Virus or malware affecting WinXP

Posted by z-lite (Limp Gawd, joined May 30, 2002, 507 messages)
I have a computer that I'm working on that was brought in for pop-up problems. I went through the system and removed everything that was found to be related to malware. I used Norton Antivirus Corporate Edition and HouseCall from Trend Micro to remove viruses; it found some and they were deleted. Now whenever I click on the Control Panel from the Start Menu, it comes up with the little flashlight icon (meaning it's searching for the Control Panel icons), then closes along with explorer.exe, and after 2-3 seconds explorer reloads. Nothing in Task Manager shows up that's suspicious. Has anyone had this problem before? Any idea on how to fix it?
 
You didn't mention if you'd run Ad-Aware or Spybot?

You could try those, and then if it's still there, try HijackThis and post your results.
 
Used Microsoft AntiSpyware, Ad-Aware SE, Spybot S&D, HijackThis and WinsockFix. Nothing funny comes up from HJT, but here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 1:29:55 PM, on 9/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\Misc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0vi80a3nj6a9n%26l=c0d38d6eyy/o%26p=m1v0mlrd13080b00%26jb=35|158|%26r=2v%26lg=us%26intl=us&.t=T=z=cYqR/Ace/R/AXqoEsWxGPBPTjIGNTc2TzJPMU43Tw--%26a=QAE%26sk=DAAHQHneXcrID5%26d=c2wBT1RVQk1qQXhPRFU0Tmprd09BLS0BYQFRQUUBdGlwAXNhWmhaQQF6egFjWXFSL0FnV0E-&.ver=2&.done=http%3a//edit.yahoo.com/config/edit_identity%3f.src=pg%26.done=http%3a//messenger.yahoo.com/%26.l=mandingo88
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Didn't notice anything... but why do you have Norton and Trend Micro virus scanners both running?
 
Back up any data, then wipe it out and start from scratch. Only sure-fire way to ensure all the system files are there, the registry is kosher, and it doesn't have any malware spreading like cancer. :eek:

EDIT:

You could try doing a system repair install... but those always go SNAFU on me.
 
hulksterjoe said:
Didn't notice anything... but why do you have Norton and Trend Micro virus scanners both running?
Yep, 2 AV programs running at the same time will do some screwy things. Uninstall one of them and see what happens.
 
I may be wrong here, but isn't HouseCall just the online scanner?
 
^^ Housecall is just the online scanner indeed. I would try a repair install. I have never had one make a computer worse or cause data loss so it certainly can't hurt to try it. This is, of course, assuming that you are not running 2 AV programs simultaneously.
 
Mister Natural said:
Nevermind, I thought his HijackThis log showed 2 AV programs; it doesn't.
You're right, the NvCpl line had me thinking Norton:
HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Looks like it's just PC-cillin:
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"

My bad.
 
I ended up doing a clean install. Ah well, thanks anyway guys :) But I'll keep that in mind next time (moving the .cpl files).
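The "moving the .cpl files" idea mentioned above, carried through as a procedure, as an added example that is not part of the thread: the Control Panel crash described in the first post is what you get when explorer.exe enumerates the applets and one of them faults on load, so you park the candidate .cpl files in a quarantine folder and bisect, putting half back each round and checking whether explorer still dies (it restarts with a new PID, or is gone). The bisection itself is plain Python and is what is exercised; the Windows probe assumes an XP Professional box (tasklist.exe is not on XP Home), Python 3, an administrator account, and that control.exe reproduces the Start Menu click. Windows File Protection silently restores the OS's own .cpl files when they are moved, so the useful candidate list is the third-party applets (driver and vendor .cpl files), supplied by the caller.

```python
"""Finding the Control Panel applet that takes explorer.exe down.

Added example, not from the thread.  find_culprit() is a generic bisection
over an oracle; make_probe() builds that oracle for a live Windows box and
is an assumption (XP Pro, tasklist.exe, admin rights), not exercised here.
"""
import csv
import os
import shutil
import subprocess
import time


def find_culprit(candidates, crashes):
    """Bisect `candidates` with the oracle crashes(subset) -> bool.

    Assumes a single bad file: each round keeps the half whose presence still
    reproduces the crash.  Returns the bad file, or None when no subset
    reproduces it (the crash is not caused by these files).  With two bad
    files it returns one of them; remove it and run again.
    """
    items = list(candidates)
    while len(items) > 1:
        mid = len(items) // 2
        items = items[:mid] if crashes(items[:mid]) else items[mid:]
    return items[0] if items and crashes(items) else None


def explorer_pid():
    """PID of explorer.exe from `tasklist`, or None if it is not running."""
    out = subprocess.check_output(
        ["tasklist", "/FI", "IMAGENAME eq explorer.exe", "/FO", "CSV", "/NH"],
        universal_newlines=True)
    for row in csv.reader(out.splitlines()):
        if row and row[0].lower() == "explorer.exe":
            return int(row[1])
    return None


def make_probe(system32, quarantine, wait_seconds=8):
    """Build the crashes(subset) oracle for find_culprit on a live box.

    All candidates live in `quarantine`; each probe puts back only `present`,
    opens the Control Panel and checks whether explorer.exe survived.  The
    first post says explorer comes back after 2-3 seconds, so after the wait
    a changed (or missing) PID means it crashed.  Each surviving probe leaves
    a Control Panel window open; close them between rounds.
    """
    def crashes(present):
        for name in os.listdir(quarantine):          # clean slate in system32
            target = os.path.join(system32, name)
            if os.path.exists(target):
                os.remove(target)
        for name in present:                          # restore just this subset
            shutil.copy2(os.path.join(quarantine, name), os.path.join(system32, name))
        before = explorer_pid()
        subprocess.Popen(["control.exe"])             # same action as the Start Menu click
        time.sleep(wait_seconds)
        return explorer_pid() != before
    return crashes


def isolate(candidates, system32, quarantine):
    """Move the candidate applets out, bisect, then put every original back."""
    os.makedirs(quarantine, exist_ok=True)
    for name in candidates:
        shutil.move(os.path.join(system32, name), os.path.join(quarantine, name))
    try:
        return find_culprit(candidates, make_probe(system32, quarantine))
    finally:
        for name in candidates:
            target = os.path.join(system32, name)
            if os.path.exists(target):                # drop any probe copy
                os.remove(target)
            shutil.move(os.path.join(quarantine, name), target)


if __name__ == "__main__":
    # Dry run with a constructed candidate list and a fake oracle.  On the
    # real box: isolate(["nvcpl.cpl", ...], r"C:\WINDOWS\system32", r"C:\cpl_quarantine")
    fake = ["nvcpl.cpl", "access.cpl", "broken.cpl", "desk.cpl", "joy.cpl"]
    print(find_culprit(fake, lambda subset: "broken.cpl" in subset))
```

Five candidates take three probes instead of five, and the count only grows logarithmically, which matters when each probe costs a crash and a wait. If the bisection returns None the applets are not the cause and the shell extension list (which HJT does not show) is the next place to look.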
 
z-lite said:
I ended up doing a clean install. Ah well, thanks anyway guys :) But I'll keep that in mind next time (moving the .cpl files).
The more experience you earn, the less you will find yourself resorting to clean installs. :)
 