Make sure that you download the latest updates too Dave and the extended database options
Hi all . . . <dismal sigh>
Thanks, AnneMarie ..... I understood about the updates and extended options, but I guess I'm not sure how to do it.
I have downloaded and copied the main Kaspersky program installation file from another PC, and used my flash drive to put it on my computer.
But unless I'm missing something, updates and the "extended database options" can only be downloaded directly from the Internet, from the PC on which Kaspersky is already installed. This is not possible, since MSIE access is being denied.
I'm not sure if it will work, but I am going to try loading the Mozilla browser onto my PC .... I may (again) be missing something, but perhaps it won't be affected like MSIE is.
Thanks again, I look forward to your reply.
- Dave
Is it AVG that is stopping Explorer from running Dave or did you uninstall it as I suggested? This is not a typical symptom of this infection.
If you could post a new Hijack This log, I might get a better picture of what is going on. Hijack This runs in Safe Mode.
I have had more feedback today regarding this parasite. EZ AV can apparently clean it too.
Thanks again, AnneMarie . . .
Nope, Internet is still inaccessible even with AVG uninstalled. NOTE: When you look at my HJT log, please be advised I have also uninstalled the Panda antivirus.
I installed Firefox browser, but it is apparently similarly blocked.
Yet, I *still* can use IRC just fine <shrug> <puzzled look>.
One situation says I don't have Internet, another situation seems to say I do. When I open the Network icon in Control Panel, it is entirely blank !!
IMPORTANT: I installed the CA AV as you suggested, downloading the install file using another PC, copying it to my flash drive and then putting it on my PC. Installation went ok until it reached a point where it tried to access the Internet to perform definition updates, and then said it could not obtain Web access. However, I continued and commanded a Restart. When I tried to run CA AV, it collapsed, and one window indicated the main "engine" was missing !
Well, I've turned another corner and met with yet more frustration. I guess I'll just await more feedback, this is all beyond my knowhow.
You requested another HJT log, please see it pasted below my signature block.
Thanks again,
- Dave
Logfile of HijackThis v1.99.0
Scan saved at 10:04:54 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: Panda Firewall Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
Ok, I think that we had better concentrate on getting you online and worry about getting rid of this virus once you have Internet access. We may have to replace Explorer.exe but we will cross that bridge when we come to it.
Go here and download, unzip and run the Registry Search Tool. Type nettraffic2cash in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them.
I wonder if Zone Alarm is blocking IE. Uninstall it for now and enable XP's firewall. See here.
You uninstalled Panda? We need to fix up those entries in your log. I see that a proxy has been added and restrictions have been put in place. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS2\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O23 - Service: Panda Firewall Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service - Unknown - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - D:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
Still in Safe Mode, run Killbox and use it to delete the below folders/files:
C:\WINDOWS2\EliteToolBar
C:\WINDOWS2\System32\wnim.dll
C:\windows2\system32\eliteppy32.exe
C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
I don't want you to delete the D:\Program Files\Panda Software folder at this point but have a look and tell me if there are any files in it.
Reboot and post a new log. Also post a new Silent Runners log please. Any luck getting online yet?
BTW Where did all those GhostSurf startups come from?
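AnneMarie reads the hijack off the log by eye: the proxy on 127.0.0.1, the IE policy restrictions, the unnamed BHO, the Run key that re-registers wnim.dll on every boot, and the text/html and text/plain filters. The script below is an added example, not code from this thread or from HijackThis, that applies the same reading mechanically so a freshly posted log can be compared with the previous one. The section prefixes (R1, O2, O4, ...) are HijackThis's own; the sample lines are copied from the log posted above; the function names and the reason strings are my own.

```python
"""Triage a HijackThis log for the indicators discussed in the thread.

Added example (not part of the forum thread or of HijackThis itself): it
re-reads the kinds of lines AnneMarie singled out for "Fix Checked" and
flags them, so a helper can see at a glance whether a re-posted log still
carries the hijack.
"""
import re
from typing import Dict, List, Optional, Tuple

# HijackThis lines start with a section prefix: "R1 - ...", "O4 - ...", ...
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, reason) when a line matches an indicator, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()

    # R1 ProxyServer = 127.0.0.1:<port>: browser traffic forced through a
    # local listener. Legitimate privacy proxies (GhostSurf in this thread)
    # do the same, so report it for review rather than as certain malware.
    if sec == "R1" and "proxyserver" in low and "127.0.0.1" in low:
        return sec, "browser proxy points at a local port; verify the listener"
    # R1 search page / search assistant redirected away from the defaults
    if sec == "R1" and ("search page" in low or "searchassistant" in low):
        return sec, "IE search settings rewritten"
    # O2/O3: a BHO or toolbar with no name, or whose DLL is already gone
    if sec in ("O2", "O3") and ("(no name)" in low or "(no file)" in low):
        return sec, "unnamed or orphaned BHO/toolbar"
    # O4: Run key that re-registers a bare DLL name through Rundll32, which
    # is how wnim.dll kept coming back in the thread
    if sec == "O4" and "rundll32" in low and "dllregisterserver" in low:
        return sec, "Run key re-registers a DLL via Rundll32 on each boot"
    # O4: startup executable living in the per-user Application Data folder
    if sec == "O4" and "\\application data\\" in low and low.endswith(".exe"):
        return sec, "startup executable located in Application Data"
    # O6: policy restrictions on IE / Control Panel the user did not set
    if sec == "O6" and "policies\\microsoft\\internet explorer" in low:
        return sec, "IE policy restrictions present"
    # O15: a domain added to the Trusted Zone
    if sec == "O15" and "trusted zone" in low:
        return sec, "domain added to the Trusted Zone; confirm it was intentional"
    # O17: explicit DNS servers; the addresses should be the router's or ISP's
    if sec == "O17" and "nameserver" in low:
        return sec, "NameServer set explicitly; confirm the addresses are yours"
    # O18: MIME filter for text/html or text/plain. Every page IE renders
    # passes through this DLL, so an unknown or missing DLL here is a marker.
    if sec == "O18" and ("text/html" in low or "text/plain" in low):
        return sec, "MIME filter installed for text/html or text/plain"
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Scan a whole log and return (section, reason, line) for each hit."""
    hits = []
    for line in text.splitlines():
        found = triage_line(line)
        if found:
            hits.append((found[0], found[1], line.strip()))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count hits per section so two posted logs can be compared quickly."""
    counts: Dict[str, int] = {}
    for sec, _, _ in hits:
        counts[sec] = counts.get(sec, 0) + 1
    return counts


# Sample input: lines copied from the log posted in the thread, with the
# hijack markers and a few ordinary entries mixed in.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS2\System32\wnim.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
"""

if __name__ == "__main__":
    for sec, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run against a log saved to a file (`triage_log(open(path).read())`) the summary gives a per-section count; when the O2, O4 and O18 counts drop to zero after a reboot, the hijack has actually stayed gone rather than re-registered itself, which is what AnneMarie asks to confirm with each new log.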
AnneMarie,
Thanks .... I am using quotes from your most recent post and responding (below):
* * * I use a program called GhostSurf (by Tenebril) to surf anonymously. It re-routes my connection through a long series of proxy servers. It is an "out-of-the-box" program, not downloaded or used online, so it should not be causing any problems.
Quote: Originally posted by AnnMarie
I wonder if Zone Alarm is blocking IE. Uninstall it for now and enable XP's firewall. See here.
You uninstalled Panda? We need to fix up those entries in your log. I see that a proxy has been added and restrictions have been put in place. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS2\EliteToolBar\EliteToolBar.dll ALREADY DELETED - Dave
O4 - HKLM\..\Run: [antiware] C:\windows2\system32\eliteppy32.exe ALREADY DELETED - Dave
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz ALREADY DELETED - Dave
* * * Sorry, I guess my bold typeface didn't help ("ALREADY DELETED - Dave"), but the above items you listed for deleting had already been deleted. :)
BTW Where did all those GhostSurf startups come from?
UPDATE: I have my homepage on MSIE back (again), but of course *still* no internet connection, at least with a browser. I will kill Zone Alarm and follow your other instructions, and get back to you this evening (I am posting from work right now). I will include the logs you requested.
Also, I downloaded Microsoft's antispyware app; it seems to do an excellent job of deep scanning and reporting. However, there was one nasty installed which the MS app kept finding and deleting, but same old story ... something somewhere just slaps it right back into Windows again. I forget the name of the nasty but I will include it as well.
Thanks,
Dave
Hi Dave, I did see those entries in your log but I thought I was looking at the most recent log and assumed that you meant they had reinstated themselves.
I knew that you had GhostSurf but as you couldn't get online, I couldn't understand why those entries were there. They did not show in earlier logs. It's possible that the below entry belongs to GhostSurf:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
I would still like you to fix it but you may have to reinstate it if you have problems using GhostSurf.
Hi all . . .
AnneMarie, I did everything you said, *except* the activation of WinXP firewall failed. See attached file of screen shot showing message given. Looking at screen shot: I'd just clicked the check box labeled "Protect my computer ..." then clicked OK, when msg. window at right appeared.
Also following - (1) HJT log & (2) SilentRunner log:
NOTE: After running the report for you, I *deleted* the items in BOLD:
Logfile of HijackThis v1.99.0
Scan saved at 12:33:10 AM, on 2/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\WINDOWS2\System32\wuauclt.exe
D:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
===================================
"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 00:39
Operating System: Windows XP
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Uma" = "C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS2\System32\ctfmon.exe" [MS]
"LDM" = "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"zBrowser Launcher" = "D:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"RoxioDragToDisc" = ""D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"" ["Roxio"]
"RemoteControl" = "C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe" ["Cyberlink Corp."]
"Logitech Utility" = "Logi_MwX.Exe" [file not found]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"CaAvTray" = ""D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]
"CAVRID" = ""D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]
"gcasServ" = ""D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS2\inf\unregmp2.exe /ShowWMP" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{5FFD4A60-C328-128D-44EB-21D258091D15}" = "Delayed Applications Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = blank [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS2\System32\stobject.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "(no data)" [file not found]
Startup items in "Dave" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PlexTools Professional" -> shortcut to: "D:\Program Files\Plextor\PlexTool.exe Startup" ["Plextor SA/NV"]
"SpySubtract" -> shortcut to: "D:\Program Files\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic Updates, wuauserv, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wuauserv.dll" [MS]}
CAISafe, CAISafe, "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
COM+ Event System, EventSystem, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\cryptsvc.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS2\System32\svchost.exe -k NetworkService" {"C:\WINDOWS2\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS2\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS2\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\dmserver.dll" ["Microsoft Corp."]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Messenger, Messenger, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\msgsvc.dll" [MS]}
Network Connections, Netman, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\mswsock.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINDOWS2\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINDOWS2\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS2\system32\lsass.exe" [MS]
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS2\system32\svchost -k rpcss" {"C:\WINDOWS2\system32\rpcss.dll" [MS]}
Remote Registry, RemoteRegistry, "C:\WINDOWS2\system32\svchost.exe -k LocalService" {"C:\WINDOWS2\system32\regsvc.dll" [MS]}
Secondary Logon, seclogon, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS2\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\ssdpsrv.dll" [MS]}
System Event Notification, SENS, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\sens.dll" [MS]}
System Restore Service, srservice, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\srsvc.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\lmhsvc.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\shsvcs.dll" [MS]}
Upload Manager, uploadmgr, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
VET Message Service, VETMSGNT, "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]
WebClient, WebClient, "C:\WINDOWS2\System32\svchost.exe -k LocalService" {"C:\WINDOWS2\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\audiosrv.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS2\system32\svchost.exe -k netsvcs" {"C:\WINDOWS2\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\w32time.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS2\System32\wdfmgr.exe" [MS]
WinTab Service, WinTabService, "C:\WINDOWS2\System32\DRIVERS\WtSrv.exe" ["Tablet Driver"]
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS2\System32\svchost.exe -k netsvcs" {"C:\WINDOWS2\System32\wkssvc.dll" [MS]}
Cheers,
- Dave
Try this Dave, go to Start > Run and type:
SERVICES.MSC
and hit enter. Scroll down to "Internet Connection Firewall (ICF)", right-click on this service and select "Start". Then go back and enable your firewall.
The Silent Runners log shows me that EZ AntiVirus did a good job of cleaning up your OS. Are you able to get online yet? If not, did you try installing another browser yet, you were considering this.
A final cleanup hopefully. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked. I have not included the items that you have fixed on the assumption that they are no longer there now. When you post your next log, please post a log that was run after you made the changes and rebooted.
O4 - HKCU\..\Run: [Uma] C:\Documents and Settings\Dave.DGATES1\Application Data\tbtm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83C5C97-CD0D-4C5D-B1F8-EBB7E44F6FD4}: NameServer = 192.168.2.1,38.9.212.2
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
Reboot, run another scan and post a new log.
Ann,
Quote: Originally posted by AnnMarie
Try this Dave, go to Start > Run and type:
SERVICES.MSC
and hit enter. Scroll down to "Internet Connection Firewall (ICF)", right-click on this service and select "Start". Then go back and enable your firewall.
I'm dead from the get-go. The ICF isn't even listed in Services!! I am supposing it's "missing in action", and I for one have no idea how to restore it onto the Services list. I'll keep an eye out for your reply, but while I'm waiting, I'll check around on the Web for some ideas.
- Dave
P.S. At what point do I/we hoist the white flag, wipe the C: partition and reinstall Windows ? :confused: