Avast WEBforum

Other => Viruses and worms => Topic started by: stang1127 on October 27, 2005, 06:47:57 AM

Title: Little help pls.
Post by: stang1127 on October 27, 2005, 06:47:57 AM
New to the forum. I had a bug that installed some backdoor stuff as well as changed my Windows Update settings and Microsoft firewall settings.
By following all of the great advice on here I think I licked most of it, but I think I still have a few issues.
The #1 issue I notice is that in the Microsoft Security Center my firewall is turned off, and there is no way to turn it back on.

Any additional advice would be appreciated. I enjoy reading all of the great tips, btw.
Title: Re: Little help pls.
Post by: galooma on October 27, 2005, 08:19:06 AM
Hi and welcome,
Download this little program and generate a log to submit in your next post.
This will tell us quickly and simply how your system is travelling.
http://www.majorgeeks.com/download3155.html :)
Title: Re: Little help pls.
Post by: MrBabis on October 27, 2005, 12:16:56 PM
Did you try Spybot?
Title: Re: Little help pls.
Post by: Lisandro on October 28, 2005, 02:40:48 AM
Quote
my firewall is turned off & there is no way to turn it back on.
Do you have any other firewall besides the Windows internal one?
Can't you install one?
Title: Re: Little help pls.
Post by: stang1127 on October 28, 2005, 05:05:37 AM
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.1sp1-KB886903-X86.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\SLA9.tmp
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.babiesonline.com/babies/o/octoberbambino
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.babiesonline.com/babies/o/octoberbambino
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\ShellEx.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122006558031
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125723089406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Matt\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


***I tried installing Panda to see if there was a problem with Avast, but never did because of the two AV conflicts. That's why it shows up in the log. I like to have about 25 processes running tops, but since I installed all of these programs it got a little out of control.
Title: Re: Little help pls.
Post by: stang1127 on October 28, 2005, 05:06:45 AM
Quote
my firewall is turned off & there is no way to turn it back on.
Do you have any other firewall besides the Windows internal one?
Can't you install one?
I'm sure I could. I tried ZA some time ago, and it just seemed to bog my computer down. I am behind a router, though, if that makes a difference.
Title: Re: Little help pls.
Post by: Lisandro on October 28, 2005, 05:10:40 AM
Quote
I tried ZA some time ago & it just seemed to bog my comp. down.
But you won't get the Windows Security warning with a firewall installed...

Quote
I am behind a router though if that makes a difference.
It could make a difference... some routers act as a firewall, others do not. Maybe some hardware expert (Eddy?) could shed some light on it.
Title: Re: Little help pls.
Post by: stang1127 on October 28, 2005, 05:17:13 AM
Just ran a virus scan; even though it was not picked up before, it just picked up Win32:ConHook-c. I'm not sure why it was not recognized before, but it is now. Also, I installed a program called Windows Worm Doors, and even though I close it, port 445 keeps getting opened. What would be a good firewall program?
Title: Re: Little help pls.
Post by: galooma on October 28, 2005, 05:35:06 AM
Hi there, there's one I have just reviewed in General Topics which seems to me to work well. With the problems you are having now, I suggest you want one that's reasonably simple to run, and this certainly is that. The name is Comodo Personal Firewall. It is only new on the market, so if malware is stopping you installing one, then maybe this will work because of that.
I also see an entry in your log file from Trend Micro (C:\Program Files\Trend Micro\Tmas\Tmas.exe); this might be the cause of some of your problems, perhaps.
good luck  :)
Title: Re: Little help pls.
Post by: stang1127 on October 28, 2005, 06:05:14 AM
Quote
I also see a entry in your log file from Trend micro (C:\Program Files\Trend Micro\Tmas\Tmas.exe)  this might be the cause of some of your problems perhaps.
Isn't that a Trend Micro file? Trend Micro is a spyware program I'm using.

Another interesting thing I just found. I decided to take a look at my hidden files in the C drive; there were a few that I thought looked suspicious, so I did a scan of them with ewido, and about 10 came up as trojans. I scanned the same files with Avast, and 1/2 of them were detected.

Here are the file names:
tb.exe
zdrivers.exe
zxvcc73x.exe
ielower.exe
mmxateam.exe
xe.xe
low.exe

Only zdrivers.exe & zxvcc73x.exe were detected by AVAST.
Title: Re: Little help pls.
Post by: galooma on October 28, 2005, 06:28:51 AM
That looks like a decent payload; I would be tempted to try an online scan at KAV just to be 100% sure you got it all.
good luck  :)
Title: Re: Little help pls.
Post by: FreewheelinFrank on October 28, 2005, 10:53:50 AM
Hi Stang1127,

Could you do a boot time scan with avast! (if you haven't done so already.)


Then could you try Ewido and Trend Micro Sysclean?

Ewido will not conflict with avast! and Sysclean is a stand alone program and does not actually install, so that will be fine too.

Ewido anti-Trojan:

http://www.ewido.net/en/

Install and update before running.

Edit: Oops! see you have Ewido already! Ignore that!

Trend Micro Sysclean:

Quote
For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

Select the one which says: If you are not a Trend Micro customer...

Sysclean definitions (pattern file):

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Then post another HijackThis! log so we can see if you're clean.
Title: Re: Little help pls.
Post by: FreewheelinFrank on October 28, 2005, 11:44:00 AM
Apologies for my previous and rather too hasty posting: an attempt to offer some generic advice before my wife physically dragged me away from the computer for breakfast.

It would be a good idea to do a double check with the Kaspersky scanner as Cloussau suggested. Sysclean is also a good double-check. Run in safe mode if possible.

You appear to have at least some elements of Panda installed alongside Bitdefender. It would be a good idea to get rid of the AV components you don't want. Of course, you could always get rid of both and install avast! ;)

A registry check with TuneUp Utilities would be a good idea here.

Then do a boot time scan with avast! and see what it finds.

Your HijackThis! log shows signs of spyware infection. Have you tried Ad-Aware and Spybot Search & Destroy? These would be a good double check in addition to the TM anti-spyware program you have.

When you have finished, post a fresh HijackThis! log so we can tidy up your system.
Title: Re: Little help pls.
Post by: stang1127 on October 29, 2005, 07:38:18 PM
*****Updated Log*****
Logfile of HijackThis v1.99.1
Scan saved at 10:39:01 AM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\ShellEx.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122006558031
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125723089406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Matt\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - Comodo Research Lab., Inc. - C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Title: Re: Little help pls.
Post by: Spiritsongs on October 29, 2005, 08:01:08 PM
:) I see you have added Spyware Doctor, a very good antispyware program; has it helped with your problems? Since I come from an antispyware "orientation", I would encourage you to seek assistance from the Experts at www.landzdown.com ; this forum is staffed by all the experts who provided advice on the now-defunct Lavasoft Ad-Aware Support forums, which included HijackThis program experts. I noticed in your HijackThis log that your Java Runtime Environment program is "way-out-of-date", and quite a while ago security "alerts" were issued that the version you have should be uninstalled and replaced with the latest version available at www.java.com .
Title: Re: Little help pls.
Post by: FreewheelinFrank on October 29, 2005, 08:09:57 PM
R3 - Default URLSearchHook is missing

Fix here:

http://forum.hijackthis.de/archive/index.php/t-720.html

Run HijackThis! again, tick the box next to these items, press Fix and reboot:

O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone

O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) 

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)   

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I cannot find any information on this item:

O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab

Do you recognise it? Is it something you use? I assume you've run Ad-Aware and Spybot, so it may well be legitimate.

And update Java as Spiritsongs has noticed!
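As an added example (not code from the thread, from Avast or from HijackThis), here is a small Python triage script that applies the reasoning of the post above to HijackThis 1.99.x log lines. It flags a service named after a core Windows binary that lives outside system32 (the "lsass" entry above: the real lsass.exe sits in system32 and is started by winlogon rather than registered as a service), protocols remapped into IE's My Computer Zone, a BHO whose DLL is gone, Run entries without a full path, and ActiveX controls installed from local media. It also downgrades the avast!/BitDefender "(file missing)" entries, which are a known HijackThis 1.99.1 display quirk for quoted service paths followed by arguments rather than genuinely missing files. The heuristics and severity labels are my own; the sample lines are copied from the logs posted in this thread, with one clean NVIDIA service line added for contrast.

```python
"""Triage a HijackThis 1.99.x log for the patterns discussed in this thread.

Added example for this thread; it is not an Avast or HijackThis tool and the
rules are heuristics written here. SAMPLE_LOG is constructed from lines copied
out of the logs posted above, plus a clean NVIDIA service line for contrast.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Core Windows binaries that malware likes to impersonate. Anything carrying one
# of these names must live in %SystemRoot%\system32; the real lsass.exe is also
# started by winlogon, not registered as a service, so an O23 "lsass" entry is
# suspicious on its own.
CORE_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HJT section code, e.g. "O23"
    reason: str
    line: str


def _split_o23(line):
    """Return (path, had_quoted_args, reports_missing) for an O23 service line."""
    tail = line.rsplit(" - ", 1)[-1]
    missing = tail.endswith("(file missing)")
    tail = tail.replace("(file missing)", "").strip()
    # HJT 1.99.1 splits a quoted ImagePath at its closing quote, leaving
    # '...exe" /service' on the line and then reporting the file as missing.
    path, quote, _args = tail.partition('"')
    return path.strip(), bool(quote), missing


def triage_line(line):
    """Classify one HJT log line; return a Finding or None if it looks benign."""
    line = line.strip()
    code = line.split(" - ", 1)[0]
    if code == "O23":
        path, quoted_args, missing = _split_o23(line)
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_NAMES and not SYSTEM32.match(path):
            return Finding("high", code,
                           f"service named like core binary {name} but outside system32", line)
        if missing and quoted_args:
            return Finding("low", code,
                           "likely HJT parse artifact: quoted ImagePath with arguments", line)
        if missing:
            return Finding("medium", code, "service binary not found on disk", line)
    elif code == "O2" and ("(no file)" in line or "(file missing)" in line):
        return Finding("medium", code,
                       "BHO still registered but its DLL is gone (leftover to clean up)", line)
    elif code == "O4":
        m = re.match(r"O4 - .*?\] (.+)$", line)
        if m and ":\\" not in m.group(1) and not m.group(1).startswith('"'):
            # A bare file name is resolved through the search path at logon,
            # so anything that can drop a same-named file earlier in it wins.
            return Finding("low", code, "Run entry without a full path", line)
    elif code == "O15" and "My Computer Zone" in line:
        # My Computer is IE's least restricted zone; remapping http/https/ftp
        # into it disables most browser restrictions on remote content.
        return Finding("high", code, "protocol remapped into IE My Computer Zone", line)
    elif code == "O16" and "file://" in line:
        return Finding("low", code, "ActiveX control installed from a local or removable path", line)
    return None


def triage(log_text):
    """Run triage_line over every line of a log and keep the findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 3}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines copied from the logs in this thread plus one clean line.
SAMPLE_LOG = r"""
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Feed it a full log (for example `triage(open("hijackthis.log").read())`) and read the "high" findings first; the "low" ones are there so the "(file missing)" noise from legitimate AV services does not get fixed away by mistake.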
Title: Re: Little help pls.
Post by: stang1127 on October 29, 2005, 08:43:22 PM
I updated Java, but now IE will not load at all. It just hangs. I tried to uninstall it, and nothing will work. What happened?

**NM, it seems like Comodo blocked something causing the issue... all fixed now... I think.
Title: Re: Little help pls.
Post by: stang1127 on October 29, 2005, 11:08:03 PM
Scan saved at 2:06:46 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\ShellEx.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122006558031
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125723089406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Matt\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - Comodo Research Lab., Inc. - C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


Could not get the fix for that search hook to work; it kept giving me an error about importing binary data.

I highly recommend Spyware Doctor to anyone; it has a lot of different uses & is very handy.  I also am planning to purchase Ewido; it picked up some stuff the other scanners did not...very impressed.  I think I got about all of the crap out of my computer.
Title: Re: Little help pls.
Post by: Eddy on October 29, 2005, 11:32:22 PM
If you fixed everything FreewheelinFrank was saying, you are in trouble.
He told you to fix perfectly normal and harmless services.
Title: Re: Little help pls.
Post by: FreewheelinFrank on October 30, 2005, 08:59:10 AM
Hi stang1127,

I told you to fix the Bitdefender services because I assumed you had removed Bitdefender with a view to installing avast! This is the avast! forum after all. My apologies if you do actually intend to keep Bitdefender.

You can fix the reghook thing by a manual edit of the registry: you just need to re-enter the default value in the location given in the link:

It should look like this:

(http://donaldbroatch.users.btopenworld.com/urlsearchhook.jpg)

!Backing up the registry is advisable before making any changes.
Title: Re: Little help pls.
Post by: stang1127 on October 30, 2005, 05:04:16 PM
So does everything else look good?  What else can I do to make sure I have no more infected files?  Besides re-format...that is.
Title: Re: Little help pls.
Post by: FreewheelinFrank on October 30, 2005, 05:33:56 PM
Hi stang1127,

You can fix this entry:

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Everything looks OK. Have you still got symptoms?

You may want to restore the Bitdefender entries I asked you to delete if you haven't in fact removed the program. (You can do this inside HijackThis! as long as it isn't in a temp directory.) Bitdefender free doesn't have on-access scanning so it works OK alongside avast!

If Bitdefender isn't working, try uninstalling and reinstalling, or reinstalling to repair entries if the program won't uninstall. Apologies again for asking you to delete those entries.

As a final check, you can visit the Kaspersky online scan site, or one of the other online scanners.

http://www.geocities.com/dontsurfinthenude/antivir2.htm
Title: Re: Little help pls.
Post by: Spiritsongs on October 30, 2005, 05:41:15 PM
:) I recommend you uninstall that new-on-the-market "Comodo" firewall and let others be the guinea pigs; you'd be better off using an "established" product, like Zone Alarm, Sygate, Kerio, Outpost, etc. And if your anti-trojan emphasis is on "real-time" protection, meaning you BUY a product, choose A-squared instead of Ewido. A-squared has the better "real-time" protection and Ewido the better scanner.
And the HijackThis experts on anti-spyware forums always advise placing the program in a folder, NOT on the desktop.
Title: Re: Little help pls.
Post by: DavidR on October 30, 2005, 06:20:13 PM
So does everything else look good? What else can I do to make sure I have no more infected files? Besides re-format...that is.
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware.

Also, whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.
Title: Re: Little help pls.
Post by: stang1127 on October 31, 2005, 12:02:37 AM
Quote
You may want to restore the Bitdefender entries I asked you to delete if you haven't in fact removed the program. (You can do this inside HijackThis! as long as it isn't in a temp directory.) Bitdefender free doesn't have on-access scanning so it works OK alongside avast!
I actually wasn't that impressed with it & uninstalled it.

Quote
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware
I installed Opera, but now A2 is recognizing it as a trojan, is this normal?  I downloaded it from their main web page.

Quote
So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
I noticed when I boot into safe mode, there is actually the Administrator account, & then my account.  So I don't think I put myself as the administrator.  Could be wrong though.
Title: Re: Little help pls.
Post by: stang1127 on October 31, 2005, 12:03:38 AM
:) I recommend you uninstall that new-on-the-market "Comodo" firewall and let others be the guinea pigs; you'd be better off using an "established" product, like Zone Alarm, Sygate, Kerio, Outpost, etc. And if your anti-trojan emphasis is on "real-time" protection, meaning you BUY a product, choose A-squared instead of Ewido. A-squared has the better "real-time" protection and Ewido the better scanner.
And the HijackThis experts on anti-spyware forums always advise placing the program in a folder, NOT on the desktop.

Going to take a look @ sygate tonight.
Title: Re: Little help pls.
Post by: DavidR on October 31, 2005, 12:21:32 AM
Quote
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware
I installed Opera, but now A2 is recognizing it as a trojan, is this normal? I downloaded it from their main web page.

Quote
So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
I noticed when I boot into safe mode, there is actually the Administrator account, & then my account. So I don't think I put myself as the administrator. Could be wrong though.

1. You could also check the offending/suspect file (assuming it isn't too big) at Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)

2. Even though it shows the Administrator account and yours, you too are likely to have administrator privileges. Can you install programs? If so, it is likely you have admin privileges. To check, go to Control Panel, User Accounts, and you should be able to see what privileges you have.
Title: Re: Little help pls.
Post by: stang1127 on November 03, 2005, 04:00:39 AM
Anyone have any idea if there is a registry setting in Windows Firewall that may disable it from being used?  I un-installed Comodo in favor of Sygate; but, because of an issue with Panda antivirus, am having problems getting it installed.  So at this point even Microsoft's firewall would be better than nothing.
Title: Re: Little help pls.
Post by: galooma on November 03, 2005, 06:12:32 AM
With regard to Windows Firewall, you can control that in Security Centre.
It should come on by default if there is no other working; however, having said that, Windows didn't recognise Comodo and had its firewall on as well for me.
Title: Re: Little help pls.
Post by: Spiritsongs on November 03, 2005, 06:48:08 PM
:)  Hi :

Your recent post is the 1st mention of "Panda Antivirus" (before, you mentioned having BitDefender); have you recently installed Panda's "Titanium 2006 Antivirus + Antispyware"? As has been mentioned previously, you should have ONLY 1 antivirus product "resident" (providing "real-time" protection) on a computer.
And I found the following on the Sygate forums:
"You need to uninstall both reinstall Sygate. Then reinstall panda titanium 2005 using a 'Custom installation' and when you get to the 'Choose protection types' screen uncheck 'Firewall protection'." This was by their "Super Moderator" "Peter UK".

I have Sygate Personal Firewall 5.6 with Avast and have experienced NO conflicts.
Title: Re: Little help pls.
Post by: Lisandro on November 04, 2005, 03:37:13 AM
Stang, are you buying all these antivirus products?
Please, forget piracy, as antivirus needs to be updated and fine-tuned to work.
Title: Re: Little help pls.
Post by: stang1127 on November 04, 2005, 04:15:31 AM
Avast I had already; yeah, I am slowly prioritizing which ones I am going to buy.  I want to try them for the full 30 days before I commit to buying one or another.  A lot of them are similar; yet, different.

I uninstalled Panda some time ago; there were some registry entries that were screwing up Sygate from installing.  All fixed now.  With my Windows Firewall, I can't even select on or off; it's like it is permanently off.  I can't select the box...nothing.  I'm wondering if maybe the trojan de-activated my firewall through a registry setting.

I like a2, but I like the GUI of Ewido; it seems simpler.  But maximum protection is better than convenience.
Title: Re: Little help pls.
Post by: FreewheelinFrank on November 04, 2005, 07:40:33 PM
Windows firewall is easy for malware to disable. What is worse is that malware can leave a hole in the firewall, so that although it seems to be running, a hacker can connect in through the hole.
Title: Re: Little help pls.
Post by: stang1127 on November 05, 2005, 05:14:16 PM
Windows firewall is easy for malware to disable. What is worse is that malware can leave a hole in the firewall, so that although it seems to be running, a hacker can connect in through the hole.

How can you tell?  How can you fix it?
Title: Re: Little help pls.
Post by: DavidR on November 05, 2005, 05:24:52 PM
That's the problem: you can't tell, and as far as I'm aware you have to find the hacked registry entry to close the hole.
Title: Re: Little help pls.
Post by: FreewheelinFrank on November 05, 2005, 05:30:07 PM
Low down here:

http://www.spywareinfo.com/newsletter/archives/2005/oct27.php#winfirewall
Title: Re: Little help pls.
Post by: stang1127 on November 05, 2005, 07:30:33 PM
Couldn't find an answer on there, maybe this will explain better.

(http://members.cox.net/matt_jacobson/pic.jpg)
Title: Re: Little help pls.
Post by: stang1127 on November 11, 2005, 06:05:39 AM
Anyone?  I have tried searching for this & am unable to find any answers.
Title: Re: Little help pls.
Post by: polonus on November 11, 2005, 08:33:56 AM
Hi FwF,

You say that spyware can alter the registry, so that the user cannot see a hole in the Windows FW, but if you analyze with netstat you must see this suspicious traffic or with a good monitoring software. It is a bit of a dodgy approach to firewalling, don't you think so?

greets,

polonus
Title: Re: Little help pls.
Post by: stang1127 on November 12, 2005, 05:06:36 AM
My picture above shows that my registry was hacked & that my settings for my firewall were altered.  I have checked Microsoft & have been unable to find a solution.

I did the opposite of this person in this article, with no luck.
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21293094.html
Title: Re: Little help pls.
Post by: Spiritsongs on November 12, 2005, 09:23:13 AM
 :) Perhaps it is time to ask the Microsoft Most Valuable
    Professionals on the forums at www.aumha.net for
    help !?
Title: Re: Little help pls.
Post by: DavidR on November 12, 2005, 04:13:58 PM
Your picture only shows that the Windows firewall is off, not how it came to be switched off, or hacked as you say.

There are many reasons why it could be off: if you install another firewall, Windows or the firewall may switch it off by default to avoid conflict. I have also been surprised at the number of times that my computer settings change without my intervention; it could be as a result of a crash or something that loads defaults, and the default for the firewall used to be off.

So there are many potential reasons other than being hacked or malicious switching off of the Windows firewall, which logically doesn't make sense: why draw attention to what you have done by switching it off?

The difficult part would be identifying what caused this and if your registry has been altered to leave ports open. I feel the experience available here may not bring a resolution or identify the cause and as has been mentioned aumha.net is an excellent start point.
Title: Re: Little help pls.
Post by: stang1127 on November 13, 2005, 01:08:29 AM
Quote
So there are many potential reasons other than being hacked or malicious switching off the windows firewall, which logically doesn't make sense, why draw attention to what you have done by switching it off.
It's greyed out. I would like to have it on, but I can't even turn it on if I wanted to.  I used to always have it on; once I got hit with this virus my Microsoft firewall turned off & I had no protection, leading me to install Sygate.  As I pointed out at the beginning of the topic, my automatic updates were turned off as well, & I couldn't even access the update site.

I think you missed part of the point I was trying to make.  I am trying to draw attention to the fact that something altered my freaking firewall settings.
Title: Re: Little help pls.
Post by: FreewheelinFrank on November 13, 2005, 10:22:54 AM
Quote
Quote
Windows firewall is easy for malware to disable. What is worse is that malware can leave a hole in the firewall, so that although it seems to be running, a hacker can connect in through the hole.

How can you tell?  How can you fix it?

Quote
The difficult part would be identifying what caused this and if your registry has been altered to leave ports open.

Following the links in the spywareinfo.com newsletter provides the answers to that:

http://www.pcworld.com/news/article/0,aid,122927,00.asp

http://www.microsoft.com/technet/security/advisory/897663.mspx

Quote
It's greyed out, I would like to have it on, but I can't even turn it on if I wanted to.

Well, now you have told us exactly what the problem is, maybe we can help!

Quote
I feel the experience available here may not bring a resolution or identify the cause...

This is a tricky problem which can be hard to solve, even in other places:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21293094.html

As mentioned in this link, stang1127, you need to check for all registry changes made by the malware you were infected by.

The link above mentions changes made by the spybot worm:

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

You need to look back and identify your infection, find a similar link from Symantec or Sophos and undo the changes.

You may find entries similar to these:

Quote
May modify the values:

"UpdatesDisableNotify" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"AntiVirusOverride" = "1"
"FirewallOverride" = "1"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

to disable Microsoft Security Center.

Quote
May modify the value:

"Start" = "4"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

to disable various services.

Quote
May modify the value:

"EnableFirewall" = "0"

in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile

to disable the Microsoft Windows XP firewall.

As mentioned in the link, check that services required by Windows firewall are enabled and running.

If you do manage to re-enable Windows firewall, apply the Microsoft update (see PCWorld link) to fix any hidden holes.

Windows Firewall still remains less secure than a good free firewall, so you'd be well advised to stick with Sygate, but good luck in the hunt!
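The registry hunt described in the post above, and the "How can you tell?" question about hidden firewall holes a few posts up, can be done against a `reg export` of the relevant keys instead of by clicking through regedit. The script below is an added example, not something posted in this thread or shipped by any of the tools named in it. It parses exported `.reg` text (XP writes exports as UTF-16, so open the file with `encoding="utf-16"`), compares the Security Center, SharedAccess and wscsvc values quoted from the Symantec write-up against the clean defaults of a stand-alone XP SP2 machine (an assumption; a domain-joined or customised PC will differ), flags a policy-set `EnableFirewall`, flags a planted `Services\lsass` key like the O23 line in the HijackThis log above, lists the firewall exception entries straight from the registry so an entry the control panel fails to display is still visible, and writes a `.reg` file that restores the values. The sample export embedded in it is constructed to reproduce the thread's symptoms. One fact worth knowing for the greyed-out buttons: XP treats any value under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall as Group Policy and locks the firewall control panel while that key exists, so removing the planted key is what gives the On/Off controls back.

```python
"""Audit a Windows XP .reg export for the registry changes Spybot-family worms make to
disable Security Center and Windows Firewall, list firewall exceptions straight from
the registry, and build a .reg file that undoes the changes. Added example."""
import re
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FW_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
FW_LOCAL = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

# Clean-state values (assumed: stand-alone XP SP2). Security Center flags default to 0;
# service Start 2 = Automatic, 4 = Disabled. TlntSvr, RemoteRegistry and Messenger are
# left out because their defaults differ between XP editions and service packs.
EXPECTED = {(SECURITY_CENTER, n): 0 for n in (
    "UpdatesDisableNotify", "AntiVirusDisableNotify", "FirewallDisableNotify",
    "AntiVirusOverride", "FirewallOverride")}
EXPECTED[(SERVICES + r"\SharedAccess", "Start")] = 2   # Windows Firewall/ICS service
EXPECTED[(SERVICES + r"\wscsvc", "Start")] = 2         # Security Center service

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """{key: {name: value}} from .reg text; keys lower-cased (registry is case-insensitive)."""
    reg, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)            # dword -> int
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            reg[key][name] = _unescape(data[1:-1])        # quoted string
        else:
            reg[key][name] = data                          # hex(...) etc. kept raw
    return reg

def audit(reg):
    """(key, name, found, expected) for every deviation from the clean state."""
    findings = []
    for (key, name), want in EXPECTED.items():
        got = reg.get(key.lower(), {}).get(name)
        if got is not None and got != want:
            findings.append((key, name, got, want))
    # Nothing legitimate writes firewall policy on a stand-alone PC; the key's presence
    # is also what greys out the Windows Firewall control panel.
    for prof in ("DomainProfile", "StandardProfile"):
        key = FW_POLICY + "\\" + prof
        if reg.get(key.lower(), {}).get("EnableFirewall") == 0:
            findings.append((key, "EnableFirewall", 0, "key should not exist"))
    # XP starts lsass.exe from Winlogon, never as a service: a Services\lsass key
    # (the O23 'file missing' line in the log above) was planted by the worm.
    key = SERVICES + r"\lsass"
    if key.lower() in reg:
        findings.append((key, "ImagePath", reg[key.lower()].get("ImagePath"),
                         "key should not exist"))
    return findings

def firewall_exceptions(reg):
    """(list, name, [target, scope, state, description]) per program/port exception."""
    out = []
    for sub in ("AuthorizedApplications", "GloballyOpenPorts"):
        for name, data in reg.get((FW_LOCAL + "\\" + sub + r"\List").lower(), {}).items():
            out.append((sub, name, str(data).rsplit(":", 3)))   # path may contain ':'
    return out

def repair_reg(findings):
    """.reg text restoring expected dwords and deleting planted keys ([-key] syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _got, want in findings:
        if isinstance(want, int):
            lines += ["[%s]" % key, '"%s"=dword:%08x' % (name, want), ""]
        elif "[-%s]" % key not in lines:
            lines += ["[-%s]" % key, ""]
    return "\n".join(lines)

# Constructed sample export reproducing the thread's symptoms (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
"ImagePath"="C:\\WINDOWS\\lsass.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\lsass.exe"="C:\\WINDOWS\\lsass.exe:*:Enabled:lsass"
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_EXPORT)
    print(audit(reg), firewall_exceptions(reg), repair_reg(audit(reg)), sep="\n")
```

On the affected machine, `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg` (and likewise for the Policies key and the SharedAccess, wscsvc and lsass service keys) produces the input; concatenate the exports and pass the text to `parse_reg`. Import the generated repair file with regedit only after backing up the registry, then restart the SharedAccess and wscsvc services or reboot, and only after the firewall is back on apply the Microsoft update from the PCWorld link for the hidden-exception issue.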
Title: Re: Little help pls.
Post by: FreewheelinFrank on November 13, 2005, 12:47:57 PM
Quote
Well, now you have told us exactly what the problem is, maybe we can help!

Reviewing the thread I can see that you've been telling us what the problem was from the beginning! It might be a case of 'Too many cooks...'

Apologies that you didn't get an answer to your question, but it really is a case of combing the registry looking for changes.

The obvious one to look for would be:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile

Reading the write-ups for malware you have had will give you an idea where to look. Searching for any malware which disables the firewall might also help, as the methods used will probably be similar. A good place to start would be looking for the changes mentioned in the Symantec write-up above.
Title: Re: Little help pls.
Post by: DavidR on November 13, 2005, 12:51:46 PM
Well, my friend Google comes up with lots of hits for 'XP firewall grayed options out': http://www.google.co.uk/search?q=XP+firewall+options+grayed+out The first hit looks promising, as do some others. These however are probably dealing with the system reasons why the options are grayed out, not malicious reasons, but armed with FWF's links and the Google search you should have plenty to get on with. Not to mention the other Windows-based forums and info on aumha.org.
Title: Re: Little help pls.
Post by: FreewheelinFrank on November 13, 2005, 01:15:00 PM
The lsass.exe entry which you had indicates a worm infection. These tools will undo registry changes made by worms which use lsass.exe, and would be worth running.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html

http://www.sophos.com/support/cleaners/mydoogui.com