
NAV, IE and OE malfunction: looking for the culprit

Discussion in 'Virus & Other Malware Removal' started by timjhl, Jul 31, 2005.

Thread Status:
Not open for further replies.
  1. timjhl

    timjhl Thread Starter

    Joined:
    Jul 31, 2005
    Messages:
    2
    Hi everyone,

    I'm having some strange problems with a Windows XP computer. I suspect some kind of virus/malware program/..., but am unable to find what it is.

    The symptoms
    • Norton AntiVirus cannot be started and is disabled at startup
    • Internet Explorer can be started normally, but it's not possible to reach any site at all. No error occurs, the blank page just doesn't change (about:blank is set as the home page)
    • Outlook Express can be started normally, but when trying to use it (i.e. checking for mail) it stops responding

    When this was the case, I stopped all stoppable services with the standard task manager. After killing all instances of svchost.exe (7 on one count), I wait for Windows to pop up saying it has to reboot because the RPC service failed. I then abort the shutdown. The Windows XP look is gone after this and we're back to a more basic GUI, like the Windows 2000 one. The number of colors dropped as well.
    Now, we've got a lot more functionality:
    • Internet Explorer works again, full Internet access
    • OE still doesn't seem to work right, however
    • Norton AntiVirus can be started
      • auto-update is disabled and cannot be enabled
      • e-mail scan is disabled and cannot be enabled
      • live update does not work

    What I've tried
    • creating a new hosts file
    • disabling Windows XP's protection of critical files
    • Running the updated version of Spybot's Search & Destroy
    • Running the updated version of Lavasoft's Ad-Aware
    • Norton AV on-line virus scan
    • Trend Micro's Housecall (virus scan and spyware/... detection)

    S&D and Ad-Aware found some items on the first run, but afterward they didn't find anything anymore. The virus scanners didn't find anything either.

    It could just be a NAV problem, since the NAV knowledge base suggested removing and installing live update. It didn't make a difference, so the next step was to remove and install NAV again. Removing went fine (after killing off all services and starting the Windows Installer service, otherwise the install doesn't want to run), but I haven't been able to install it again. I couldn't get the installer to run...

    Afterwards, I ran HijackThis with the following results:
    Logfile of HijackThis v1.99.1
    Scan saved at 18:28:03, on 31/07/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\PROGRA~1\SYMNET~1\SNDMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
    C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPBPRO.EXE
    C:\Documents and Settings\Eddy\Bureaublad\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
    O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    I didn't see anything abnormal there, but I haven't got a clue what I'm looking for either...

    If anyone has an idea what the problem could be, I would be very grateful.


    Thanks,
    Tim
     
  2. VanillaFro

    VanillaFro

    Joined:
    Aug 5, 2005
    Messages:
    1
  3. timjhl

    timjhl Thread Starter

    Joined:
    Jul 31, 2005
    Messages:
    2
    Thanks a lot! The problem's solved, everything is working like we want it to.

    Phew, thanks for the tip, it would have taken me some time to come up with that...


    Cheers,
    Tim
     

Short URL to this thread: https://techguy.org/386150
