Infected - Have followed all FAQ steps

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gigtime, Apr 24, 2005.

  1. gigtime

    gigtime Private E-2

    Hi,

    I've got a P4 running Windows XP Pro.

    I've been battling multiple trojans for a couple of weeks. Someone
    helped me get rid of one but it appears there are more.

    When I try to run Trend Micro's Free Scan when not in safe
    mode, I can't check the 'my computer' box. If I try, nothing happens.
    In safe mode, it ran and didn't detect anything.

    When I tried to run Panda's online scan, it literally runs
    three seconds and tells me no virus found. Normally, a Panda scan will
    take several hours on my machine.

    When I try to run virus detection on Symantec's site, after
    loading definitions, I get a warning that says "Unable to run Virus
    Detection. In order to run virus detection you must be using
    Microsoft Internet Explorer 5.0 or higher with ActiveX and Scripting
    enabled." I'm running the latest MS Explorer and have all the
    recommended ActiveX and scripting enabled. Same results in regular and
    safe mode.

    Also, I installed Panda Titanium 2005 last week. The program
    will not allow me to update to the latest version. When I do, it tells
    me that I must first uninstall Norman Virus control. Don't have
    Norman, never did and it's not in add/remove programs.

    Panda's tech support told me they had a similar problem with another
    customer. They felt a virus was simulating Norman Virus control to
    prevent the latest version from loading. They suggested I run their
    online scan. I've emailed them after the scan wouldn't run but haven't
    heard back yet.

    Ran McAfee Stinger and it didn't find anything.

    Ran CCleaner.

    Ran AdAware SE with VX2 Cleaner Plug-in, nothing found. I have
    noticed on shutdown, brief warning notices saying something along the
    lines of Centinel VXD could not be closed... This happens when doing a
    shutdown. The window only displays briefly, it doesn't wait for a
    response.

    Spybot, which I regularly use, says the system is clean.
    Everything is immunized.

    CW Shredder found nothing.

    Kill2Me reported that the Look2Me infection is about to be
    removed, if it was present.

    I wasn't having about:blank problems but ran the next two anyway.

    About:Buster didn't find anything scanning twice. There was
    this line but I don't know if it means anything:

    ADS not scanned System(FAT)

    HS Remove removed 8 items.

    Rebooted in normal mode.

    Tried to run Panda online scan again. Same result as earlier.

    Ran RAV Antivirus scan. Results: Viruses found: 0, Suspicious files: 0,
    Disinfected files: 0, Mail files: 2 (not sure what this means, no
    explanation given).

    Ran TrojanScan online scan (and note that TrojanScan's database was last
    updated 10/18/04!). 201,537 files scanned, 0 trojans detected.

    Note: As I shut TrojanScan down and started a-squared, TeaTimer
    gave me a warning that a value had been deleted for an ActiveX
    Distribution Unit. [2a32b14F-4d29-4ea3-ac54-e9b19f436ce7... (couldn't
    see the entire key) Could only choose 'allow' as 'deny' was greyed
    out. Microsoft AntiSpyware brought up an alert at the same time
    telling me a script file C:\temp\unregister.bat was trying to execute.

    A-squared - Scanned objects, malware files: 27 (all of these
    were considered adware. In reality, they're all ebooks, one of which I
    wrote myself. All have been on the machine long before this trojan
    appeared)

    Avast! Cleaner found no virus bodies but reported that the
    following files could not be scanned:
    C:\Windows\System32\CatRoot2\edb.log
    C:\Windows\System32\CatRoot2\test.edb

    According to Microsoft, a corrupt edb.log file could cause some
    programs not to install. So this could be our trojan or the cause of
    the problems running the Panda and other scans. Details:
    http://support.microsoft.com/kb/822798


    Finally, I ran ADS Spy, or tried to, but it said it only works
    on NTFS systems.

    I'll be glad to post a HijackThis log when requested. It's
    already installed on my machine.

    One last note, since this started, something keeps trying to access my
    A: drive every 20 minutes or so. I rarely use the A drive but the
    rattling noise this makes is annoying. I thought it might be Panda but
    it only checks the A drive when rebooting or shutting down and then
    it's a silent scan.

    Thanks in advance for your help,

    Bill
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. gigtime

    gigtime Private E-2

    Ok, HijackThis log attached.

    Also, I just saw the error message when I rebooted.
    This time it stayed on long enough for me to confirm
    that XP was telling me that the following program was
    still running: Centinel VxD.

    Bill
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I notice you are running Panda Titanium Antivirus 2005 & Norton SystemWorks. If possible I would uninstall Norton AntiVirus that comes along with NSW because running 2 antivirus programs will cause conflicts on your system.

    Scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: ConferenceRoom Java Client - http://irc.ev1.net/java/cr.cab
    O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} (RyzeAddrCtrl Class) - http://www.ryze.com/RyzeAddr.CAB
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {F3D69634-67FF-4CA6-B39E-7DC11ED9676F} (VoiceRecCtrl Class) - http://www.instantaudio.com/activerecorder/SoundRecControl.cab

    Make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After doing ALL of the above REBOOT and then scan with HijackThis and attach the new log. Also, let me know what problems remain.
     
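    The entries bjgarrick asks to fix above are HijackThis log lines: a section code (R0, O9, O16, ...), a separator, and a body. The following is an added example, not part of this thread or of HijackThis itself: a small parser that applies the same three checks a reviewer applies by eye to those lines (start page pointing at an unexpected host, O9 entries whose file is missing, O16 ActiveX controls downloaded from the web). The trusted-host list and the sample log lines are constructed for the example.

    ```python
    import re
    from urllib.parse import urlparse

    # Assumed allow-list of hosts a start/search page may point at (not a HijackThis setting).
    TRUSTED_START_HOSTS = {"www.microsoft.com", "www.msn.com"}

    LINE_RE = re.compile(r"^(?P<section>[RFOA]\d{1,2}) - (?P<body>.+)$")
    URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

    # Constructed sample: the lines quoted in the post above plus one benign O4 entry for contrast.
    SAMPLE_LOG = r"""
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: ConferenceRoom Java Client - http://irc.ev1.net/java/cr.cab
    O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} (RyzeAddrCtrl Class) - http://www.ryze.com/RyzeAddr.CAB
    """

    def parse_line(line):
        """Split one HijackThis log line into (section code, body); None if it is not an entry."""
        m = LINE_RE.match(line.strip())
        return (m.group("section"), m.group("body")) if m else None

    def review_line(line):
        """Return a human-readable reason to review this entry, or None if no rule fires."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        section, body = parsed
        url = URL_RE.search(body)
        host = urlparse(url.group(0)).hostname if url else None
        if section in ("R0", "R1") and host and host not in TRUSTED_START_HOSTS:
            return f"{section}: browser start/search page points at {host}"
        if section == "O9" and "(file missing)" in body:
            return f"{section}: button/menu entry references a missing file (orphaned)"
        if section == "O16" and host:
            return f"{section}: ActiveX control installed from {host}; confirm it is wanted"
        return None

    def review_log(text):
        """Return [(line, reason)] for every entry that one of the rules flags."""
        return [(l, r) for l in text.splitlines() if (r := review_line(l))]

    if __name__ == "__main__":
        for line, reason in review_log(SAMPLE_LOG):
            print(reason, "<-", line)
    ```
    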
  5. gigtime

    gigtime Private E-2

    Hi,

    I removed all NAV components from System Works before installing Panda.

    That round of scans and cleaning I did when posting my first log seems to have taken a toll on my machine. Before rebooting from that session, I pulled up My Computer and selected one of my drives. My computer locked up and I had to use Ctrl+Alt+Del to end my computer. That essentially shut Windows down.

    It locked up when I tried to reboot, hanging on the 'saving your settings' screen for half an hour. When I hit reset, it ran a check on my hard drive and took a long time fully rebooting.

    Since then, it hangs up the same way every time. I also noticed the Centinel VxD shut down screen after applying the fixes you recommended and rebooting.

    The computer is becoming more unstable.

    The latest scan is attached.

    Thanks,

    Bill
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Since this doesn't seem to be malware related, I recommend posting your problem in the Software and Hardware forum. Those guys will assist you in resolving this problem.

    Good Luck! :)
     
