Virus Removed, Still Cant Update Windows

[joshstegall]

I used Norton and resolved 1 virus. I still cant update virus definitions or windows. Here is the log file. Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:35:29 PM, on 4/11/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\mrofinu1001186.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\rundll32.exe

C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\System32\wpabaln.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\NORTON~1\IWP\Aleupdat.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL78.tmp

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

O4 - HKCU\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Driver] C:\WINDOWS\rundll32.exe (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207935888402

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207948535999

O17 - HKLM\System\CCS\Services\Tcpip\..\{5502C19E-B634-45F7-A58E-30E35966212E}: NameServer = 166.102.165.11 166.102.165.13

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 4530 bytes

[jwbirdsong]

Still infected.

Next download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
  

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close any open browsers.
  
• If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  (Vista users, please right click on OtScanIt.exe and select "Run as an Administrator")
  
• Leave all the setting to the default except as noted below
  • Check the box for Scan all user accounts
    
  • Under Additional Scans sections, check the following
    • Reg - BotCheck
      
    • File - Additional Folder Scan
      

  [*]Now click the Run Scan button on the toolbar.

  [*]The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Save that notepad file

Since the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.

[joshstegall]

Walwarebytes did not find anything. I have attatched the two requested. I will reply with the new hijackthis log in just a minute.

Still infected.

Next download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
  

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close any open browsers.
  
• If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  (Vista users, please right click on OtScanIt.exe and select "Run as an Administrator")
  
• Leave all the setting to the default except as noted below
  • Check the box for Scan all user accounts
    
  • Under Additional Scans sections, check the following
    • Reg - BotCheck
      
    • File - Additional Folder Scan
      

  [*]Now click the Run Scan button on the toolbar.

  [*]The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Save that notepad file

Since the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.

OTScanIt.Txt

mbam_log_4_12_2008__22_41_19_.txt

[joshstegall]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:03:41 PM, on 4/12/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\System32\servupdate.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207971326210

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207972206296

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Windows Task Services (TASKMNGR) - Unknown owner - C:\WINDOWS\system\taskmngr.exe (file missing)

--

End of file - 2454 bytes

[jwbirdsong]

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

 [Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> servupdate.exe -> %SystemRoot%\system32\servupdate.exe
[Win32 Services - Non-Microsoft Only]
YY -> (TASKMNGR) Windows Task Services [Win32_Own | Auto | Stopped] -> %SystemRoot%\system\taskmngr.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Windows USB Monitor -> %SystemRoot%\system32\servupdate.exe [servupdate.exe]
< RunServices [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
YY -> Windows USB Monitor -> %SystemRoot%\system32\servupdate.exe [servupdate.exe]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\System32\servupdate.exe -> C:\WINDOWS\system32\servupdate.exe [C:\WINDOWS\System32\servupdate.exe:*:Enabled:Windows USB Monitor]
[Files/Folders - Created Within 30 days]
NY -> av.exe -> %SystemRoot%\System32\av.exe
NY -> servupdate.exe -> %SystemRoot%\System32\servupdate.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 135 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
[Files/Folders - Modified Within 90 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> i -> %SystemRoot%\System32\i
NY -> servupdate.exe -> %SystemRoot%\System32\servupdate.exe
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-IMRJR.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-IMRJR.tmp\_isetup\*.tmp
NY -> 1 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-LV4V0.tmp\_isetup\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\is-LV4V0.tmp\_isetup\*.tmp
NY -> 12 C:\Documents and Settings\Josh Stegall\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Josh Stegall\Local Settings\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. You run will take a few minutes because I'm zipping up some files for submition.

When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

If it reboots this may not happen. You need to manually find the file. it is at Desktop\OTScanIt\MovedFiles4112008_163441.log or what ever yours is named(Date/Time you ran the fix)

In your case there will also be a 04112008_163441.ZIP there also. Please upload this zip file to HERE then continue with the following.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Click on the Start Scanning button at bottom of page.
  
• Accept the License Agreement and the ActiveX install.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.
  

Please post

• OTscan it "results" log (described above)
  
• F-Secure log
  
• Fresh OtScanIt log made after F-secure
  

in your next reply here

[joshstegall]

I am having a hard time making it through the e-secure scan without it shutting down. I made it 2 hours in last time. Is there anyway that I could get rid of if by deleting the entire hard drive. I have already installed windows several times and that did not do anything. I am not worried about file loss though, if there are any other possibilities. Thanks so much for all of your help thus far!