far tho... :P
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Nothing works

Unread postby lorenr » December 31st, 2005, 4:05 pm

OK, I've tried all the above, still can't run Panda. This is the error message I get.
"An error has occurred in downloading Panda ActivScan. Please repeat the process. If the error occurs again, restart your system and try again.
(I've done this)
Possible causes of this error are:
Not allowing the application's Active X control to be downloaded.
Problems with the internet connection.
The error could be due to a download error or an installation error due to lack of hard disk space, priveleges, etc."
My internet connection is fine and disk space is not a problem. I also went to Trend Micro's HouseCall and had the same problem.
What now. This is really getting me down :x . Not you folks, believe me I think you guys are great. :)
Thanks again!!
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby jwbirdsong » December 31st, 2005, 8:17 pm

Open I.E.>Click Tools>Internet Options>Security>Click the Internet (Globe) icon>Click the button Default Level> OK>Now clickCustom Level buttton>Look for Active X section>Set Download signed Active X controls to Enable (for now)>Set Run Active X controls and scripts to Enable.>OK and Apply your way out. My guess is you can run it now...Also make sure to look for a thin yellow bar appearing in the top of you IE windows with instructions about Active X...May or may not appear.


If all else fails (I don' it think it will) run this JAVA based Housecall scan
http://uk.trendmicro-europe.com/enterpr ... launch.php
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Infected - continued

Unread postby lorenr » January 1st, 2006, 3:01 pm

Ok, that worked.:D I've attached the results of the scans (My Computer and Local Disks) and the new HJT log. Was there supposed to be a fix for the ActiveScan?
Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 1:53:40 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust

Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.547\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.rr.com/flash/index.cfm
F3 - REG:win.ini: load=???
?
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ

Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe"

/server /startmonitor /deaf
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common

Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust

Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia

Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ

Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ

Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: TREND MICRO HouseCall -

{2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} -

http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file

missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration

Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility

Class) -

http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftup ... ient/muweb

_site.cab?1124244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2005 ... com/housec

all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) -

http://de.trendmicro-europe.com/file_do ... seCallButt

on.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -

https://www-secure.symantec.com/techsup ... veData.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program

Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -

Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ

Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My Computer ActiveScan Results:
Incident Status Location

Adware:adware/adsmart Not disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/psguard Not disinfected C:\WINDOWS\warnhp.html
Adware:adware/delta Not disinfected Windows Registry
Virus:Trj/Downloader.GYS Not disinfected C:\WINDOWS\csvhost.exe
Virus:Trj/Agent.AZX Not disinfected C:\WINDOWS\system\ctldlg32.dll
Local Disks ActiveScan results:
Incident Status Location

Virus:Trj/Downloader.GYS Not disinfected C:\WINDOWS\csvhost.exe
Virus:Trj/Agent.AZX Not disinfected C:\WINDOWS\system\ctldlg32.dll
Adware:adware/adsmart Not disinfected C:\WINDOWS\system32\vx.tll
Adware:adware/psguard Not disinfected C:\WINDOWS\warnhp.html
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby jwbirdsong » January 5th, 2006, 9:53 pm

I got a notice yesterday that this had slipped by me and I SWEAR I posted last night here..but it has not shown up so I am so very sorry.

As so much time has passed would you please post a current HijackThis log so we can work with current information.

Again; I am truly you have went unhelped so long; it was an over site on my part; no more/no less.
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Good to hear from you JW

Unread postby lorenr » January 5th, 2006, 10:41 pm

:D That's OK, we all have our moments. Here is my HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:40 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.265\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... Button.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

I forgot to mention

Unread postby lorenr » January 5th, 2006, 10:43 pm

I'm not getting an email stating that you have replied like I was before. I think my email is screwed up too.
Thanks,
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware