-
1 Attachment(s)
Does EZ AV still report Explorer.exe as infected Dave?
I have uploaded another file for you to download, unzip and double-click to merge with your registry. Reboot afterwards and run Killbox. Paste the full file path of the file below in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.
D:\My Downloads\nettraffic2cash.zip
Run Hijack This again and post a new Hijack This log. If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running. Try clean boot troubleshooting to see if you can isolate the problem. See here and here for more information.
-
[QUOTE]Originally posted by AnnMarie
Does EZ AV still report Explorer.exe as infected Dave?
* * * I'm not 100% positive, but I do NOT think it reports it as infected.
[QUOTE]Originally posted by AnnMarie
If you are still having problems with Explorer loading, does it load automatically in Safe Mode? If so, I suspect a 3rd party app is preventing it from running.
*NO*, Annie .... it does NOT load automatically even in Safe Mode. Even then, I must start Explorer manually.
I am about to follow your instructions in your last post, but thought I should provide you with the above info ASAP in case it impacts anything.
- Dave
-
OK, Annie -
I loaded the new registry file, rebooted, used Killbox as you instructed, and also ran a new HJT scan (log pasted below).
Sorry, but Explorer still does not fire up on its own .... I will look at the links you sent me to read about clean bootup, etc.
Also, I cannot remember if I mentioned it ..... Windows Explorer has also been refusing to work. I can only access folders and files using My Computer.
Thanks ....
- Dave
=====================================
New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:26:44 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
C:\WINDOWS2\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS2\System32\devldr32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Logitech\iTouch\kbdtray.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS2\System32\ctfmon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Plextor\PlexTool.exe
C:\Documents and Settings\Dave.DGATES1\Desktop\MALWARE Utilities\HijackThis.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://D:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://D:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://D:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://D:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://D:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://D:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - D:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104543957578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS2\System32\DRIVERS\WtSrv.exe
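The "Running processes" section of a HijackThis log is what gave the diagnosis away in this thread: every core Windows binary runs from C:\WINDOWS2 except explorer.exe, which runs from C:\WINDOWS. The following script is an added example, not part of the thread and not HijackThis code; it parses the log format shown above (process list, O4 Run entries, O23 services), infers the real system root from where smss.exe runs, and flags core binaries running from anywhere else, plus Run entries that name a bare file such as Logi_MwX.Exe with no folder (those are resolved through the search path, so they are worth confirming). The sample log is constructed, cut down from the one posted above.

```python
import re
import ntpath

# Constructed sample in HijackThis v1.99 log format, cut down from the log
# posted in the thread. C:\WINDOWS2 is the real system root; explorer.exe
# is running from C:\WINDOWS, which is the thread's actual problem.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\SYSTEM32\winlogon.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\System32\ctfmon.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Binaries Windows always runs from under %SystemRoot%; a copy running from
# anywhere else deserves a look (stray copy, renamed folder, or malware).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                 "ctfmon.exe", "wuauclt.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
SECTION_RE = re.compile(r"^[A-Z]\d+ - ")  # R0/F2/O4/... lines end the process list


def executable_of(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def parse_hjt(text):
    """Split a HijackThis log into running processes, O4 autoruns and O23 services."""
    processes, autoruns, services = [], [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_RE.match(line):
            in_processes = False
        if in_processes:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append((m["hive"], m["name"], executable_of(m["cmd"])))
            continue
        m = O23_RE.match(line)
        if m:
            services.append((m["name"], m["vendor"], m["path"]))
    return {"processes": processes, "autoruns": autoruns, "services": services}


def system_root(processes):
    """Infer %SystemRoot%: the Session Manager only ever runs from SystemRoot\\System32."""
    suffix = r"\system32\smss.exe"
    for p in processes:
        if p.lower().endswith(suffix):
            return p[:-len(suffix)]
    return None


def is_under(path, folder):
    """Case-insensitive 'path lives inside folder' test for Windows paths."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def core_binaries_outside_root(processes, root):
    """Core Windows binaries running from somewhere other than the system root."""
    return [p for p in processes
            if ntpath.basename(p).lower() in CORE_BINARIES and not is_under(p, root)]


def unqualified_autoruns(autoruns):
    """Run entries that give only a file name, so Windows resolves them via the search path."""
    return [entry for entry in autoruns if "\\" not in entry[2]]


def report(text):
    """Summarise the findings a helper would want to see first."""
    parsed = parse_hjt(text)
    root = system_root(parsed["processes"])
    return {
        "system_root": root,
        "misplaced_core": core_binaries_outside_root(parsed["processes"], root),
        "unqualified_autoruns": unqualified_autoruns(parsed["autoruns"]),
        "service_count": len(parsed["services"]),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the report names C:\WINDOWS2 as the system root and lists C:\WINDOWS\explorer.exe as the one core binary running from outside it, which is exactly the mismatch the thread ends up fixing by copying explorer.exe back into WINDOWS2.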
-
Good that fixed those nettraffic2cash entries.
You said that you think that EZ AV does not report Explorer.exe as infected now, but you are not 100% sure. Can we do better than that, Dave, please? I really need to know what I am dealing with, and maybes are not very helpful.
Explorer and Windows Explorer are the same file. Please run a search for Explorer* (with the asterisk) and post back exactly what you find (the full filename and filepath).
-
Sorry, Annie - that was kind of an irresponsible post on my part. I am just kind of brain-fried from multiple PC problems at home, all on top of a list of other things of which I will spare you the details.
I just ran EZ AV again, and it reported nothing at all :) :)
I made a screen shot (cropped) to show the results of the search for " explorer* " ..... I wanted to put it in the body of this post, but from what I'm reading I guess the image has to be on a website. Therefore I am ATTACHING the screen shot file.
Cheers,
- Dave
-
Ok, I can see the problem. Your explorer.exe in your C:\Windows2 folder has been deleted.
Your OS is using explorer.exe in C:\Windows instead and this folder is not your default installation folder so it seems.
Boot into Safe Mode but do not start Explorer this time. We are going to start Iexplore.exe instead. Open Task Manager and go to Task > New and type iexplore.exe and OK.
When IE opens, click on View > Explorer Bar > Folders and navigate to C:\Windows. Open the folder and copy Explorer.exe (right-click to copy). Once you have copied it, navigate to C:\Windows2, open the folder, right-click in a blank space and choose Paste.
Close IE and reboot. Does your Desktop load now?
-
That did it, Annie ! Looks like we're done :)
That was so simple, I should have seen it long ago. I guess when you're going crackers with a good handful of problems on 3 PCs at home, you just lose your perspective -- and common sense :D
If I could please trouble you with a quick question:
I only recently realized I still haven't installed SP2 for my WinXP Pro. I must admit I'm more than a bit reticent to do so after stories I've heard. What is your comment on doing so -- just the bottom line after weighing the pluses and minuses ? If it will be an extremely significant help in avoiding future problems like what you just helped me get out of, I might install it.
Aside from that, I guess we're done -- THANK YOU!!, Annie, for all your time, trouble and -- especially -- patience :)
Cheers,
- Dave
-
That's good news Dave and you are very welcome. :D
Regarding SP2, I wouldn't be without it. I had to install it three times on my PC before I had a satisfactory install, but I didn't give up on it (I have a Compaq, need I say more? :D). Numerous security holes have been uncovered since SP1 and plugged in SP2 and later updates. It's a "must have" in my opinion.
I have posted my standard "Prevention" blurb below for you to read when you have a spare minute. :)
Keeping up to date with Windows Critical Updates is a major factor in preventing problems with viruses, hijackers and spyware; more information here: Microsoft Security Home Page. Also go here and download and install Spyware Blaster. Adding the MVPS Hosts file will also help block unwanted parasites.
Check IE's security settings. Go to Tools > Internet Options > Advanced and make sure that "Install upon Demand" and "Install upon Demand (other)" are not selected.
Now go to Internet Options > Security > Custom and set "Download Signed ActiveX Controls" to Prompt.
"Initialise and script ActiveX controls not marked as Safe" and "Download unsigned ActiveX controls" should be disabled.
Set "Script ActiveX controls marked safe for scripting" and "Run ActiveX controls and plug-ins" to enable.
Run Ad-Aware or Spybot regularly. NB. It is important to make sure that you go online and install any updates first.
If your OS is Windows XP or Windows Millennium, flush all restore points after cleaning your PC to prevent infected files being restored; see here for more information.
-
Annie,
Just one more thing -- I didn't realize until later:
While the explorer.exe fix DID get the desktop and MSIE running again, Windows Explorer is still refusing to 'launch'.
I tried copying and pasting the .EXE file for it from WINDOWS to WINDOWS2, but it still isn't working.
- Dave
-
From the Accessories menu, Dave? If so, right-click on the shortcut and choose Properties. Click on Shortcut; what do you see under Target etc.?