Resolved HJT Threads: Resolved spyware and popup issues.
#1
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Two problems..need help!
Hi there, I have been scanning through your forums, and you look like a good choice to approach with a request for help.
I am having two problems, and they are driving me nuts! The first, and possibly the most important, is that my Windows ICF is down, and I cannot get it back up again. When I try, I get an error message telling me that an error occurred while Internet Connection Sharing was being enabled: the dependency service or group failed to start. So I ran services.msc, and looked at the dependency groups for it, and found that the remote access control manager wasn't started. When I tried to start it, I got error message 5: access is denied. I tried to start it in safe mode, but was told that it couldn't be done in safe mode, so I don't know how to access it.

The second problem is that my BITS system is down, making it impossible to use Windows Update. Every time I try to use the update, I get an error message: Error Code: 80246008. I have looked at a few web forums on the subject, but none of them seem to do the trick, and a few of them seem a little beyond my capabilities to perform without step-by-step help.

This is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:20:13, on 30/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/fee...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The only thing that I find really suspicious about it is that on the HJT log, there are two references to svchost.exe, but in my Task Manager, there are four... Any help would be greatly appreciated.
#2
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
Hello, and welcome to TSF!
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free". It'll take a few minutes to download (especially with a dialup connection), so be patient.
When it's down:
1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
===============
Download CWShredder, unzip it to your desktop and run it, then:
1. Click "Check For Update" (If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
===============
Go to Add/Remove Programs and remove (uninstall) the following, if present:
Web Related
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
===============
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Post back a new log, and let us know how everything goes.
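The manual triage in this thread, reading the HJT log from post #1 and picking out the two O9 entries by their shared CLSID, can be scripted. The Python below is an added example written for this page; it is not code from the forum, the helper, or HijackThis. It embeds a shortened copy of the log from post #1 as its constructed sample input, and the CORE_SYSTEM whitelist, the path regex and the extension list are assumptions of the example. Besides the CLSID lookup it counts running image names (the svchost.exe question from post #1; a single log only shows what HJT enumerated at scan time) and lists running processes that no O4 or O23 entry accounts for, which is a shortlist for human review, not a verdict.

```python
"""Triage a HijackThis 1.99 log: pull entries by CLSID, count process names,
and list running processes that no O4/O23 autostart entry explains.
Added example for this page; not code from the forum or from HijackThis."""
import re
from collections import Counter

# Constructed sample: a shortened copy of the log posted in #1 of this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:20:13, on 30/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumption of this example: a Windows path runs from the drive letter to the first
# known extension; that is enough for the entry types HJT 1.99 prints.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl|htm)', re.IGNORECASE)
# Assumed whitelist of core OS images that no autostart entry will ever reference.
CORE_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


def image_name(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Split a log into the 'Running processes' list and the typed Rx/Ox entries."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # the first Rx/Ox line ends the process list
            body = m.group("body")
            clsid = CLSID_RE.search(body)
            path = PATH_RE.search(body)
            entries.append({
                "type": m.group("type"),
                "raw": line,
                "clsid": clsid.group(0).lower() if clsid else None,
                "path": path.group(0).lower() if path else None,
            })
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def entries_with_clsid(parsed, clsid):
    """All entries sharing one CLSID, e.g. an O9 button and its 'Tools' menu item."""
    clsid = clsid.lower()
    return [e["raw"] for e in parsed["entries"] if e["clsid"] == clsid]


def process_counts(parsed):
    """How many times each image name appears in the process list (case-insensitive)."""
    return Counter(image_name(p) for p in parsed["processes"])


def unexplained_processes(parsed):
    """Running images that are neither core OS processes nor the target of an O4/O23 entry.
    Caveat: paths are compared textually, so an 8.3 form (PROGRA~1) on one side and the
    long form on the other will not match and will land here; treat this as a shortlist."""
    known = {e["path"] for e in parsed["entries"]
             if e["type"] in ("O4", "O23") and e["path"]}
    return [p for p in parsed["processes"]
            if image_name(p) not in CORE_SYSTEM and p.lower() not in known]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("image counts:", process_counts(parsed))
    for raw in entries_with_clsid(parsed, "{C95FE080-8F5D-11D2-A20B-00AA003C157A}"):
        print("fix candidate:", raw)
    print("not explained by O4/O23:", unexplained_processes(parsed))
```

On the sample the only unexplained process is HijackThis.exe itself, which the user launched by hand; that is the point of the shortlist: it narrows what to look at, and a human still decides.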
#3
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Hi there, thanks for the response;
Okay, I went through the steps you listed.
1: Enabled the viewing of hidden files. I couldn't find the system/subsystem box, but I made sure that the "hide protected system files" box was unchecked.
2: I went to Trend Micro's site, and ran the virus scanner. Result: No infections detected.
3: Ran the latest updated version of CWShredder. Result: Nothing detected.
4: Ran HJT scan. Found the two O9 entries, checked them, closed down all windows except HJT, clicked fixed. They are gone, haven't seen them back.
Tried to see if this had fixed the firewall/BITS problem... no dice.

This is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:42:53, on 31/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/fee...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope this helps.
#4
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Let's use a program to scan for any trojans that may exist. Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms; post that here.
#5
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Thanks, downloading now. In the meantime, I ran panda online scan, and came up with the following items:
Incident | Status | Location
Adware:Adware/PowerScan | No disinfected | Windows Registry
Adware:Adware/Adsmart | No disinfected | C:\Program Files\Microsoft AntiSpyware\Quarantine\11A94472-7D00-4C72-98E1-9F73A5\1F2EAA00-5A04-4362-B1E6-C003BF
Virus:Eicar.Mod | No disinfected | C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/Gator | No disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/Gator | No disinfected | C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
Adware:Adware/PurityScan | No disinfected | C:\WINDOWS\system32\DDPLAY~1.EXE
Adware:Adware/PurityScan | No disinfected | C:\WINDOWS\system32\ERINIT~1.EXE

I went looking for these items, especially the PurityScan exe files, but couldn't find them in the designated folder... I'm wondering what all that is about... Also, I wiped the quarantined items in MS AntiSpyware, so that should have cleared the Adsmart item. But the Gator adware items were not where they were said to be either. I ran a Windows search for the CONFLICT folders, and also came up blank...
#6
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Download KillBox from http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file; choose NO when it asks if you want to reboot). You should be able to copy these all together, and paste them into KillBox so that it can delete them all at once.

C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
C:\WINDOWS\system32\DDPLAY~1.EXE
C:\WINDOWS\system32\ERINIT~1.EXE
C:\Program Files\Microsoft AntiSpyware\Quarantine\ << Empty this folder again. Delete anything inside this folder.

We'll see what the TDS-3 scan brings. Don't forget to update the program.
#7
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Hi again. I used KillBox as instructed..haven't rebooted yet, in case it was important..
Ran TDS. Here are the results:

20:47:40 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:47:40 [Init] Started 31-05-05 20:47:40 GMT Standard Time (UTC: 0), Internet Time @866.44
20:47:40 [Init] Loading TDS-3 Systems ...
20:47:40 [Init] Token successfully adjusted.
20:47:40 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:47:40 [Init] • Plugins : OK. Loaded 13
20:47:40 [Init] • Exec Protection : Not Installed
20:47:40 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:47:40 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:47:40 [Init] Licensed users can use the Update facility from the TDS menu
20:47:40 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:47:45 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:47:45 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
20:47:45 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
20:47:45 [Init] TDS-3 Ready. <Adam@82.34.186.126, 127.0.0.1 - United Kingdom>
20:47:46 [Tip Of The Day] Did you know? - DiamondCS are the only anti-trojan company that updates DAILY.
20:47:46 [TDS] Good evening Adam.
20:47:53 [Mutex Memory Scan] Started...
20:47:55 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:47:55 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:48:18 [Setup] Configuration saved.
20:53:52 [Quit] Unloading ...
20:58:26 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:58:26 [Init] Started 31-05-05 20:58:26 GMT Standard Time (UTC: 0), Internet Time @873.91
20:58:26 [Init] Loading TDS-3 Systems ...
20:58:26 [Init] Token successfully adjusted.
20:58:26 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:58:26 [Init] • Plugins : OK. Loaded 13
20:58:26 [Init] • Exec Protection : Not Installed
20:58:26 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:58:26 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:58:26 [Init] Licensed users can use the Update facility from the TDS menu
20:58:26 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:58:32 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:58:32 [Init] • Systems Initialised [56746 references - 29748 primaries/14723 traces/12275 variants/other]
20:58:32 [Init] Radius Systems loaded. <Databases updated 31-05-2005>
20:58:32 [Init] TDS-3 Ready. <Adam@82.34.186.126, 127.0.0.1 - United Kingdom>
20:58:32 [Tip Of The Day] Can't remember the port that a particular service uses? Or perhaps you can't remember the service that a particular port uses? Try the Port Reference and Reverse Port Reference utilities - available in the Utilities menu!
20:58:32 [TDS] Good evening Adam.
20:58:39 [Mutex Memory Scan] Started...
20:58:40 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:58:40 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:58:47 [CRC32] Started - verifying 29 files ...
20:58:49 [CRC32] Test finished.
21:00:51 [Memory Scan] Memory scan started, please wait a moment ...
21:00:54 [Memory Scan] Memory scan complete.
21:00:54 [Mutex Memory Scan] Started...
21:00:55 [Mutex Memory Scan] Finished (no trojan mutexes found).
21:00:55 [Trace Scan] Started...
21:01:00 [Trace Scan] Finished.
21:01:00 [Service\Driver Scan] Scanning for services and drivers ...
21:01:05 [Service\Driver Scan] Scanned 298 services and drivers.
21:01:05 [File Scan] Scanning in A:\ ...
21:01:06 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
21:01:06 [File Scan] Scanning in C:\ ...
21:17:18 [Locked File] Couldn't open c:\windows\system32\d?dplay.exe for read access, file is locked
21:20:03 [Locked File] Couldn't open c:\windows\system32\??erinit.exe for read access, file is locked
21:25:30 [File Scan] Scanned 28873 files: 4 alarms in 1463.719 seconds (Avg 20.73 files/sec)
21:25:30 [File Scan] Scanning in D:\ ...
21:25:30 [File Scan] Scanned 0 files: 4 alarms in 0 seconds (Avg -1.#IND files/sec)
21:25:30 [File Scan] Scanning in E:\ ...
21:53:40 [File Scan] Scanned 13933 files: 4 alarms in 1690.141 seconds (Avg 9.24 files/sec)
21:53:40 [Scan] Finished.

Scan Control Dumped @ 22:13:38 31-05-05
Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\windows\helptw.exe
Positive identification (DLL): Adware.PopCap (dll)
File: c:\windows\downloaded program files\popcaploader.dll
Positive identification: Riskware.Dialer.PlayGames
File: c:\windows\downloaded program files\ringtone.exe
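The two locked-file lines in the TDS log show a "?" where the console could not render a character in the file name, and the Panda report in post #5 listed the same two files only by their 8.3 short names (DDPLAY~1.EXE, ERINIT~1.EXE). Both are consistent with long file names that contain characters outside plain ASCII, which explains why a Windows search typed in ASCII "came up blank". The following Python is an added example for this page, not code from the forum or from any of the scanners used in the thread: it lists directory entries whose names contain non-printable or non-ASCII characters and reports each odd character's code point, and shows what the name looks like once zero-width format characters are dropped. The sample directory and its four names are constructed (the Cyrillic letter and the zero-width spaces are assumptions for illustration, not the actual characters on the user's machine); on a Windows box the same scan_dir would be pointed at the system32 directory.

```python
"""List directory entries whose names contain characters outside printable ASCII,
the kind a console prints as '?' and an ASCII search never matches.
Added example for this page; not code from the forum or from any scanner."""
import os
import tempfile
import unicodedata


def odd_chars(name):
    """(char, code point, Unicode category) for every character outside printable ASCII."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for ch in name if not 0x20 <= ord(ch) < 0x7F]


def visible_name(name):
    """The name as it would appear once format characters (category Cf, e.g. zero-width
    space) are removed; a look-alike letter from another script is NOT removed, so it
    still shows up in odd_chars() for the reader to judge."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def scan_dir(path):
    """Return [(name, odd_chars(name))] for entries that are not plain printable ASCII."""
    findings = []
    for entry in sorted(os.listdir(path)):
        odd = odd_chars(entry)
        if odd:
            findings.append((entry, odd))
    return findings


def make_sample_dir():
    """Constructed sample directory: two ordinary names and two look-alikes.
    The odd characters are assumed for illustration, not taken from the thread."""
    d = tempfile.mkdtemp(prefix="fnscan_")
    for name in ("ddplay.exe", "notepad.exe",
                 "d\u0430dplay.exe",           # Cyrillic small a where a Latin a is expected
                 "\u200b\u200berinit.exe"):    # two zero-width spaces before 'erinit'
        open(os.path.join(d, name), "wb").close()
    return d


if __name__ == "__main__":
    sample = make_sample_dir()   # on Windows, pass r"C:\WINDOWS\system32" instead
    for name, odd in scan_dir(sample):
        print(f"{name!r}: displays as {visible_name(name)!r}; odd characters {odd}")
```

The report is the useful part: a name that "displays as" erinit.exe but carries two U+200B characters is one that no search for erinit.exe will find, and a deletion tool that accepts the 8.3 short name (as KillBox was given in post #6) is the practical way to address it.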
#9
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
It's not advised to install SP2 while the system is infected. It does cause major issues.

Have KillBox delete these files as before. Reboot the computer.
c:\windows\helptw.exe
c:\windows\downloaded program files\popcaploader.dll
c:\windows\downloaded program files\ringtone.exe
Check your computer to see if you are still having problems. Report back with how things are and a new HJT log, analyzed.
#10
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Hi there, sorry for the delay in getting back...Real life intrusion, I'm afraid.
Firstly, a bit of an oops on my part... I installed XP SP2. Fortunately, nothing seems to have gone up the spout too seriously. The only things that seem to be odd are that startup and shutdown seem to be a lot slower, but that might be due to the copy of Zone Alarm that I have on my system. The firewall problem might well have been cleared up by this, except that of course Zone Alarm has disabled it. It appears to be active though, according to the Security Centre on XP. Also, I seem to be getting this odd grey screen on the desktop for a few seconds during startup, but then it reverts to my normal desktop. Nothing too threatening, just annoying due to the slowness of startup.

I followed your last set of instructions with KillBox, and rebooted. Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:59:33, on 01/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/fee...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The Background Intelligent Transfer Service is still down; Microsoft Update seems to just lock up on me now. This seems to be the last major hiccup that I wanted to overcome, although help on the slowing down of startup/shutdown would be much appreciated.
#11
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Quote:
#12
Registered User
Join Date: May 2005
Posts: 8
OS: windows XP pro
Hi there, thanks for replying...
Originally, it would start to try and download, but would fail, and give me an error message. Now it locks up while searching for updates... The only thing that seems to have gone wrong since installing SP2. I'm not quite sure what the problem is, except for the fact that the BITS seems to be inactive in services.msc when I ran it from Start/Run. And I get that error message when trying to activate it. That's all I know at present. I would like to give you the error code that I got originally from Windows Update, but now that it locks up while searching, I can't even get that far...