Parents' computer...
Howdy folks. This is in the emergency forum because I need a quick response: the timeframe for the fix needs to be in the next 16 hrs or so. Thanks in advance for helping me on a challenging fix.
A guest of my parents used their main computer and loaded it up with tons of spy/ad/malware. I uninstalled dozens of search programs, and Ad-Aware SE (using month-old definitions) still found over 1200 objects. Some programs can't be uninstalled, because they require an internet connection to do so for some reason. The computer is connected to the internet, but no programs can access it (not just browsers - nothing can access it). Norton Antivirus isn't launching the scan program for some reason. I've quarantined everything that I can with Ad-Aware, and the computer runs better now, but I still can't find a way to connect to the internet. It's running Windows 2000 SP3. The only clue I have is the address that comes up in the bar when I try to go to a site in Internet Explorer:
res://eshub.dll/http_404.html
I haven't been using IE recently, but I'm pretty sure that's not normal. Firefox also fails to bring up sites, but nothing shows up in the address bar.
I would just reinstall Windows, but I don't have the CDs with me, and I won't be back down to help them for months, since I'm moving to New Mexico in just over a week and starting a new job.
If there's anything I can do to get this thing back on the Internet using only what's already on it, that would be awesome. I have a floppy drive on this computer I could use to transfer files over to it, but no CD burner.
There... easy isn't it?
second, post a HJT log if you can
log:
Logfile of HijackThis v1.99.0
Scan saved at 8:11:44 AM, on 12/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\addkq.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\services.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MediaFACE 4.0\SetHook.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINNT\apiqu.exe
C:\documents and settings\rush family\local settings\temp\h2tSg.exe
C:\documents and settings\rush family\local settings\temp\RHyMAVBZ.exe
C:\WINNT\System32\tukelge.exe
C:\WINNT\System32\psaefilt.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\WINNT\System32\vmss\vmss.exe
C:\Documents and Settings\Rush Family\Application Data\aeau.exe
C:\WINNT\System32\l?gonui.exe
C:\WINNT\System32\prfisupd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\Rush Family\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bfxfh.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\bfxfh.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bfxfh.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bfxfh.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r3.attbi.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O2 - BHO: (no name) - {D6D47933-A180-EAAE-1E58-AAF53F45681A} - C:\WINNT\msse.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [apiqu.exe] C:\WINNT\apiqu.exe
O4 - HKLM\..\Run: [h2tSg.exe] C:\documents and settings\rush family\local settings\temp\h2tSg.exe
O4 - HKLM\..\Run: [RHyMAVBZ.exe] C:\documents and settings\rush family\local settings\temp\RHyMAVBZ.exe
O4 - HKLM\..\Run: [4NXZJ3@5QB657L] C:\WINNT\System32\HvgkmB.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvsmr32.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [nqkumfsjcfo] C:\WINNT\System32\tukelge.exe
O4 - HKLM\..\Run: [pFsk3nS] psaefilt.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\System32\vmss\vmss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [wuauserv] C:\WINNT\System32\wuauserv.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Uore] C:\Documents and Settings\Rush Family\Application Data\aeau.exe
O4 - HKCU\..\Run: [Borejrne] C:\WINNT\System32\l?gonui.exe
O4 - HKCU\..\Run: [Yo3qRhe6X] prfisupd.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ComcastHSI - {25E15B96-8D3D-460D-BFEE-3E37286B8DC7} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Support - {2A0A9CD4-33CD-4ACC-94CA-67B3BF5403D2} - http://www.comcastsupport.com/ (file missing) (HKCU)
O9 - Extra button: Help - {9719479D-A0D3-4F01-B3E2-61A9CE8DBA83} - http://online.comcast.net/help/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/installer_ICMEDIAX.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://start1.aaa1screensavers.com/10036.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\System32\angelex.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\system32\addkq.exe
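Added example, not part of the thread and not HijackThis's own logic: a small triage pass over a HijackThis log like the one posted above, flagging the entry types that usually deserve a closer look first. The rules and their wording are illustrative assumptions, not verdicts; the sample lines are copied from this log.

```python
import re

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bfxfh.dll/sp.html#12802
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [h2tSg.exe] C:\documents and settings\rush family\local settings\temp\h2tSg.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone: *.awmdabest.com
O23 - Service: ISEXEng - Unknown - C:\WINNT\System32\angelex.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

# (section codes, test on lower-cased entry text, reason). Heuristics are assumptions.
RULES = [
    ({"R0", "R1"}, lambda b: "res://" in b and ".dll" in b,
     "IE page setting points into a local DLL resource"),
    ({"F2"}, lambda b: re.search(r"shell=explorer\.exe\s+\S", b) is not None,
     "extra program appended to the Shell= value"),
    ({"O4"}, lambda b: "\\temp\\" in b,
     "autorun entry launches from a Temp directory"),
    ({"O10"}, lambda b: "unknown file in winsock lsp" in b,
     "unrecognised Winsock LSP sits in the network stack"),
    ({"O15"}, lambda b: True,
     "site or IP added to the Trusted Zone"),
    ({"O23"}, lambda b: "- unknown -" in b,
     "service with no vendor string"),
]

def triage(log_text):
    """Return de-duplicated (section, reason, entry) findings in log order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines and the running-process list
        code, body = m.groups()
        for sections, test, reason in RULES:
            if code in sections and test(body.lower()) and (code, body) not in seen:
                seen.add((code, body))
                findings.append((code, reason, body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE):
        print(f"{code:4} {reason}\n     {body}")
```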
http://www.intermute.com/spysubtract/cwshredder_download.html
run it and post a new log.
edit - got it to fit on two disks. I'll run it and re-post HJT log. Thanks!
The computer is slow as crap (it hits virtual memory like it's going out of style), so I'm still working on it, but with the internet restored, it'll be a lot easier. I'll post another HJT log after lunch.
Yea, there was other stuff, but I hoped that would take care of the main part.
As for being beautiful...how come I didn't get any praise when I posted in the Christmas picture thread :d