Hello,

I just formatted my computer and I have to start with Windows Me then upgrade to XP Home. As you see I have plenty of steps to do without putting back the programs on the computer.

The last time I did this I made a s master dvd with all the programs and made it easier to put it all back on--There must be a virus on that disk. I keep getting a pop up of restorefix--

I guess my question is do I format again or can this be removed? Thanks in advance and here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:14 AM, on 5/18/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NavNT\VPC32.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242655414796
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 4436 bytes

2
Contributors
10
Replies
11
Views
9 Years
Discussion Span
Last Post by pcmic

If I have to format my computer again do I have to strip it down to WindowsME again. Right now it has no sevice packs on it and I wanted to know if I could reinstall just the windows XP and start over with putting programs on? I was thinking of downloading malewarebytes and downloading it onto my computer in safe mode. run it and see if it takes it off--from seeing on the web restoreFix is not a virus it is malware look forward to your help and Thanks again
Chris

As you see I have plenty of steps to do without putting back the programs on the computer.

Sorry, but this doesn't appear to be the case. You have installed XP but NOT updated it. You should FULLY update XP before putting anything else, including the printer on the computer but I see many programs running on the machine which have nothing to do with Windows, so this tells me you HAVE installed other programs...and you say so pretty much by saying this:

I made a s master dvd with all the programs and made it easier to put it all back on--There must be a virus on that disk.

In addition to the printer and all of it's software I see the following:
QuickTime
iTunes
Real Player
iPod (and all of it's software)
Southwest Airlines\Ding (whatever that is)
Nero Burning Software
and at least a portion of a Norton Anti-virus program.
NONE of those should be on the computer until the computer is fully updated to XP SP3. Then ALL drivers should be updated also.
AFTER the computer is Fully Up to Date THEN is when you would install additional programs and items like printers, iPods, burning software, etc.

If you KNOW this DVD is infected then throw it away. You shouldn't take a chance with it.
But one reason for easy infection is the fact that the os is not updated and therefore very insecure.
Every time you go online with this "non-updated" XP the more risk you have of getting more infections. I see several bits of malware on the computer all ready showing in the log.

jholland1964,

Thank you for the information. Can I put the XP disk back in and erase everything and start over or do I have to start from the Windows Me disk?

Thanks Chris

Is this a FULL LEGAL copy of XP or is it an Upgrade?

I bought the computer with Windows ME and they sent me the upgrade later because it wasnt out yet. I had to strip it down and put Me on then drivers then put the XP disk on next.

Yes it is a legal copy of upgrade

Not sure what to advise here, but if it were MY computer since there is definitely malware showing there and the fact that you are fairly certain this back up DVD you have used has infection on it I think I would wipe EVERYTHING and begin at the beginning only this time follow correct procedure, ME, XP Upgrade, XP Updates, All Driver updates and THEN install programs you want, but sorry to say, NOT using that infected DVD.
This way you will know the computer is clean and updated fully. Leaving that ME on there and just redoing XP doesn't assure that the infection also isn't there. I would hate to get clear to the end and find out that the system is fully infected and I have to start over again.
One of the main requirements for upgrading and then updating the newly upgraded system is absolute assurance the computer is fully clean and has NO infection anywhere. I cannot say positively there is or is not infection on there but I CAN say positively there IS malware showing in your HJT log.

You asked earlier about installing MBA-M in safe mode, this really isn't recommended unless there are absolutely no other options. Honestly don't know the reason for asking this, unless it wouldn't download. I is supposed to be run in NORMAL as that is the way the program is configured. In and "emergency" it can be run in safe mode but because of it's configuration to run in normal mode all files wouldn't be scanned, and before you ask, it does NOT run on ME so that wouldn't be an option either.

jholland1964,

I just read your message this morning--we are in the process of moving the computer and I just did a few things to see if it works--If I have to format at least I tried it!!

I put the Windows XP reinstallation disk in the computer and ran the program over but it didnt wipe everything out. I then upgraded service pack 2 and 3--after all was updated I put on some other programs. I ran malwarebytes and no malware--I ran adaware (it took 4 hours) and it found nothing--playing around on the computer none of the pop ups came up so it looks clear so far. If I get that pop up again I will strip it down and start over. I did get rid of the disk!! could you please take a look and see if you think anything should be removed. Thank you again and I appreciate your time--Chris

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:52 AM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242655414796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Hello,

One more question--It may sound dumb but I must ask? If I have some programs on disks and my computer and I would like to burn them to a dvd or a cd as a master disk. Can I run my symantec and check the disk drive and run a scan over the disk to see if there are any viruses. Is this possible? do the hidden malware and viruses come up in a scan? I dont want to make another disk and run into this problem again--I thought the old disk was fine.

Thanks,

Chris

Two things for sure I would get rid of, Spyware Terminator, not highly recommended really. Malwarebytes' is a much better program, updates sometimes multiplte times a day and pretty much the Top of the Line today. Use the Quick Scan option at least a couple times a week, always updating first. Then if the Quick Scan finds something then remove it of course, update the program and do an immediate Full Scan. This way you can be sure whatever it was on there didn't bring along some hidden friends.

Also get rid of AdAware. It just isn't what it used to be. For one thing there is no reason under the sun an AdAware scan should take 4 hours, that alone would do it for me.
Add SpywareBlaster. A FREE, MUST have program. Great thing about it is it doesn't run in the background but it blocks, tracking cookies, unwanted activex installs and has a great Restricted Sites portion so you cannot stumble in some place you don't want to be.

Now you need to uninstall, in addition to the Spyware Terminator and AdAware, AskBar. This is looked upon by most sites as adware because if often is installed without your permission and can bring in some things you really don't want. Look in Add/Remove and see if it is listed there with the other two I noted.
Finally,
Run HJT again and place check marks next to the following entries if they remain:
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

After you have placed the check marks Exit HJT.

Can I run my symantec and check the disk drive and run a scan over the disk to see if there are any viruses.

NOT a dumb question either, a very sensible one.
Yes, you should be able to do that. I don't run Norton anymore but I am certain there is someplace and option where you can manually scan the disk in the drive. Of course I don't believe it wouldn't be able to remove it but it certainly can tell you if there is an infected file on there.
Judy

Hello,

Fingers crossed but it seems to be running fine now!!! Thank you for you information--Hopefully next time I will do everything in the order you showed me. Thanks again, Chris