Spyaxe damage control - Microsoft Money 2002

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

DawnHartsell

Thread Starter
Joined
Jan 3, 2006
Messages
11
I have Windows XP; after getting Spyaxe a few days ago, I've been able to fix almost all the problems except for three

One: Microsoft Money 2002 won't open for me. The Windows Installer begins and says "preparing to install" then "gathering information to begin configuring" and then "need CD". I only have the 2001 CD. I can't find my 2002 CD-ROM. I found a way to open Microsoft Money by opening the upgrade icon in the Microsoft Money "Systems" folder in my program files. But the Windows Installer window keeps popping up again and again and again while Money slowly opens up. Is there any way to fix this without going out and buying a new Money 2002 CD?

Two: The little Windows Update Icon on my bottom bar keeps flashing and showing that stupid "infected" bubble. I can't seem to get rid of it except by hiding it.

Three: I've installed Norton symantec Antivirus to deal with the Spyaxe problem. But every time a quickscan runs, it detects the same two issues over and over again: "Trojan.Zlob" and "Trojan.Zlob.D" and no matter whether I clean the infected file or delete it, the quickscan reads "unknown action" next to the files after the action is complete and they appear again and again. The file names read "nvctrl.exe" and "mssearchnet.exe".

What do I need to give you to help me with these three problems? I've never done a hijackthis thingy that I've read on other threads. Can you walk me through sending that to you if necessary?

Thanks,
Little Dawn
 

DawnHartsell

Thread Starter
Joined
Jan 3, 2006
Messages
11
Here is my HTL:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:06 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.churchrez.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I've not previously seen spyaxe or any of the smitfraud trojans damage or attack M$ money before BUT !!!


Download smitRem.exe

or HERE and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

then

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:

    • [*]Sweep Memory
      [*]Sweep Registry
      [*]Sweep Cookies
      [*]Sweep All User Accounts
      [*]Enable Direct Disk Sweeping
      [*]Sweep Contents of Compressed Files
      [*]Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Post the contents of smitfiles.txt and the a new HJT log and the spysweeper report .
Let us know if any problems persist.
 

DawnHartsell

Thread Starter
Joined
Jan 3, 2006
Messages
11
Derek,

Thanks for your response. I did all as you instructed. I will coipy the smitfiles.txt, new HJT log and the spysweeper report below. In attempting to open Microsoft Money 2002, the Windows Installer still starts and the result is: "Error 1706 No valid source could be found for product Microsoft Money 2002. The Windows Installer cannot continue"

Smitfiles.txt

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 01/03/2006
The current time is: 12:00:40.54

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

wbeconm.dll
1024 dir
msvol.tlb
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 908 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Now here's the sweeper session log:

********
12:26 PM: | Start of Session, Tuesday, January 03, 2006 |
12:26 PM: Spy Sweeper started
12:26 PM: Sweep initiated using definitions version 595
12:26 PM: Starting Memory Sweep
12:37 PM: Memory Sweep Complete, Elapsed Time: 00:10:49
12:37 PM: Starting Registry Sweep
12:37 PM: Found Trojan Horse: antivirus gold
12:37 PM: HKCR\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103594)
12:37 PM: HKLM\software\classes\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103633)
12:38 PM: Found Adware: spyaxe
12:38 PM: HKCR\appid\spyaxe.exe\ (1 subtraces) (ID = 1005587)
12:38 PM: HKCR\typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}\ (9 subtraces) (ID = 1005758)
12:38 PM: HKLM\software\classes\appid\spyaxe.exe\ (1 subtraces) (ID = 1005850)
12:38 PM: HKLM\software\classes\typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}\ (9 subtraces) (ID = 1006052)
12:38 PM: Registry Sweep Complete, Elapsed Time:00:01:05
12:38 PM: Starting Cookie Sweep
12:38 PM: Found Spy Cookie: 2o7.net cookie
12:38 PM: church of the [email protected][2].txt (ID = 1957)
12:38 PM: Found Spy Cookie: adknowledge cookie
12:38 PM: church of the [email protected][2].txt (ID = 2072)
12:38 PM: Found Spy Cookie: pointroll cookie
12:38 PM: church of the [email protected][2].txt (ID = 3148)
12:38 PM: Found Spy Cookie: advertising cookie
12:38 PM: church of the [email protected][1].txt (ID = 2175)
12:38 PM: Found Spy Cookie: atlas dmt cookie
12:38 PM: church of the [email protected][2].txt (ID = 2253)
12:38 PM: Found Spy Cookie: burstnet cookie
12:38 PM: church of the [email protected][2].txt (ID = 2336)
12:38 PM: Found Spy Cookie: centrport net cookie
12:38 PM: church of the [email protected][2].txt (ID = 2374)
12:38 PM: Found Spy Cookie: clickbank cookie
12:38 PM: church of the [email protected][1].txt (ID = 2398)
12:38 PM: Found Spy Cookie: overture cookie
12:38 PM: church of the [email protected][1].txt (ID = 3106)
12:38 PM: Found Spy Cookie: dealtime cookie
12:38 PM: church of the [email protected][2].txt (ID = 2505)
12:38 PM: Found Spy Cookie: ru4 cookie
12:38 PM: church of the [email protected][1].txt (ID = 3269)
12:38 PM: Found Spy Cookie: fastclick cookie
12:38 PM: church of the [email protected][2].txt (ID = 2651)
12:38 PM: church of the [email protected][2].txt (ID = 1958)
12:38 PM: church of the [email protected][1].txt (ID = 1958)
12:38 PM: church of the [email protected][2].txt (ID = 3105)
12:38 PM: church of the [email protected][1].txt (ID = 3106)
12:38 PM: Found Spy Cookie: server.iad.liveperson cookie
12:38 PM: church of the [email protected][1].txt (ID = 3341)
12:38 PM: Found Spy Cookie: serving-sys cookie
12:38 PM: church of the [email protected][2].txt (ID = 3343)
12:38 PM: Found Spy Cookie: spyaxe cookie
12:38 PM: church of the [email protected][1].txt (ID = 6110)
12:38 PM: church of the [email protected][1].txt (ID = 2506)
12:38 PM: Found Spy Cookie: statcounter cookie
12:38 PM: church of the [email protected][1].txt (ID = 3447)
12:38 PM: Found Spy Cookie: webtrendslive cookie
12:38 PM: church of the [email protected][1].txt (ID = 3667)
12:38 PM: Found Spy Cookie: tracking cookie
12:38 PM: church of the [email protected][1].txt (ID = 3571)
12:38 PM: Found Spy Cookie: trb.com cookie
12:38 PM: church of the [email protected][1].txt (ID = 3587)
12:38 PM: church of the [email protected][1].txt (ID = 1958)
12:38 PM: Found Spy Cookie: burstbeacon cookie
12:38 PM: church of the [email protected][2].txt (ID = 2335)
12:38 PM: Found Spy Cookie: myaffiliateprogram.com cookie
12:38 PM: church of the [email protected][1].txt (ID = 3032)
12:38 PM: Found Spy Cookie: yadro cookie
12:38 PM: church of the [email protected][1].txt (ID = 3743)
12:38 PM: Found Spy Cookie: adserver cookie
12:38 PM: church of the [email protected][1].txt (ID = 2142)
12:38 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
12:38 PM: Starting File Sweep
12:40 PM: e3009252-403d-4fe3-b95e-b61c37 (ID = 217736)
12:41 PM: 9c970e74-3862-4e38-a9c2-e0a6d5 (ID = 217736)
12:41 PM: a0035115.exe (ID = 217736)
12:42 PM: 75db7ec4-bc49-4a12-a8b8-556053 (ID = 217736)
12:42 PM: b05b79ed-fb5e-4fce-afb5-2add38 (ID = 217736)
12:49 PM: a0035760.exe (ID = 217736)
1:01 PM: a0034979.exe (ID = 217736)
1:23 PM: Found Trojan Horse: trojan-downloader-zlob
1:23 PM: a0035770.dll (ID = 216906)
1:25 PM: 1048b60b-c139-4247-8a08-47adce (ID = 217736)
1:28 PM: a0035765.lnk (ID = 204550)
1:28 PM: a0035600.lnk (ID = 204550)
1:28 PM: 9a05166d-80e4-4a9c-b1f8-f44d5b (ID = 204550)
1:28 PM: cf23b816-4dcc-4212-a085-79e31c (ID = 204550)
1:28 PM: 411a18c6-45f4-4385-b58e-10a013 (ID = 204550)
1:28 PM: b6a78c75-0448-4ecc-b0e9-e3031c (ID = 204550)
1:28 PM: a0035110.lnk (ID = 204550)
1:28 PM: ab2b03d6-39d3-4fcf-8435-f99b7d (ID = 204550)
1:29 PM: File Sweep Complete, Elapsed Time: 00:51:11
1:29 PM: Full Sweep has completed. Elapsed time 01:03:32
1:29 PM: Traces Found: 74
1:30 PM: Removal process initiated
1:30 PM: Quarantining All Traces: trojan-downloader-zlob
1:30 PM: Quarantining All Traces: antivirus gold
1:31 PM: Quarantining All Traces: spyaxe
1:31 PM: Quarantining All Traces: 2o7.net cookie
1:31 PM: Quarantining All Traces: adknowledge cookie
1:31 PM: Quarantining All Traces: adserver cookie
1:31 PM: Quarantining All Traces: advertising cookie
1:31 PM: Quarantining All Traces: atlas dmt cookie
1:31 PM: Quarantining All Traces: burstbeacon cookie
1:31 PM: Quarantining All Traces: burstnet cookie
1:31 PM: Quarantining All Traces: centrport net cookie
1:31 PM: Quarantining All Traces: clickbank cookie
1:31 PM: Quarantining All Traces: dealtime cookie
1:31 PM: Quarantining All Traces: fastclick cookie
1:31 PM: Quarantining All Traces: myaffiliateprogram.com cookie
1:31 PM: Quarantining All Traces: overture cookie
1:31 PM: Quarantining All Traces: pointroll cookie
1:31 PM: Quarantining All Traces: ru4 cookie
1:31 PM: Quarantining All Traces: server.iad.liveperson cookie
1:31 PM: Quarantining All Traces: serving-sys cookie
1:31 PM: Quarantining All Traces: spyaxe cookie
1:31 PM: Quarantining All Traces: statcounter cookie
1:31 PM: Quarantining All Traces: tracking cookie
1:31 PM: Quarantining All Traces: trb.com cookie
1:31 PM: Quarantining All Traces: webtrendslive cookie
1:31 PM: Quarantining All Traces: yadro cookie
1:31 PM: Removal process completed. Elapsed time 00:00:41
********
12:23 PM: | Start of Session, Tuesday, January 03, 2006 |
12:23 PM: Spy Sweeper started
12:24 PM: Your spyware definitions have been updated.
12:26 PM: | End of Session, Tuesday, January 03, 2006 |

Now here the HTL:
Logfile of HijackThis v1.99.1
Scan saved at 1:39:42 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.churchrez.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Is it possible that during the Nortan Symantec Antivirus scan, that I chose to delete infected files that my Windows Installer needs or Microsoft Money 2002 and Outlook need in order to run?

Any advice you have is helpful.

Thanks,
Little Dawn
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

and reboot

then let us know how it is
 

DawnHartsell

Thread Starter
Joined
Jan 3, 2006
Messages
11
Same problem only it takes longer. Here is the HTL:

Logfile of HijackThis v1.99.1
Scan saved at 5:26:49 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.churchrez.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: 2Wire Wireless Client.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

When I click on Microsoft Money 2002, the Window Installer opens up and says "Preparing to Install" and then "Gathering information" and then "Please wait while Windows configures Microsoft Money 2002" and then a new dialogue box opens that says "The feature you are trying to use is on a CD-ROM or other removable disk that is not available. Insert the Microsoft Money 2002 disk and click OK." Then at the bottom of the new dialogue box it says: "Use Source" and lists: "Microsoft Works Suite 2002 disk 2." When I click on "Cancel" it says: "Error 1706: No valid source could be found for product Microsoft Money 2002. The Windows Installer cannot continue." Then I click on OK and the last dialogue box that pops up says: "Problem with shortcut: Fatal error occurred during installation".

And finally when I open Microsoft Outlook 2002, and I go to Tools and then Email Accounts, I get a dialogue box that reads: "The operation failed due to a registry or installation problem. Restart Outlook and try again. If problem persists, please reinstall."

(I would pop the Microsoft Money 2002 cd in to try to fix this but I lost the cd and only have Microsoft Money 2001 cd in my files) What else can I do?

Feeling helpless,

Little Dawn
 

DawnHartsell

Thread Starter
Joined
Jan 3, 2006
Messages
11
Derek,

I can open Microsoft Money 2002 and start using it if I go to Program Files/Microsoft Money/System/ and click on Upgrade.exe, then the Windows Installer pops up like before, but if I continue to hit cancel, it pops up repeatedly while MM2002 slowly opens, until it's completely open and I can access all my financial records and make changes to it. The Windows Installer dialogue box opens occasionally but MM2002 stays open as long as I hit cancel. Can I do anything to fix this while MM2002 is open on my computer?

Little Dawn
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
The only thing I can suggest is uninstall money 2002 and install 2001, but I'm not certain whether they changed any of the formats between the 2 so you might lose information

it works going up but I'm not certain on going down

or borrow a copy of money 2002 from someone as you have the required licence in the works suite
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
only do what they say
try a repair or reinstall of outlook
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top