Help. W2K explorer.exe and iexplore.exe not found


#1 Sivadrad (New Member, 5 posts)

I have gone through as many of the pre-HJT log post steps as I can. I cannot open IE, but have been able to run updates to Ad-Aware, Spybot, CWShredder, etc.

I was hopeful after finding a number of trojans with TrojanHunter that things would just come back up, but alas...

I am running an inherited and poorly maintained W2K mail server. The mail services still work (thankfully), but the desktop icons and taskbar don't come up. I can access apps via the taskmgr, but can't get IE to come up.

Here is my log file. I'd appreciate any help. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:25 AM, on 10/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\sfmsvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.micro...N-US&pr=kbinfo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124820449171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - http://192.168.1.166..._0_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C0BA0D-50C7-47D7-9A63-6343584CEAD3}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B7424B-4A3D-482F-BA85-D3AD1EED47A7}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: dellw3j - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#2 Armodeluxe (Retired Staff, 2,744 posts)

Hi Sivadrad,

I'm not familiar with servers, but I couldn't find any information on the following services and that implies that they may be malware.

O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)
O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)
O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)


Please tell me if any of them are familiar. As for explorer.exe and iexplore.exe, if they are missing you may have to use the Recovery Console to copy those files from your Windows CD, but that is after removing the malware.

Please report back on those services and we will delete the malware ones from command prompt.

#3 Sivadrad (Topic Starter, 5 posts)

Hey Armodeluxe,

Thanks for your reply.

I have checked out the services you pointed out. None are familiar in the traditional sense. The only one I found information on came up on a Chinese bulletin board system that looked similar to Geeks to Go.

What do we have to do to get rid of this stuff?

#4 Armodeluxe (Retired Staff, 2,744 posts)

Open HijackThis and click Scan. Put a check next to these:

O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)
O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)
O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)


Close all other windows except HijackThis and click Fix Checked.
  • Open HijackThis again
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete an NT service"
  • Copy and paste this in: Anti-V
  • Click "OK", don't reboot
Repeat the above for cmd and r_server, pasting those in place of Anti-V; still don't reboot.

Open a command window and type these lines, hitting Enter after each line. Note the spaces before the minus signs and before C: and G:.

attrib -s -r -h C:\WINNT\System32\certmngr.exe
del C:\WINNT\System32\certmngr.exe
attrib -s -r -h C:\WINNT\System32\discovice.exe
del C:\WINNT\System32\discovice.exe
attrib -s -r -h G:\CMD.EXE
del G:\CMD.EXE
exit


After that reboot and post a new log.

Now tell me this: what exactly happens if you enter explorer.exe and iexplore.exe into Task Manager's New Task? Do you get any error messages, or does nothing happen?

#5 Sivadrad (Topic Starter, 5 posts)

Hey Armodeluxe,

I did what you suggested, but with no real improvement.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:52 AM, on 10/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\sfmsvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\regedit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.micro...N-US&pr=kbinfo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124820449171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - http://192.168.1.166..._0_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C0BA0D-50C7-47D7-9A63-6343584CEAD3}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B7424B-4A3D-482F-BA85-D3AD1EED47A7}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: dellw3j - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



As you can see, the 'r_server' and 'Anti-V' service entries remain. I tried multiple times to remove them from the list via HJT with no luck. The 'cmd.exe' entry came out okay, though.

When I went to delete the .exe files, they weren't there for me to delete.

When I opened regedit and did a search, I did find entries for discovice.exe and certmngr.exe. I almost just went ahead and deleted the entries there, but didn't.

What do you think I should do at this point?

Explorer.exe and iexplore.exe still don't work, either.
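
The triage Armodeluxe did by hand in post #2 (which O23 entries have no known owner and no file on disk) and the check Sivadrad did by eye in this post (which of those entries survived the fix) can both be scripted. The Python below is an added example, not code from the thread or from HijackThis. It assumes the O23 line format of HijackThis 1.99.1 exactly as it appears in the logs above; the KNOWN_GOOD_EXES allowlist is a constructed assumption standing in for the machine's real software inventory, and the sample lists are trimmed copies of the O23 sections of the first two logs in the thread.

```python
import re

# One HijackThis O23 line, e.g.
#   O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)
# Groups: display name, owner (vendor string), image path, optional "(file missing)".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# HJT appends the short service name in parentheses when it differs from the display name.
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Binaries that show "Unknown owner" / "(file missing)" in HJT 1.99.1 output but belong to
# products the administrator knows are installed (constructed allowlist for this example;
# a real one is maintained per machine from the software inventory).
KNOWN_GOOD_EXES = {"winvnc4.exe", "rpcapd.exe", "utilman.exe"}


def parse_o23(line):
    """Split an O23 line into its fields; returns None for any other kind of line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    short = SHORT_NAME_RE.search(display)
    exe = EXE_RE.search(m.group("path"))
    return {
        "name": short.group("short") if short else display,
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
        "exe": exe.group(1).lower() if exe else "",
    }


def triage(lines):
    """Return {service_name: [reasons]} for O23 entries that deserve a closer look."""
    suspects = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None or entry["exe"] in KNOWN_GOOD_EXES:
            continue
        reasons = []
        if entry["owner"] == "Unknown owner":
            reasons.append("no vendor information in the binary")
        if entry["missing"]:
            reasons.append("image path does not exist on disk")
        if not (entry["path"].upper().startswith("C:\\") or entry["path"].startswith("%")):
            reasons.append("image lives outside the system drive")
        # One weak signal is common for legitimate software; two or more is worth a question.
        if len(reasons) >= 2:
            suspects[entry["name"]] = reasons
    return suspects


def verify_removal(before_lines, after_lines):
    """Compare the suspects found in an earlier log against the O23 entries of a later one."""
    suspects = set(triage(before_lines))
    after = {e["name"] for e in map(parse_o23, after_lines) if e}
    return {
        "removed": sorted(suspects - after),
        "still_present": sorted(suspects & after),
    }


# O23 lines copied from the first log in the thread, trimmed to the entries that matter here.
BEFORE_LOG = [
    r"O23 - Service: Localhost Service (Anti-V) - Unknown owner - C:\WINNT\system32\certmngr.exe (file missing)",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe",
    r"O23 - Service: cmd - Unknown owner - G:\CMD.EXE (file missing)",
    r"O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
    r'O23 - Service: Remote Access Service (r_server) - Unknown owner - C:\WINNT\system32\discovice.exe" /service (file missing)',
    r"O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)",
    r'O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)',
]
# The second log in the thread still lists Anti-V and r_server; only the cmd entry is gone.
AFTER_LOG = [l for l in BEFORE_LOG if "G:\\CMD.EXE" not in l]

if __name__ == "__main__":
    for name, reasons in triage(BEFORE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
    print(verify_removal(BEFORE_LOG, AFTER_LOG))
```

The allowlist is what keeps the heuristic honest: the first log shows WinVNC4.exe in the running-processes list even though its O23 line says "(file missing)", so that flag on its own is not evidence of anything, and a quoted image path with arguments (rpcapd, WinVNC4) is reported the same way. The script therefore reports only entries that combine two signals and are not recognised products, which is exactly the three services named in post #2, and the verification step reproduces this post's finding that cmd went away while Anti-V and r_server did not.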

#6 Armodeluxe (Retired Staff, 2,744 posts)

Tell me this: are you using another browser, or are you posting from another computer? Are you able to download anything?

Let's try to delete the services with a batch file. Then we will run the System File Checker. Before you proceed, see these pages so you know about the System File Checker.

http://support.micro...b/222471/EN-US/

http://support.micro...b/222193/EN-US/


Please run Notepad and copy the following text in the code box into a new file:
@ECHO OFF
cd %windir%
sc config Anti-V start= disabled
sc stop Anti-V
sc delete Anti-V
sc config r_server start= disabled
sc stop r_server
sc delete r_server
exit
Save the file as C:\remove.bat (name it remove.bat and save it to C:\) and make sure the "Save as type" field says "All files". Then please restart your computer and press F8 as it reboots, as though you were going to start in Safe Mode. At the startup menu, choose "Command Prompt Only" or "Safe Mode with Command Prompt". At the command prompt type cd c:\ and press Enter (make sure to put a space between the "cd" and the "c:\"). Then type remove and press Enter. When that is finished, type sfc /scannow (there is a space after sfc). This will replace any missing/damaged system files. Have your Windows CD ready in case it's needed. Wait for the tool to complete.
Restart your computer and post a new HijackThis log.

#7 Sivadrad (Topic Starter, 5 posts)

Hey Armodeluxe,
Sorry for the delayed response. I appreciate your patience.

To answer your question, I do have to post from a separate machine, but I can connect to the problem machine from this one and others on the network. I can't get to IE or Windows Explorer from the problem machine.

I had to jump through some hoops to do what you suggested. SC.exe wasn't installed on the box; I had to do some tweaking to get it there. Once I ran it, though, it seems as if the two services were pulled out.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:47 AM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\sfmsvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Client\Remotsvc.exe
C:\Program Files\Dantz\Client\retroclient.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Exchsrvr\bin\events.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.micro...N-US&pr=kbinfo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.p...quicksilver.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124820449171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E19F9330-3110-11d4-991C-005004D3B3DB} (Java Runtime Environment 1.3.0_01) - http://192.168.1.166..._0_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C0BA0D-50C7-47D7-9A63-6343584CEAD3}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B7424B-4A3D-482F-BA85-D3AD1EED47A7}: NameServer = 206.13.28.12,206.13.30.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = montgomerycobb.com
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: dellw3c - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\Apache.exe
O23 - Service: dellw3j - Unknown owner - C:\Program Files\Dell\OpenManage\OLDiags\bin\OLDserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

The SFC /SCANNOW command would not run. It gave me an error - "Windows file protection could not initiate a scan of protected system files....RPC server is unavailable".

The desktop is still not visible, and I saw that this was true even running in safe mode.

What do you think I should try now?

#8 Armodeluxe (Retired Staff, 2,744 posts)

Let's try this and see if it works. I found this possible cause:

Just to let everyone know: while surfing the internet I found someone who solved this problem and has a way to fix it. There are 2 registry keys in the registry that are causing the problem. It affects the explorer.exe and iexplore.exe files.

These are the keys that need to be deleted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Once these keys are deleted the desktop and internet explorer should come back to life.


explorer.exe and iexplore.exe subkeys normally don't exist under Image File Execution Options. If you find that they exist, delete them.

If that doesn't work, our next option is a repair install. See this thread:

http://www.geekstogo...ws-XP-t138.html

That one also applies to Windows 2000; just do a repair install.

Let's hope this solves it.
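
The two keys above live under Image File Execution Options (IFEO). A "Debugger" string value in a per-image subkey tells Windows to start that program, with the original image as its argument, whenever the image is launched, which is why a planted explorer.exe subkey leaves the desktop empty and an iexplore.exe subkey stops IE from appearing. The Python below is an added example, not code from the thread or from Microsoft: it audits a regedit export (.reg text) of the IFEO key, reports subkeys that should not exist and any subkey carrying a Debugger redirection, and writes a .reg script that deletes the explorer.exe and iexplore.exe subkeys on import. SAMPLE_EXPORT and the C:\PLACEHOLDER\hijack.exe path in it are constructed for the example; the thread does not say where the real entries pointed.

```python
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Per the thread, these per-image subkeys do not exist on a healthy machine.
SHOULD_NOT_EXIST = {"explorer.exe", "iexplore.exe"}


def parse_reg_export(text):
    """Turn a regedit export into {key_path: {value_name: value_data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote string data and double every backslash
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
        # header, blank and hex continuation lines are ignored
    return keys


def audit_ifeo(text):
    """List IFEO subkeys that should not be there or that carry a Debugger redirection."""
    findings = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):].lower()
        if "\\" in image:
            continue  # keys nested below an image subkey are out of scope here
        debugger = values.get("Debugger")
        if image in SHOULD_NOT_EXIST:
            detail = "subkey should not exist"
            if debugger:
                detail += f"; every launch is redirected to {debugger}"
            findings.append((image, detail))
        elif debugger:
            # Legitimate for a developer's own tools; still worth a human look on a server.
            findings.append((image, f"Debugger value redirects launches to {debugger}"))
    return findings


def removal_reg(findings):
    """Build a .reg script that deletes the subkeys flagged as should-not-exist."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in findings:
        if image in SHOULD_NOT_EXIST:
            lines.append(f"[-{IFEO_KEY}\\{image}]")  # a leading '-' deletes the key on import
            lines.append("")
    return "\n".join(lines)


# Constructed export of the IFEO key; the hijack path is a placeholder, not from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\PLACEHOLDER\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\PLACEHOLDER\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
'''

if __name__ == "__main__":
    results = audit_ifeo(SAMPLE_EXPORT)
    for image, detail in results:
        print(f"{image}: {detail}")
    print(removal_reg(results))
```

Exporting the key first (regedit's File > Export on the IFEO key) and auditing the text has two advantages over deleting by hand: the export is evidence of what the redirection pointed at, and the generated .reg script only touches the two subkeys the thread names, so a developer's own debugger entry (the notepad.exe line in the sample) is reported but left alone.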