Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

My Internet Explorer hangs when trying to access s


  • Please log in to reply
57 replies to this topic

#16 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 28 July 2005 - 01:23 PM

spybot.jpg

Hi

I ran Spybot and it came up with this Haxdoor thing that it couldn't delete AND it's the Remote Administrator program again. So I deleted Remote Aministrator and rebooted and ran Spybot again and it was still there so I went to the registry and removed the entire RAdmin entry from the HKEY_LOCAL_MACHINE directory - rebooted and ran Spybot and it's gone.

I can now access www.microsoft.com but not windows updates or http://www.tomcoyote.org/hjt/#Top - wierd!

I ran the HijackThis and got the following:

Logfile of HijackThis v1.99.1
Scan saved at 20:10:05, on 28/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\David Bruford\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://internal.bru...emote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFE346BD-EB6D-4FBB-BCEB-03A80B997E66}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF378717-BC32-4870-985A-D42C2948544E}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    Advertisements

Register to Remove


#17 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 28 July 2005 - 03:30 PM

Find this file D:\Setup.exe and check its properties (right click > properties > version tab). Let us know what you find for version, description and copyright as well as any other information you have on that file.
Download Root Kit Detector (click the "old rkdetector v0.6x link at the bottom of the page) then unzip it. Make sure to unzip it or this process will not work.

In the RKDetector folder you unzipped right click and choose New > Text Document and name it RK.BAT.
Open RK.BAT in notepad (right click the file and choose Edit) and past the line from the code box into it.

rkdetector > RESULTS.TXT
Save RK.BAT, close notepad and all other programs you are running.
Double click RK.BAT and a blank command window will open for awhile and then close (be patient, it may take a couple minutes).
You will now see a file called RESULTS.TXT in the rkdetector folder. Post the contents of that file as a reply to this thread.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#18 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 29 July 2005 - 10:33 AM

Got there... in the end:

RESULTS.TXT is...

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 308 services )
-Gathering process List Information... ( Found: 31 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\windows\explorer.exe
c:\program files\microsoft antispyware\gcasserv.exe
c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
c:\windows\system32\cmd.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\slserv.exe
c:\windows\system32\svchost.exe
c:\documents and settings\david bruford\desktop\rk\rkdetector.exe
c:\windows\system32\smss.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\microsoft antispyware\gcasdtserv.exe
c:\windows\system32\alg.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\symant~1\symant~1\vptray.exe
c:\windows\system32\notepad.exe
c:\windows\system32\notepad.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 1 wrong Services )
-------------------------------------------------------------------------------
*SV: SLService (SmartLinkService) PATH: slserv.exe
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\program files\trojanhunter 4.2\thsec.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\oleaut32.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\ole32.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

#19 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 29 July 2005 - 10:50 AM

Got there... in the end:

Was there a problem?

Were you able to look at the properties of D:\Setup.exe?

You have Trojan Hunter Gurard running which is normally a good thing. In this case though, we are looking for hooks to system processes, which TH Guard does. Would you disable it please, then reboot and do the RKDetector steps again. I'm sorry, I should have mentioned that last time. :oops:
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#20 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 29 July 2005 - 11:24 AM

Problem... not really, just me being really thick. I got baffled on your typo "and past the line from the code box into it." but eventually dawn broke.

D:\Setup.exe - D: is my CD drive and presently there is nothing in it to look at, is there some particular CD that I should put in there?

I've unloaded Trogan Hunter Guard, rebooted and re-run RKDetector after unloading Trojan Hunter Guard again becuase it automatically re-loaded, the RKDetector result follows:

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 308 services )
-Gathering process List Information... ( Found: 30 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\windows\explorer.exe
c:\progra~1\symant~1\symant~1\vptray.exe
c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
c:\program files\netgear\wg511\utility\wg511wlu.exe
c:\program files\microsoft antispyware\gcasserv.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\windows\system32\ctfmon.exe
c:\program files\microsoft antispyware\gcasdtserv.exe
c:\windows\system32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
c:\windows\system32\svchost.exe
c:\windows\system32\slserv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\alg.exe
c:\documents and settings\david bruford\desktop\rk\rkdetector.exe
c:\windows\system32\cmd.exe
c:\program files\symantec_client_security\symantec antivirus\vpc32.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 1 wrong Services )
-------------------------------------------------------------------------------
*SV: SLService (SmartLinkService) PATH: slserv.exe
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

#21 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 30 July 2005 - 06:52 PM

-------------------------------------------------------------------------------
*SV: SLService (SmartLinkService) PATH: slserv.exe
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

View Post

Lets do a couple things here. First, search your computer for slserv.exe. Check the properties of each one you find. Click the version tab.
This is what I have with an up to date XP SP2.
Company:Smart Link
Version: 3.80.01MC15.
Those are the results if you click on the corresponding category in the white box of the version tab.

c:\windows\system32\imm32.dll
Find the above file and check its properties. This is what I have:
Company: Microsoft Corporation
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Lets get a second opinion.
Go here and scroll to the bottom of the page, unless you want to learn allot about root kits. It is very interesting reading. Click the link labeled "Download RootkitRevealer (190 KB)" and unzip the file once you get it. Run the exe and when the scan finishes click File > Save and save a copy. Paste the contents of the saved scan as a reply here.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#22 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 30 July 2005 - 07:08 PM

You may need to enable viewing of hidden file as follows: Go to Start>control panel >folder options>view tab Check mark "display the contents of system folders" Select "Show hidden files and folders" Uncheck "Hide extensions for known file types" Uncheck "Hide protected operating system files Click the [ok] button.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#23 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 31 July 2005 - 03:05 AM

I've got slserv.exe in C:\WINDOWS\system32 73KB Company: SmartLink File Version: 3.80.01MC15 and slserv.exe in C:\WINDOWS\ServicePackFiles\i386 with identical properties to the above. + 2 copies of imm32.dll (one in i386) imm32.dll Company: Mocrosoft Corporation File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) RootkitRevealer result is: HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 31/07/2005 08:56 16 bytes Data mismatch between Windows API and raw hive data. C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050727.008\vscanmsx.dat 31/07/2005 09:13 2.02 KB Hidden from Windows API. Over to you Sherlock...

#24 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 31 July 2005 - 08:12 AM

Avator, on this site only one helper responds to each user who needs help. This keeps the threads organized and easy to read. If you would like to help you may post help in this forum but not in the HijackThis logs forum until you have approval from the staff. If you would like to post to HJT logs you first need to complete the classroom training.

Alain, I am working on another thread at the moment, I'll be on this one next.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#25 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 31 July 2005 - 02:04 PM

Interesting that each of the tools is coming up with different files. Its not uncommon to get hits on services with wrong paths, wrong size regisry keys and suspicious modules are not as common though. These may just be leftovers from what trojan hunter cleaned up.

The registry key is no problem to take care of, the files are a bit harder.

Lets take care of the registry key first.

Go to Start > Run and type regedit into the box and click Ok.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\HKLM\SOFTWARE\Microsoft\SchedulingAgent
Right click the scheduling agent key (the folder icon) and choose export, save as type registraton file (.reg) to your desktop, name it SchedAgent.reg.
In the right pane find the value "LastTaskRun", highlight it, right click it and choose delete. Press your <F5> key (this refreshes regedits window) and make sure "LastTaskRun" doesn't come back on its own.
Close Registry editor.

Now find this file
C:\WINDOWS\system32\Restore\filelist.xml
and open it with notepad
You will see a section that looks like the following.
<PCHealthProtect>
    <VERSION>1.0</VERSION>
    <DEFTYPE>E</DEFTYPE>
    <FILES>
        <Exclude>
There will be some lines with <REC> some file name </REC> which you will see. At the end of that section of the file will be a </Exclude> tag.
We are going to temporarily remove the file protection from IMM32 so we can replace it. Do that by pasting the following line (in the code box) into the file just before the </Exclude> tag. Do this by hitting enter at the end of the line just above the </Exclude> tag and then pasting into the resulting empty line.
Paste this line:
<REC>c:\windows\system32\imm32.dll</REC>
Save filelist.xml and shut down notepad.

Boot into safe mode (tap <F8> as your computer boots, choose safe mode from the menu. This should result in imm32.dll and your AV file not being in use.

Navigate to your i386 folder and find imm32.dll, make sure it is the same version as the one in system32. Right click it and choose "copy".
Navigate to c:\windows\system32 and then click Edit > Paste in the menu bar.
Open the dllcache folder (c:\windows\system32\dllcache) and do the same thing.

Navigate to C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050727.008\vscanmsx.dat and rename vscanmsx.dat to vscanmsx.dat.OLD

Reboot normally and update your antivirus, which should result in a new copy of the dat file.

After all that is done, do another scan with Rootkit Revealer and post it here.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

    Advertisements

Register to Remove


#26 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 02 August 2005 - 01:59 PM

Scary. Last time someone told me I had an interesting problem I spent two weeks in hospital! I couldn't find SchedulingAgent in HKEY_LOCAL_MACHINE\SOFTWARE\HKLM\SOFTWARE\Microsoft\SchedulingAgent as I haven't got HKLM in there. I found stuff in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent and followed the instructions in there. LastTaskRun was deleted and didn't return on F5. filelist.xml was read only so I had to uncheck the box, then open it. When I went to save it; I did 'Save as' and changed the 'Save as type' to 'All Files' and it defaulted Encoding to ANSI. Otherwise it wanted to save it as a text file. I then changed it back to read only. Rebooted in safe mode, imm32.dll versions were the same. I copied the i386 version and pasted it into c:\windows\system32 and in the dllcache folder. In C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050727.008\vscanmsx.dat and renamed vscanmsx.dat to vscanmsx.dat.OLD I updated the antivirus and ran the Routekit Revealer scan: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050727.008\vscanmsx.dat 02/08/2005 20:10 2.02 KB Hidden from Windows API1. I can now get into MSN Instant Messenger and the tomcoyote web site but not windows updates.

Edited by Alain Toogood, 02 August 2005 - 02:15 PM.


#27 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 02 August 2005 - 05:22 PM

Scary. Last time someone told me I had an interesting problem I spent two weeks in hospital!

Lets hope you don't get carpal tunnel syndrom from all the clicking and typing required to fix this :ph34r:

I couldn't find SchedulingAgent in
HKEY_LOCAL_MACHINE\SOFTWARE\HKLM\SOFTWARE\Microsoft\SchedulingAgent
as I haven't got HKLM in there.
I found stuff in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

and followed the instructions in there. LastTaskRun was deleted and didn't return on F5.

Sorry about that, my bad copy/paste. You got the right one.

filelist.xml was read only so I had to uncheck the box, then open it. When I went to save it; I did 'Save as' and changed the 'Save as type' to 'All Files' and it defaulted Encoding to ANSI. Otherwise it wanted to save it as a text file. I then changed it back to read only.

Ok, good deal. Do those same steps again except take out the line you put in there ( we only needed it so windows would not interfere while replacing the file, now we want it protected again)..

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050727.008\vscanmsx.dat 02/08/2005 20:10 2.02 KB Hidden from Windows API1.

To be on the safe side send an email to symantec support and ask them if they hide this file from the API. It may be a step they take to keep malicious files from altering it. Let them know Root Kit Revealer shows it as being hidden, give them a link to the Root Kit Revealer page.

I can now get into MSN Instant Messenger and the tomcoyote web site but not windows updates.

View Post

Run System Security Suite, same options as before and accept the reboot. This will clean out all the temp files and help the scans go faster. (run this program on a regular basis from now on, it will help keep your system healthy. Always run it before you install any software)
First update all of the following programs then Run a full system scan with each in the order listed. Reboot after each scan. I know, this will take awhile but we need to make sure you are as clean as these scans can get you. Each one targets some malware that the others don't.
1. Trojan Hunter
2. Norton
3. Spybot S&D
4. Ad-aware

Finally run one or both of the following online virus scans:
(Online scans usually have the most up to date malware definitions)
Make sure you are using Internet Explorer as the scans use ActiveX technology which is only supported by Internet Explorer (fondly know as Internet Exploder by a certain Firefox fan who shall remain unnamed) ;).

Panda ActiveScan
Once you have completed the download of the sites software, a window with "scan options"on the right will come up. Check mark all the options (some will already be checked) then click the "All My Computer" icon to start the scan.
The scan can take a long time if you have allot of files on your computer.
When the scan finishes, click the "See Report" button and then the "Save Report" button. We may want to see it but don't post it unless asked to do so.

And/Or

Trendmicro
If you are prompted for a download from Trendmicro, say yes.
Check the box on the page next to "My Computer" and then click the "Scan" button.
Clean whatever it finds (or you can click the "auto clean" box before starting the scan).

Finally, post a fresh HijackThis log.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#28 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 04 August 2005 - 12:40 PM

Very interesting results following your last posting:

I Emailed Symantec but am not holding my breath.

I ran Trojan Hunter, Norton, Ad-Aware and Spybot S&D. There was nothing found by any of them which is a revelation. Spybot has always found 4 problems and been unable to delete them, now, there is nothing :D

The fun then started. PandaActiveScan wouldn't access until I ran Trendmicro. After Trendmicro and rebooting I managed to load the PandaActive up to the Active-X loading then it stalled.

Trendmicro came up with loads of stuff. Finally... the Hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 19:01:59, on 04/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Bruford\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://internal.bru...emote/msrdp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFE346BD-EB6D-4FBB-BCEB-03A80B997E66}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF378717-BC32-4870-985A-D42C2948544E}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Edited by rand1038, 04 August 2005 - 02:23 PM.


#29 rand1038

rand1038

    Take over your PC or someone else will.

  • Authentic Member
  • PipPipPipPipPip
  • 1,100 posts

Posted 04 August 2005 - 02:33 PM

I took the liberty of editing your post to unmangle the HJT log, I could not make sense of it with the lines broken as they were.

Run HijackThis, click "Scan" then put a check next to the following
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
Click "Fix Checked"
Shut down HijackThis.

That is just a little bit of tidying up, its a leftover startup from an HP install.

How is everything running now?
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.

Posted Image

#30 Alain Toogood

Alain Toogood

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 05 August 2005 - 03:22 AM

Picture1.jpg Despite all your efforts this little machine remains defiant. I still can't access Panda ActiveScan or Trendmicro (directly - I can run it via a CD copy) and the original gripe - the Windows Update gripe, remains ellusive. It is almost as if I have some software with a very specific list of 'no-go' areas as virtually every other web site is accessible. The PC that my laptop works through has Norton Personal Firewall but I can't see anything in there that would block specific sites from linked machines. I very much appreciate all your efforts but perhaps my problem is just too 'interesting' ;)

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users