I'm a firm believer that once you contract a virus on your computer, you can never be absolutely sure it's gone until you format the machine.
It may appear to be gone, or it could be lying dormant, in a file, waiting to be run again.
Or it may be running, but you can't see it.
Or it may cause Internet Explorer to quit working.
What error messages do you get when you launch IE?
IE defaults to Google....
Message is: Website cannot be found.
Here is the log file from "HiJackThis"
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:59 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
I:\Program Files\HP\hpcoretech\hpcmpmgr.exe
I:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
I:\WINDOWS\system32\hphmon05.exe
I:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
I:\Program Files\MSN Messenger\MsnMsgr.Exe
I:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
I:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\HPZipm12.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\system32\xvyu5i4c.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - I:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] I:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] I:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "I:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] I:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "I:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "I:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [dlmMgr] "I:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "I:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Update Page Content - I:\Program Files\MSN\MSNIA\CC\MSNCCWA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - I:\Program Files\MSN\MSNIA\CC\MSNCCWA\getoriginal.htm
O8 - Extra context menu item: View Original Image - I:\Program Files\MSN\MSNIA\CC\MSNCCWA\getoriginal.htm
O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'i:\program files\common files\is3\anti-spyware\is3lsp.dll' missing
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink.....nkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - I:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcp.....ysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: karna.dat
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - I:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - I:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - I:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (file missing)
--
End of file - 6839 bytes
Hi Terry - Not good news, the logfile is still showing signs of nasties.
Check out this entry:
O10 - Broken Internet access because of LSP provider 'i:\program files\common files\is3\anti-spyware\is3lsp.dll' missing
This is the cause of the broken internet connection... please try this free repair tool first:
http://www.cexx.org/lspfix.htm
I hope that works for you, but I would be suggesting to your friend that he backs up all his data... I reckon a format and fresh install is on the cards.
[quote="CarbonTerry"]
Here is the log file from "HiJackThis"
Running processes:
[color=#FF0000]I:\WINDOWS\system32\xvyu5i4c.exe[/color]
[color=#FF0000]O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'i:\program files\common files\is3\anti-spyware\is3lsp.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: karna.dat[/color]
--
End of file - 6839 bytes[/quote]
These are the entries that concern me. The toolbars are probably nothing to worry about and there are a few that I would need to check on, but xvyu5i4c.exe, karna.dat, and nwprovau.dll (which can be a Windows file if you are actually using NetWare) are more than likely your problems.
I know that it seems moot at the moment, but when they say an ounce of prevention is worth a pound of cure it really is true. Several years ago spyware would drop a file on your computer and display popups. Delete the file and fix the infection. Today's spyware is MUCH more advanced. Almost any infection (today) does its thing, but also installs other spyware.
Kind of like if a burglar broke into your house and went through your things to get what he wanted. Then he would pick up his cell phone and call all of his criminal friends and invite them to your house. In turn, they do the same. Lather, rinse, repeat.
Of course we haven't even scanned for rootkits at this point, so there are probably a few of those hiding.
I would recommend copying his personal files off to a flash drive or external HD. Reinstalling the OS and all updates. Installing one good antivirus program (ESET). Scanning the files on the flash or external drive and reinstalling his software. When everything is scanned, updated, and installed make a backup using True Image so he doesn't get to this point again.
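The reply above picks its suspects by a few recurring rules: a random-looking executable in a Windows system directory, an AppInit_DLLs value, unknown or missing Winsock LSPs, and entries that point at files that no longer exist. As an added example (not code from this thread, from HijackThis or from any of the posters), the Python script below applies those rules to a HijackThis log and ranks what it finds. The sample lines are copied from the log posted above with the path separators restored; the severity labels, the `triage`/`summarize` function names and the random-name heuristic are my own assumptions, and the heuristic only nominates candidates for a publisher or hash check, it does not prove anything is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread (separators restored) so the script runs offline.
SAMPLE_LOG = r"""
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\xvyu5i4c.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'i:\program files\common files\is3\anti-spyware\is3lsp.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: karna.dat
O23 - Service: STOPzilla Service (szserver) - Unknown owner - I:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own labels, not HijackThis output)
    entry: str     # the log line that produced the finding
    reason: str


ENTRY_RE = re.compile(r"^[RFONA]\d+ - ")            # R1, O4, O10 ... section entries
O4_CMD_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")  # command after the [name]
# Heuristic for machine-generated names such as xvyu5i4c: 6-12 lowercase
# letters/digits with at least one of each. It also catches some legitimate
# vendor files, so it only nominates candidates for a hash/publisher check.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}")


def looks_random(path):
    """True if the base name (without extension) matches RANDOM_NAME_RE."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return RANDOM_NAME_RE.fullmatch(stem) is not None


def first_token(command):
    """Executable part of an O4 command: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(log_text):
    """Apply the thread's rules of thumb to a HijackThis log and return findings."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False   # first Rx/Ox entry ends the process list
        low = line.lower()
        if in_processes:
            if "\\windows\\" in low and looks_random(line):
                findings.append(Finding("high", line,
                    "random-looking executable name in a Windows directory; verify publisher and hash"))
            continue
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding("low", line,
                "points at a file that no longer exists; orphaned entry, safe to remove"))
        elif low.startswith("o20 - appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(Finding("high", line,
                "AppInit_DLLs is loaded into every process that uses user32.dll; "
                "a bare file name is resolved from the system directory"))
        elif low.startswith("o10 - broken internet access"):
            findings.append(Finding("high", line,
                "a missing LSP breaks the Winsock provider chain, matching the 'website cannot "
                "be found' symptom; repair the chain (e.g. LSPFix) rather than just deleting the DLL"))
        elif low.startswith("o10 - "):
            findings.append(Finding("medium", line,
                "unknown Winsock LSP; confirm the DLL belongs to installed software before removing it"))
        else:
            m = O4_CMD_RE.match(line)
            if m and "\\" not in first_token(m.group(1)):
                findings.append(Finding("medium", line,
                    "autorun command has no directory, so Windows resolves it by search path; "
                    "confirm where the file actually lives"))
    return findings


def summarize(findings):
    """Count findings per severity; always returns all three keys."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "low")}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print(summarize(results))
```

Run against the sample, the three high findings are exactly the three the reply singles out (xvyu5i4c.exe, karna.dat and the missing LSP), the bare `ALCXMNTR.EXE` autorun and the unknown `nwprovau.dll` LSP land at medium for manual confirmation, and the `(no file)`/`(file missing)` entries are reported as cleanup items only. Feed a full log in through `triage(open(path).read())`; the rules are deliberately conservative so that a legitimate, fully-pathed autorun such as the Avira entry produces no finding.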
What else is connected to this PC that causes the default drive to be 'I'? Not being the 'C' drive can cause all sorts of problems with updates, etc. I have struck this before with inbuilt card readers: they take the first drive allocations and leave the boot drive to become 'I'. This has caused some people a lot of problems when they load an application which expects the default boot drive to be 'C'. I have fixed it by disconnecting the internal card reader, reinstalling Windows XP and then reconnecting the card readers. Card readers are connected by internal USB on the motherboard.
Success is the ability to go from one failure to another with no loss of enthusiasm. (Winston Churchill)