Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected by Zotob, cleaned now cannot run Windows Update

  • Please log in to reply
1 reply to this topic

#1 swen1984


  • Members
  • 1 posts
  • Local time:10:35 PM

Posted 14 September 2005 - 06:54 PM

Thanks in advance:

I was infected with Zotob virus that was cleaned by using McAfee VirusScan. Now on rescan, no virus, however when I try to use Windows Update the program does not run while online via the network. Instead it acts as though there is not an internet connection and the Dial-up Networking Dialog box opens up. If I use dial-up networking to connect via a modem, Windows Update will run successfully and update the OS.

Other data of interest.

Immediately prior to recognizing this behavior, I had downloaded Speechi, an add in to PowerPoint that records audio. At the time of installing Speechi, a message box came up telling me that I had installed old versions of Windows files and to reinstall current files to keep the system stable. The CD requested was Win 2K SP4. I don't have an SP4 CD, so I tried to download a network installation SP4 file on CD and inserted it into the drive, but this did not allow me to fix the problem.

I have up to date Virus definition files and scan is negative

I'm using Internet Explorer Version 6.0.2800.1186IS although my usual browser is Firefox.
Windows 2000 Professional

Thanks in advance.

Ron Swensen

HijakThis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:33 PM, on 9/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ZipGenius 6\zipgenius.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Automachron.lnk = C:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.washington.edu/uwin/
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - http://uwradweb.medical.washington.edu/ami...iconference.cab
O16 - DPF: {2A421AA6-9EC4-422B-BBBB-4FBDF23D9B81} (AMI Pictorial Control WV 6.0 (SPA2)) - http://uwradweb.medical.washington.edu/ami...l/amiviewer.cab
O16 - DPF: {323E2CC5-F545-11D5-B84D-00B0D0F623B1} (LoginPageControl Control) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://support.mcis.washington.edu/downloa...lient/msrdp.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSSQL$MICROSOFTBCM - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SQLAgent$MICROSOFTBCM - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe

Mod Edit - Topic moved to appropriate forum - Leurgy

Edited by Leurgy, 14 September 2005 - 08:28 PM.

BC AdBot (Login to Remove)


#2 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:11:35 PM

Posted 19 September 2005 - 06:34 PM

Hello swen1984 and welcome to the BC HijackThis forum. After reviewing the HijackThis log I do not see any signs of viruses or malware at this time. The log is clean.

If the problem started after installing older versions of key system components then that is mor than likely where the problem is. By downloading SP4 it must be installed, the system will not pick up the files simply by putting the CD into the CD drive. However, by bringing the system back up to date I cannot say if the software that was installed that broke it will work. It will simply have to be tested to see and if not then a decision will need to be made what is more important.

Since this is not a malware issue I would suggest working with the people in the Windows 2k forum to see if the system can be brought back to proper working order.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users