Possible infection?

This morning, I noticed a file symbol (icon) at about the exact center of the desktop with the name "Document Scrap '$3_95 and then a...'". When I tried to delete it, it refused, claiming to be open in another program. I spotted an otherwise invisible WinWord.exe in the Task Manager process list. I killed that, and then I tried to delete the link and again (slowly) got the same message about it being open in another program.

 

I went to a command prompt and found these two files:

C:\Documents and Settings\adminname\Desktop\Document Scrap '$3_95 and then a...'.shs
and
C:\Documents and Settings\adminnameRecent\Document Scrap '$3_95 and then a...'.lnk

 

I was able to delete these in the command prompt.

 

A Norton Full Scan didn't report anything.

 

 I got a Microsoft update KB2541763, rebooted, and I haven't seen it since, but I'm nervous.  

 

Has anyone else seen anything like this?

 


yogesh_mohan wrote:

Hi Zathrus,

 

Thanks for your detailed description of the problem. I think the infection has corrupted your Hosts file, and that is why you are unable to update the definitions for the security programs. I hope you will be running Malwarebytes AntiMalware/SuperAntiSpyware. In addition, to check whether any program is being accessed by some threat, download HijackThis:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

You need to download the third one in the list (Executable), install it and click "Do a system scan and save a log". Then open the log in Notepad. Either post the log in this same message board or send it as a private message to me.

 

Yogesh


 

I would also suggest Malwarebytes and SUPERAntiSpyware. Also, please make sure you update Malwarebytes and SUPERAntiSpyware before doing a Full Scan in Safe Mode and then in Normal Mode with both products (not at the same time!), disconnected from the Internet, of all drives.

 

 

Malwarebytes' Anti-Malware for Windows: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=contentBody;mostPopTwoColWrap&cdlPid=10984636.

 

SUPERAntiSpyware for Windows: http://www.download.com/1770-20_4-0.html?query=SUPERAntiSpyware&tag=srch&searchtype=downloads&filterName=platform%3DWindows&filter=platform%3DWindows.

 

Starting your Computer in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam.

Message Edited by Floating_Red on 01-14-2009 09:40 PM

Did you get there in fixing the problem??

 

 

Quads 

Not yet. Thanks for asking. I installed Malwarebytes Anti-malware last night. And sure enough, when I tried downloading updated definitions for Anti-malware, it gave me an error message saying the source file was corrupt and updates could not be downloaded. As soon as I installed it, this thing on my computer had messed with it. Nonetheless I restarted in safe mode and did a scan. It detected and removed 17 infections in the registry.

 

That is as far as I got yesterday. I won't get back to this until the weekend probably. When I get back on the computer, I'll try reinstalling Malwarebytes Anti-malware and I'll see if it will now allow me to download updates. Then I'll scan in safe mode.

I'll do the same with SuperAntiSpyware, Norton 360 and Windows Defender - reinstall, try to download updates, scan in safe mode - and I will let you know how that goes.

 

The computer is not on a network, and I'm only connecting to the internet when I try to download updates. Otherwise, the cable is pulled out.

 

Thanks for all the helpful info, everyone.

Message Edited by Zathrus on 01-15-2009 08:11 AM

Hi Zathrus,

 

Didn't you try the Hijackthis tool?

 

Yogesh

Yogesh

 

Sounds like NO

 

Quads 

Should I run that first before the antiMalware application?
I can run that first next time I get on the computer.

Hi

 

That's up to you, but sometimes doing a HijackThis log first, before using anti-malware software, helps to see what's bad on the system. Then if the likes of Malwarebytes doesn't work, etc., you or someone can see why.

 

Quads 

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:59 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thickazabrick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NCO 2.0 IE BHO -

Hijack this log cont'd

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0AB5CBCF-6984-4122-BCF7-BE33BF5B1CF1} - http://www.topmoxie.com/external/builds/upromise/upro1050.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.mkemarketplace.com/fanhof/2004/images/img_titlebanner.gif

--
End of file - 8302 bytes

Malwarebytes log:

 


Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/15/2009 12:22:55 AM
mbam-log-2009-01-15 (00-22-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106192
Time elapsed: 56 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.

Still working on it.

I saw in one of the other threads that an iexplore.exe process is bad. Out of curiosity I checked Task Manager and sure enough I've got that running.

 

Thanks for all the help and support so far! I'll let you know how far I get this evening!
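The Malwarebytes log above shows the .scr and .reg open commands had been redirected to NOTEPAD.EXE and restored to the "Good:" values. As an added example (not from the thread or any of the tools it names), this read-only PowerShell check compares those HKCR open commands against the defaults the log lists; it assumes PowerShell 5.1+ on Windows.

```powershell
# Added example: audit the shell\open\command values that the Malwarebytes log
# reported as "Broken.OpenCommand". Expected values are the log's "Good:" entries.
# Read-only; nothing is changed in the registry.

$ExpectedOpenCommands = @{
    'scrfile' = '"%1" /S'            # screensaver: run the .scr itself
    'regfile' = 'regedit.exe "%1"'   # .reg file: hand to regedit (prompts before merging)
}

function Get-OpenCommandDeviation {
    param([hashtable]$Expected = $ExpectedOpenCommands)

    # Collapse whitespace and trim so cosmetic differences do not count as deviations
    $norm = { param($s) if ($null -eq $s) { $null } else { ($s -replace '\s+', ' ').Trim() } }

    foreach ($progId in $Expected.Keys) {
        $key    = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $actual = $null
        if (Test-Path -LiteralPath $key) {
            # The unnamed (default) value holds the command line; read it unexpanded
            $actual = (Get-Item -LiteralPath $key).GetValue('', $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        }
        $status = if ($null -eq $actual) { 'Missing' }
                  elseif ((& $norm $actual) -ieq (& $norm $Expected[$progId])) { 'OK' }
                  else { 'Deviates' }

        [pscustomobject]@{
            ProgId   = $progId
            Status   = $status
            Actual   = $actual
            Expected = $Expected[$progId]
        }
    }
}

# A deviation is a lead to investigate, not proof of malware: some administrators
# redirect .reg/.scr to Notepad on purpose as a hardening measure.
Get-OpenCommandDeviation | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```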

NOOOOOOO

 

Depends where the iexplore.exe is; the legit one belongs to Internet Explorer. There is one recently about "explore.exe"; see the difference.

 

There are still entries in your Hijackthis log

 

coming

 

Quads 

Hi

 

Start Hijackthis again and tick (check) these entries.

 

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k           (not needed on startup)

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)

O24 - Desktop Component 0: (no name) - http://www.mkemarketplace.com/fanhof/2004/images/img_titlebanner.gif

 

 

Now click "Fix Checked"

 

Secondly, you have 2 antivirus softwares installed, Norton and another, plus Ad-Aware also installed; not a good idea, having all of those installed in realtime.

 

Your Malwarebytes is out of date. It's now up to version 1.33, database version 1659 (yours 1616); you may have to uninstall version 1.32 and install 1.33 from http://www.malwarebytes.org/mbam.php

 

Also there is SuperAntispyware Free http://www.superantispyware.com/download.html

 

Quads 


Quads wrote:

...you may have to uninstall version 1.32 and install 1.33 from http://www.malwarebytes.org/mbam.php


No need to.  When you hit the "Update" button in Malwarebytes, it will Automatically un-install and then install the Latest Version for you.

 


Floating_Red wrote:

Quads wrote:

...you may have to uninstall version 1.32 and install 1.33 from http://www.malwarebytes.org/mbam.php


No need to.  When you hit the "Update" button in Malwarebytes, it will Automatically un-install and then install the Latest Version for you.

 


Maybe yes, cos some people are stating on the web freezing during scan, I being one; we have found that uninstalling and doing a clean install fixes that problem.
Via the update feature, it doesn't fully uninstall everything.
Quads 

 


Quads wrote:

Floating_Red wrote:

Quads wrote:

...you may have to uninstall version 1.32 and install 1.33 from http://www.malwarebytes.org/mbam.php


No need to.  When you hit the "Update" button in Malwarebytes, it will Automatically un-install and then install the Latest Version for you.

 


Maybe yes, cos some people are stating on the web freezing during scan, I being one; we have found that uninstalling and doing a clean install fixes that problem.
Via the update feature, it doesn't fully uninstall everything.
Quads 

 


 

Ah, okay; that's a possibility.

 

Quads,

Thanks much.

The second anti-virus program that you see is most likely just remnants of the one I uninstalled before putting 360 on the computer. I'd been running 360 on another computer, decided to try io__ antivirus on this one because it also comes with a PC tuneup program, and this slow old computer needed tuning up. And I got it on sale. When I found that it had failed to detect this infection I uninstalled it and installed 360.

There is another process running, dvpapi.exe, that didn't look familiar. Control Panel->Administrative Tools->Services says it is Dynamic Virus Protection. I'm not sure if that's part of Windows, but Norton 360 is supposed to be providing that, so I stopped the process in Task Manager. Then lo and behold, MalwareBytes was finally able to get updates! It had given me an error up until now saying it could not retrieve them.

Scans with Malwarebytes and SUPERAntiSpyware detected no malicious software other than tracking cookies.

I have fixed the items you suggested using Hijack this, also, though I could not find

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k (not needed on startup)

on the Hijack this report anymore when I ran it this morning. However, I do see that listed as a startup item in msconfig. I unchecked it there and did a selective startup.

Scans by Norton 360 and Windows Defender both crashed the computer (blue screen error) this weekend. I haven't been able to get one to complete. I did use the intelligent updater to manually get the 1-16 Symantec virus definitions on my computer.

One other thing looks suspicious: the BOOT INI in msconfig reads: multi(0)disk(0)rdsik(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal"/fastdetect/NoExecute=OptIn

 

Whistler Personal? Shouldn't it just read "XP Home"?

Thanks.

Hi. I'm new. I was surfing the Symantec/Norton site looking for info that will help me get my home internet computer up and running again when I came across the forums. As some of you have found, sometimes corporate tech help is not as helpful as informed users. I am so glad to have found this forum! It's already been helpful.

 

Not all of you may have problems loading updates and virus definition due to an infection, but I'm convinced that I and probably others do.

 

On the computer I use at home for e mail, banking, and internet, I had been running a competitor's antivirus product. I'll just say it was a Pro at maintaining Mechanic-al functions on my System, and I'd give it an 8 :manwink: .

 I noticed the antivirus program would fail to download definitions. Later the real time protection would not come on when I started up the computer. It also started crashing when I tried to run scans.

 

I took the computer to a local computer sales and service place and their diagnosis was viruses. I think they are right, since whatever is on my computer seems to be focusing attacks on whatever antivirus program I'm running, shutting down its ability to load definitions, and shutting down its real time protection.

 

After that diagnosis, I uninstalled the competitor's program and installed Norton 360 v2. This thing fought me and crashed the computer a few times during installation. Norton's install disk is quite robust, with a repair utility that runs if an installation partially completes and you try again.

 

After successfully installing 360 v2, a scan did catch 2 instances of an "InfoStealer" virus.

 

But now 360 v2 displays a message that my definitions are out of date. When I'm successfully able to load them without the computer crashing, 360 displays a message that it had a problem applying the updates. On one occasion the Auto-protect has spontaneously shut off. This behavior is just like what had been happening with the other antivirus product I'd been using.

 

In addition to trying 360 v2 against this infection, I've also loaded Windows Defender and a free program intended to raise Aware-ness of Ad-ware. The free program now also gives me messages saying it cannot find definitions. Scans by Windows Defender and the anti-adware product crashed the computer yesterday. They ran successfully after the first installation (the adware product found an instance of some type of malware) but then whatever is on my computer got wise to them and won't permit them to run.

 

I also downloaded and ran the Windows Malicious Software Removal Tool. It scanned my computer and pronounced it clean as a whistle!

 

I have downloaded the two free products recommended earlier in this thread. I'll install those and try them later today. First however, I am going to try the intelligent updater for 360, install the definitions myself from the desktop, and scan the computer in safe mode with 360 v2.

 

This is my first experience with becoming infected. I have no idea how the infection got on the computer and I'm kind of fumbling my way trying to get it off the computer. I appreciate all of you sharing your knowledge, and I hope my confirming the idea that malware may at least in some cases be responsible helped a few here.

 

Thanks again for everyone's input, and good luck Symantec in keeping up with these threats.

(Message moved from other thread and subject edited.)
Message Edited by Dave_Coleman on 01-14-2009 11:51 AM

Hi

 

The file "dvpapi.exe" belongs to "Authentium Antivirus", so you have or had N360, Io Antivirus and something of a 3rd antivirus program installed, plus Ad-Aware. Not good, I would say; conflicts between them are a possible reason for one security program crashing, with parts of the others running as services, so in realtime.

 

With Hijackthis, this is the entry, 

 

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe 

 

Windows Whistler was the code name for the Windows 2000 family (5.0) and XP (5.1).

 

Quads
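Two points in this thread come down to provenance: whether an iexplore.exe is the legit one "depends where it is", and dvpapi.exe was identified by the service (DvpApi, Authentium) that references it. As an added example (not Quads's procedure or any tool named above), this read-only PowerShell function takes a process name and reports each instance's image path, whether it sits under a system or Program Files directory, its Authenticode signer, and any Windows service whose image path points at that binary; it assumes PowerShell 5.1+ on Windows and that Get-Process can read the image path (it cannot for some protected processes).

```powershell
# Added example: map a running process name to its binary, signer and owning service.
# Read-only. Assumes PowerShell 5.1+ on Windows.

function Get-ProcessProvenance {
    param([Parameter(Mandatory)][string]$Name)

    $base     = [IO.Path]::GetFileNameWithoutExtension($Name)   # Get-Process wants no extension
    $services = Get-CimInstance -ClassName Win32_Service
    # Directories a legitimate system or vendor binary is normally installed under
    $trusted  = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
                Where-Object { $_ }

    foreach ($p in Get-Process -Name $base -ErrorAction SilentlyContinue) {
        $path = $p.Path   # $null when access is denied (protected/system processes)
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        # Services whose configured image path contains this binary (dvpapi.exe -> DvpApi)
        $svc = $services | Where-Object {
            $_.PathName -and $path -and
            $_.PathName.IndexOf($path, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } | ForEach-Object { $_.Name }

        $inTrusted = [bool]($path -and ($trusted | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }))

        [pscustomobject]@{
            Name         = $p.ProcessName
            PID          = $p.Id
            Path         = $path
            InTrustedDir = $inTrusted
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SignatureOK  = ($sig.Status -eq 'Valid')
            Services     = ($svc -join ', ')
        }
    }
}

# Usage: the two binaries discussed in this thread. An instance outside a trusted
# directory, or with no valid signature, is the one to look at first.
'iexplore.exe', 'dvpapi.exe' | ForEach-Object { Get-ProcessProvenance -Name $_ } | Format-List
```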