A Virus has infected my PC - need help please

Started by lkenshin23, May 28, 2006, 05:33:37 AM


lkenshin23

I tried checking and removing O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINDOWS\Sc32Inch.exe (file missing) through HijackThis, but it just won't budge. It just won't be removed. It says in the previous log from Avenger that the file doesn't exist, but when I try to delete it using the NT service button in HJT config it says that I am using it. It's really, really fishy.

These are the current active services:  :)

WINDOWS AUDIO
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA)
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION
C:\WINDOWS\system32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION
C:\WINDOWS\system32\svchost.exe -k netsvcs

AUTOMATIC UPDATES
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

SYMANTEC PASSWORD VALIDATION SERVICE
"C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"

DNS CLIENT
C:\WINDOWS\System32\svchost.exe -k NetworkService

DVD-RAM_SERVICE
C:\WINDOWS\System32\DVDRAMSV.exe

EVENT LOG
C:\WINDOWS\system32\services.exe

PLUG AND PLAY
C:\WINDOWS\system32\services.exe

EWIDO SECURITY SUITE CONTROL
C:\Program Files\ewido anti-malware\ewidoctrl.exe

EWIDO SECURITY SUITE GUARD
C:\Program Files\ewido anti-malware\ewidoguard.exe

IPODSERVICE
C:\Program Files\iPod\bin\iPodService.exe

TCP/IP NETBIOS HELPER
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT
C:\WINDOWS\System32\svchost.exe -k LocalService

NORTON ANTIVIRUS AUTO PROTECT SERVICE
"C:\Program Files\Norton AntiVirus\navapsvc.exe"

NOD32 KERNEL SERVICE
C:\Program Files\Eset\nod32krn.exe

IPSEC SERVICES
C:\WINDOWS\System32\lsass.exe

PROTECTED STORAGE
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER
C:\WINDOWS\system32\lsass.exe

PREVX AGENT
"C:\Program Files\Prevx1\PXAgent.exe" -f

RETROSPECT EXPRESS HD LAUNCHER
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

REMOTE PROCEDURE CALL (RPC)
C:\WINDOWS\system32\svchost -k rpcss

SOUNDMAX AGENT SERVICE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

PRINT SPOOLER
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA)
C:\WINDOWS\System32\svchost.exe -k imgsvc

WINDOWS USER MODE DRIVER FRAMEWORK
C:\WINDOWS\System32\wdfmgr.exe

WMI PERFORMANCE ADAPTER
C:\WINDOWS\System32\wbem\wmiapsrv.exe

Corrine

Hi, lkenshin23.  We're double-teaming you and won't hesitate to bring in other team members either!

I have a few questions --

Are you logged on as Admin or as a regular user with limited permissions?
Have you tried removing in safe mode again or were you in normal mode?
Is the browser closed when attempting to remove with HijackThis?



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

SpyDie

Also, is Norton still alerting about remon.sys? (or anything else?)
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

lkenshin23

Are you logged on as Admin or as a regular user with limited permissions?
I tried it as both admin and regular user, but it just says the same thing. It says the program is running, so I can't delete it.



Have you tried removing in safe mode again or were you in normal mode?

Yep. Tried it in safe mode as both admin and regular user.

Is the browser closed when attempting to remove with HijackThis?

Yes. It is closed.

Is Norton still alerting about remon.sys? (or anything else?)
I haven't seen it recently; however, I'm still observing.

Corrine

Ok, let's try this. 

Please download Process Explorer:  http://www.sysinternals.com/Utilities/processexplorer.html (select "Download Process Explorer (x86 - 1.47 MB) - you plan on using Process Explorer on 32-bit NT/2K/XP/Server 2003"). 

Unzip to a folder of its own and click on procexp.exe to start Process Explorer.

  • Locate and highlight the demon service C:\WINDOWS\Sc32Inch.exe in the list under services.exe
  • With the Sc32Inch.exe entry highlighted, from the menu select Process > Properties
  • In the properties box, click threads and save a screen copy of that window with the Threads shown to include with your reply.
  • Click Cancel to close the Properties window
  • With only the Sc32Inch.exe entry selected (disregard the color coding), click Process Suspend and then Process Kill (del)
Scan with HijackThis and if the demon line appears, see if you can remove it this time.  Please post the screen copy of the "Threads" with the results of the HJT scan.




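The two steps above (find the process that owns the service, then get the service entry to go away) can be checked from the registry and the Service Control Manager directly. The script below is an added example and is not code from the thread or from HijackThis, Process Explorer or Avenger. It walks the same key HijackThis reads for its O23 lines, resolves each service's ImagePath the way the SCM does (quoted, unquoted with spaces, %SystemRoot%, \??\ and \SystemRoot\ prefixes), follows svchost-hosted services to their ServiceDll, and reports which binaries are actually present on disk alongside the live service state. It assumes a current Windows with PowerShell 5 or later in an elevated prompt; the service name Sc32Inch is used only because it is the one from the thread, and the `sc.exe` commands are the standard SCM tool, not anything specific to this case.

```powershell
# Added example (not from the thread). Audit every service/driver key under
# HKLM\SYSTEM\CurrentControlSet\Services and report entries whose binary
# (or svchost ServiceDll) is missing on disk, i.e. what HijackThis prints as
# "(file missing)" on an O23 line. Run elevated on PowerShell 5+.

function Resolve-ServiceBinary {
    # Turn a raw ImagePath value into the file the SCM would actually load.
    param([string]$ImagePath)
    $raw = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Kernel drivers use NT-namespace prefixes or paths relative to SystemRoot.
    $raw = $raw -replace '^\\\?\?\\', ''
    $raw = $raw -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $raw = $raw -replace '^System32\\', "$env:SystemRoot\System32\"
    # Quoted path: everything between the quotes is the binary.
    if ($raw -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path, possibly containing spaces and followed by arguments:
    # take the first prefix that exists on disk, which is also how the SCM
    # resolves it (the classic "unquoted service path" behaviour).
    $parts = $raw -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..$i] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        if (Test-Path -LiteralPath "$candidate.exe" -PathType Leaf) { return "$candidate.exe" }
    }
    return $parts[0]   # nothing resolved; report the bare first token
}

function Get-ServiceBinaryStatus {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }   # group keys, no binary
        $exe = Resolve-ServiceBinary $props.ImagePath

        # svchost-hosted services: the real code lives in Parameters\ServiceDll.
        $dll = $null
        if ($exe -match 'svchost\.exe$') {
            $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
            if ($params -and $params.ServiceDll) {
                $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            }
        }

        # Get-Service only knows Win32 services; drivers come back as $null here.
        $state = (Get-Service -Name $key.PSChildName -ErrorAction SilentlyContinue).Status

        [pscustomobject]@{
            Name         = $key.PSChildName
            DisplayName  = $props.DisplayName
            Start        = $props.Start          # 2 = Auto, 3 = Manual, 4 = Disabled
            State        = $state
            Binary       = $exe
            BinaryOnDisk = Test-Path -LiteralPath $exe -PathType Leaf
            ServiceDll   = $dll
            DllOnDisk    = $(if ($dll) { Test-Path -LiteralPath $dll -PathType Leaf } else { $null })
        }
    }
}

# Usage: show only what HijackThis would flag as "(file missing)".
Get-ServiceBinaryStatus |
    Where-Object { -not $_.BinaryOnDisk -or $_.DllOnDisk -eq $false } |
    Format-Table Name, State, Start, Binary, ServiceDll -AutoSize

# Removing an orphaned entry such as the thread's Sc32Inch, once the binary is
# confirmed gone and nothing depends on the service, uses the SCM directly:
#   sc.exe stop   Sc32Inch
#   sc.exe delete Sc32Inch
# "sc delete" only marks the entry for deletion; the key is removed when the
# service is stopped and every open handle to it is closed, which for a stuck
# entry usually means after a reboot. A tool that opens the service while it is
# in that pending state can report it as still in use even though the file is
# already missing.
```

The unquoted-path resolution is worth having even outside a cleanup: a service registered as `C:\Program Files\Vendor\agent.exe` without quotes is exactly the layout that lets a writable `C:\Program.exe` hijack it, so the same audit doubles as a privilege-escalation check.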

winchester73

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

lkenshin23

Hi guys,

Sorry I wasn't able to reply yesterday. I was really caught up with work. So, anyway, here is the progress.

I tried Corrine's suggestion and downloaded Process Explorer. I, however, couldn't find Sc32Inch.exe there. Here is an image of how it looked.



Now, after checking process explorer, I went and checked Winchester's link and manually fixed the registry keys affected. I think that fixed it. I hope.

Anyway, here is the new HJT log and I couldn't see Sc32Inch anymore.  :)

Logfile of HijackThis v1.99.1
Scan saved at 12:27:48 PM, on 6/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148951879136
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I'm just posting the log for you guys to see if there is any more problems. Thank you all for your help. I really appreciate it.  :)

winchester73

Seeing WgaLogon.dll in the O20 line (Windows Genuine Advantage), and noticing that you are running SP1 ...

When things are sorted out finally, please be sure to update to SP2.  Are you current in the other Windows updates?

Corrine

Many thanks for that link, Winchester73!  Looks like it did take the big guns after all.  ;)

How does it feel, lkenshin23, to know you're finally rid of that demon? 

Indeed, Winchester73 is correct about your needing to update to XP Service Pack 2.  In addition, IE also needs to be updated to SP2.  Without updating, your PC is highly vulnerable to another serious infection. 

So, before anything else happens, let's clear System Restore and create a fresh, clean restore point:

1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Repeat steps 1 through 6, except in step 4, uncheck Turn Off System Restore.

Then after you do this, please create a new restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore. On the next page that comes up you will have three choices; choose Create Restore Point. Then click Next and type in a description such as "after cleanup". Then choose Create, then Close.

After that, indeed, get SP2 installed for both your PC and Internet Explorer.

For additional information on protecting your PC, please see Tony Klein's "So how did I get infected in the first place?" for important tips on how to prevent future infections.  There is also a lot of helpful information in "Mitch's Good Stuff" linked from here.

Install and update both SpywareBlaster and SpywareGuard to prevent the installation of spyware and other potentially unwanted software:

SpywareBlaster -- http://www.javacoolsoftware.com/spywareblaster.html 
SpywareGuard --  http://www.javacoolsoftware.com/spywareguard.html 

If you use Internet Explorer, IE-Spyad will add thousands of sites into your IE restricted zone:  http://www.spywarewarrior.com/uiuc/resource.htm

Another useful program is StartupMonitor, which will warn you when something tries to sneak in:  http://www.mlin.net/StartupMonitor.shtml

Regards,


Corrine :rose:

 




winchester73

Are you running BOTH Norton and NOD32?

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe


Running processes:
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe

lkenshin23

Oh, sorry, I haven't checked this thread in a while...

Yep, I'm running both NOD32 and Norton on my PC :)

I'm trying to update to SP2 now, by the way, but there seems to be an error I still need to fix :)

winchester73

Why are you running two anti-virus applications at the same time?

Most of us would say that running two anti-virus products concurrently will cause operational issues, and would strongly advise you never to do this.

lkenshin23

oh really? I didn't know that. Thanks for telling me. I'll uninstall nod32 right away.  :)

Corrine

Actually, I believe NOD has an excellent reputation. 

If you continue to have problems installing SP2, this is a free service and toll-free call.  It is the Microsoft PCSafety help center. Tell them you had an infection because you can't get updates.

1-866-PCSAFETY
or
1-866-727-2338

This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

(For support outside the United States and Canada, please contact Microsoft Help and Support worldwide. Go to this page and choose your region from the box in the upper right corner:  http://support.microsoft.com/?pr=SecurityHome )


