I'm running Windows Vista and neither my CA antivirus software nor my SpySweeper software will turn on or allow me to do a sweep. I was using an internet based scanner to scan my system but then my computer froze and after about 5 minutes and a couple of CTRL ALT DEL's later I got back to the login screen with a message that said security error and again my comp was frozen. Any help would be greatly appreciated. Oh and one more thing... I'm not sure if this could be related, but after browsing my files I found a suspicious folder labeled Acceleration Software that seems to contain a bunch of random files and some mock anti-virus software. I tried to delete it but was told I needed permission... So I tried to change the permissions and was told I wasn't able to... So I tried to change the owner and once again, you guessed it, wasn't able to... HELP ME!!!

Go here and read post 1 and do the steps in post 2.
Once we see the logs we will know more.

Whew... Ok here's what I found...
Questionable Programs: MSXML Parser MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB941833) and something called XFire
Another thing: when SpySweeper tries to start up upon login I get an error message that says "Could not locate valid definitions file. Please go to the Program Options page and click "Update Definitions" to download a definitions file." I did this and nothing happened...
The Super Anti-Spyware software you guys told me to download ran until about 15,000 files, then it just kept going through the same files over and over until I stopped the scan around 17,000 files...
And lastly when I try to run the Online Scanner you recommended I got another error message that said something like "Cannot initialize... Administrative rights required."
And here are the logs you requested....
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/23/2008 at 09:09 PM
Application Version : 3.9.1008
Core Rules Database Version : 3386
Trace Rules Database Version: 1380
Scan type : Complete Scan
Total Scan Time : 00:25:37
Memory items scanned : 584
Memory threats detected : 0
Registry items scanned : 6028
Registry threats detected : 0
File items scanned : 17306
File threats detected : 0
This is the Dr. Webb log...
popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Deleted.;
TRAINER.EXE;C:\Documents and Settings\William\Downloads\clses3mt;Trojan.PWS.Banker.3099;Deleted.;
Uninstall Fun Web Products.dll;C:\Program Files;Adware.MWS.origin;Incurable.Deleted.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:45 PM, on 1/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [MSCONFIG] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O13 - Gopher Prefix:
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.paltalk.com/wcloader_prod/wcloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CCProvSP - TODO: - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ccprovsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
-- End of file - 7478 bytes
And that's that... thanks for all the help guys, you guys rock

Quote
MSXML Parser MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) - Microsoft XML Core Services (MSXML) MSXML 4.0 SP2 (KB941833) and something called XFire - http://www.xfire.com/
Do you have administrative rights on the computer or is it a limited account?
I don't see any malware in the log but there is an entry to fix with HJT.
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
Close all windows except for HijackThis and click Fix checked.
Exit HijackThis.
---------------
When running antispyware/antivirus programs or updates on Vista you have to run it as an Administrator.
Right-click the program icon or file that you want to open, and then click Run as administrator.
Click here >> More Information on Administrator Accounts
Let me know if this helps.

It's an administrative log on so I assume I should have all the rights to run whatever I want, but it's very possible that I could be wrong. I do have another question though: could the Trojan that Dr. Webb found and apparently removed be causing my anti-virus software not to turn on?

Could the Trojan that Dr. Webb found and apparently removed be causing my anti-virus software not to turn on?
Possible but I don't think so.
Have you tried to update the programs by right clicking them and selecting Run As Administrator?
I would like to run another scan to determine where we are at. It will take a while to run so please be patient.
Run CCleaner before you start it.
Use the Kaspersky Online Scanner
- Click Accept.
- Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Click OK & have it scan My Computer
When the scan is done, in the Scan is complete window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
- Click on: Save Report As... (above - red blinking arrow)
- Next, in the Save as prompt, Save in area, select: Desktop.
- In the File name area, use KScan, or something similar.
- In Save as type: click the drop arrow and select: Text file [*.txt]
- Then, click: Save
Please add the Kaspersky Online Scanner Report in your next post.
---------------
Next post add Kaspersky log
To answer your question, no, it doesn't seem to matter whether or not I run the program as an administrator or regularly, it behaves the same way regardless... and the link for the new scan you want me to do won't load for some reason...

Have you tried running these programs in safe mode to see if they will a) Run or b) Complete the scan?
I fixed the link for Kaspersky, sorry about that.

No, I haven't tried it in safe mode, but I will after I run the scanner you suggested in the previous post...

I tried to post the Kaspersky Report but it won't let me because it's too long... It didn't find anything, but it skipped quite a few files because they were "locked"... If you want the report we'll have to find a different way for you to get it... And do you think I should still run the scans in safe mode and if so which scans should be run?
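
The HijackThis log posted in this thread records ActiveX controls downloaded through the browser as `O16 - DPF` entries, one of which the helper asked to have fixed. As an added example (not part of any post and not HijackThis's own code), this Python code splits such a log into entries, including one that a paste has flattened onto a single line, and lists the O16 entries whose download host is outside an allowlist; `TRUSTED_DOMAINS` and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: five entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# Hypothetical allowlist chosen for this example; a reviewer supplies their own.
TRUSTED_DOMAINS = {"bitdefender.com"}

# An entry starts with a section code such as R0, F2, O4 or O16 followed by " - ".
ENTRY_START = re.compile(r"\s+(?=[RFNO]\d{1,2} - )")
ENTRY = re.compile(r"([RFNO]\d{1,2}) - (.*)", re.S)
# O16 body: DPF: {CLSID} (optional control name) - codebase URL or local path
DPF = re.compile(r"DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (.+)")


def parse_entries(text):
    """Split a log into (code, body) pairs, even if a paste flattened it onto one line."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append((m.group(1), " ".join(m.group(2).split())))
    return entries


def review_dpf(entries, trusted_domains):
    """Return O16 entries whose control was downloaded from a host outside trusted_domains."""
    flagged = []
    for code, body in entries:
        m = DPF.match(body) if code == "O16" else None
        if not m:
            continue
        clsid, name, source = m.groups()
        if not source.lower().startswith(("http://", "https://")):
            continue  # local file path, no remote codebase to check
        host = urlparse(source).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            flagged.append({"clsid": clsid, "name": name, "host": host})
    return flagged


if __name__ == "__main__":
    for hit in review_dpf(parse_entries(SAMPLE_LOG), TRUSTED_DOMAINS):
        print(hit)
```

With the sample allowlist, the only entry reported is the `funwebproducts` control that the helper's post selects for fixing.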