Missing Explorer and Desktop [RESOLVED]


#1 bpmurray (New Member, 5 posts)

When I boot into any of the 4 users on the system, including in safe mode, no explorer bar appears and my desktop is blank and doesn't respond to right-clicking. I ran the usual checks - AdAware, SpyBot, etc. as described in the "Do this first" document here. I think the problem may stem from the fact that I found a bunch of infected files in the IE cache of my son's username. Norton AV says they were:

Bloodhound.Exploit.6
Download.Trojan
Downloader.Trojan
MHTMLRedir.Exploit
Trojan.ByteVerify
Trojan.Dropper
W32.Mota.B@mm
W32.Netsky.P@mm
W32.Netsky.P@mm!enc

I immediately logged in as him and cleaned the browser cache. I reran NAV and found no further infections.

Anyway, my system is pretty much useless now. I can start taskman and then manually execute the programs. I've attached my hijackthis log. Any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 23:27:13, on 12/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\lotus\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Development\Java\Tomcat 5.5\bin\tomcat5.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Tools\Mozilla\FireFox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
L:\All\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\Tools\FlashFXP\IEFlash.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] "e:\tools\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "E:\Development\Java\Tomcat 5.5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [Google Desktop Search] "X:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: BTTray.lnk = ?
O4 - Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\Ciaran\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Ciaran\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094202624515
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - E:\development\db2everyplace\bin\db2ccs.exe
O23 - Service: DB2 - DB2CTLSV (DB2CTLSV) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - E:\development\db2everyplace\bin\db2jds.exe
O23 - Service: DB2 License Server (DB2LICD) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2licd.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - E:\lotus\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - E:\Development\Java\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Warehouse server (vwkernel) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2SERV.EXE
O23 - Service: Warehouse logger (vwlogger) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2LOG.EXE

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Uninstall Viewpoint via the Add/Remove panel.

Do you know what these two are for?

O23 - Service: Warehouse server (vwkernel) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2SERV.EXE
O23 - Service: Warehouse logger (vwlogger) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2LOG.EXE

Download FixO http://users.telenet.../tools/FixO.exe and double click on it to install it. Open up the folder it created and run FixO.bat. Post the log it generates in your next reply.

Restart. If that doesn't fix up the desktop problem, try this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"XMLlibADutid"=-
"XMLlibBnxt"=-
"XMLlibID"=-
"XMLlibiftid"=-
"XMLlibistid"=-
"XMLlibittid"=-


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Windows\explorer32dbg.exe
C:\Windows\iexplore_dbg.exe


Restart and post a new HijackThis log.
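
A small triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the checks greyknight makes by eye (services with an unknown owner or a binary HijackThis could not find, orphaned toolbar entries, the configured proxy, autoruns launched from temp/profile directories, and the Viewpoint entry) to lines taken from the log posted above; the `updater` autorun line is constructed for the example and the `Finding`/`triage` names are the example's own.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

It applies, mechanically, the checks a helper makes by eye: services with no
publisher or a binary HijackThis could not find, orphaned toolbar/BHO entries,
autoruns launched from user-writable directories, a proxy set in Internet
Settings, and programs the helper asked to remove.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Program the helper asked to have uninstalled earlier in this thread.
KNOWN_UNWANTED = ("viewpoint",)

# Autoruns launched from these locations deserve a look: they are writable by
# the logged-in user and are where dropped executables usually end up.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Finding:
    line_no: int
    section: str
    severity: str  # "review": needs a human decision; "fix": safe to clean
    reason: str


Verdict = Tuple[Optional[str], Optional[str]]


def _check_service(rest: str) -> Verdict:
    # O23 layout: "Service: <name> - <owner> - <path>". The display name may
    # itself contain " - " (e.g. "DB2 - DB2 (DB2)"), so split from the right.
    parts = rest.split(" - ")
    if len(parts) < 3:
        return None, None
    owner, path = parts[-2], parts[-1]
    if "(file missing)" in path:
        return "review", "HijackThis could not find the service binary at the listed path; check the path and quoting"
    if owner == "Unknown owner":
        return "review", "service carries no publisher information; confirm what installed it"
    return None, None


def _check_autorun(rest: str) -> Verdict:
    # O4 layout: "<hive>\..\Run: [<value name>] <command line>"
    m = re.search(r"\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)", rest)
    if not m:
        return None, None
    cmd = m.group("cmd").lower()
    if any(d in cmd for d in SUSPECT_DIRS):
        return "review", "autorun launches from a user-writable temp/profile directory"
    if any(u in cmd for u in KNOWN_UNWANTED):
        return "fix", "autorun belongs to a program the helper asked to uninstall"
    return None, None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that deserves attention."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = re.match(r"(?P<section>[RO]\d+) - (?P<rest>.*)", raw.strip())
        if not m:
            continue  # header lines, blank lines, the process list
        section, rest = m.group("section"), m.group("rest")
        sev, reason = None, None
        if section == "O23":
            sev, reason = _check_service(rest)
        elif section == "O4":
            sev, reason = _check_autorun(rest)
        elif section in ("O2", "O3") and rest.endswith("(no file)"):
            sev, reason = "fix", "BHO/toolbar entry points at a file that no longer exists"
        elif section == "R1" and ",ProxyServer" in rest:
            sev, reason = "review", "a proxy is configured in Internet Settings; confirm it is intentional"
        if sev:
            findings.append(Finding(n, section, sev, reason))
    return findings


# Constructed sample: lines from the log posted in this thread plus one invented
# O4 entry (the "updater" line) that exercises the user-writable-directory check.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3128",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
    r"O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe",
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe",
    r"O23 - Service: Warehouse server (vwkernel) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2SERV.EXE",
    r'O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - E:\Development\Java\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d} {f.section:<4} [{f.severity}] {f.reason}")
```

The script only flags; the decision to remove an entry stays with the person reading the log, exactly as in the thread.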

#3 bpmurray (Topic Starter, New Member, 5 posts)

Uninstall Viewpoint via the Add/Remove panel.
Done, using appwiz.cpl from DOS prompt (no start menu). BTW, what is ViewPoint Manager? I think it's something my son installed.

Do you know what these two are for?

O23 - Service: Warehouse server (vwkernel) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2SERV.EXE
O23 - Service: Warehouse logger (vwlogger) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2LOG.EXE

Yes - they're DB2 processes. They should be OK.

Download FixO http://users.telenet.../tools/FixO.exe and double click on it to install it. Open up the folder it created and run FixO.bat. Post the log it generates in your next reply.
OK, here it is:

running from ---
C:\Temp\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

-----------------------------------------------------
existing bad files:
-----------------------------------------------------


existing important bad keys:
-----------------------------------------------------


Merging Registry----------


Deleting Files-------------


Searching for files not deleted:
-----------------------------------------------------


Searching for keys not deleted:
-----------------------------------------------------


Restart. If that doesn't fix up the desktop problem, try this:

Still wrong

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"XMLlibADutid"=-
"XMLlibBnxt"=-
"XMLlibID"=-
"XMLlibiftid"=-
"XMLlibistid"=-
"XMLlibittid"=-


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Windows\explorer32dbg.exe
C:\Windows\iexplore_dbg.exe


Restart and post a new HijackThis log.


Still no go. Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 00:45:04, on 13/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Tools\Mozilla\FireFox\firefox.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\lotus\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Development\Java\Tomcat 5.5\bin\tomcat5.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
L:\All\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\Tools\FlashFXP\IEFlash.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mmtask] "e:\tools\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "E:\Development\Java\Tomcat 5.5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [Google Desktop Search] "X:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Startup: BTTray.lnk = ?
O4 - Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\Ciaran\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Ciaran\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\xmlspy\spy.htm (HKCU)
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094202624515
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - E:\development\db2everyplace\bin\db2ccs.exe
O23 - Service: DB2 - DB2CTLSV (DB2CTLSV) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - E:\DEVELOPMENT\DB2EVERYPLACE\bin\db2syscs.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - E:\development\db2everyplace\bin\db2jds.exe
O23 - Service: DB2 License Server (DB2LICD) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2licd.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - E:\development\db2everyplace\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - E:\lotus\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ethernet Packet Service (npacketservice) - Nokia - C:\WINDOWS\system32\npacketsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - E:\Development\Java\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Warehouse server (vwkernel) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2SERV.EXE
O23 - Service: Warehouse logger (vwlogger) - Unknown owner - E:\DEVELO~1\DB2EVE~1\bin\IWH2LOG.EXE

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Viewpoint is just a video player bundled with some of the popular programs like AOL. It's not harmful, per se, but we ask users to remove it since it's not necessary to have :tazz:

Try this:

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:


REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{60371670-81B9-4d06-9C42-4DEC1AABE62B}]

[-HKEY_CLASSES_ROOT\TypeLib\{4947DDCC-D549-4D0B-9685-AA58B20E9642}]

[-HKEY_CLASSES_ROOT\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[-HKEY_CLASSES_ROOT\BHOASS.BHDP]

[-HKEY_CLASSES_ROOT\BHOASS.BHDP.1]


Save the file as "fix.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

If that still won't work, run the system file checker:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

#5 bpmurray (Topic Starter, New Member, 5 posts)

I did all of this, and still no desktop nor explorer. Actually IE doesn't work either - maybe that's related?

When I try to launch explorer manually, the toolbar flashes & vanishes again.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Did you try to remove any infection before the desktop problem occurred? I know of a few infections that may do this, but if you recall what was removed, that might speed things up here.

See if this helps:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.

#7 bpmurray (Topic Starter, New Member, 5 posts)

Yes - I removed the new.net infection. It was a real pain since it infects the Winsock settings, and I had to rebuild the TCP/IP stack.

After that I scanned some suspicious areas, to see if NAV triggered a virus warning, and I found a load of infections in the browser cache for my son's username. I simply removed the files by using IE to delete the temp internet files.

My suspicion is doing one or both of these nuked something in the loading of IE and/or explorer, which now cannot be started. This results in a lost desktop too since that depends on explorer.

Anyway, after that I ran a NAV scan & found nothing new; then I ran Ad-Aware, and then spybot s&d. AdAware found some things that shouldn't impact anything.

I'll run what you suggest above, but I'm pretty certain it won't uncover anything. I think it may be time to bite the bullet & reinstall. I'd love to be able to pull application-specific pieces from the registry to allow me to merge the information back once the installation is complete. Any tools available that'll help with that?

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Yes, there is a program that can move your programs over, but I'm not sure if it moves all the registry entries or just the specific ones. I haven't used it before, but heard that AlohaBob is very good.

OK, since it's come down to this, then we'll just try a Windows repair. Before doing this, make sure you back up all your data first (either do it through dos or slave this hard drive on another computer and copy your files over to the computer that way). Boot from your Windows XP CD and let it load the blue setup screen. Hit ENTER key to enter setup. Now choose the option to repair Windows.

See if that will repair the desktop.

#9 bpmurray (Topic Starter, New Member, 5 posts)

OK - got it back. I tried all the usual tools, and then it hit me: a checkpoint recovery with a more controlled repair might be the solution, so I fired up windows\system32\restore\rstrui.exe and selected a checkpoint from about 10 days ago. Then I ran NAV to isolate anything naughty, uninstalled new.net, ran netsh to rebuild the TCP/IP stack and then AdAware & SpyBot. A little tidying up and strategic explicit checkpoints and it's all solid as a rock. Well, as solid as Windows ever is. I just wish those games ran on Linux, then I could dump that inherently unsafe and unstable Windows.

Thanks, Grey, for your attention: just goes to show - you can use all the tools you like, but if you don't take the right approach, you end up heading down somewhere from which there is no recovery available.

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
