TechSpot

Windows Media & Explorer Error After Trojan Clean-up

By marbles
Jul 20, 2007
  1. Hi

    I just had a virus problem and I followed the instructions on the link Viruses/Spyware/Malware, preliminary removal instructions, and now all the viruses and spyware have gone from my PC.

    But now whenever I try to open a media file the Windows Explorer error report screen comes back, and an error report screen for WMP comes up. I re-installed WMP v10 but it's still the same...

    I had the double-click Windows Explorer problem: when I double-clicked the C drive it would say cannot find 'romven' or something like that, can't remember...

    Can anyone help?
     
  2. bobby123

    bobby123 TS Rookie Posts: 336

    Post your logs.
     
  3. marbles

    marbles TS Rookie Topic Starter

    Aah, yeah, well I deleted them after the viruses and trojans were deleted and fixed, I didn't think I needed them any longer...

    Shall I post the HijackThis log?
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please post fresh HijackThis, ComboFix, and AVG Anti-Spyware logs as attachments into this thread. Also post the results of the AVG Anti-Rootkit scan.

    Regards :)

    This thread is for the use of marbles only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. marbles

    marbles TS Rookie Topic Starter

    This is the log file from HijackThis, will bring the rest up later:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:26 AM, on 7/21/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Paltalk Messenger\palstart.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackThis\HijackThis.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13FC4B22-9712-0C98-8750-6C5578D7293C} - C:\WINDOWS\System32\klgc.dll (file missing)
    O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
    O4 - HKUS\S-1-5-19\..\Run: [Microsoft Update] wumgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Microsoft Update] wumgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wumgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wumgrd.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c6.cab
    O16 - DPF: {4C82BFF1-4904-4DD9-9DD3-992D13442376} - http://www.qurancomplex.com/Downloads/fonts.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
    O20 - AppInit_DLLs:
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 6072 bytes
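Reading a HijackThis log by hand is error-prone, so here is an added Python example (not part of this thread and not HijackThis's own logic) that parses lines in the format posted above and marks the kinds of entries a helper would ask about: orphaned "(file missing)" entries, unnamed BHOs, autorun commands given without a full path, and O16 ActiveX downloads from a bare IP address or pointing at an .exe. The rules are this example's own triage heuristics; they flag entries for human review and do not prove anything is malicious.

```python
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13FC4B22-9712-0C98-8750-6C5578D7293C} - C:\WINDOWS\System32\klgc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wumgrd.exe (User 'SYSTEM')
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
"""

# Every HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def flag_entry(line):
    """Return review reasons for one HJT line (empty list: nothing stood out).
    Heuristics assumed by this example, not HijackThis's own logic; review only."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned entry)")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if section == "O4":
        # The autorun command follows "[Name] "; take its first token, unquoting it.
        cmd = body.split("] ", 1)[1] if "] " in body else body
        exe = cmd.strip().strip('"').split('"')[0].split(" ")[0]
        if "\\" not in exe and "/" not in exe:
            reasons.append("autorun command given without a full path")
    if section == "O16":
        # ActiveX (DPF) entry: the download URL is the last " - " field.
        url = body.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if IP_HOST_RE.match(host):
            reasons.append("ActiveX download from a bare IP address")
        if url.lower().endswith(".exe"):
            reasons.append("ActiveX entry points at an .exe rather than a .cab")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for every line that has at least one reason."""
    flagged = ((line, flag_entry(line)) for line in log_text.splitlines())
    return [(line, reasons) for line, reasons in flagged if reasons]
```

Running `triage(SAMPLE_LOG)` leaves the Java, avast! and Adobe entries unflagged and returns the other four with their reasons.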
     
  6. tomrca

    tomrca TS Rookie Posts: 1,000

    Please edit your post by removing the log. All logs are required to be posted as an attachment.
     
  7. tomrca

    tomrca TS Rookie Posts: 1,000

    There are many problems in your log. You must go to THIS LOCATION and follow all the instructions, after which post all the required logs as attachments. A pasted log will most likely be removed and ignored.
     
  8. marbles

    marbles TS Rookie Topic Starter

    Here's the attachment for the HijackThis log. I already followed the instructions in that link; the problems came about after I had done everything. I just need Explorer & WMP to work fine again...

    Thanks
     
  9. tomrca

    tomrca TS Rookie Posts: 1,000

    Hi marbles.
    Please post as requested by kitty500cat.
    In addition, you have not changed the name of 'hijackthis'. The instruction to do this is in the procedure. It is necessary to change the name of HJT because there are a couple of common bugs that hide from it under its original name. Suggestion: change to 'analysethis', then post a fresh HJT log with the logs that kitty500cat needs. It is important that all instructions must be followed in order to be successfully helped; shortcuts rarely work fully.
    You also need to update your service pack. Don't give up! By the way, welcome to TechSpot.
     
  10. almcneil

    almcneil TS Guru Posts: 1,277

    Although you run anti-malware utilities (anti-virus, anti-spyware, anti-rootkit), and they remove all the malware, there can still be residual corruption left behind. And the corruption can be more than just from the malware, these anti-malware utilities can sometimes cause corruption when removing the malware.

    What you need to do is run an XP repair installation. Although the error is reported as Windows Media Player, it may actually be deeper in the OS than that. That's why simply re-installing WMP doesn't solve the problem. There may be corruption elsewhere as well. The XP repair often is able to fix corruption but it's not a guarantee. Also, once the XP repair is done, you probably will have to re-install Windows Updates as they often get removed as part of the repair (that means you'll probably have to re-install WMP! ;) )
     
  11. bobby123

    bobby123 TS Rookie Posts: 336

    If you are with Dell, try the Dell recovery CD.
     
  12. marbles

    marbles TS Rookie Topic Starter

    Hi

    Thanks for the feedback guys, I appreciate the help; this is a pretty impressive board, great service!

    I changed the name of HijackThis to analyse.exe when I was following the instructions; after I had done it all I changed it back.

    Almcneil, thanks for the tip. Where can I get the XP repair installation file from? Do you have the link? Will check that out, hopefully that'll sort things out.

    Will post fresh logs, they just take a lot of time to do some of the scanning. Funny thing is, everything was going fine until I installed Avast Antivirus on my PC as I didn't have any AV software installed; that scanned some viruses and then it went haywire from there. Before that I didn't even know that I had viruses on my PC. Ignorance is bliss, eh?

    Attached is the log for ComboFix, will try and do the AVG Anti-virus & AVG Anti-root ones within 24 hours...
     
  13. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    There are nasties in your HJT and ComboFix logs.

    Please post the other logs/results as soon as possible.

    Regards :)
     
  14. marbles

    marbles TS Rookie Topic Starter

    Hi

    Here is the AVG Anti-Spyware log; the logs for ComboFix & HijackThis are in the previous posts. I tried AVG Anti-Rootkit and the results came back clear, no problems.

    I followed the instructions to remove Viruses/Spyware/Malware and followed all the steps...

    How do I run the XP repair installation process? Where can I get the file from? I need the link for that.

    I installed Avast Antivirus, is that the reason my computer's slowed down also? Shall I delete it? Please help...
     
  15. marbles

    marbles TS Rookie Topic Starter

    Erm, anyone?
     
  16. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    There is some pretty nasty stuff in your logfiles.

    Malware infections can lead to identity theft, loss of funds from bank accounts, misuse of credit card information, etc since they can send sensitive information from your computer to their creators. Please read this thread before deciding what course of action to take regarding your infection.

    Please let me know what you decide.

    Regards :)

    This thread is for the use of marbles only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  17. almcneil

    almcneil TS Guru Posts: 1,277

    Marbles, the XP repair installation feature is part of the XP installation CD. The process is almost identical to a regular XP installation except that the repair feature checks the current installation's system files against what's on the installation CD. Any files that are missing or corrupt are replaced with a new copy from the CD. The repair feature does not touch your personal files, settings or temporary files. It works most of the time in resolving system corruption.

    All you need is an XP installation CD and a product key. If XP came with your system, there should be a Microsoft Windows sticker on your chassis with a Product Key. Make sure the XP installation CD you use has the service pack that matches your current installation. That is, if you originally had SP1 but upgraded to SP2, make sure the XP CD is for SP2. I accidentally used a customer's XP CD that had SP1 while he had upgraded to SP2. Messed up his system WORSE!!

    Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

    Sorry, forgot to mention there are two ways to invoke the XP repair feature. One is from the Windows Desktop. You insert the CD and when the setup program starts, select "upgrade" and it will take over from there. Or, you can boot to the XP installation CD and select "install a new copy" (do NOT select repair using the Recovery Console). The next screen will then ask if you want to repair the current installation; press 'R'. Then it will take over.
     