Here is the issue. I am helping a friend fix their PC and it turns out they have done very little to it in terms of protection or maintenance. The computer is currently running Windows XP Home Edition SP1. I have Spybot and Ad-Aware running, but it is a never-ending circle, as they find more stuff every time. I have downloaded and am ready to install Norton 360 but have one problem: it needs SP2 installed.
I have SP2 downloaded, but when I attempt to install it, it tells me that another process is using services.exe, so I can never finish the install. I tried to use Procmon from Sysinternals to determine what was using services.exe, but you need SP2 to use it.
I think if I can get to SP2, get Norton on it, and get Windows Update up to date and run from there, I might be OK. I am not using Windows Update right now because it is an older version of IE and I am fairly sure it is compromised.
I am very open to any steps or strategy someone has on this. I can successfully get to the internet via normal login or safe mode with networking.
HijackThis log file posted below. Please realize that an older version of Norton is half there. Not sure what happened to it, but it is not active at startup and I am planning to replace it with a clean install.
Thanks
Chris
===============================
Logfile of HijackThis v1.99.1
Scan saved at 6:59:03 AM, on 5/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\CCleaner\CCleaner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\ZACHAR~1\LOCALS~1\Temp\TEMPOR~1.ZIP\HIJACK~1.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\Companion\Installs\cpn\yt.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Zachary Zerries\Application Data\Mozilla\Profiles\default\lt4r06ee.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Zachary Zerries\Application Data\Mozilla\Profiles\default\lt4r06ee.slt\prefs.js)
O2 - BHO: (no name) - {29facd7b-65af-4b46-8414-1409c7adb9ac} - C:\WINDOWS\System32\iifff.dll
O2 - BHO: {8c24726a-996b-4ad8-2974-5a54fb13a425} - {524a31bf-45a5-4792-8da4-b699a62742c8} - C:\WINDOWS\System32\hekjfhel.dll
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\fccyabb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [hhtllddh] rundll32.exe "C:\DOCUME~1\AVADEK~1\LOCALS~1\Temp\fnrrfjfrbfb.dll" WLEntryPoint
O4 - HKLM\..\Run: [BM43b0d93b] Rundll32.exe "C:\WINDOWS\System32\effckgon.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Cmkp] "C:\Program Files\??pPatch\w?auboot.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Zachary Zerries\cftmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\gjehcfep.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gjehcfep.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209990043369
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209990307378
O17 - HKLM\System\CCS\Services\Tcpip\..\{75D80645-7BA1-4138-A1A3-D622E68A0A5B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B36031-83D4-4AA1-B782-D27060382967}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE21F381-A259-4D60-A4C1-75D51611E959}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7E4D648-DE7C-4A25-B1D6-6EA949840F74}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: bipobqpsj - C:\WINDOWS\SYSTEM32\bipobqpsj.dll
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O20 - Winlogon Notify: fccyabb - C:\WINDOWS\SYSTEM32\fccyabb.dll
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O21 - SSODL: UlNNmN - {4083EA09-EA29-40A3-A650-0D6269D7F7D6} - C:\WINDOWS\system32\kktmn.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE