amvo.exe

Thread: amvo.exe

  1. #1
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75

    amvo.exe

    Well, I am here again

    Since I can boot my friend's computer, I have seen what he got. Is this thing amvo.exe

    I get this message at start up

    Amvo.exe Application Error

    The instruction at "10014201" referenced memory at "0x000000ff" the memory could not be read

    Every time I try to open IE, a little yellow triangle shows up in a tiny browser with an OK button. I click on it, then IE opens up. He uses Norton Internet Security.

    I did a search on amvo but only found one thread from Jan last year, I could not understand it very well. Any help?

  2. #2
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    it's a net nasty

    What search terms were you using? Anyway, it sounds like Norton is neutered. Boot to safe mode and try to get to an online scanner like housecall.trendmicro.com
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    Thanks NooNoo.
    I was already running HJT and Spybot S&D when I posted this thread. That amvo got installed in spite of NIS running. I have finished running HJT, S&D and Combofix. HJT found that amvo thing, as did S&D, but after running it again amvo was still there. After that I ran Combofix. Then S&D is asking me to allow some registry changes, which I did, but there seems to be no end to all those changes I am being asked to allow.
    I could not post the Combofix log 'cause it was 50k characters. I am wondering if I should just restart in safe mode without finishing allowing all those changes.

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    It depends what was creating those changes... Had Combofix finished before these changes were requested? If so, it's putting itself back and should be denied. If not, Combofix is changing the registry. Did you turn off System Restore?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  5. #5
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    Combofix finished the scan and THEN S&D started asking permissions. I allowed a great many of them. I think system restore is turned on. I don't know where to disable it. What I am fixing to do is disable S&D, restart in safe mode and run combofix again. It can't do no more harm, can it?

  6. #6
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    Uhoh!
    I think I do not know what I am doing!
    I ran Combofix in safe mode; after that the desktop went blank, or should I say black: there were no items in it whatsoever. I rebooted it from the Start button to normal mode and disabled S&D resident. Ran HJT, and here is the log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:52:18 PM, on 1/7/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

  7. #7
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    Part II

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3279] command.com /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9243] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6881] command.com /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5291] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8915] command.com /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6638] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4676] command.com /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5899] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4703] command.com /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4496] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9932] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7187] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5906] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5725] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7553] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5645] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9315] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8952] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8499] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD16] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3148] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7963] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7194] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7206] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1985] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2457] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4574] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9329] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9520] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8497] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4010] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6406] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4653] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2987] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1717] command.com /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9929] cmd.exe /c del "C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9669] command.com /c del "C:\WINDOWS\system32\amvo0.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7014] cmd.exe /c del "C:\WINDOWS\system32\amvo0.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB394] command.com /c del "C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9077] cmd.exe /c del "C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3247] command.com /c del "C:\Program Files\Internet Explorer\msimg32.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2307] cmd.exe /c del "C:\Program Files\Internet Explorer\msimg32.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8654] command.com /c del "C:\WINDOWS\system32\amvo.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3015] cmd.exe /c del "C:\WINDOWS\system32\amvo.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7054] command.com /c del "C:\WINDOWS\system32\amvo0.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4074] cmd.exe /c del "C:\WINDOWS\system32\amvo0.dll"
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

  8. #8
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    Part III

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 16302 bytes

  9. #9
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    You have MyWebSearch in there, so I'm assuming you may have Vundo or the Antivirus 2009 variant. You said that Combofix crashed the computer, though. I could suggest using Malwarebytes, found at www.malwarebytes.org, and installing that in safe mode and running it in safe mode to get this process started. After that, try running Combofix again and see if you get farther.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  10. #10
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    It looks as if you ran Hijack This before rebooting to allow Spybot to remove all of those files marked 'spybot deleting'.
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

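The point in post #10, as an added example that is not part of the original thread: each `SpybotDeleting*` value under `HKCU\..\RunOnce` is a deferred `del` command that only runs at the next logon, so a log taken before that still lists files the cleaner has already queued. The sample lines are copied from the log posted above; the function names are this example's own.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8654] command.com /c del "C:\WINDOWS\system32\amvo.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3015] cmd.exe /c del "C:\WINDOWS\system32\amvo.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7054] command.com /c del "C:\WINDOWS\system32\amvo0.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4074] cmd.exe /c del "C:\WINDOWS\system32\amvo0.dll"
'''

# "O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# The deferred delete command Spybot writes: ... /c del "<path>"
DEL_RE = re.compile(r'/c del "(?P<path>[^"]+)"', re.IGNORECASE)


def parse_autoruns(log):
    """Return one dict per O4 registry autorun line (Run, RunOnce, ...)."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def pending_deletes(log):
    """Map each file queued for deletion to the SpybotDeleting* values naming it."""
    queued = {}
    for e in parse_autoruns(log):
        if e['key'] != 'RunOnce' or not e['name'].startswith('SpybotDeleting'):
            continue
        m = DEL_RE.search(e['cmd'])
        if m:
            # Windows paths are case-insensitive, so normalise before grouping.
            queued.setdefault(m.group('path').lower(), []).append(e['name'])
    return queued


def reboot_needed(log):
    """True when queued deletions exist, i.e. the log predates the cleanup."""
    return bool(pending_deletes(log))


def still_autostarting(log):
    """Names of persistent Run values whose command references a queued file."""
    queued = pending_deletes(log)
    return [
        e['name'] for e in parse_autoruns(log)
        if e['key'] == 'Run' and any(p in e['cmd'].lower() for p in queued)
    ]


if __name__ == '__main__':
    for path, names in pending_deletes(SAMPLE_LOG).items():
        print(f'queued for deletion at next logon: {path} ({len(names)} entries)')
    print('reboot before re-scanning:', reboot_needed(SAMPLE_LOG))
    print('Run entries still pointing at queued files:', still_autostarting(SAMPLE_LOG))
```

An empty result from `still_autostarting` on a log like this one means no persistent `Run` value launches the queued files, so the remaining step is the reboot that lets the deletions execute, followed by a fresh scan.
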
  11. #11
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    I am not sure killing the hard drive is the best solution. My boss loves this idea, and in reality 90% of all infections can be removed with the correct tools and procedures. I would only fall on this as a last ditch effort because everything else failed.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  12. #12
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    I, and I'm sure most of the users would agree, would rather fight for a couple of hours with an infection than have to do a reinstall then rebuild my whole computer setup for the next week or two as I try to remember what I use and where the programs are. Not to mention configuring the settings exactly to how we like them again. We'll let them choose which they prefer.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  13. #13
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    martin-737, you really and truly need to disable System Protection/Tea Timer in your Spybot S&D configuration. Using it will cause you no end of grief, heartache and frustration. Trust me, it's a major flaw in an otherwise outstanding piece of software. You can disable Tea Timer by running MSCONFIG, or you can switch Spybot into Advanced mode, expand the Tools tree, click Resident and then deselect Tea Timer. After you've done one of these, reboot, and Tea Timer should be gone.

    Once you've confirmed that Tea Timer is disabled, reboot into Safe Mode and run Combofix once more. If it appears to complete without either returning you to your desktop or rebooting the system, just be patient and wait a bit. If there is no drive activity or change in the screen display (I'm assuming you would be looking at a solid black screen in this case) press CTRL-ALT-DEL to open Task Manager, click the Applications tab, click the New Task Button, then type explorer.exe in the Open box and hit OK. At this point, you ought to be back to the desktop, and you should run Combofix again, immediately, without rebooting.

    This time, you should see the desktop after Combofix completes, or the system should reboot. In either case, Combofix should generate a logfile, and after you close it out, you should be looking at your normal desktop. You will need to reboot to return to standard mode if Combofix doesn't perform a reboot. Then, I'd run a follow up scan with Spybot S&D, and probably an online scan with Eset's scanner and you should be good to go.

  14. #14
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    And turn off System Restore! Right-click My Computer, Properties, System Restore, check the box and apply. OK the message saying it will delete previous restore points.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  15. #15
    Registered User
    Join Date
    Nov 2006
    Location
    Houston
    Posts
    75
    That is very important advice, slgrieb, and thanks for all that info, y'all.
    I realized that issue with S&D, so after the clean up I disabled it and after that I ran Combofix again. Everything seems OK. No more amvo.exe notices at start up, but still that darn little IE browser with a yellow triangle and the OK button opens up every time I open a new IE. It won't connect to the Internet until I hit the "OK" button, then the tiny little browser closes and IE gets connected to the home page. At first I thought IE could have been corrupted, so I downloaded and installed IE7, but when I ran it, alas, there was that darn triangle again. It does not happen with Netscape. I'll probably have time to do the second part of your advice, slgrieb. Unfortunately, I don't do this for a living and I have to wait for my times off to work on this. I'll keep y'all informed.
