Don't worry, if we cannot connect today, we will tomorrow sometime. With a bit of luck your PC will be fine for the weekend. :)
OK, Annie . . .
I got home and MSIE seems to still be working fine. Curiously, however, Windows Explorer is utterly shot.
Here are the RegSearch results you wanted:
===============================
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "finefind.nettraffic2cash.biz" 2/18/2005 12:06:14 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
===============================
Sincerely,
- Dave
I have uploaded a file to this post that should get rid of nettraffic2cash, Dave. Download nettraffic2cash.zip and unzip it. Double-click on nettraffic2cash.reg and OK any prompt asking if you wish to merge it with your registry. Reboot afterwards.
Before we try to replace Explorer.exe with the version that I uploaded for you, download and install this patch. It contains Explorer.exe and this should overwrite your infected copy. Reboot afterwards, run a scan with EZ AV and let us know the results.
Quote:
Originally posted by AnnMarie
I have uploaded a file to this post that should get rid of nettraffic2cash, Dave. Download nettraffic2cash.zip and unzip it. Double-click on nettraffic2cash.reg and OK any prompt asking if you wish to merge it with your registry. Reboot afterwards.
Hi, Annie -
I did as you instructed (including the reboot), but as you can see, a brand new HJT log shows the nettraffic2biz.com listing is *still* showing up. Here is the entire HJT log, for your reference:
Logfile of HijackThis v1.99.1
Scan saved at 12:31:56 AM, on 2/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Plextor\PlexTool.exe
D:\Program Files\SpySubtract\SpySub.exe
C:\WINDOWS2\System32\svchost.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
***Attached is a shot of the EZ AV results.
Quote:
Before we try to replace Explorer.exe with the version that I uploaded for you, download and install this patch. It contains Explorer.exe and this should overwrite your infected copy. Reboot afterwards, run a scan with EZ AV and let us know the results.
- Dave
I think you forgot to post the attachment, Dave.
Quote:
Attached is a shot of the EZ AV results.
Run Registry Search again but this time, post nettraffic2cash only in the search box. Post the results back here.
No, worse than forgetting to post it -- I forgot what I was supposed to do! **embarrassed look**
Here is a RegSearch log, after having installed the Zip file you sent to me:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "nettraffic2cash" 2/19/2005 6:52:51 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="D:\\My Downloads\\nettraffic2cash.zip"
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip]
"c"="D:\\My Downloads\\nettraffic2cash.zip"
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
[HKEY_USERS\S-1-5-21-854245398-2000478354-682003330-1003\Software\PowerArchiver\Files]
"Active_File1"="D:\\My Downloads\\nettraffic2cash.zip"
- Dave
OK, we can fix that, but before we do, I would like you to have another try running Kaspersky. It can disinfect Explorer and, if successful, it will eliminate a lot of stressful manoeuvres for you.
Disable your AV first and follow the instructions here
Thanks, Annie -
I performed a Kaspersky AV scan as you asked, it took about 3-1/2 hours.
I have assumed you would want the log file from the Kaspersky AV scan attached, instead of copied and pasted -- for some reason -- even after following the directions from the link you gave me -- it is 231,254kb (231 MB) and pasting it would be prohibitive in size/length. I have zipped it down to 9 MB.
NOTE: Kaspersky did NOT clean or delete 3 of the many nasties it found. I'm not sure I can figure out how to determine which ones were not .... can you advise ?
FYI - I scanned in SAFE mode with the Internet cable DETACHED. I am going to leave my CAT-5 cable disconnected until you instruct me to reconnect it -- I don't want any auto-reloading of nasties from the web.
Cheers,
- Dave
==========================
P.S. (UPDATE) I tried to attach the file and post my reply, but apparently it keeps timing out trying to complete the post with that huge attachment. Please tell me how to get around this. Keep in mind, I created the Kaspersky report file (TXT format) exactly according to instructions.
231 MB? Jeepers, I couldn't plow through a txt file that size; it would take weeks.
We need to know if Explorer is still infected. Uninstall Kaspersky now and run Ez AV. It reported the infection last time, so if Explorer is still infected, it will let you know.
Annie -
I am having EZ AV scan as I write this.
Explorer still has a problem, as I must manually start it using Task Manager each time I boot up.
- Dave
Does EZ AV still report Explorer.exe as infected Dave?
I have uploaded another file for you to download, unzip and double-click to merge with your registry. Reboot afterwards and run Killbox. Paste the full file path of the below file in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.
D:\My Downloads\nettraffic2cash.zip
Run HijackThis again and post a new HijackThis log. If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running. Try clean boot troubleshooting to see if you can isolate the problem. See here and here for more information.
Quote:
Originally posted by AnnMarie
Does EZ AV still report Explorer.exe as infected Dave?
* * * I'm not 100% positive, but I do NOT think it reports it as infected.
Quote:
Originally posted by AnnMarie
If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running.
*NO*, Annie .... it does NOT load automatically even in Safe Mode. Even then, I must start Explorer manually.
I am about to follow your instructions in your last post, but thought I should provide you with the above info ASAP in case it impacts anything.
- Dave
OK, Annie -
I loaded the new registry file, rebooted, used Killbox as you instructed, and also ran a new HJT scan (log pasted below).
Sorry, but Explorer still does not fire up on its own .... I will look at the links you sent me to read about clean bootup, etc.
Also, I cannot remember if I mentioned it ..... Windows Explorer has also been refusing to work. I can only access folders and files using My Computer.
Thanks ....
- Dave
=====================================
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:26:44 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS2\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Plextor\PlexTool.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
Good that fixed those nettraffic2cash entries.
You said that you think that EZ AV does not report Explorer.exe as infected now, but you are not 100% sure. Can we do better than that, Dave, please? I really need to know what I am dealing with, and maybes are not very helpful.
Explorer and Windows Explorer are the same file. Please run a search for Explorer* (with the asterisk) and post back exactly what you find (the full filename and filepath).
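As an added example that is not part of the thread: the "that fixed those entries" conclusion above comes from comparing the two HijackThis logs Dave posted. The small Python script below does that comparison mechanically, grouping entries by their section code (O4, O15, O23, ...) so that the vanished O15 Trusted Zone line and the newly added Kaspersky O4/O23 lines are reported as a diff. The two log excerpts embedded in it are constructed from the logs posted earlier in the thread.

```python
import re
from typing import Dict, Set

# Constructed excerpts of the two HijackThis logs posted in this thread
# (only lines relevant to the comparison are reproduced, paths as posted).
LOG_BEFORE = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\explorer.exe
O4 - HKLM\\..\\Run: [gcasServ] "D:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
"""
LOG_AFTER = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\explorer.exe
O4 - HKLM\\..\\Run: [gcasServ] "D:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O4 - HKLM\\..\\Run: [KAVPersonal50] "D:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe" /minimize
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: kavsvc - Kaspersky Lab - D:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kavsvc.exe
"""

# HijackThis entry lines start with a section code such as O4, O15, R0, F1, N1.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")

def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Group O/R/F/N entries by section code; lines listed under
    'Running processes:' are collected (case-folded) under 'PROC'."""
    entries: Dict[str, Set[str]] = {}
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), set()).add(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            entries.setdefault("PROC", set()).add(line.lower())
    return entries

def diff_hjt(before: str, after: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per section, the entries that disappeared and that appeared between two logs."""
    a, b = parse_hjt(before), parse_hjt(after)
    result: Dict[str, Dict[str, Set[str]]] = {}
    for section in sorted(a.keys() | b.keys()):
        removed = a.get(section, set()) - b.get(section, set())
        added = b.get(section, set()) - a.get(section, set())
        if removed or added:
            result[section] = {"removed": removed, "added": added}
    return result

def trusted_zone_domains(text: str) -> Set[str]:
    """Domains that HijackThis reports as placed in the IE Trusted Zone (O15 lines)."""
    return {e[len("Trusted Zone: "):] for e in parse_hjt(text).get("O15", set())
            if e.startswith("Trusted Zone: ")}
```

Calling `diff_hjt(LOG_BEFORE, LOG_AFTER)` reports the O15 Trusted Zone entry as removed and the Kaspersky O4 and O23 entries as added, while `trusted_zone_domains` on the second log returns an empty set.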
Sorry, Annie - that was kind of an irresponsible post on my part. I am just kind of brain-fried from multiple PC problems at home, all on top of a list of other things of which I will spare you the details.
I just ran EZ AV again, and it reported nothing at all :) :)
I made a screen shot (cropped) to show the results of the search for " explorer* " ..... I wanted to put it in the body of this post, but from what I'm reading I guess the image has to be on a website. Therefore I am ATTACHING the screen shot file.
Cheers,
- Dave