Jump to content


Photo

Constant problems + New ones


  • Please log in to reply
3 replies to this topic

#1 Suppin

Suppin

    Member

  • New Member
  • Pip
  • 2 posts

Posted 06 July 2004 - 02:26 AM

I've been having a bunch of problems, which seems to never end. For starters, my younger brother and his friends like to use my computer for their "cheat sheet" on every video game. They browse and click on everything on the internet which causes me to have horrible problems every day. I've been trying to fix this for weeks, but it will never stay away.

I have read the FAQ, and I have updated both SpyBot, and Ad-Aware.

After the last scan through both of them, I ran HiJackThis and created a log.

I also have Norton, after updating that also I have found it said 174 files "at-risk"?

Basically i'm at a loss for words, I cannot get rid of this, and it keeps coming back.


Logfile of HijackThis v1.98.0
Scan saved at 2:21:00 AM, on 7/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\mcamgr.exe
C:\WINDOWS\System32\WINVLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Brian Giglio\Desktop\ggg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fiendsgui...orums/index.php?
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Autostart Config] WINVLORE.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [Autostart Config] WINVLORE.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {F8B53C17-E393-42B0-8AEB-B01F0CFD107A} (IdmInstaller Class) - http://www.topicks.c...til/Topicks.cab

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 July 2004 - 04:56 AM

Hi,
First thing to do is ...

Posted Image Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Next:

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O4 - HKLM\..\Run: [Autostart Config] WINVLORE.EXE
O4 - HKCU\..\RunOnce: [Autostart Config] WINVLORE.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {F8B53C17-E393-42B0-8AEB-B01F0CFD107A} (IdmInstaller Class) - http://www.topicks.c...til/Topicks.cab


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\mcamgr.exe <--this file
C:\WINDOWS\System32\WINVLORE.EXE <--this file

Restart normally and then ...

Posted ImageImportant! Your system is severly out of date!
Visit Posted Image Windows Update and install all the "Critical Updates"

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 Suppin

Suppin

    Member

  • New Member
  • Pip
  • 2 posts

Posted 06 July 2004 - 04:40 PM

Updated everything from windowsupdate, and I am using Firefox now.

Scanned files, deleted the others in safe mode, and all that.

I just ran norton and it found 28 files at risk, they were malware, and I don't know how to get rid of them, BUT this is my updated log.

Logfile of HijackThis v1.98.0
Scan saved at 4:36:11 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Brian Giglio\Desktop\ggg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fiendsgui...orums/index.php?
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\mcamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Autostart Config] WINVLORE.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll



WINVLORE.EXE is still there, what is it?

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 July 2004 - 05:18 PM

Hi,
First thing to do ...

Update Ad-aware's Reference File:
Please update the reference file following the instructions Posted Image here

Required Step: Posted Image Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\mcamgr.exe
O4 - HKLM\..\Run: [Autostart Config] WINVLORE.EXE


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\mcamgr.exe <--this file
C:\WINDOWS\System32\WINVLORE.EXE <--this file

While still in Safe Mode, run Ad-Aware and then NAV (see below)

How To: Configure Norton AntiVirus to scan all files

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button