sl380
1 Nickel

Titan aftermath

Greetings, I recently got hit with the Titanshield spam/virus. It has been cleaned, but XP is running slow, pages not loading, when they do load, often have to use End Task to close them. Plus, the printer is acting funny, not finishing a print. It finishes the print after the computer is rebooted. I reinstalled the drivers for the printer to no avail. Games rooms I used to get into will not load.
What do I do to get it running fast again?
The virus forum folks said you might want the silent runners log. Here it is.
 
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["McAfee Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"FLMOFFICE4DMOUSE" = "C:\Program Files\Browser Mouse\mouse32a.exe" [empty string]
"Lexmark 4200 Series" = ""C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"" ["Lexmark International, Inc."]
"FaxCenterServer4_in_1" = ""C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"_AntiSpyware" = "c:\progra~1\mcafee\MCAFEE~1\masalert.exe" ["McAfee, Inc."]
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"Adware.Srv32" = "C:\WINDOWS\system32\runsrv32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "McBrwHelper Class"
                  \InProcServer32\(Default) = "c:\program files\mcafee.com\mps\mcbrhlpr.dll" ["McAfee, Inc."]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}\(Default) = "McAfee PopupKiller"
 -> {HKLM...CLSID} = "McAfee Privacy Service Popup Blocker"
                  \InProcServer32\(Default) = "c:\program files\mcafee.com\mps\popupkiller.dll" ["McAfee, Inc."]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "McAfee AntiPhishing Filter"
                  \InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
 -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                  \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "DriveLetterAccess"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "Google Toolbar Helper"
                  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "CBrowserHelperObject Object"
                  \InProcServer32\(Default) = "c:\Program Files\GoogleAFE\GoogleAE.dll" ["Google"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
 -> {HKLM...CLSID} = "Display Panning CPL Extension"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
 -> {HKLM...CLSID} = "Portable Media Devices"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
 -> {HKLM...CLSID} = "Portable Media Devices Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
 -> {HKLM...CLSID} = "VersionShellExt Class"
                  \InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
 -> {HKLM...CLSID} = "DriveLetterAccess"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
 -> {HKLM...CLSID} = "Shell Search Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
 -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
                  \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
 -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
                  \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
 -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
                  \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
 -> {HKLM...CLSID} = "YMailShellExt Class"
                  \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
 -> {HKLM...CLSID} = "History Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
 -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                  \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
 -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
 -> {HKLM...CLSID} = "YMailShellExt Class"
                  \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "https://admin.instantservice.com/htmlclient/images/spacer.gif"
"SubscribedURL" = "https://admin.instantservice.com/htmlclient/images/spacer.gif"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Enabled Scheduled Tasks:
------------------------
"McAfee AntiSpyware" -> launches: "c:\progra~1\mcafee\MCAFEE~1\MASCon.exe /SCHEDULEDSCANNOW" ["McAfee, Inc."]
"McAfee.com Scan for Viruses - My Computer (GENTMEYER-Bruce)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\mclsp.dll ["McAfee, Inc."], 01 - 11, 23
%SystemRoot%\system32\mswsock.dll [MS], 12 - 14, 17 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 15 - 16

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
 -> {HKLM...CLSID} = "&Google"
                  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
 -> {HKLM...CLSID} = "McAfee VirusScan"
                  \InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
 -> {HKLM...CLSID} = "&Google"
                  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "&Yahoo! Messenger"
                  \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "&Yahoo! Messenger"
                  \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "Real.com"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
 -> {HKCU...CLSID} = "Java Plug-in"
                  \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
 -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                  \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{39FD89BF-D3F1-45B6-BB56-3582CCF489E1}\
"MenuText" = "McAfee AntiPhishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
 -> {HKLM...CLSID} = "MyCfgDlgCmdTarget Class"
                  \InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
 -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                  \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee AntiSpyware Service, McAfee AntiSpyware Service, ""c:\progra~1\mcafee\mcafee antispyware\massrv.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["McAfee Inc."]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Fax Lexmark 4200 Series Port\Driver = "LXBRPMON.DLL" [null data]
Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
 launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
 took 15 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
 took 9 seconds.
---------- (total run time: 42 seconds)
0 Kudos
5 Replies
jmwills
6 Gallium

Re: Titan aftermath

Wipe it clean and reload the OS.
0 Kudos
sl380
1 Nickel

Re: Titan aftermath

Are you saying wipe the computer completely clean and start from scratch? It cannot be repaired, saving the programs?
0 Kudos
jmwills
6 Gallium

Re: Titan aftermath

Programs are easily enough installed. I'd be more concerned about getting at my data than anything else. We always take the policy that if a virus did not get quarantined, nothing on the system is safe, thereby demanding a clean install. That's one reason why we auto update and scan every morning before work.
0 Kudos
sl380
1 Nickel

Re: Titan aftermath

Ok. I have been trying to do this. I start the computer, when the Dell screen appears, I push and hold cntl, then F11, then release. The Restore screen does not appear.  The computer continues to start normally.
0 Kudos
jmwills
6 Gallium

Re: Titan aftermath

http://support.dell.com/support/topics/global.aspx/support/kb/en/document?dn=1091713
http://www.goodells.net/dellrestore/

The operating system CD maker is no longer shipping on systems invoiced after July 14, 2005.
Your option at point of sale is to purchase the operating system CD for $10. After point of sale, contact Dell and request the CD.
Systems shipped after July 15, 2004 came with Symantec PC Restore. This utility restores the computer to an "as-shipped" condition. If you haven't reformatted, repartitioned, or otherwise modified the master boot record, it should work. Click here for instructions about Symantec PC Restore.

If the Symantec PC Restore utility won't work, but still resides on your computer, a Dell customer has figured out some ways to get it to work again. Note - If you removed this partition, it is not recoverable, cannot be downloaded from the internet, and cannot be shipped from Dell. Click here for ways to fix Symantec PC Restore. Users have also reported that the partition can be restored with Ghost 2003, and Ghost 9 using the '03 capabilities of it. If you boot to the Ghost 9 CD, select Advanced Recovery Tasks, select Utilities, then Restore Legacy Image, it should work - but you want to verify the image before attempting the restore. It's in a folder called IMG.

You need an Operating System Install CD - This answer was provided by Dell-ChrisM

Please use the Dell OS Recovery CD program to create the OS CD.
* Click Start- All Programs- Dell Accessories- Dell OS Recovery CD

What if the "Dell OS Recovery Utility" fails or wasn't installed by Dell?
Email or Chat with Dell. Explain your situation and the Dell representative will issue whatever CDs (Dell Media Experience, Power DVD, Sonic MyDVD, Windows operating system) you might need.

* CHAT with Dell
http://support.dell.com/support/topics/global.aspx/support/en/chat?c=us&cs=19&l=en&s=dhs&~ck=mn

* EMAIL Dell

http://forums.us.dell.com/supportforums/board/message?board.id=sw_mediaexp&message.id=2495
0 Kudos