
Thread: Not having noticeable problems

  1. #1
    Join Date
    Apr 2007
    Location
    Cordova, AL.
    Posts
    2,451
    Blog Entries
    20

    Not having noticeable problems

    I ran a new trial program called RemoveIt yesterday, after running AdAware and Spybot, and it left the following warning... The entire warning is... Infected file (Sys32.install) C:\WINDOWS\system32\install.exe.

    None of my other antivirus or malware removal tools identified this file as bad, so I posted a question on the board asking about it. Roadrage said it was "a baddie" and instructed me to do the HJT thing, posting the logfile. I'm glad I decided to ask the pros, I wasn't sure if it truly was malware since no other program picked it up. Maybe RemoveIt is worth purchasing after all.
    Anyway, here is the logfile from HJT.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:32 AM, on 4/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\JAM Software\SpaceObServer\service\SOServiceApp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/alabamafootball/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: WASAY - {7CC7BC40-F3C1-11d5-92DC-0050BADF3970} - www.wasay.com (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SpaceObServerListener - JAM Software - C:\Program Files\JAM Software\SpaceObServer\service\SOServiceApp.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

  2. #2
    Join Date
    Oct 2005
    Location
    Seattle WA.
    Posts
    1,572
    Hi bama19642

    You may get a warning from your browser that a file is trying to download to your computer; let it.

    Download SUPERantispyware
    • Load SUPERantispyware and click the check for updates button.
    • Once the update is finished click the scan your computer button.
    • Check Perform Complete Scan and then next.
    • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
    • Make sure that they all have a check next to them and press next.
    • Click finish and you will be taken back to the main interface.
    • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
    • Copy and paste the log to this thread.

  3. #3
    Join Date
    Apr 2007
    Location
    Cordova, AL.
    Posts
    2,451
    Blog Entries
    20
    SuperAntiSpyware? You're going to let a dummy have access to secret technology that only those with top level clearance know about? Thanks man! Don't worry, if I'm caught I'll never tell who my source is. BTW is there any reason to keep AdAware and Spybot along with S-A-S?

  4. #4
    Join Date
    Oct 2005
    Location
    Seattle WA.
    Posts
    1,572
    Hi bama

    There are no dummies here, just people who want to increase their knowledge. I strongly suggest keeping AD-Aware and SpyBotSearch&Destroy as these will help to keep your computer free and clean of any unwanted garbage and should be run on a regular basis.
    Where is the SAS Log I asked for?

    You have one real nasty one that needs to go immediately.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.al.com/alabamafootball/

    It needs to be replaced with this one.
    http://gohuskies.cstv.com/sports/m-f...otbl-body.html

  5. #5
    Join Date
    Apr 2007
    Location
    Cordova, AL.
    Posts
    2,451
    Blog Entries
    20
    I'm sorry, I didn't see how to make a logfile with SAS, and my nephew wanted to play right after the scan ended. But funny thing is it didn't ID the Sysinstall file either. The only really bad thing I noticed was an SVCHost (?) on drive f that it said was a trojan. I watched it scan the sys32 files to see if it picked up the install, but no luck. RemoveIt is the only one so far to say it's bad (besides you). I guess I should manually locate it (again) and incinerate it with permanent removal software, huh? The other two were not picked up by SAS either, I looked at the list and they looked like what AdAware finds.

    Is there a log that's kept automatically from SAS? I'll post it if there is.
    Last edited by Bama19642; 04-14-2007 at 09:17 PM.

  6. #6
    Join Date
    Apr 2007
    Location
    Cordova, AL.
    Posts
    2,451
    Blog Entries
    20
    Wait a minute.... that's my homepage. You almost got me there.

    If the Tide doesn't do something after getting the 4 million $ man I will change pages. I've always admired the Huskies. Well, while Dr. O was there anyway.

  7. #7
    Join Date
    Oct 2005
    Location
    Seattle WA.
    Posts
    1,572
    Hi bama

    Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
    Are you saying this did not show up?

  8. #8
    Join Date
    Oct 2005
    Location
    Seattle WA.
    Posts
    1,572
    Hi bama

    my nephew wanted to play right after the scan ended.
    Please keep him off there for now, we could go round and round trying to clean your computer and my time is limited for now so I need you to do this.

    Download: CCleaner; do not run it yet.

    Download AVG Anti-Spyware:
    AVG Anti-Spyware


    Note:
    After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version.

    Set up the AVG Anti-Spyware program by doing the following; do not run it yet, we will use it later.
    • Double-click on the AVG Anti-Spyware install file to launch the installation process.
    • Follow the prompts and be sure that Launch AVG Anti-Spyware is checked.
    • Once the AVG Anti-Spyware main program screen has opened, click on Update now.
    • You will see an update progress bar, followed by an Update Successful message when updating is complete.
    • Once updating is 100% complete close AVG Anti-Spyware.
    Let's empty the temp files:
    *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.
    Open CCleaner.

    1. CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
    IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.

    2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    3. Then select the items you wish to clean up.

    In the Windows Tab:
    • Clean all entries in the "Internet Explorer" section except Cookies.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.

    In the Applications Tab:
    • Clean all except cookies in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet Section.
    • Clean any others that you choose.

    4. Click the "Run Cleaner" button.
    5. A pop up box will appear advising this process will permanently delete files from your system.
    6. Click "OK" and it will scan and clean your system.
    7. Click "exit" when done.

    If it asks you to reboot at the end, click NO.
    CCleaner should be run with the above settings for each User Account!

    Next, please reboot your computer into Safe Mode by doing the following:

    1. Restart your computer

    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

    3. Instead of Windows loading as normal, a menu should appear

    4. Select the first option, to run Windows in Safe Mode.

    When your computer has started in safe mode and you see the desktop, close all open windows.

    Next:
    Perform the AVG Anti-Spyware scan by doing this:

    Scan with AVG Anti-Spyware as follows:

    · Click on the "Scanner" button and choose the "Settings" tab.

    · Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

    · Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.

    · Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

    · Click the "Scan" tab to return to scanning options.

    · Click "Complete System Scan" to start.

    This will take several minutes or longer.
    When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report.
    So be sure you save it only AFTER clicking the "Apply all actions" button. Click on "Save Report" to view all completed scans.

    Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.

    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    Exit AVG Anti-Spyware.
    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    Post back with the AVG log and a new HJT log file (you may have to do this in two reports), and let me know how the computer is running.

  9. #9
    Join Date
    Apr 2007
    Location
    Cordova, AL.
    Posts
    2,451
    Blog Entries
    20
    I'm sorry, I didn't know you were waiting on me. Please don't stay on top of this for any length of time, I can't stay at my pc for very long periods due to a disabling back condition. I won't be able to finish your requests right now, but I have downloaded the files you suggested. BTW should I remove any other antivirus before running AVG? I have Norton, Avast and assorted adware/spyware programs.

    I'll finish the rest of your instructions later, after resting my aching back. But keep in mind what I said before, I'm not having any noticeable problems, at least not yet.

    Thanks for your time, I don't want to keep you from anything. But I will follow up in an hour or so, just get back when it's convenient.

    Oh yeah, if you were asking did the SAS not find the sysinstall, that's right. Maybe the RemoveIt is worth buying, huh? Of course as long as it tells the location can't the problem be removed manually, as long as it's securely deleted?

    I'll check for a response a little later, go enjoy TGIS. Thanks again!
    Last edited by Bama19642; 04-15-2007 at 12:53 AM.

  10. #10
    Join Date
    Oct 2005
    Location
    Seattle WA.
    Posts
    1,572
    Hi bama no problem

    You do have some bad stuff going on here although it does not show in your HJT Log yet it may be disguised, but the sooner you do the above the sooner we can fix you. I will delete the above SAS report as well.
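
A HijackThis log lists only running processes and startup or hook points, so one way to read the log from post #1 is to check whether the path RemoveIt flagged is referenced anywhere in it. The Python below is an added example, not part of the original thread; the function names are hypothetical and the sample is an excerpt copied from the posted log.

```python
import re

# Excerpt of the HijackThis log from post #1 (lines copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: WASAY - {7CC7BC40-F3C1-11d5-92DC-0050BADF3970} - www.wasay.com (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
"""
FLAGGED = r"C:\WINDOWS\system32\install.exe"  # path RemoveIt reported in post #1

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O23 - Service: ..."
PATH = re.compile(r"[A-Za-z]:\\[^\"*?<>|]+?\.(?:exe|dll)\b", re.I)

def parse_hjt(text):
    """Return (running_processes, entries); entries are (code, body) tuples."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return procs, entries

def references(text, target):
    """Every place the log mentions target (Windows paths compare case-insensitively)."""
    procs, entries = parse_hjt(text)
    t = target.lower()
    hits = [("process", p) for p in procs if p.lower() == t]
    for code, body in entries:
        if any(p.lower() == t for p in PATH.findall(body)):
            hits.append((code, body))
    return hits

def triage(text):
    """Entries HijackThis marked '(file missing)' and services with 'Unknown owner'."""
    _, entries = parse_hjt(text)
    missing = [(c, b) for c, b in entries if b.endswith("(file missing)")]
    unknown = [(c, b) for c, b in entries if c == "O23" and " - Unknown owner - " in b]
    return missing, unknown

if __name__ == "__main__":
    print("references to flagged file:", references(SAMPLE_LOG, FLAGGED))
    print("triage:", triage(SAMPLE_LOG))
```

An empty result from `references` means only that the file is neither running nor registered at a point HijackThis inspects; it says nothing about whether the file on disk is malicious.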
