hmmmm

Distinguished
Sep 15, 2009
NOTE posted on another thread, no replies..
Note I ran ALL THE ANTIVIRUS and NONE picked up on this one; a net search found many had the same result. I suspect this thing is bigger than reported as it takes you offline.. it got by two of my AVs, Avast and Comodo.. NOW installed via CD "Hijack This" to get reports, so can send any HT reports asked for, will cut and paste it to disc, and get it on this machine (from closet is a 1998 win98 tiny HD, memory 300HTz processor.). As infected PC is down, will NOT go online as blocked. SO CANNOT DOWNLOAD TO INFECTED MACHINE. Details follow
REPEAT MESSAGE
Sep 5 I think I got a virus from an email marked as Urgent, from an old friend so I opened it. I THINK that was the source as it had an odd canned message about "virus warning"; deleted, but it seems not in time. Then got two more of the same so probably was the source; days later got another one on "not an issue" etc from another person that was on the email list, seems still going on. I told them to remove my name/email until they cleared it up and to NOT reply to my message.
End result of virus.
SERIOUS: It shut down PC to DSL Ethernet card to DSL router as internet connection is fine. When I try to go online first get message "MS Installing SCAN" and it proceeds as if in normal install mode. Noted on WR 2.2 (What's Running) this "Install" starts via MS install and IDs itself as msiexec.exe and is an exact copy of msiexec.exe. Install looks like it uses msi to mask itself, as an install it runs down to the point it asks for a CD.. WHEN I "Cancel" the install, it simply restarts itself and even does it after using task manager to "end task". NOTE when starting in safe mode, it will flash as an attempt to run, but will not go. Safe mode with networking will NOT connect, in the same manner as "normal" will not..

My internet connection is via a 4 hookup DSL router, the other two PCs on it work fine. This is an old 1998 PC, win98 and not a lot of HD/memory/etc. I pulled the other one off the DSL to prevent spread as this one is networked to it, a back up if all else fails I kept handy; this PC is on the same DSL router, DSL HW is not an issue. Infected PC will ping OK. Now left with virus may be after TCP or such. DO NOT know how to test TCP etc, but did reinstall new Ethernet card config. Have heard where this can set up a "hidden" address or such but have NO idea of what that is or how to check it out, as supposedly can conflict TCP or router? Ideas there? But not core issue as it would not start "install" when I try to go online.

NOTE infected PC CANNOT get "connected" but all www/emails/etc are DNS "cannot find server". Tried everything so far, virus scans AVAST COMODO were there, they will NOT find it.. manually cleaned "Trojans-hijacker-tracking etc" from registry active x, ran malware and avg via CD made off the other machine. Ran a regedit listing of backdoor etc I got off www sites, it found a few issues but virus still there.

ANY ideas, "format" is not an option. Do NOT recommend any "run virus scan from ////" as PC will NOT go online, all has to be from CD that copies off the other PC, OK? NOTE when I run "WR2.2" (What's Running SW) I can see the thing come through msiexec.exe as a sub routine. Something starts msi and uses a copy to mask itself.. as the "msi" I see as subroutine from msi (legit) is an exact copy; shut it down and whatever runs under it goes away, for a time. It seems to have a timer as it goes more destructive and after 1-2 hours goes into a shut down/restart loop.. When in "SAFE" I can see "install" flash on but it is shut off or not allowed to start..
IDEAS, as I've spent ONE week trying about all I can find.. HELP
 

hmmmm

Distinguished
Sep 15, 2009

[COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - HKLM\..\Run: [Ptipbmf] ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWW\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWW\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWW\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWW\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120588118453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182319196500
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2254DC17-320D-4BE8-8AE7-E6D1E7803DA0}: NameServer = 64.53.83.131,206.74.254.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{686A7617-1904-4285-971F-FC910D59CF47}: NameServer = 64.53.83.131,206.74.254.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F820688-4EA8-44BE-B8E0-990772E312D5}: NameServer = 64.53.83.131,206.74.254.2
O20 - AppInit_DLLs: C:\WINDOWW\system32\guard32.dll
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWW\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: plasservice (ZeppelinService) - Unknown owner - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.mozilla.org/images/body_back.gif

--
End of file - 6640 bytes
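A small triage helper for the HijackThis log above, as an added example that is not part of the thread: it pulls out the O17 NameServer entries (the "hidden address" the first post asks about is the DNS resolvers written into the TCP/IP interface keys), the O20 AppInit_DLLs entry and any O23 service whose binary is missing, and compares the resolvers against a set of expected ones that the analyst supplies. The sample lines are copied from the posted log; the expected resolver set and the helper's names are assumptions, not anything from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: these four lines are copied from the HijackThis log
# posted in the thread (raw strings keep the backslashes literal).
SAMPLE_LOG = "\n".join([
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2254DC17-320D-4BE8-8AE7-E6D1E7803DA0}: NameServer = 64.53.83.131,206.74.254.2",
    r"O20 - AppInit_DLLs: C:\WINDOWW\system32\guard32.dll",
    r"O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe",
    r"O23 - Service: plasservice (ZeppelinService) - Unknown owner - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe (file missing)",
])

# O17: DNS servers written into the TCP/IP interface keys. A resolver the
# router/ISP never handed out is the first thing to check when every site
# returns "cannot find server" while ping to the router still works.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
# O20: DLLs loaded into every user-mode process via AppInit_DLLs. Security
# suites use this hook too, so match each entry to an installed product.
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.+)$")
# O23: services; "(file missing)" marks a service whose binary is gone.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

@dataclass
class Findings:
    unexpected_dns: set = field(default_factory=set)
    appinit_dlls: list = field(default_factory=list)
    missing_services: list = field(default_factory=list)

def triage(log_text, expected_dns):
    """Scan HijackThis-format lines; expected_dns is the set of resolvers the
    analyst knows the router hands out (an assumption supplied by the caller)."""
    found = Findings()
    for line in log_text.splitlines():
        if m := O17_RE.match(line):
            found.unexpected_dns.update(
                ip for ip in m.group("servers").split(",") if ip not in expected_dns)
        elif m := O20_RE.match(line):
            found.appinit_dlls.append(m.group("dll").strip())
        elif (m := O23_RE.match(line)) and m.group("missing"):
            found.missing_services.append(m.group("name"))
    return found

if __name__ == "__main__":
    # Assumed router resolver for the demo; replace with the real ones.
    print(triage(SAMPLE_LOG, expected_dns={"192.168.1.1"}))
```

Run it against the full log saved from the infected machine; an entry in unexpected_dns only means the address should be verified against the router's DHCP settings, not that it is malicious.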
 

Mister_M@sk

Distinguished
Sep 16, 2009
Hi,

Your report is not complete, but it's not important.

■ Please do not run other tools or scans.
■ Copy and paste all logs requested in your reply and follow the instructions exactly.
■ If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.

# 1 - Search Infections



Download Random's System Information Tool (RSIT) by random/random and save it on your Desktop.

■ Execute RSIT.exe to start RSIT.
■ Click on Continue at the Disclaimer screen and leave the values at default.
■ If the tool HijackThis is not present or not detected, RSIT downloads it; you must accept the license.
■ When the analysis is finished, two reports pop up.

Please paste only Log.txt

NB: Reports are saved in: C:\rsit\

Please, in your next reply, post:
■ Log.txt