Windows Legacy OS forum

General discussion

system restore comes up blank, cant connect to MS support

by lmn1220 / April 2, 2009 2:24 AM PDT

hi all,

where can i start: did almost everything, ran in safemode ran virus scans, ms malicious tool remover, looked in services.msc, spoke to MS via another computer they could not log on to the infected computer, couldnt run online scans.

basically it seems that on most sites especially MS, aol mail, places where we have to put in a password we are unable to click. when i ran a scan it did find 2 worms and i have no idea what they were because i thought that was the end of it. this has been going on for about 3 weeks.

i did find out that java.exe may have the infection.

the computer runs wind xp media center, compaq presciario.

see below i did the hijack this on the infected computer.

thanks in advance..

p.s. MS stated there's nothing else they can do and the computer has to be formatted but i'm not giving up yet.

******************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:24 PM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\e-Trends\etrnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchPerks! Perk Counter -
{2787EA8E-8D87-48af-88AD-B30246C917AB} - C:\Program Files\SearchPerks!
Perk Counter\Bmbho.dll
O2 - BHO: McAfee Phishing Filter -
{27B4851A-3207-45A2-B947-BE8AFE6163AB} -
c:\PROGRA~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer
- {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program
Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper -
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft
Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program
Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} -
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO -
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} -
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch -
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program
Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SearchPerks! Perk Counter -
{2787EA8E-8D87-48af-88AD-B30246C917AB} - C:\Program Files\SearchPerks!
Perk Counter\Bmbho.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar -
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F}
- C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot
Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking]
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\InstallHelper.exe
/uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common
Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting]
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting]
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default
user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User
'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User
'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help -
{E2D4D26B-0180-43a4-B05F-462D6D54C789} -
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help -
{E2D4D26B-0180-43a4-B05F-462D6D54C789} -
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.facebook.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) -
http://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data
Collection Control) -
https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) -
https://www.e-trends.com/Config/packages/et/etsetup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation
Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher
Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ? Buddy
Invite) - http://sympatico.zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object)
- http://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) -
http://sympatico.zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games -
Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ? Game
Communicator) -
http://sympatico.zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: grooveLocalGWS -
{88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft
Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -
c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: e-Trends - C:\Program Files\e-Trends\etls.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program
Files\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner -
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner -
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner -
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner -
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner -
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner -
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown
owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner
- C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: Norton Protection Center Service (NSCService) -
Symantec Corporation - c:\Program Files\Common Files\Symantec
Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation -
C:\Program Files\Viewpoint\Common\ViewpointService.exe

Discussion is locked
You are posting a reply to: system restore comes up blank, cant connect to MS support
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: system restore comes up blank, cant connect to MS support
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
I see more than one protection installed.
by R. Proffitt Forum moderator / April 2, 2009 3:01 AM PDT

McAfee, AVG and I stopped reading since the moment you install more than one Antivirus all bets are off.

Try moving to just one.

Collapse -
running avg only
by lmn1220 / April 2, 2009 3:13 AM PDT

that mcafee is old stuff.

that's not the issue. running avg 8

can you see ANYTHING else that might be causing this?>

Collapse -
The old stuff is still in there.
by R. Proffitt Forum moderator / April 2, 2009 3:23 AM PDT
In reply to: running avg only
Collapse -
Just a note.
by MarkFlax Forum moderator / April 2, 2009 7:06 AM PDT
In reply to: running avg only

Those HJT 02 entries, (BHOs or Browser Helper Objects).

There are a lot there, and McAfee phishing alert and McAfee SiteAdvisor both appear to be listed as active.

BHOs often cause problems with IE so you could try resetting IE7 back to default, no BHO's, no 3rd party toolbars, no ActiveX, by going to Internet Options, Advanced tab, then the Reset button, but beware this will remove logins and passwords saved through IE as well as all cookies, history and temporary internet files.

In addition, if those McAfee BHOs updated themselves recently there may be a problem with the update for SiteAdvisor. I updated mine recently and it caused instability in my system, so I had to change to something else. I'm not saying that the upgrade would cause such instability in all systems, but there does seem to be a theme going on there.

Mark

Collapse -
AVG, McAfee & Norton's Protection Center Service?
by Carol~ Moderator / April 2, 2009 10:45 AM PDT
In reply to: running avg only

Imn..

In order to level the playing field, I too would suggest you do some clean up work first. There are some suggestions I could make relating to your original post, but you're only going to confuse the issue/s, with bits and pieces of 2 additional A/V's installed. Not to mention what else is installed. If you don't know how to remove "what needs be", you can post your log at any of the below forums. They would be more than happy to assist you in all areas.

If you feel these tools are unnecessary, you can bypass them and move on to the list of HJT forums below. As noted in the sticky at the top of CNET's Spyware, Viruses & Security Forum, we don't analyze logs here.

McAfee Consumer Products Removal tool (MCPR.exe)
The Norton Removal Tool

Forums which analyze HJT logs:

http://www.bleepingcomputer.com/forums/forum22.html

http://www.spywareinfoforum.com/index.php?s=5028cc67f4e5562d636b9a77c9017749&showforum=18

http://forums.subratam.org/index.php?showforum=7

Or you can pick a different forum, from the list on left side of this page.

Best of luck..
Carol

Collapse -
Re: system restore comes up blank, cant connect to MS suppor
by Tufenuf / April 2, 2009 10:35 PM PDT
Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

Does BMW or Volvo do it best?

Pint-size luxury and funky style

Shopping for a new car this weekend? See how the BMW X2 stacks up against the Volvo XC40 in our side-by-side comparison.