[jtstp]

I have read and attempted to follow the "You Must Read This Before Posting a Hijackthis Log..." section.

Norton detected Bloodhound.W32.EP on 9/20/05, but could not remove it because access to the file was denied. The virus definitions were not up to date when Norton detected the virus. Subsequent attempts to update the virus definitions online were unsuccesful.

The computer crashed and rebooted, and initially, for a period of time, many System Idle Process took up a large amount of system resources. During this period of time, I was able to access the Internet using Internet Explorer.

I am currently completely unable to access the Internet using Internet Explorer. Other programs (such as CDDB, which retrieves CD title and track information) are able to successfully connect.

From my office computer, I downloaded and burned to CD all of the programs in the "You Must Read This Before Posting a Hijackthis Log..." section. I have had difficulty installing/running these programs on my home computer, however, because the virus is apparently intermittently affecting my ability to access my CD drive (I get the error message "D:\ is not accessible. The request is not supported").

After several attempts, I was able to run the WinsockXPFix utility in Safe Mode, however, I am still unable to connect using Internet Explorer.

Any suggestions for next steps are greatly appreciated!

[Advertisements]

We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Cick browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there, right click and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you wont see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply.

[tampabelle]

We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Cick browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there, right click and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you wont see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply.

[jtstp]

Successfully ran smithRem as instructed. Also ran CleanUp!, Ad-aware, Spybot S&D, and installed Ewido (all without updates because IE is still not connecting).

Ran Hijack This and generated a log. I am having difficulty (even from Safe Mode) in burning the log to CD in order to transfer the log from my home computer to my office computer.

Any suggestions? Also, any risk in transfering the virus by transfering the log? Thanks!

[jtstp]

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:19:53 PM, on 9/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://sympatico.zon...UI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://sympatico.zon...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://sympatico.zon...at.cab32846.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://sympatico.zon...tz.cab37625.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://sympatico.zon...xy.cab35645.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[tampabelle]

Do you have the Widnows XP CD with you ????

[jtstp]

Unfortunately not.

[tampabelle]

ok, lets try this first -

Click on Start ---> Run. Type in

sfc /scannow

and hit enter.

This will check your system files for their integrity.

Let me know how it goes.

[jtstp]

Got the following prompt:

"Files that are required for Windows to run properly must be copied to the DLL Cache. Insert your Windows XP Professional CD-ROM now."

[tampabelle]

Windows Protection Files are usually stored in:C:WINDOWS\System32\Dllcache (C: in most cases is the root drive)

The dllcache folder is extremely important so Windows XP hides it from you! To view it go to:

* My Computer -> Tools -> Folder Options -> View -> "uncheck" Hide protected operating system files.

There is normally no need for the original XP CD to be inserted as your computer has a copy it can get hold of in this cache.

But, if the Dllcache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!

However, not ALL installations of Windows XP have ALL the system files cached into this folder! You may only have around 25-50MB of files in this folder under Windows XP depending on the settings in the registry.

HOW TO WORK AROUND THIS

As well as having a cache of all the system files on your PC, you should have the I386 folder from the XP CD installed on your hard drive. After doing this, it is quite simple to modify the registry to tell it the source path for these files.

This prevents 99% of requests for the the XP CD with Windows File Protection and the I386 folder also contains many other files that are sometimes needed by the operating system and this stops those requests for the XP CD,as well.

HOW TO PUT I386 ON YOUR ROOT DRIVE:

Step 1

You will need to get your XP CD and locate the folder called: I386

This is a major folder and should be one of the first you see, now copy this onto your hard drive into the system root. For most of you that is going to be C: so you should end up with a folder that looks like: C:I386

Step 2

Your computer needs to know that you now have the necessary files on your PC. This is done by editing the registry. Here's how: (type regedit in the Run box on the start menu)

By navigating to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

You will see various entries here on the right hand side.

The one we want is called: SourcePath

It probably has an entry pointing to your CD-ROM drive,(usually D:) and that is why it is asking for the XP CD. All we need to do is change it to: C: Now, double click the SourcePatch setting and a new box will pop up allowing you to make the change to the drive letter of your root drive, probably C:

Now restart your computer and try sfc /scannow again![B]

[jtstp]

Located the i386 folder and copied it to the root drive. Location is now C:\i386. Modified the registry Source Path file to point to C:\ instead of D:\. Still getting the same prompt. Do I also need to modify the Installation Sources file to point to D:?

[tampabelle]

Can list for me all the keys under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

and list for all the keys - name, type and Data

[jtstp]

Name Type Date

(Default) REG_SZ (value not set)
BootDir REG_SZ C:\
CDInstall REG_DWORD 0x00000001 (1)
DriverCachePath REG_EXPAND_SZ %SystemRoot%\Driver Cache
Installation Sourcs REG_MULTI_SZ D:\Driver\WinXP D:\
LogLevel REG_DWORD 0x20000000 (536870912)
PrivateHash REG_BINARY c1 e3 f8 eb da e9 b3 e9 0f d0 e7 e1 28 06 d4
ServicePackCachePath REG_SZ c:\windows\ServicePackFiles\ServicePackCache
ServicePackSourcePath REG_SZ C:\
SourcePath REG_SZ C:\

[tampabelle]

OK,

Edit the following keys -

1) Installation sources

Add the following paths -

c:\windows\inf
C:\WINDOWS\SYSTEM32


2)ServicePackSourcePath

Modify the path to show -

c:\windows\ServicePackFiles

Reboot the PC.

Now try sfc /scannow

[jtstp]

Made the modifications as instructed. Still receiving the insert CD prompt when attempting to scan.

Edited by jtstp, 25 September 2005 - 07:24 PM.

[tampabelle]

Can you alter this Key -

CDInstall

and make it 0