joshstegall

Virus Removed, Still Can't Update Windows

I used Norton and resolved 1 virus. I still can't update virus definitions or Windows. Here is the log file. Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:35:29 PM, on 4/11/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\mrofinu1001186.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\rundll32.exe

C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\System32\wpabaln.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\NORTON~1\IWP\Aleupdat.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL78.tmp

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207935888402

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207948535999

O17 - HKLM\System\CCS\Services\Tcpip\..\{5502C19E-B634-45F7-A58E-30E35966212E}: NameServer = 166.102.165.11 166.102.165.13

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 4530 bytes


Still infected.

Next download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    (Vista users, please right click on OtScanIt.exe and select "Run as an Administrator")
  • Leave all the settings to the default except as noted below
    • Check the box for Scan all user accounts
    • Under Additional Scans sections, check the following
      • Reg - BotCheck
      • File - Additional Folder Scan

  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file

Since the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.


Malwarebytes did not find anything. I have attached the two requested. I will reply with the new HijackThis log in just a minute.


OTScanIt.Txt

mbam_log_4_12_2008__22_41_19_.txt


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:03:41 PM, on 4/12/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\System32\servupdate.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207971326210

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207972206296

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Windows Task Services (TASKMNGR) - Unknown owner - C:\WINDOWS\system\taskmngr.exe (file missing)

--

End of file - 2454 bytes
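The O4 (autostart) and O23 (service) lines are the part of a HijackThis log that shows what will run again after a reboot. The sketch below is an added example, not part of the original thread and not HijackThis's own logic: it parses a few entries copied from the two logs above and applies simple triage heuristics that are assumptions of this example (a Windows system file name outside system32, a target in a temp location, a target with no path, a service whose file is missing).

```python
import ntpath
import re

# Entries copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL78.tmp
O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O23 - Service: Windows Task Services (TASKMNGR) - Unknown owner - C:\WINDOWS\system\taskmngr.exe (file missing)
'''

# Assumption: a short list of Windows binaries whose real copy sits in system32.
SYSTEM32_NAMES = {"rundll32.exe", "svchost.exe", "services.exe",
                  "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")

def executable_of(cmd):
    """Return the program part of an autorun command, dropping arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.\w{3})(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]

def path_reasons(path):
    """Heuristic checks on where an autostart target lives (triage only)."""
    directory, base = ntpath.split(path.lower())
    reasons = []
    if not directory:
        reasons.append("no-path")
    elif base in SYSTEM32_NAMES and not directory.endswith("\\system32"):
        reasons.append("system-name-outside-system32")
    if "temp" in directory.split("\\") or base.endswith(".tmp"):
        reasons.append("temp-location")
    return reasons

def triage(log_text):
    """Return (entry name, target path, reasons) for entries worth a closer look."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            path = executable_of(m["cmd"])
            reasons = path_reasons(path)
        elif (m := O23_RE.match(line)):
            path = m["path"]
            reasons = (["file-missing"] if m["missing"] else []) + path_reasons(path)
        else:
            continue
        if reasons:
            flagged.append((m["name"], path, reasons))
    return flagged
```

A flag here only means the entry deserves a manual look; the msmsgs.exe entry passes because it is quoted, fully pathed and outside any temp directory.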


Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

 [Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> servupdate.exe -> %SystemRoot%\system32\servupdate.exe
[Win32 Services - Non-Microsoft Only]
YY -> (TASKMNGR) Windows Task Services [Win32_Own | Auto | Stopped] -> %SystemRoot%\system\taskmngr.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Windows USB Monitor -> %SystemRoot%\system32\servupdate.exe [servupdate.exe]
< RunServices [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
YY -> Windows USB Monitor -> %SystemRoot%\system32\servupdate.exe [servupdate.exe]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\System32\servupdate.exe -> C:\WINDOWS\system32\servupdate.exe [C:\WINDOWS\System32\servupdate.exe:*:Enabled:Windows USB Monitor]
[Files/Folders - Created Within 30 days]
NY -> av.exe -> %SystemRoot%\System32\av.exe
NY -> servupdate.exe -> %SystemRoot%\System32\servupdate.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 135 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
[Files/Folders - Modified Within 90 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> i -> %SystemRoot%\System32\i
NY -> servupdate.exe -> %SystemRoot%\System32\servupdate.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-IMRJR.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-IMRJR.tmp\_isetup\*.tmp
NY -> 1 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-LV4V0.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-LV4V0.tmp\_isetup\*.tmp
NY -> 12 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. Your run will take a few minutes because I'm zipping up some files for submission.

When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

If it reboots this may not happen. You need to manually find the file. It is at Desktop\OTScanIt\MovedFiles4112008_163441.log or whatever yours is named (Date/Time you ran the fix)

In your case there will also be a 04112008_163441.ZIP there also. Please upload this zip file to HERE then continue with the following.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

  • Click on the Start Scanning button at bottom of page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.

Please post

  • OTscan it "results" log (described above)
  • F-Secure log
  • Fresh OtScanIt log made after F-secure

in your next reply here


I am having a hard time making it through the F-Secure scan without it shutting down. I made it 2 hours in last time. Is there any way that I could get rid of it by deleting the entire hard drive? I have already installed Windows several times and that did not do anything. I am not worried about file loss though, if there are any other possibilities. Thanks so much for all of your help thus far!
