Status
Not open for further replies.

Can't load Update page or virus software pages - Log Attached

2K views 8 replies 2 participants last post by  Rollin' Rog 
#1 ·
Hello,

I detected and removed AGOBOT.GEN from my computer (I think - it's no longer detected.) I still cannot load any pages for virus scanners (I cannot load anything from Symantec - it gets redirected. And cannot download PC-Cillin.) Also, Windows update will not work. These pages are kept from loading. Is there somewhere I should look for the reason for this? I did manage to download ViRobot and it does not find a virus anymore.

Any suggestions? Here's my log:

Logfile of HijackThis v1.98.0
Scan saved at 11:13:57 PM, on 8/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\ViRobotXP\vrproxyc.exe
C:\Program Files\ViRobotXP\vrproxyd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\lauriew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Guard-IE - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Guard-IE - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\ViRobotXP\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\ViRobotXP\vrproxyd.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: ImageFox.lnk = C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken2004\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehosts.net/netagent/objects/custappx3.CAB
O16 - DPF: {2169FE0E-9961-497A-86AE-10AC9209FB08} (SSDLctl.SSDL) - http://download.soapcity.com/sc/ssdl.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/downloaders/hwspades.cab
O16 - DPF: {5C8D0494-02F2-40E9-8EBF-07FED5919629} - https://www.goodcontacts.com/install/Reunion/Reunion.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BC853C-6C2D-48C8-8A24-503BE3ED15EA}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BC853C-6C2D-48C8-8A24-503BE3ED15EA}: NameServer = 171.64.7.55,171.64.7.77,171.64.7.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F15F672-75C0-4B6C-8AD3-B492425F9105}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F15F672-75C0-4B6C-8AD3-B492425F9105}: NameServer = 171.64.7.55,171.64.7.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC7F2E5C-1726-4A42-8809-E83C2CAFD4E2}: NameServer = 171.64.7.55,171.64.7.77,171.64.7.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30635C1-BD01-458A-8C2C-5D6E127F4952}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30635C1-BD01-458A-8C2C-5D6E127F4952}: NameServer = 171.64.7.55,171.64.7.77
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
 
#2 ·
Do a search for the "hosts" file, in Win2K I believe you should find it here:

c:\winnt\system32\drivers\etc\hosts

Open it in Notepad, if it has any associations listed under:

127.0.0.1 localhost

either delete them all or just rename the entire file "ghosts", it is not required. These associations can be used maliciously to redirect you from appropriate IPs right back to your own "local host".

Trend analysis of Agobot.gen:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GEN
 
#3 ·
Every time I delete these, they just come back, then my CPU goes to 100%. I have renamed the file "ghosts", I will see what happens. These are what I delete:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
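
The hosts-file redirection discussed in the two posts above can be checked mechanically. The following is an added example, not part of the original thread: a small auditor that parses hosts-file text and reports names pinned to the local machine. The watchlist, the severity labels and the sample file are assumptions constructed for illustration, and the check goes slightly beyond the thread by also treating `0.0.0.0` and any override of a watchlisted name as findings.

```python
"""Audit hosts-file text for names redirected to the local machine."""
import ipaddress

# Assumption: watchlist built from a few of the vendor domains quoted in the
# post above; extend it with the update and vendor hosts you depend on.
WATCHLIST = ("symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
             "sophos.com", "trendmicro.com", "kaspersky.com", "f-secure.com")

# Names that are expected to map to loopback.
BENIGN = {"localhost", "localhost.localdomain"}

# Constructed sample in the shape of the entries quoted above.
SAMPLE = """\
# constructed sample, not the poster's file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com   # trailing comment
127.0.0.1 download.mcafee.com dispatch.mcafee.com
0.0.0.0 ads.example.net
192.0.2.10 intranet.example.org
not-an-ip www.sophos.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one line may carry aliases
            yield line_no, ip, name.lower().rstrip(".")


def on_watchlist(name):
    """True for a watchlisted domain or any subdomain of it (not a lookalike)."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit(text):
    """Return findings: watchlisted names overridden at all, others sinkholed."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN:
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        if on_watchlist(name):
            severity = "high"       # security/update host should not be overridden
        elif sinkholed:
            severity = "review"     # may be a deliberate blocklist entry
        else:
            continue
        findings.append({"line": line_no, "host": name,
                         "ip": str(ip), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:6} line {f['line']}: {f['host']} -> {f['ip']}")
```

Running the audit again after cleaning the file shows whether the entries have been written back, which is the symptom described in the post above.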
 
#5 ·
Let's have a look using a later version of HijackThis:

http://www.net-integration.net/tools/hijackthis.html

Are you getting a "dns" or "page cannot be displayed" error trying to connect to Windows update?

And is the "hosts" file not being recreated?

Also can you shed some light on what has installed this protocol?

O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll

does it have anything to do with "g7ps.com"?
 
#6 ·
First of all, thanks for helping. You will find the latest HijackThis log below as well as my StartUp log. I understand that "svchost.exe" is bad? I don't know how to get rid of it.

When I click on Windows Update, I get: "Windows Update has encountered an error and cannot display the requested page."

The "hosts" file is not being recreated. It has remained "ghosts."

I think the g7ps is something put there by VersaCheck, which is a check writing application. Looks like it is related to g7ps.com. I don't use it and may as well remove it.

Here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:44:36 PM, on 8/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Guard-IE - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Guard-IE - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: ImageFox.lnk = C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken2004\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehosts.net/netagent/objects/custappx3.CAB
O16 - DPF: {2169FE0E-9961-497A-86AE-10AC9209FB08} (SSDLctl.SSDL) - http://download.soapcity.com/sc/ssdl.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/downloaders/hwspades.cab
O16 - DPF: {5C8D0494-02F2-40E9-8EBF-07FED5919629} - https://www.goodcontacts.com/install/Reunion/Reunion.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BC853C-6C2D-48C8-8A24-503BE3ED15EA}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BC853C-6C2D-48C8-8A24-503BE3ED15EA}: NameServer = 171.64.7.55,171.64.7.77,171.64.7.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F15F672-75C0-4B6C-8AD3-B492425F9105}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F15F672-75C0-4B6C-8AD3-B492425F9105}: NameServer = 171.64.7.55,171.64.7.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC7F2E5C-1726-4A42-8809-E83C2CAFD4E2}: NameServer = 171.64.7.55,171.64.7.77,171.64.7.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30635C1-BD01-458A-8C2C-5D6E127F4952}: Domain = stanford.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30635C1-BD01-458A-8C2C-5D6E127F4952}: NameServer = 171.64.7.55,171.64.7.77
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll

HERE'S THE STARTUP LOG:

StartupList report, 8/17/2004, 9:41:50 PM
StartupList version: 1.52
Started from : D:\Download\startup list\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Download\startup list\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
ImageFox.lnk = C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken2004\bagent.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AtiPTA = Atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
Logitech Utility = Logi_MwX.Exe
Synchronization Manager = mobsync.exe /logon
pccguide.exe = "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
PCClient.exe = "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
TM Outbreak Agent = "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINNT\System32\DONTTO~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Guard-IE - C:\Program Files\Failsafe\GuardIE\PnIE.dll - {D2F719F3-106A-402B-9996-3A5B12ACA564}

--------------------------------------------------

Enumerating Download Program Files:

[Creative Software AutoUpdate]
InProcServer32 = C:\WINNT\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://www.creative.com/su/ocx/12119/CTSUEng.cab

[eAssist NetAgent Customer ActiveX Control version 3]
InProcServer32 = C:\WINNT\Downloaded Program Files\custappx3.dll
CODEBASE = https://quicken.ehosts.net/netagent/objects/custappx3.CAB

[SSDLctl.SSDL]
InProcServer32 = C:\WINNT\Downloaded Program Files\SSDL1.ocx
CODEBASE = http://download.soapcity.com/sc/ssdl.cab

[{29B2C103-AB53-4971-B765-FC1CE5D8B2D1}]
CODEBASE = http://www.silvercrk.com/downloaders/hwspades.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[{5C8D0494-02F2-40E9-8EBF-07FED5919629}]
CODEBASE = https://www.goodcontacts.com/install/Reunion/Reunion.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.7976041667

[{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[EPSImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINNT\DOWNLO~1\CTPID.ocx
CODEBASE = http://www.creative.com/su/ocx/12119/CTPID.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,271 bytes
Report generated in 0.160 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
#7 ·
There is nothing in the Scanlog or Startuplist to explain the Windows update error.

However Microsoft has offered a list of checks and possible workarounds:

http://support.microsoft.com/?kbid=836985

Is it possible that the recently installed antivirus program might be conflicting? Try disabling or removing that. Also try adding the Windows Update site to the "trusted" zone as suggested.

... and svchost.exe is a required file as long as it is in the system32 directory.
 
#8 ·
Thanks so much. I didn't know if I needed a "hosts" file so I created one. It remains untarnished as of now. Also, let me clarify the Windows Update thing. The page does actually load, but when it starts to scan my computer it isn't able to and posts the message:

"Windows Update Error

Windows Update has encountered an error and cannot display the requested page.

Select from any of the following pages for information about Windows Update services, or send us your feedback.

Windows Update Home Page
About Windows Update
Support Information

You can also get online support if you are having problems with Windows Update.

Send error number to Microsoft 0x8007007E)
Note This sends error information but does not create a support incident; you may or may not receive a response."

I tried all the above suggestions, but it is not working yet. I supposed the Windows Update function has been damaged by the virus and I'm not sure how to re-create it.
 
#9 ·
Have you rebooted after performing all of the above attempts to correct the problem?

I'm not much of a Winup troubleshooter (do ensure that ALL antivirus and firewall applications are disabled when having problems), but go through the drill on this page as well...

http://support.microsoft.com/?kbid=193385

There is also a "request for support" option there as well. From what I've seen in the past they are pretty helpful -- that is if they are still at it.
 