Norton won't run & ISTVC.exe installed
A friend of mine has a huge problem with her business computer and unfortunately she is running off a 56k modem so downloading security software is like watching paint dry.
I ran Adaware for her and recovered 408 critical errors. Most were deleted but not all (some could not be). I ran Spybot, cleaned up her temp files etc. Installed her new version of Norton Antivirus and that won't run (the computer asks her to reboot; when this is done it still requests a system reboot). Interestingly, Norton didn't ask for a registration key on installation???
Her system has not been maintained ever and the whole system is a mess (even basics such as defrag and system scan have never been run).
Unfortunately, she needs the computer for her business accounting, booking in customers etc. It is critical this is fixed as soon as possible.
I noticed she has the ISTSVC.exe executable on her system and know this is likely part of the problem but get the feeling there is going to be a host of cleaning up to do.
I will try and copy HJT to her computer tomorrow and get a register log for you (tomorrow's job) but in the meantime do you have any clues what may be stopping Norton Anti-virus running and also how do I delete ISTSVC from her system? (Uninstall only works in safe mode.)
I will post a HJT log tomorrow sometime but if you can help in the meantime that would be a huge help.
Regards
Zola
Here's what I was able to find.
Istsvc.exe is related to spyware ISTBar. The file is located in "C:\Program Files\ISTsvc\". And it adds an entry that points to 'ISTsvc.exe' into the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Download HijackThis, run it and delete the entry for this app. Or Perform the following steps:
1. Go to Start>Run> then in the Open field type 'regedit' (without quotes), then press Enter.
2. Select the Hive labeled 'HKEY_LOCAL_MACHINE'.
3. Choose 'Edit', then 'Find' and in the 'Find What' field type 'istsvc', then click 'Find'.
4. Delete the registry key that contains the value returned for your search.
5. Choose 'Find Next' just to be safe and let it search for other entries.
6. Then go to C:\Program Files and delete the 'ISTsvc' directory.
Norton won't run
HJT won't run (other than in safe mode)
Regedit would not run (other than in safe mode)
I have run:
Adaware 286 critical objects found
Spybot (1776 bad products and 19 problems fixed)
CWShredder (CWS nothing found)
Pop-ups are really bad after the latest crash.
This HJT log was after the last reboot unfortunately but perhaps there are things that can be fixed. It will only run in safe mode.
Thanks for your prompt response so far.
Logfile of HijackThis v1.99.1
Scan saved at 1:53:05 p.m., on 3/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliterrn32.exe
O4 - HKLM\..\Run: [geYrcKcw] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [ª#Ÿe„šVnRÖ§j÷©OVó×C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [ª#Ÿe„š/‚²ÆßfÏNb*»1C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\spybotsd.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Go to Start > Run > msconfig and disable all startup items, please.
(If msconfig doesn't work, skip this.)
Try running sysclean.com from
http://www.trendmicro.com/ftp/products/tsc/sysclean.com
Extract the vpn* virus pattern file into the same folder.
http://www.trendmicro.com/download/pattern.asp [Unzip the latest pattern file to the *.vpn extension please, before running sysclean.com in the same folder.]
I see you also need to download SP2 for your friend
[ http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en ]
Put this on a CD or something so you can install it there.
MS AntiSpyware you can find here
[ http://download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe ]
When you are all done scanning you can try to enable all your startup items in msconfig again.
If you experience any problems, just post.
What a nightmare this is turning out to be.
I managed to delete the ISTSVC.exe file by going to Program Files but it simply self-extracts and re-inserts itself as soon as you get back on to the internet (or so it seems). Loads of pop-ups; some look like genuine MS security protection ones but as I can't be sure I deleted them. Internet disconnects intermittently. This is made all the more frustrating because of the 56k modem (hence I have to do everything on my home PC and transfer it across town via CD).
The computer won't allow me to log off (other than by hard boot).
Tonight I have downloaded all the files you reference (including SP2) and will give it another go tomorrow evening.
Stay tuned for tomorrow's exciting episode.
Make sure you run the virus scan first.
The above links were fixed yesterday.
http://www.trendmicro.com/ftp/products/pattern/lpt540.zip
ty.
Hold off on the TrendMicro scan, since the user's computer is on dialup and that will take forever. I can tell you a few things from that HJT log, such as the fact that one of the items in there is a virus that can block access to the Trend Micro website:
http://securityresponse.symantec.com/avcenter/venc/data/w32.donk.q.html
This is probably what is preventing Norton from running as well.
It is also what is preventing MSCONFIG and SYSCLEAN from running.
There is a removal tool designed specifically for this virus; download it from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.donk.q.removal.tool.html
Try that first, download it on the other PC and burn it to a CD or copy to a floppy. Run that, then also try the manual fixes I give you below, in case you have a new variant this removal tool can't completely solve.
Also, please DISREGARD THE ADVICE GIVEN REGARDING UPGRADING TO WINDOWS XP SP2 AT THIS TIME. It is NOT a good idea to do a service pack install while you know you have problems like this, it is better to clean the problems first, then upgrade to SP2 later.
So, rather than download a bunch of apps right away, please follow these instructions. If you are not sure how to do some of the things I tell you, check the links I provide for instructions. You may want to print these instructions out for easy reference, or copy and paste to Notepad. Do not leave your browser open while performing these fixes.
Please make sure that HijackThis.exe is in its own folder, as explained here. When you boot up in safe mode, items on your desktop from normal mode may not be accessible, so it is best to put HJT into its own folder, such as C:\HJT. Additionally, as explained in that link, HJT creates a folder to back up data it fixes, so it is best to have that in its own dedicated folder instead of on the desktop.
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
Reboot into Safe Mode.
Make sure that all Internet Explorer or any other browser windows or internet applications are closed. Do not have any other unnecessary programs running.
Run Hijack This. FIX THE FOLLOWING (place a checkmark beside the entries, and then press the Fix Checked button) :
**************
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliterrn32.exe
O4 - HKLM\..\Run: [geYrcKcw] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [ª#Ÿe„šVnRÖ§j÷©OVó×C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [ª#Ÿe„š/‚²ÆßfÏNb*»1C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nupau.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...Bridge-c139.cab
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe
**************
Stay in Safe mode, manually locate each of the exe files in the entries above, and quarantine them.
Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs them.
Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things look clean, re-enable your system restore and set a new restore point.
Dexter...
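Dexter's post above picks the bad entries out of the HJT log by eye. The following is an added example, not part of the thread, that does the mechanical half of that triage in Python over a constructed sample log written in the same format as the logs in this thread (the sample lines are made up for the example, not copied from any one log). The heuristics are assumptions drawn from the patterns in these logs: BHOs with "(no file)", O4 entries that are a bare filename rather than a full path, Win9x-style RunServices entries, value names with garbage characters, executables dropped directly in C:\WINDOWS, O16 ActiveX downloads, and O23 services with no vendor or a missing binary. Malware registered with a full path and a plausible name (Media Access, eliterrn32.exe) passes these checks and still needs a human or a hash lookup.

```python
"""Mechanical first pass over a HijackThis (HJT) log (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample in HJT format; not a copy of any log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ª#ŸeC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nupau.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Bridge-c139.cab
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>.*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|bat|scr|dll))"?', re.IGNORECASE)


def executable_of(cmd):
    """Return the program part of an O4 command line, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("exe")
    return cmd.strip().strip('"').split(" ")[0]


def check_line(line):
    """Return the reasons (possibly none) one HJT line deserves a look."""
    reasons = []
    m = O2_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        reasons.append("BHO registered but its DLL is gone (orphaned entry)")
    m = O4_RE.match(line)
    if m:
        name, key = m.group("name"), m.group("key")
        exe = executable_of(m.group("cmd"))
        low = exe.lower()
        if "\\" not in exe and "/" not in exe and not exe.startswith("%"):
            # A bare name is resolved through the search path; installers
            # of legitimate software almost always write a full path.
            reasons.append(f"autostart by bare filename {exe!r}")
        elif low.startswith("c:\\windows\\") and "\\" not in low[len("c:\\windows\\"):]:
            reasons.append("executable dropped directly in the Windows directory")
        if key.lower().endswith("runservices"):
            reasons.append("RunServices key: Win9x-era autostart seldom written by legitimate XP software")
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            reasons.append("value name contains non-printable or non-ASCII characters")
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or "?"
        reasons.append(f"ActiveX control fetched on demand from {host}; confirm the site is trusted")
    m = O23_RE.match(line)
    if m:
        if m.group("owner").strip().lower() == "unknown owner":
            reasons.append("service with no recorded vendor")
        if "(file missing)" in m.group("path"):
            reasons.append("service registration points at a binary that no longer exists")
    return reasons


def triage(log_text):
    """Return [(line, reason), ...] for every flagged line in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for reason in check_line(line):
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged_line}")
```

The point of the bare-filename rule is the one Dexter applies implicitly: libsysmgr.exe, syslog32.exe and hpsebc087.exe carry no directory, so whoever wrote them did not go through a normal installer. Anything the script leaves unflagged is not cleared, only not mechanically suspicious.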
Adaware - zilch critical objects
Spybot found two problems: Roings (embedded in Sys32 as objsafe.tlb) and Avenue A. Inc (a tracking cookie). This cookie seems to be persistent.
I will now print out your computer security advice for my friend and am going to talk to all her staff about the need for caution etc on the internet (especially if downloading .exe programmes).
One interesting snippet. She is running an accounting package called Shoestring or Shoebox (I can't remember the actual name) and said the guy who installed it told her she could not run it through a firewall. This seems completely bonkers to me and not true at all. I personally would advise that she gets Norton Internet Security (rather than SP2 or the MS firewall). Do you have anything to offer? She does have Norton AntiVirus and I will register that tomorrow and get it up and schedule it to run for her.
Again, a huge thanks for your expert advice. She now has the business as usual sign up and running!
HJT log follows:
Logfile of HijackThis v1.99.1
Scan saved at 7:58:41 p.m., on 6/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\scrtkfg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
C:\PROGRA~1\COMMON~1\zorr\zorra.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\COMMON~1\zorr\zorrl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Soeperman\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKCU\..\Run: [zorr] C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
O4 - HKCU\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Prof, thanks for the tip!
Almost the same drill as before, start by disabling System Restore.
Make sure you are still set to Show Hidden Files and folders.
This time, rather than a normal reboot, please PULL THE PLUG on the computer. Do not use the Start menu or front power switch to reboot. This is to prevent file names from changing on shutdown.
Plug the power back in, and boot into Safe Mode.
Make sure that all Internet Explorer or any other browser windows or internet applications are closed. Do not have any other unnecessary programs running.
Run Hijack This. FIX THE FOLLOWING (place a checkmark beside the entries, and then press the Fix Checked button) :
**************
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [zorr] C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe (file missing)
**************
Stay in Safe mode, manually locate the exe files in the entries above, and quarantine them.
Again, pull the plug on the computer, then plug it back in. When it starts up, let it boot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things look clean, re-enable your system restore and set a new restore point.
The firewall thing sounds goofy. A hardware firewall would just need to know what TCP/IP ports to forward. A software firewall would just need to have the program authorized, maybe have a return data port authorized as well. Any program can work through a firewall if properly enabled. That is just sometimes used as a poor excuse by tech support people who don't know their software well enough to know what ports it needs opened.
I would personally try it through a firewall and see how it works. Let me know what the program is called for sure, I'll see what I can find out. If you can't find out the ports needed, I can point you to a network analysis tool called Active Ports; it will tell you in detail what ports are in use on the system by what programs, which direction the traffic is in, what external IPs are being connected to or from, etc. A very handy tool.
Let us know how this cleaning step goes.
Dexter...
By the way, my friend called today to say the machine was working ok. She has had one pop-up and worryingly "dealt with it". Not sure what that means ! She is also away for a couple of days so I have no more details. More to come later.
Zola25
OK, I've followed your instructions. Weird thing is that despite hard reboots and deleting registry entries the erroneous objects are still embedded there after system start-up (see HJT log). zorrm.exe was not found. Quarantined all the other entries though.
Interestingly, when I tried a search using IE for zorrp.exe, the computer locked completely and needed a reboot. Followed your instructions for a second time and the system runs fine again.
Ran Spybot, Norton and Adaware. System all clean apart from the Roings entry. System defrag ran fine and the machine seems ok but I'm not convinced it is clean yet.
I ran a search for zorr* and noted a whole bunch of files and a couple of directories that included the following:
Zorrp.EXE
Zorra.EXE
Zorr
Zorrd
Zorrl.Ick
Zorrp.exe
There were a couple of others but you get the gist.
Incidentally, the accounting system is called Shoebox Accounts.
Following is the HJT log for your interest.
Zola25
Logfile of HijackThis v1.99.1
Scan saved at 1:06:46 p.m., on 10/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\scrtkfg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Soeperman\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKCU\..\Run: [zorr] C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
O4 - HKCU\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Put that in the same folder that you have HijackThis in.
Hard reboot the computer again, boot up in SAFE MODE.
Run HJT. Fix the following entry:
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
***This entry is NEW from the previous logs, and looks suspiciously like some sort of "porn dialer" program, which often gets installed without the user's knowledge when surfing questionable websites, often porn ones. I would speak to the owner of this computer regarding who else uses this computer, and what their browsing habits might include. Please have them refrain from using this computer for questionable activities until you get the current problems solved. It is pointless and a waste of your time and ours to try and fix a computer that has new and seemingly unrelated problems on each log, agreed?
OK, once that entry is fixed in HJT, exit HJT and then locate and run Killbox.
In Killbox, look to the bottom right hand side where there is a drop-down list that says System Process. Use that drop-down and check to see if scrtkfg.exe is listed. If it is, select it, then hit the yellow exclamation mark (!) to end that process.
Then, whether you were able to find that in the process list or not, either way, use the browse feature to locate the following file:
C:\WINDOWS\System32\scrtkfg.exe
Set Killbox to use the option to delete on reboot. Then press the red X button to delete the file. It will give you a confirmation box; press NO (if you press Yes it will reboot right away, and we don't want to reboot just yet). It will then tell you that the file has been flagged to be deleted on the next reboot.
Repeat this process, except this time point to the following folder:
C:\Program Files\Common Files\zorr
With that one, use the option Deltree (include subdirectories) and also the option to delete on reboot. Make sure to hit NO again so that you do not reboot instantly; we will reboot a little later.
Now, all those files you found:
Zorrp.EXE
Zorra.EXE
Zorr
Zorrd
Zorrl.Ick
Zorrp.exe
If those files were in the folder C:\Program Files\Common Files\zorr they are all going to be deleted on the next reboot, but if they were not in that folder, please re-find each one of those using Killbox, and repeat the first file deletion we did, each time choosing Delete on Reboot, and clicking NO to the "reboot now?" question.
When you have flagged all those files for deletion, close Killbox.
(***Warning - this next step uses the Regedit tool. Be very cautious, making a mistake here can seriously foul up your computer!***)
Go to the Start Menu, select RUN, and type REGEDIT and press Enter .
Click the + signs next to the folders to navigate the registry folder:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Highlight Services on the left hand side of the window. In the right hand side pane, look for the entry named
NT login service (ntlogin32)
Right click on that entry, and delete it.
Then, navigate through the registry to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root on the left side. Look for any of these:
LEGACY NT login service (ntlogin32)
If it is there, also right click on it and delete it.
Exit the Regedit program.
Now, do a SOFT reboot by using the Start button to restart the computer.
Boot up normally, run HJT and check things out. Post a fresh log for review.
Dexter...
It's been over a week I know. Anyway, it now turns out one of her staff has admitted to browsing inappropriate web sites (as suspected) and having looked at her system since it seems my friend has at last got the message across to them.
I followed your instructions to the letter. This is what I found.
LEGACY NT login service (ntlogin32) could not be deleted
C:\WINDOWS\System32\scrtkfg.exe was also not found
I ran Killbox as per your instructions and a lot of the junk disappeared however, there was a folder called Zorr and a file called zorr.dat that would not go away.
A search showed the following files also still are on her system:
zorra.Ick
Zorrd
Zorrh
Zorrl.Ick
zorrm.Ick
zorrp
zorrp.Ick
zorrp.dll
The HJT log below is from April 13th. On the plus side she informs me that her system is still working fine.
I'm happy to close this episode but you may have things you want me to do for completion. Please advise.
Regards
Zola25
Logfile of HijackThis v1.99.1
Scan saved at 8:00:22 p.m., on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\scrtkfg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Soeperman\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKCU\..\Run: [zorr] C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
O4 - HKCU\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
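As an added example, not part of the original thread and not code from HijackThis, Killbox or any other tool mentioned above, here is a small Python triage script that applies the checks a helper like Dexter does by eye to the O4 autorun lines of an HJT log. It flags values that launch a bare filename with no path (scrtkfg.exe and hpsebc087.exe in the log above), values written under the RunServices key, which Windows 9x processed but Windows NT/2000/XP ignore, and anything matching the names that appear in the removal instructions and the follow-up post (zorr, scrtkfg.exe, hpsebc087.exe, ntlogin32). The sample lines are copied from the log posted above; the indicator list, the function names and the heuristics are this example's own assumptions, not something the thread or the tool defines.

```python
"""Triage HijackThis O4 (autorun) lines for the patterns seen in this thread."""
import re

# Registry-style O4 lines look like: O4 - HKLM\..\Run: [name] command
# The "Global Startup" / "Startup" folder variants have a different shape and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Indicators taken from this thread (Dexter's checklist and Zola's follow-up).
# This list is an assumption of the example; extend it for other cases.
THREAD_INDICATORS = ("zorr", "scrtkfg.exe", "hpsebc087.exe", "ntlogin32")

# Autorun keys that Windows 9x processed but Windows NT/2000/XP do not. Worms of
# this era still write them (they were written for 9x too), while XP-era
# legitimate installers very rarely do, so a populated entry is itself a tell.
WIN9X_ONLY_KEYS = {"RunServices", "RunServicesOnce"}


def parse_o4(line):
    """Return the fields of a registry-style O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(cmd):
    """Extract the program from a Run value: a quoted path, or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def assess(entry, indicators=THREAD_INDICATORS):
    """List the reasons an autorun entry deserves a closer look (empty list = looks benign)."""
    reasons = []
    exe = executable_of(entry["cmd"])
    if "\\" not in exe:
        # A bare filename is resolved through the PATH search order at logon;
        # legitimate installers almost always write a full path.
        reasons.append("bare filename, no path (PATH-resolved at logon)")
    if entry["key"] in WIN9X_ONLY_KEYS:
        reasons.append(f"{entry['key']} key is Win9x-only and ignored on NT/XP")
    haystack = (entry["name"] + " " + entry["cmd"]).lower()
    for ioc in indicators:
        if ioc.lower() in haystack:
            reasons.append(f"matches thread indicator '{ioc}'")
    return reasons


def triage(lines, indicators=THREAD_INDICATORS):
    """Parse every O4 line and return only the entries that have at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry, indicators)
        if reasons:
            entry["exe"] = executable_of(entry["cmd"])
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


# Constructed sample input: the O4 lines copied from the HJT log posted in this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - HKCU\..\Run: [zorr] C:\PROGRA~1\COMMON~1\zorr\zorrm.exe
O4 - HKCU\..\RunServices: [IPOT USB Service DRIVER] hpsebc087.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e['hive']}\\..\\{e['key']} [{e['name']}] -> {e['exe']}")
        for r in e["reasons"]:
            print("   -", r)
```

Run it as-is and it prints five flagged entries: both "System CSRSS Patch" values, both "IPOT USB Service DRIVER" values, and the zorr entry; the Symantec, ctfmon and Office lines pass because they carry a full path and match nothing. Feed it a fresh log after the cleanup (for example `triage(open("hijackthis.log").read().splitlines())`) and an empty result is the quick check that none of the autoruns named in this thread came back.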