Antivirus driving me daft.

Thomas01
16-10-2009, 04:58 PM
I have used AVG for years but after reading this month's PCWorld decided to change to Avira.
I removed AVG
I made sure the Windows firewall was turned off.
I first tried downloading Avira but it refused to install telling me that I should make sure the internet was working (it is) and I may have a firewall in operation.

As far as I know I have deleted all programs that may have a firewall but I still have Search and Destroy and Ad-Aware - I don't think (?) they have a firewall.

Desperate I then tried the disk from PCWorld which didn't even start but told me that two of the files were corrupt and I should download a fresh version from the internet.
So back to square one!

After chewing pieces out of my desk I decided to go back to AVG

So AVG went back on - but it informed me that I needed to download an update as I needed to get the database OK.

Did this but after about ten minutes downloading the file it informed me like the previous program that I either was not on the internet (I was) or I had a firewall in operation.

I have fairly recently changed to broadband and wonder if this is causing some confusion.

Or have I got a virus?
Tom

wainuitech
16-10-2009, 05:02 PM
First of all - don't go using the PCWorld DVDs - lately there have been a lot of duds, with programs corrupted on them.

Download Hijackthis (http://free.antivirus.com/hijackthis/), run it and select save a log file, copy paste the complete log file back here.

Blam
16-10-2009, 05:07 PM
Some malware is known to block anti virus programs from being downloaded.

As for the CD issue - it's PCWorld's fault, has happened to quite a few people.

Download HijackThis then post a log here for analysis.

Also, try Microsoft Security Essentials. Easy to use and very good detection rates for a free product.

Blam

Thomas01
16-10-2009, 05:13 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:15 p.m., on 16/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\fast.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\microsoft money\System\reminder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\EurekaMultimedia\Personal Dictionary & Thesaurus\Pdttray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\COPERN~2\DesktopSearch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slingshot.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Copernic Desktop Search - Home Toolbar - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Program Files\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000311.dll
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Reminder] C:\program files\microsoft money\System\reminder.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [Multi Reminders] "C:\Program Files\Multi Reminders\reminder.exe" -c
O4 - HKCU\..\Run: [LogitechSetup] F:\setup.exe /skip_all_checks /p /start /restart /l:enu
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Personal Dictionary & Thesaurus.lnk = C:\Program Files\EurekaMultimedia\Personal Dictionary & Thesaurus\Pdttray.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1061_XP.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca342feffdb2ee) (gupdate1ca342feffdb2ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10826 bytes

Speedy Gonzales
16-10-2009, 08:08 PM
You can tick these then tick fix checked

Close browsers. May pay to disable system restore

Uninstall all versions of Java, then update it. It's out of date.

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

I don't know what this file belongs to. What's E? A partition or a CD/DVD?

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [Reminder] C:\program files\microsoft money\System\reminder.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

Then reboot. Then get something like Trojan Remover, update it. Then scan. Then select all options under the Utilities menu.
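
The entries picked out above follow a few recurring rules of thumb when reading a HijackThis log: an entry that ends in "(no file)" is an orphaned registry reference, an O4 autorun that launches from a CD or removable drive (E:\Setup.exe here) should not be there, and O6 policy restrictions and O20 Winlogon Notify hooks deserve a look because they are places malware likes to sit. The script below is an added example, not part of this thread or of HijackThis itself, that applies those same checks to log lines automatically. It assumes C: is the only fixed disk on the machine and runs over a short constructed excerpt in the log's format.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from typing import List, Optional, Tuple

# Assumption: C: is the only fixed disk; anything else (E: optical, F: removable
# in this thread) should not be launching programs at every logon.
FIXED_DRIVES = {"C:"}

# "O4 - body", "R1 - body", ... ; process list and headers do not match.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# "...\..\Run: [Name] command args" and "...\..\RunOnce: [Name] command"
RUN_RE = re.compile(r"\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# "Startup: Name.lnk = command" and "Global Startup: Name.lnk = command"
LNK_RE = re.compile(r"Startup: (?P<name>[^=]+?) = (?P<target>.*)$")

# Constructed sample modelled on the log format in this thread (not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA Technologies, Inc\Audio Deck\ADeck.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKCU\..\Run: [LogitechSetup] F:\setup.exe /skip_all_checks /p /start /restart /l:enu
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def autorun_target(body: str) -> Optional[Tuple[str, str]]:
    """Split an O4 entry body into (name, command line), or None if it does not parse."""
    m = RUN_RE.search(body) or LNK_RE.search(body)
    if m is None:
        return None
    return m.group("name"), m.group("target")


def target_drive(command: str) -> Optional[str]:
    """Drive prefix such as 'E:' of a command line; None for bare names like 'nwiz.exe'."""
    m = re.match(r'"?([A-Za-z]:)', command)
    return m.group(1).upper() if m else None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        if body.endswith("(no file)"):
            findings.append((section, "orphaned entry: points at a file that no longer exists", line))
        elif section == "O4":
            parsed = autorun_target(body)
            if parsed is not None:
                drive = target_drive(parsed[1])
                if drive is not None and drive not in FIXED_DRIVES:
                    findings.append((section, f"autorun '{parsed[0]}' launches from non-fixed drive {drive}", line))
        elif section == "O6":
            findings.append((section, "IE policy restriction present: confirm an administrator set it", line))
        elif section == "O20":
            findings.append((section, "Winlogon Notify hook runs at every logon: review the referenced path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it as-is to see the six flagged lines from the sample; to check a real log, read the file into `triage()` instead of `SAMPLE_LOG`. The output is a shortlist to reason about, not a verdict: the O6 and O20 entries in particular can be legitimate (an administrator's policy, a tool that registered a logon hook), so each hit still needs the kind of judgement shown in the post above.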

Speedy Gonzales
16-10-2009, 08:44 PM
Did you uninstall whatever programs (not delete their folders)?? Don't delete folders of programs you don't want. You'll stuff things up.

Thomas01
17-10-2009, 10:29 AM
E is a CD/DVD player.

I have uninstalled Java and replaced it with the latest downloaded copy.

I always uninstall programs. I must admit to also sometimes deleting their folders once the program has been uninstalled.
Didn't know I could harm things by doing that.

I tried to get Trojan Remover but got a message that the site would not open - try again later. I will.

I don't understand what you mean by "tick these"

I plan on trying again to get Trojan Remover - and will follow the instructions etc plus rebooting.
And will report progress.
Tom

gary67
17-10-2009, 10:50 AM
You can delete the folders once the programs are uninstalled. I think what Speedy meant was don't delete the folder if you have NOT uninstalled the program first.

Thomas01
17-10-2009, 12:11 PM
Well I did what I think I was supposed to.
I got Trojan Remover from another site then installed it.
Seemed to go OK but I couldn't find it then realized it was part of Search & Destroy - which I already had. So ran it.
It found about 6 thingies and removed them - they mentioned browsers.
So I rebooted and hoped all would be well - no luck - everything went well until the last part of the installation of Avira when once again I was asked to check my internet connection - it was not working or I had a firewall up.
Well neither. The internet was working; in fact I had it on the web site for Avira when it was telling me it was not working.
All a bit sad really - I have lost my protection of AVG and cannot get Avira.
I have put back the Windows firewall and now hope that Search and Destroy will assist.

gary67
17-10-2009, 01:04 PM
Trojan Remover is not part of Search and Destroy, it is a standalone program. Get it from the link in Speedy's signature.

mzee
17-10-2009, 01:10 PM
1st of all check the Internet settings under 'connection'. Make sure that Dial Up is not active.

You could try 'Avast' anti-virus, very good & unobtrusive.

Also 'Comodo' which has a Firewall as well. The 'Defense' mode tends to be a pain, so disable it when installing software otherwise it will display dozens of messages.

Speedy Gonzales
17-10-2009, 01:12 PM
Delete this entry if you haven't yet.

It shouldn't be loading anything from any CD on startup:

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

Yup, I meant don't delete any folder before you uninstall whatever. It's OK if you delete it after.

Did you disable system restore before you ticked the entries?

By "tick these" that's what you do: tick the entries I posted, then tick Fix checked.

Thomas01
17-10-2009, 03:38 PM
Strange things always happen to me.
When I tried Speedy's link it would not work - so I tried looking for it elsewhere - I thought I had found it but obviously I had got something that used the same name but was actually Search & Destroy.
Anyway I have tried Speedy's link again and now it's working, so downloaded the correct Trojan Remover and ran it. It found two rather insignificant looking problems and sorted them out.
So I tried again to install Avira and got the same result - on what must be the last page of the installation it tells me to check I can get onto the internet. So no progress at all.
Not yet anyway.
I am looking at Avira because of the great write up it got in PCWorld this month. For the same reasons I am avoiding Comodo which got hammered.

Speedy I haven't actually done what you suggested because I do not know where I delete the line from - is it in the Registry - if so that terrifies me and I normally avoid it. I use Registry Mechanic which I have just used to no avail.
I must admit I am a bit out of my depth in following this lot. Oh for the good days of DOS
Tom

Speedy Gonzales
17-10-2009, 03:46 PM
No, it's in the HijackThis log you posted. You run HijackThis again. Click on scan the system, then tick the entries I posted. Well if you want, get TeamViewer (www.teamviewer.com),
install it then run it. Then send the ID and password to me in a PM. And I'll check your system from here.

Well Comodo's AV isn't that great, it's known for its firewall not the AV program in its security suite (if this is what you're talking about).

Thomas01
18-10-2009, 09:01 PM
No, it's in the HijackThis log you posted. You run HijackThis again. Click on scan the system, then tick the entries I posted. Well if you want, get TeamViewer (www.teamviewer.com),
install it then run it. Then send the ID and password to me in a PM. And I'll check your system from here.

Well Comodo's AV isn't that great, it's known for its firewall not the AV program in its security suite (if this is what you're talking about).

Sounds simple - hey who am I trying to kid!

But I am going to have a bash - well at least I think I am because you see I solved the problem using a method the experts will all tell me is wrong!!

I went to my little lap top and repeated the exercise. Of course everything went right - no problems.
Then I had my bright idea - I copied the program over to a flash drive, tried the flash drive in the desktop and ran it. Seemed to work OK so I quickly shut it down and copied it over to the hard drive. Then ran the antivirus from the desktop. It all seems to work as it's supposed to.
I'm not even convinced myself that it will continue working - I had the impression that programs that sat in one folder and ran from there were finished when DOS died.
But at the moment I am satisfied - it's working - leave well alone (something I have never succeeded in doing for the last 76 years!)
Wish me luck.
Tom