Make sure that you download the latest updates too Dave and the extended database options
Hi all . . . <dismal sigh>
Thanks, AnneMarie ..... I understood about the updates and extended options, but I guess I'm not sure how to do it.
I have downloaded and copied the main Kaspersky program installation file from another PC, and used my flash drive to put it on my computer.
But unless I'm missing something, updates and the "extended database options" can only be downloaded directly from the Internet, from the PC on which Kaspersky is already installed. This is not possible, since MSIE access is being denied.
I'm not sure if it will work, but I am going to try loading the Mozilla browser onto my PC .... I may (again) be missing something, but perhaps it won't be affected like MSIE is.
Thanks again, I look forward to your reply.
- Dave
Is it AVG that is stopping Explorer from running, Dave, or did you uninstall it as I suggested? This is not a typical symptom of this infection.
If you could post a new Hijack This log, I might get a better picture of what is going on. Hijack This runs in Safe Mode.
I have had more feedback today regarding this parasite. EZ AV can apparently clean it too.
Thanks again, AnneMarie . . .
Nope, Internet is still inaccessible even with AVG uninstalled. NOTE: When you look at my HJT log, please be advised I have also uninstalled the Panda antivirus.
I installed Firefox browser, but it is apparently similarly blocked.
Yet, I *still* can use IRC just fine <shrug> <puzzled look>.
One situation says I don't have Internet, another situation seems to say I do. When I open the Network icon in Control Panel, it is entirely blank !!
IMPORTANT: I installed the CA AV as you suggested, downloading the install file using another PC, copying it to my flash drive and then putting it on my PC. Installation went ok until it reached a point where it tried to access the Internet to perform definition updates, and then said it could not obtain Web access. However, I continued and commanded a Restart. When I tried to run CA AV, it collapsed, and one window indicated the main "engine" was missing !
Well, I've turned another corner and met with yet more frustration. I guess I'll just await more feedback, this is all beyond my knowhow.
You requested another HJT log, please see it pasted below my signature block.
Thanks again,
- Dave
Logfile of HijackThis v1.99.0
Scan saved at 10:04:54 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: Panda Firewall Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
Ok, I think that we had better concentrate on getting you online and worry about getting rid of this virus once you have Internet access. We may have to replace Explorer.exe but we will cross that bridge when we come to it.
Go here and download, unzip and run the Registry Search Tool. Type nettraffic2cash in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them.
I wonder if Zone Alarm is blocking IE. Uninstall it for now and enable XP's firewall. See here.
You uninstalled Panda? We need to fix up those entries in your log. I see that a proxy has been added and restrictions have been put in place. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: Panda Firewall Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
Still in Safe Mode, run Killbox and use it to delete the below folders/files:
C:\WINDOWS2\EliteToolBar
C:\WINDOWS2\System32\wnim.dll
C:\windows2\system32\eliteppy32.exe
C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
I don't want you to delete the D:\Program Files\Panda Software folder at this point but have a look and tell me if there are any files in it.
Reboot and post a new log. Also post a new Silent Runners log please. Any luck getting online yet?
BTW Where did all those GhostSurf startups come from?
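As a defender-side illustration of what AnnMarie is reading off these logs (the loopback proxy, the unnamed BHO and MIME filters in wnim.dll, the IE policy restrictions, the Trusted Zone entry, the name server outside the LAN), here is a small triage script. It is an added example, not something posted in the thread and not part of HijackThis; the section prefixes (R1, O2, O4, O6, O15, O17, O18) are the ones HijackThis itself prints, the sample lines are copied from the logs above, and the heuristics are my own assumptions. The O17 rule generalizes beyond this thread: it flags any resolver outside the private address ranges, so an ISP's public resolver will be flagged too, which makes it a prompt to verify, not a verdict.

```python
import ipaddress
import re

# Constructed sample: HijackThis-format lines copied from the logs posted in
# this thread, plus one benign O4 and one O23 entry so the filter has
# something to pass. Not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
_ENTRY = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt_line(line):
    """Return (section, body) for an entry line, or None for headers/process lists."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def triage_entry(section, body):
    """Heuristic (my assumption, not a HijackThis rule): reason to look closer, or None."""
    low = body.lower()
    if section == "R1" and "proxyserver" in low:
        if "127.0.0.1" in low or "localhost" in low:
            return "browser proxy points at a loopback port; find which local program listens there"
        return "browser proxy is set; confirm it is expected"
    if section in ("O2", "O3") and "(no name)" in low:
        return "unnamed browser helper object or toolbar"
    if section == "O4" and ("rundll32" in low or "application data" in low):
        return "autorun loads a DLL via rundll32 or runs from a user profile folder"
    if section == "O6":
        return "Internet Explorer policy restriction present"
    if section == "O15":
        return "site added to the Trusted Zone"
    if section == "O17":
        public = [a for a in _IPV4.findall(body) if not _is_private(a)]
        if public:
            return "DNS server(s) outside the local network: " + ", ".join(public)
    if section == "O18":
        return "IE MIME filter installed; it can rewrite every page of that content type"
    return None


def triage_log(text):
    """Run the heuristics over a whole log and return the entries worth reviewing."""
    findings = []
    for line in text.splitlines():
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = triage_entry(section, body)
        if reason:
            findings.append({"section": section, "entry": line.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['entry']}")
```

The script only points at entries; deciding what to fix still needs the judgement AnnMarie applies here, such as recognising that the GhostSurf proxy entry may be legitimate even though it matches the loopback rule.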
AnneMarie,
Thanks .... I am using quotes from your most recent post and responding (below):
* * * I use a program called GhostSurf (by Tenebril) to surf anonymously. It re-routes my connection through a long series of proxy servers. It is an "out-of-the-box" program, not downloaded or used online, so it should not be causing any problems.
Quote:
Originally posted by AnnMarie
I wonder if Zone Alarm is blocking IE. Uninstall it for now and enable XP's firewall. See here.
You uninstalled Panda? We need to fix up those entries in your log. I see that a proxy has been added and restrictions have been put in place. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
* * * Sorry, I guess my bold typeface didn't help ("ALREADY DELETED - Dave"), but the above items you listed for deleting had already been deleted. :)
BTW Where did all those GhostSurf startups come from?
UPDATE: I have my homepage on MSIE back (again), but of course *still* no internet connection, at least with a browser. I will kill Zone Alarm and follow your other instructions, and get back to you this evening (I am posting from work right now). I will include the logs you requested.
Also, I downloaded Microsoft's antispyware app; it seems to do an excellent job of deep scanning and reporting. However, there was one nasty installed which the MS app kept finding and deleting, but same old story ... something somewhere just slaps it right back into Windows again. I forget the name of the nasty but I will include it as well.
Thanks,
Dave
Hi Dave, I did see those entries in your log but I thought I was looking at the most recent log and assumed that you meant they had reinstated themselves.
I knew that you had GhostSurf but as you couldn't get online, I couldn't understand why those entries were there. They did not show in earlier logs. It's possible that the below entry belongs to GhostSurf:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
I would still like you to fix it but you may have to reinstate it if you have problems using GhostSurf.
Hi all . . .
AnneMarie, did everything you said, *except* the activation of WinXP firewall failed. See attached file of screen shot showing message given. Looking at screen shot: I'd just clicked to check box labeled "Protect my computer ..." then clicked OK, when msg. window at right appeared.
Also following - (1) HJT log & (2) SilentRunner log:
NOTE: After running the report for you, I *deleted* the items in BOLD:
Logfile of HijackThis v1.99.0
Scan saved at 12:33:10 AM, on 2/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\WINDOWS2\System32\wuauclt.exe
D:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
===================================
"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 00:39
Operating System: Windows XP
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Uma" = "C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS2\System32\ctfmon.exe" [MS]
"LDM" = "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"zBrowser Launcher" = "D:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"RoxioDragToDisc" = ""D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"" ["Roxio"]
"RemoteControl" = "C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" ["Cyberlink Corp."]
"Logitech Utility" = "Logi_MwX.Exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"CaAvTray" = ""D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]
"CAVRID" = ""D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]
"gcasServ" = ""D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS2\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{5FFD4A60-C328-128D-44EB-21D258091D15}" = "Delayed Applications Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = blank [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\stobject.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "(no data)" [file not found]
Startup items in "Dave" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PlexTools Professional" -> shortcut to: "D:\Program Files\Plextor\PlexTool.exe Startup" ["Plextor SA/NV"]
"SpySubtract" -> shortcut to: "D:\Program Files\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic Updates, wuauserv, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wuauserv.dll" [MS]}
CAISafe, CAISafe, "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
COM+ Event System, EventSystem, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\cryptsvc.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS2\System32\svchost.exe -k NetworkService" {"C:\WINDOWS2\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS2\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS2\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dmserver.dll" ["Microsoft Corp."]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Messenger, Messenger, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\msgsvc.dll" [MS]}
Network Connections, Netman, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS2\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS2\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS2\system32\lsass.exe" [MS]
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS2\system32\svchost -k rpcss" {"C:\WINDOWS2\system32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS2\system32\svchost.exe -k LocalService" {"C:\WINDOWS2\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS2\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\lmhsvc.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
Upload Manager, uploadmgr, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
VET Message Service, VETMSGNT, "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]
WebClient, WebClient, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\audiosrv.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\w32time.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS2\System32\wdfmgr.exe" [MS]
WinTab Service, WinTabService, "C:\WINDOWS2\System32\DRIVERS\WtSrv.exe" ["Tablet Driver"]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wkssvc.dll" [MS]}
Cheers,
- Dave
Try this Dave, go to Start > Run and type:
SERVICES.MSC
and hit enter. Scroll down to "Internet Connection Firewall (ICF)", right-click on this service and select "Start". Then go back and enable your firewall.
The Silent Runners log shows me that EZ AntiVirus did a good job of cleaning up your OS. Are you able to get online yet? If not, did you try installing another browser yet? You were considering this.
A final cleanup hopefully. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked. I have not included the items that you have fixed on the assumption that they are no longer there now. When you post your next log, please post a log that was run after you made the changes and rebooted.
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
Reboot, run another scan and post a new log.
Ann,
Quote:
Originally posted by AnnMarie
Try this Dave, go to Start > Run and type:
SERVICES.MSC
and hit enter. Scroll down to "Internet Connection Firewall (ICF)", right-click on this service and select "Start". Then go back and enable your firewall.
I'm dead from the get-go. The ICF isn't even listed in Services!! I am supposing it's "missing in action", and I for one have no idea how to restore it onto the Services list. I'll keep an eye out for your reply, but while I'm waiting, I'll check around on the Web for some ideas.
- Dave
P.S. At what point do I/we hoist the white flag, wipe the C: partition and reinstall Windows ? :confused:
Hi all . . .
Ann, I just did the things you said to. However, when I use HJT to delete
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
and then scan again just seconds later, it's back again !!
===============================
On the brighter side, I happened to try MSIE and it fired up and is working !!!
However, EZ AV popped up while I was resetting MSIE's security level and reported 4 instances of infection by the Win32.Bube virus (you had mentioned earlier) -- please see my attached JPG screenshot.
As you can see, EZ AV cleaned it from the C:\WINDOWS\system32 location, but was unable to clean it from the explorer.exe location.
Am going to try Housecall, then check back here later.
- Dave
Oh, geezz ..... :mad: :mad: :mad:
First of all, I guess explorer.exe is whacked .... I must start it manually by doing a C-A-D and then select NEW TASK and start it.
Anyway ..... I just deleted all kinds of garbage after the a.v. scan, etc. .... did a Restart and then when my blank desktop showed up (only shows the display image, NO icons or taskbar), I performed the manual start for explorer.exe.
Immediately, a DOS window came up with dozens of lines zipping by, saying something like "Executing trojan blah blah blah (filenames etc.)" .... after I got past my shock I immediately hit the "X" button at the upper right on the DOS window.
Something in it cued me to the fact that this was all contained in a file named "tsc.exe". When I did a file search, using the criteria tsc.*, several items came up -- see attached JPG image.
Is this possible ..... someone installing a "seeding file" that executes dozens of trojan items all at once ??
Anne: I assume the items shown in the image file I've attached should all be deleted, but I hate assuming, when I'm not the wizard. I'll wait for your comments, and shut down.
- Dave
Can you send me a copy of that file please Dave. When you find it, copy it to a new folder, zip it up (this is important) and email it to me (include a link to this thread). My address is [email protected]. I will post back when I have checked it out.
A new version of Hijack This was released yesterday. Go here and download the latest version. Run Hijack This again and post a new log.
Annie -
I downloaded the new HJT app as you instructed. Below is the resulting log:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:36 PM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
I keep deleting the entry
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
using HJT, but moments later it is back again.
- Dave
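The fix lists and logs in this thread are read by section number: O4 autoruns, O6 Internet Explorer policy restrictions, O15 Trusted Zone and protocol-default changes, O17 DNS (NameServer) settings and O18 MIME filters. The script below is an added example written for this page, not part of HijackThis and not the helper's own procedure. It parses a log into sections and flags the kinds of entries that were picked out above: an O4 autorun launched from a user-profile folder, any O6 restriction, any O15 change, an O17 NameServer that is not a private (RFC 1918) address, and an O18 filter whose DLL is missing. The sample lines are copied from the logs posted in the thread, with two ordinary entries added that should not be flagged; the "user-writable folder" rule for O4 is a heuristic of this example, not a HijackThis rule.

```python
"""Triage a HijackThis log by section and flag the entries a removal helper
would look at first (O15 zone changes, O17 DNS servers, orphaned O18
filters, O4 autoruns from profile folders, O6 IE policy restrictions).

Added example for this thread; it is not part of HijackThis."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: lines taken from the thread's HJT logs, plus two
# ordinary entries (gcasServ, kavsvc) that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Heuristic (this example's own rule): autorun entries should rarely point
# into user-writable profile folders.
SUSPECT_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")


def parse_entries(log_text):
    """Return {section: [entry text, ...]} for every 'Oxx - ...' line."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def public_ips(text):
    """Dotted-quad addresses in text that are not private (RFC 1918 etc.)."""
    found = []
    for ip in IPV4_RE.findall(text):
        try:
            if not ipaddress.ip_address(ip).is_private:
                found.append(ip)
        except ValueError:      # e.g. an octet above 255; ignore it
            pass
    return found


def flag_entry(section, text):
    """Return a reason string if this entry merits a second look, else None."""
    if section == "O4" and any(d in text.lower() for d in SUSPECT_DIRS):
        return "autorun launched from a user-writable profile folder"
    if section == "O6":
        return "IE policy restriction present"
    if section == "O15":
        return "Trusted Zone / protocol default altered"
    if section == "O17" and "NameServer" in text:
        ips = public_ips(text)
        if ips:
            return "non-private DNS server configured: " + ", ".join(ips)
    if section == "O18" and "(no file)" in text:
        return "MIME filter registered but its DLL is missing"
    return None


def triage(log_text):
    """Return (sections, flagged) where flagged is [(section, reason, text)]."""
    sections = parse_entries(log_text)
    flagged = []
    for section, entries in sections.items():
        for text in entries:
            reason = flag_entry(section, text)
            if reason:
                flagged.append((section, reason, text))
    return sections, flagged


if __name__ == "__main__":
    secs, hits = triage(SAMPLE_LOG)
    for name in sorted(secs, key=lambda s: int(s[1:])):
        print(f"{name}: {len(secs[name])} entries")
    for section, reason, text in hits:
        print(f"[{section}] {reason}\n    {text}")
```

Run on the sample, it flags the tbtm.exe autorun, the O6 restriction, both O15 lines, the O17 line (because 38.9.212.2 is not a private address, while 192.168.2.1 is) and the orphaned text/html filter, and leaves the gcasServ and kavsvc entries alone. A flag is a prompt to look, not a verdict; the helper in this thread still checked each item before asking for it to be fixed.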
Try fixing the below entries using the latest version of Hijack This Dave. (close IE first).
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
Reboot afterwards and post a new log. I am sure that I mentioned this before but perhaps not, go here and download, unzip and run the Registry Search Tool. Type nettraffic2cash in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them.
I haven't received that file yet but there is no evidence of new malware in your log. Can you still get online?
Quote:
Originally posted by AnnMarie
I haven't received that file yet but there is no evidence of new malware in your log. Can you still get online?
AnneMarie,
Yes, I still have online access, although I am using Mozilla Firefox instead of MSIE, just in case it is less vulnerable, as I have heard.
I am assuming that procedures performed with HJT and other tools should be done in SAFE mode. If there is anything that does NOT, let me know ... it's a pain switching back and forth between Normal and Safe, and I don't have internet usage in Safe mode.
Also, regarding your use of the term "malware" -- is HJT going to show items related to viruses and trojans ? I have been overrun with them, but I had the idea HJT was only for spyware and hijacking nasties.
Will be posting again soon .... thanks again.
- Dave
Thanks I received the file Dave. It's not a trojan, it's the Trend Micro Damage Cleanup Engine.
Hijack This shows 99% of trojans and most viruses, the exception being file infectors which you currently have.
Quote:
is HJT going to show items related to viruses and trojans ? I have been overrun with them, but I had the idea HJT was only for spyware and hijacking nasties.
I need you to be able to use Internet Explorer. Please run the IEfix utility. You can download it here. Close IE first and reboot afterwards.
I have attached a zipped copy of Explorer.exe (SP1) to this post. Download it to your Desktop and unzip it. Once you have confirmed that IE is operative, we are going to replace your infected version of Explorer.exe with a clean one.
Dont forget to post a new Hijack This log and the results of your registry search if the entry is still there.
Thanks, Annie -
1.) I performed the Explorer Fix.
2.) How do I replace Explorer.exe ? I tried an overwrite, and as I expected, it gave me a message something like "Make sure the file or app isn't in use." Seems like a Catch-22 -- I need to replace a file that has to be running while I try to replace it. I'll try again tonight after work.
My new HJT log follows after my sig . . . as you can see, that ruddy O15 - nettraffic2cash.biz entry still shows up . . .
Cheers,
Dave
Logfile of HijackThis v1.99.0
Scan saved at 8:27:42 AM, on 2/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
D:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
I will talk you through the process Dave. I need confirmation from you that Internet Explorer is fully functional first though.
Quote:
How do I replace Explorer.exe ? I tried an overwrite, and as I expected, it gave me a message something like "Make sure the file or app isn't in use." Seems like a Catch-22 -- I need to replace a file that has to be running while I try to replace it. I'll try again tonight after work.
Yes, I am waiting for you to post the results of running the Registry Search utility. We need to get rid of that before we replace Explorer.
Quote:
My new HJT log follows after my sig . . . as you can see, that ruddy O15 - nettraffic2cash.biz entry still shows up .
OK, thanks Annie -
Yes, MSIE is running fine, it seems.
I'm at work now, and will be out for the evening, but will return later and perform the RegSearch.
I think you're 16 hours ahead of me, so I should be back online around 3 PM your time. I know you have your own schedule and things to do, that's just for your info :) I'll have around 3 hours after that to work on this stuff, but if it doesn't get done, I can continue in the morning.
FYI, EZ AV found another virus, but killed it.
- Dave
Don't worry, if we cannot connect today, we will tomorrow sometime. With a bit of luck your PC will be fine for the weekend. :)
OK, Annie . . .
I got home and MSIE seems to still be working fine. Curiously, however, Windows Explorer is utterly shot.
Here are the RegSearch results you wanted:
===============================
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "finefind.nettraffic2cash.biz" 2/18/2005 12:06:14 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
===============================
Sincerely,
- Dave
I have uploaded a file to this post that should get rid of nettraffic2cash Dave. Download nettraffic2cash.zip and unzip it. Doubleclick on nettraffic2cash.reg and Ok any prompt asking if you wish to merge it with your registry. Reboot afterwards.
Before we try to replace Explorer.exe with the version that I uploaded for you, download and install this patch. It contains Explorer.exe and this should overwrite your infected copy. Reboot afterwards, run a scan with EZ AV and let us know the results.
Quote:
Originally posted by AnnMarie
I have uploaded a file to this post that should get rid of nettraffic2cash Dave. Download nettraffic2cash.zip and unzip it. Doubleclick on nettraffic2cash.reg and Ok any prompt asking if you wish to merge it with your registry. Reboot afterwards.
Hi, Annie -
I did as you instructed (including the reboot), but as you can see, a brand new HJT log shows the nettraffic2biz.com listing is *still* showing up. Here is the entire HJT log, for your reference:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:56 AM, on 2/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\WINDOWS2\System32\svchost.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
***Attached is a shot of the EZ AV results.
Quote:
Before we try to replace Explorer.exe with the version that I uploaded for you, download and install this patch. It contains Explorer.exe and this should overwrite your infected copy. Reboot afterwards, run a scan with EZ AV and let us know the results.
- Dave
I think you forgot to post the attachment Dave.
Quote:
Attached is a shot of the EZ AV results.
Run Registry Search again but this time, post nettraffic2cash only in the search box. Post the results back here.
No, worse than forgetting to post it -- I forgot what I was supposed to do ! **embarrassed look**
Here is a RegSearch log, after having installed the Zip file you sent to me:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "nettraffic2cash" 2/19/2005 6:52:51 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="D:\\My Downloads\\nettraffic2cash.zip"
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip]
"c"="D:\\My Downloads\\nettraffic2cash.zip"
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\PowerArchiver\Files]
"Active_File1"="D:\\My Downloads\\nettraffic2cash.zip"
- Dave
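The two RegSearch results above show why the search term matters: searching for the full host name found only the ZoneMap\Domains key that puts the site in IE's Trusted Zone, while searching for nettraffic2cash also returned OpenSaveMRU and PowerArchiver keys that merely record the name of the downloaded nettraffic2cash.zip, which are not part of the hijack. The script below is an added example for this page, not AnnMarie's nettraffic2cash.reg. It reads the REGEDIT4-style search output, keeps only the ZoneMap\Domains keys naming the domain, and writes a .reg file that deletes them; in .reg syntax a minus sign directly after the opening bracket tells regedit to delete that key instead of creating it. The sample input is constructed from the second search result posted above. The key lives under HKEY_USERS\<SID>, which is the logged-on user's HKEY_CURRENT_USER hive, so the .reg only applies while that user is logged in.

```python
"""Turn a RegSrch.vbs results file into a .reg file that deletes the
Trusted Zone (ZoneMap\Domains) keys it found, leaving unrelated hits alone.

Added example for this thread, not the helper's own nettraffic2cash.reg."""
import re

# Constructed from the second RegSearch log posted in the thread.
SAMPLE_SEARCH = r"""REGEDIT4
; Registry search results for string "nettraffic2cash" 2/19/2005 6:52:51 AM
; NOTE: This file will be deleted when you close WordPad.
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="D:\\My Downloads\\nettraffic2cash.zip"
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\PowerArchiver\Files]
"Active_File1"="D:\\My Downloads\\nettraffic2cash.zip"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ZONEMAP_MARKER = "\\internet settings\\zonemap\\domains\\"


def find_keys(search_text):
    """Every registry key path ([...] header line) in the search output."""
    keys = []
    for line in search_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append(m.group("key"))
    return keys


def zonemap_domain_keys(keys, domain):
    """Keep only ZoneMap\\Domains keys that name `domain`.

    MRU and archiver keys that only reference a file called
    nettraffic2cash.zip are not part of the Trusted Zone hijack."""
    wanted = []
    for key in keys:
        low = key.lower()
        if ZONEMAP_MARKER not in low:
            continue
        tail = low.split(ZONEMAP_MARKER, 1)[1]   # part after ...\Domains\
        if domain.lower() in tail:
            wanted.append(key)
    return wanted


def build_delete_reg(keys):
    """A REGEDIT4 file that removes each key. A '-' right after the
    opening bracket makes regedit delete the key rather than create it."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append("[-" + key + "]")
        lines.append("")
    return "\r\n".join(lines)   # .reg files are expected to use CRLF line ends


if __name__ == "__main__":
    hits = find_keys(SAMPLE_SEARCH)
    targets = zonemap_domain_keys(hits, "nettraffic2cash.biz")
    print(build_delete_reg(targets))
```

The generated file contains a single `[-HKEY_USERS\...\ZoneMap\Domains\finefind.nettraffic2cash.biz]` line and nothing for the MRU keys. One caveat the thread itself illustrates: when the entry reappears seconds after being deleted, something still running is re-creating it, and a .reg merge only sticks once that process has been stopped or removed.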
OK, we can fix that but before we do, I would like you to have another try running Kaspersky. It can disinfect Explorer and if successful, it will eliminate a lot of stressful manoeuvres for you.
Disable your AV first and follow the instructions here
Thanks, Annie -
I performed a Kaspersky AV scan as you asked, it took about 3-1/2 hours.
I have assumed you would want the log file from the Kaspersky AV scan attached, instead of copied and pasted -- for some reason -- even after following the directions from the link you gave me -- it is 231,254kb (231 MB) and pasting it would be prohibitive in size/length. I have zipped it down to 9 MB.
NOTE: Kaspersky did NOT clean or delete 3 of the many nasties it found. I'm not sure I can figure out how to determine which ones were not .... can you advise ?
FYI - I scanned in SAFE mode with the Internet cable DETACHED. I am going to leave my CAT-5 cable disconnected until you instruct me to reconnect it -- I don't want any auto-reloading of nasties from the web.
Cheers,
- Dave
==========================
P.S. (UPDATE) I tried to attach the file and post my reply, but apparently it keeps timing out trying to complete the post with that huge attachment. Please tell me how to get around this. Keep in mind, I created the Kaspersky report file (TXT format) exactly according to instructions.
231 MB? Jeepers, I couldn't plow through a txt file that size, it would take weeks.
We need to know if Explorer is still infected. Uninstall Kaspersky now and run Ez AV. It reported the infection last time, so if Explorer is still infected, it will let you know.
Annie -
I am having EZ AV scan as I write this.
Explorer still has a problem, as I must manually start it using Task Manager each time I boot up.
- Dave
Does EZ AV still report Explorer.exe as infected Dave?
I have uploaded another file for you to download, unzip and doubleclick to merge with your registry. Reboot afterwards and run Killbox. Paste the full file path of the below file in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.
D:\My Downloads\nettraffic2cash.zip
Run Hijack This again and post a new Hijack This log. If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running. Try clean boot troubleshooting to see if you can isolate the problem. See here and here for more information.
Quote:
Originally posted by AnnMarie
Does EZ AV still report Explorer.exe as infected Dave?
* * * I'm not 100% positive, but I do NOT think it reports it as infected.
Quote:
Originally posted by AnnMarie
If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running.
*NO*, Annie .... it does NOT load automatically even in Safe Mode. Even then, I must start Explorer manually.
I am about to follow your instructions in your last post, but thought I should provide you with the above info ASAP in case it impacts anything.
- Dave
OK, Annie -
I loaded the new registry file, rebooted, used Killbox as you instructed, and also ran a new HJT scan (log pasted below).
Sorry, but Explorer still does not fire up on its own .... I will look at the links you sent me to read about clean bootup, etc.
Also, I cannot remember if I mentioned it ..... Windows Explorer has also been refusing to work. I can only access folders and files using My Computer.
Thanks ....
- Dave
=====================================
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:26:44 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS2\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Plextor\PlexTool.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
Good that fixed those nettraffic2cash entries.
You said that you think that EZ AV does not report Explorer.exe as infected now but you are not 100% sure. Can we do better than that Dave please. I really need to know what I am dealing with and maybe's are not very helpful.
Explorer and Windows Explorer are the same file. Please run a search for Explorer* (with the asterisk) and post back exactly what you find (the full filename and filepath).
Sorry, Annie - that was kind of an irresponsible post on my part. I am just kind of brain-fried from multiple PC problems at home, all on top of a list of other things of which I will spare you the details.
I just ran EZ AV again, and it reported nothing at all :) :)
I made a screen shot (cropped) to show the results of the search for " explorer* " ..... I wanted to put it in the body of this post, but from what I'm reading I guess the image has to be on a website. Therefore I am ATTACHING the screen shot file.
Cheers,
- Dave
Ok, I can see the problem. Your explorer.exe in your C:\Windows2 folder has been deleted.
Your OS is using explorer.exe in C:\Windows instead and this folder is not your default installation folder so it seems.
Boot into Safe Mode but do not start Explorer this time. We are going to start Iexplore.exe instead. Open Task Manager and go to Task > New and type iexplore.exe and OK.
When IE opens, click on View > Explorer Bar > Folders and navigate to C:\Windows. Open the folder and copy Explorer.exe (rightclick to copy). Once you have copied it, navigate to C:\Windows2, open the folder, rightclick in a blank space and choose Paste.
Close IE and reboot. Does your Desktop load now?
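The diagnosis and repair steps above, as an added batch script that is not part of the original thread. It assumes it is run from a Safe Mode command prompt and takes the folder holding a known-good copy of explorer.exe as its one argument (in this thread that was C:\WINDOWS, with the active system root being C:\WINDOWS2).

```batch
@echo off
rem Added example (not from the thread): report which Windows folder is the
rem active system root, what shell Winlogon is configured to start, and whether
rem explorer.exe is actually present there; restore it from a given folder if not.
rem Usage: check_explorer.cmd [folder-with-good-copy]   e.g. check_explorer.cmd C:\WINDOWS
setlocal

echo Active system root: %SystemRoot%
echo Configured shell (Winlogon\Shell, normally "Explorer.exe"):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

if exist "%SystemRoot%\explorer.exe" (
    echo explorer.exe is present in %SystemRoot%:
    dir "%SystemRoot%\explorer.exe"
    goto :eof
)

echo explorer.exe is MISSING from %SystemRoot%
if "%~1"=="" (
    echo Re-run with the folder that holds a known-good copy, e.g. C:\WINDOWS
    exit /b 1
)
if not exist "%~1\explorer.exe" (
    echo No explorer.exe found in %~1 either
    exit /b 1
)

rem Both copies must come from the same Windows version and service pack level.
copy "%~1\explorer.exe" "%SystemRoot%\explorer.exe"
echo Restored explorer.exe into %SystemRoot%; reboot and check that the Desktop loads.
endlocal
```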
That did it, Annie ! Looks like we're done :)
That was so simple, I should have seen it long ago. I guess when you're going crackers with a good handful of problems on 3 PCs at home, you just lose your perspective -- and common sense :D
If I could please trouble you with a quick question:
I only recently realized I still haven't installed SP2 for my WinXP Pro. I must admit I'm more than a bit reticent to do so after stories I've heard. What is your comment on doing so -- just the bottom line after weighing the pluses and minuses ? If it will be an extremely significant help in avoiding future problems like what you just helped me get out of, I might install it.
Aside from that, I guess we're done -- THANK YOU!!, Annie, for all your time, trouble and -- especially -- patience :)
Cheers,
- Dave
That's good news Dave and you are very welcome. :D
Regarding SP2, I wouldn't be without it. I had to install it three times on my PC before I had a satisfactory install but I didn't give up on it (I have a Compaq, need I say more? :D). Numerous security holes have been uncovered since SP1 and plugged in SP2 and later updates. It's a "must have" in my opinion.
I have posted my standard "Prevention" blurb below for you to read when you have a spare minute. :)
Keeping up to date with Windows Critical Updates is a major factor in preventing problems with viruses, hijackers and spyware, more information here Microsoft Security Home Page. Also go here and download and install Spyware Blaster. Adding the MVPS Hosts file will also help block unwanted parasites.
Check IE's security settings. Go to Tools > Internet Options > Advanced and make sure that "Install upon Demand" and "Install upon Demand (other)" are not selected.
Now go to Internet Options > Security > Custom and set "Download Signed ActiveX Controls" to Prompt.
"Initialise and script ActiveX controls not marked as Safe" and "Download unsigned ActiveX controls" should be disabled.
Set "Script ActiveX controls marked safe for scripting" and "Run ActiveX controls and plug-ins" to enable.
Run Ad-Aware or Spybot regularly. NB. It is important to make sure that you go online and install any updates first.
If your OS is Windows XP or Windows Millennium, flush all restore points after cleaning your PC to prevent infected files being restored, see here for more information.
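The ActiveX settings from the prevention blurb, as an added batch script that is not part of the original post. It reads and optionally writes the Internet zone (zone 3) registry values behind the Custom Level dialog, and also checks the ProtocolDefaults entry that the O15 line in the HijackThis log above flagged; the action-ID-to-setting mapping is the standard IE one and is listed in the comments.

```batch
@echo off
rem Added example (not from the thread): audit, and with "apply" set, the Internet
rem zone ActiveX settings recommended above. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
setlocal
set ZONE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
set PROTO=HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

rem action id : setting                                           : recommended
rem 1001      : Download signed ActiveX controls                  : 1 (Prompt)
rem 1004      : Download unsigned ActiveX controls                : 3 (Disable)
rem 1201      : Initialize and script ActiveX not marked as safe  : 3 (Disable)
rem 1405      : Script ActiveX controls marked safe for scripting : 0 (Enable)
rem 1200      : Run ActiveX controls and plug-ins                 : 0 (Enable)

echo Current Internet-zone ActiveX settings (missing value = IE default):
for %%A in (1001 1004 1201 1405 1200) do reg query "%ZONE%" /v %%A

rem HijackThis O15 check: zone for plain http should be 3 (Internet), not 2 (Trusted).
echo Default zone for the http protocol:
reg query "%PROTO%" /v http

if /i not "%~1"=="apply" (
    echo Run again with "apply" to write the recommended ActiveX values.
    goto :eof
)
reg add "%ZONE%" /v 1001 /t REG_DWORD /d 1 /f
reg add "%ZONE%" /v 1004 /t REG_DWORD /d 3 /f
reg add "%ZONE%" /v 1201 /t REG_DWORD /d 3 /f
reg add "%ZONE%" /v 1405 /t REG_DWORD /d 0 /f
reg add "%ZONE%" /v 1200 /t REG_DWORD /d 0 /f
echo Done. Confirm in Internet Options ^> Security ^> Custom Level.
endlocal
```

The http ProtocolDefaults value is only queried, not changed, because HijackThis fixes that O15 entry itself when the line is ticked.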
Annie,
Just one more thing -- I didn't realize until later:
While the explorer.exe fix DID get the desktop and MSIE running again, Windows Explorer is still refusing to 'launch'.
I tried copying and pasting the .EXE file for it from WINDOWS to WINDOWS2, but it still isn't working.
- Dave
From the Accessories Menu Dave? If so, rightclick on the shortcut and choose Properties. Click on Shortcut, what do you see under Target etc.?