Not Cool!


30 replies to this topic

#1 binkerbo (Authentic Member, 21 posts)

Posted 27 December 2005 - 08:31 PM

I caught something nasty today. Please tell me what to delete.

David

This is the Hijack this log

Logfile of HijackThis v1.99.0
Scan saved at 6:00:58 AM, on 1/4/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\David\LOCALS~1\Temp\36.tmp.exe
C:\WINDOWS\system32\private.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe
C:\WINDOWS\system32\ntgh.exe
C:\WINDOWS\apphq32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9E51B05C-3A1D-6175-2F9B-368F3DF431A5} - C:\WINDOWS\system32\mfcjv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipqh.exe] C:\WINDOWS\system32\ipqh.exe
O4 - HKLM\..\Run: [36.tmp] C:\DOCUME~1\David\LOCALS~1\Temp\36.tmp.exe
O4 - HKLM\..\Run: [37.tmp] C:\DOCUME~1\David\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\private.exe internat.dll,LoadMouseCarpetProfile
O4 - HKLM\..\Run: [36.tmp.exe] C:\DOCUME~1\David\LOCALS~1\Temp\36.tmp.exe
O4 - HKLM\..\Run: [iepk32.exe] C:\WINDOWS\iepk32.exe
O4 - HKLM\..\Run: [ipjw.exe] C:\WINDOWS\system32\ipjw.exe
O4 - HKLM\..\Run: [37.tmp.exe] C:\DOCUME~1\David\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\RunOnce: [iebv32.exe] C:\WINDOWS\system32\iebv32.exe
O4 - HKLM\..\RunOnce: [ipnp32.exe] C:\WINDOWS\ipnp32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [ntgh.exe] C:\WINDOWS\system32\ntgh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127168490484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B4CB7-FD0B-4CC2-9019-C30DE384818E}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3B4AF51-756A-498C-827A-29BB94DE3FEB}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4CE2456-0ED4-484D-9314-6F92920F9D37}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ntsi.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 02 January 2006 - 09:06 PM

Hello binkerbo, welcome to the TC forum

First of all, I want you to download and install another browser, because for the moment I strongly suggest NOT using Internet Explorer: every time you open it, new malware gets downloaded.
So, I want you to use Firefox instead to browse the web.
When your system is clean again, you can use IE again.
Here you can find Firefox to download: http://www.mozilla.o...oducts/firefox/

°Download AboutBuster.
http://www.malwareby...AboutBuster.zip
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update, and download the updates if present.
Close AboutBuster now; you may not run it yet, that's for later.
If you get an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
http://www.ccleaner.com/
Do not use it yet.

* Download CWShredder. Don't let it run yet!
http://cwshredder.ne.../CWShredder.exe

* Download this regfix: HSfix
http://users.pandora...tools/HSfix.zip
Unzip it and place it on your desktop, don't use it yet!

* Please download the trial version of ewido anti-malware 3.5 here:
http://www.ewido.net/en/download
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

°First, we will make your hidden files and folders visible.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide file extensions for known file types.
* Click Yes to confirm.
* Click OK.

Open Notepad and copy and paste the following text into it:
(do not forget to copy and paste REGEDIT4 into it!)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


Save this as fix.reg, choosing "All Files" as the file type, and place it on your desktop.


*Please reboot your system into SAFE MODE.
°To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Double-click the fix.reg you made before, and when it asks whether you want to add the contents to the registry, click Yes/OK.


*Start hijackthis and click scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R3 - Default URLSearchHook is missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B4CB7-FD0B-4CC2-9019-C30DE384818E}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3B4AF51-756A-498C-827A-29BB94DE3FEB}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4CE2456-0ED4-484D-9314-6F92920F9D37}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ntsi.exe (file missing)


*Close all open windows except hijackthis and click 'Fix Checked'.



*Go to start >run and type: services.msc and click OK
Scroll down in that list until you find the service Remote Procedure Call (RPC) Helper
Please don't select Remote Procedure Call (RPC) Locator and/or Remote Procedure Call (RPC), without the word Helper in it, because those are good ones!
Double-click on it. In the window that appears, click "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.

*Start AboutBuster and let it scan. When the scan is done and you choose Exit, it will automatically create a log in the same folder AboutBuster is in.

*Start Cwshredder and click FIX

* Double-click the HSfix you downloaded earlier, which is on your desktop, and when it asks whether you want to add the contents to the registry, click Yes/OK.

* Still in safe mode Run Ccleaner and click Run Cleaner (bottom right)

* Now open Ewido Security Suite.
* Click on the Scanner, run a full scan, and let it clean everything it finds. Save the logfile from the scan.

Close Ewido

*Go to start>Control Panel>Internet Options>tab programs> and click restore websettings.

* Reboot your PC back to normal.

*Post a new hijackthis-log + log from ewido and log from aboutbuster which you'll find in the aboutbuster-folder

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
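Added here as an example (not part of the forum post, and not HijackThis's own code): a small Python script that applies, mechanically, the kinds of rules the helper applied by eye to the log above. It flags R0/R1 entries whose search or start page points into a res:// DLL resource, O4 autorun entries that launch from a Temp folder, O17 NameServer entries outside an allowlist, and O23 services whose binary is reported missing. The TRUSTED_NAMESERVERS allowlist is an assumption, and SAMPLE_LOG is a constructed excerpt of lines copied from the first log in this thread.

```python
"""Triage a HijackThis log for the kinds of entries the helper flagged in this thread.

Added example; not part of the forum post and not HijackThis's own logic.
Rules are heuristics derived from the items that were checked for fixing:
  R0/R1  - search or start page redirected into a res:// DLL resource
  O4     - Run/RunOnce entry that launches a binary from a Temp folder
  O17    - NameServer not in the resolvers this machine is expected to use
  O23    - service whose binary is reported as "(file missing)"
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist (assumption): the resolvers this machine should use.
# The O17 lines in the thread point at 85.255.x.x, which is not among them.
TRUSTED_NAMESERVERS = {"192.168.1.1", "8.8.8.8"}

# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kmkfi.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [36.tmp] C:\DOCUME~1\David\LOCALS~1\Temp\36.tmp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\ntsi.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O17"
    reason: str    # why the entry is suspicious
    line: str      # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the heuristics, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None          # process list, header, blank line, etc.
    section, body = m.groups()

    if section in ("R0", "R1") and "res://" in body:
        return Finding(section, "search/start page redirected into a DLL resource", line)

    if section == "O4":
        # Body looks like: HKLM\..\Run: [name] C:\path\to\file.exe
        path = body.split("] ", 1)[1] if "] " in body else ""
        if TEMP_DIR_RE.search(path):
            return Finding(section, "autorun entry launches from a Temp folder", line)

    if section == "O17":
        ns = NAMESERVER_RE.search(body)
        if ns:
            rogue = set(ns.group(1).split(",")) - TRUSTED_NAMESERVERS
            if rogue:
                return Finding(section, "DNS resolver(s) outside allowlist: " + ", ".join(sorted(rogue)), line)

    if section == "O23" and "(file missing)" in body:
        return Finding(section, "service registered for a binary that no longer exists", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run every line of a log through triage_line and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports four entries: the res:// search bar, the 36.tmp.exe autorun, the 85.255.x.x resolvers, and the RPC Helper service with a missing binary. Note what it does not catch: the R1 Default_Page_URL = about:blank line was in the helper's fix list but matches no rule here, and the randomly named binaries under system32 are only caught if they are launched from Temp. A script like this narrows the log down for a reviewer; it does not replace one.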

 


#3 binkerbo (Authentic Member, 21 posts)

Posted 03 January 2006 - 04:27 PM

LDTate, Thanks for the help. I have done most of the downloading and I have come up with two questions to ask before continuing.

1) I do not see an option to update AboutBuster. Are the updates back on the website?

2) I already have CW Shredder. Is my copy safe to use or should I download again?

Thanks again, David

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 January 2006 - 04:57 PM

LDTate,

Thanks for the help. I have done most of the downloading and I have come up with two questions to ask before continuing.

1) I do not see an option to update AboutBuster. Are the updates back on the website?

2) I already have CW Shredder. Is my copy safe to use or should I download again?

Thanks again,

David

1. Sorry, AboutBuster 6.0 is the latest. No updates needed.
2. Check for updates to your version of CW Shredder


#5 binkerbo (Authentic Member, 21 posts)

Posted 03 January 2006 - 07:10 PM

Ok here are the logs from the scanning programs.

Logfile of HijackThis v1.99.0
Scan saved at 1:43:25 AM, on 1/6/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mfcrz32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntgh.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05C150CD-544C-36B1-CA46-2353C69AE959} - C:\WINDOWS\ieku32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {33A5FEE4-3FF6-7B7B-0CE7-B124D5388FCA} - C:\WINDOWS\system32\addza.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [37.tmp.exe] C:\DOCUME~1\David\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\Run: [mfcrz32.exe] C:\WINDOWS\system32\mfcrz32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127168490484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B4CB7-FD0B-4CC2-9019-C30DE384818E}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3B4AF51-756A-498C-827A-29BB94DE3FEB}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4CE2456-0ED4-484D-9314-6F92920F9D37}: NameServer = 85.255.115.20,85.255.112.133
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\ntgh.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
-------------------------------------------------------------------------------------------------------------------------------
AboutBuster 6.0
Scan started on [1/3/2006] at [5:59:56 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
Removed File! : C:\WINDOWS\system32\gkztu.dat
Removed File! : C:\WINDOWS\system32\gofi.dll
Removed File! : C:\WINDOWS\system32\ievv32.exe
Removed File! : C:\WINDOWS\system32\ipan32.exe
Removed File! : C:\WINDOWS\system32\iplc.exe
Removed File! : C:\WINDOWS\system32\ipmt32.exe
Removed File! : C:\WINDOWS\system32\kyqwz.txt
Removed File! : C:\WINDOWS\system32\lnzdx.dat
Removed File! : C:\WINDOWS\system32\mfcsl32.exe
Removed File! : C:\WINDOWS\system32\mshz.exe
Removed File! : C:\WINDOWS\system32\ntbo32.dll
Removed File! : C:\WINDOWS\system32\ntdq32.exe
Removed File! : C:\WINDOWS\system32\ntgh.exe
Removed File! : C:\WINDOWS\system32\sdkcv32.exe
Removed File! : C:\WINDOWS\system32\sdkmr.exe
Removed File! : C:\WINDOWS\system32\sdkpg32.exe
Removed File! : C:\WINDOWS\system32\stlsl.log
Removed File! : C:\WINDOWS\system32\syscm.exe
Removed File! : C:\WINDOWS\system32\sysre32.exe
Removed File! : C:\WINDOWS\system32\syssh.exe
Removed File! : C:\WINDOWS\system32\uogch.log
Removed File! : C:\WINDOWS\system32\vzbgv.txt
Removed File! : C:\WINDOWS\system32\ybxem.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:04:16 PM
-----------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:54:57 PM, 1/3/2006
+ Report-Checksum: 8FF04430

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{44CE9131-E13C-D36A-083A-FAFF61E866CA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9C149FC6-86A5-C649-4760-9E20AC138BED} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1417001333-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1417001333-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1417001333-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-1417001333-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\79EE1942-94B4-4ADA-BA13-22D74F\27122EFD-3AE6-4202-ABF6-0BAA54 -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\79EE1942-94B4-4ADA-BA13-22D74F\96571BF0-955E-437C-B6A6-94CCA1 -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\79EE1942-94B4-4ADA-BA13-22D74F\99243BB5-E955-4D9E-AFC8-97F679 -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\79EE1942-94B4-4ADA-BA13-22D74F\D1D43732-E75B-40F7-A9B1-2EDA44 -> Spyware.SpywareNo : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F9FA7C7D-B68A-4FBF-8C47-A1FE22\8A46BDB3-1645-405E-BA0A-485474 -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\s.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\srpcsrv32.dll -> Downloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\txfdb32.dll -> Downloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\voi602.exe -> Dropper.Agent.ii : Cleaned with backup
C:\winstall.exe -> Hijacker.Spywad.n : Cleaned with backup


::Report End
-----------------------------------------------------------------------------------------------------------------------------
I must have done something wrong when saving the new HijackThis scan. That looks like the scan I posted originally, not the scan that I fixed using your instructions. I remember I had already removed all the O17 items myself several days ago. I hope that doesn't mess me up too much.

Please let me know what to do next,

David

#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 January 2006 - 07:24 PM

I suggest you do this:


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


*Go to start >run and type: services.msc and click OK
Scroll down in that list until you find the service Network Security Service Helper
Please don't select Network Security Service and/or (NSS), without the word Helper in it, because those are good ones!
Double-click on it. In the window that appears, click "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.




Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {05C150CD-544C-36B1-CA46-2353C69AE959} - C:\WINDOWS\ieku32.dll

O2 - BHO: Class - {33A5FEE4-3FF6-7B7B-0CE7-B124D5388FCA} - C:\WINDOWS\system32\addza.dll

O4 - HKLM\..\Run: [37.tmp.exe] C:\DOCUME~1\David\LOCALS~1\Temp\37.tmp.exe

O4 - HKLM\..\Run: [mfcrz32.exe] C:\WINDOWS\system32\mfcrz32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133

O17 - HKLM\System\CCS\Services\Tcpip\..\{C16B4CB7-FD0B-4CC2-9019-C30DE384818E}: NameServer = 85.255.115.20,85.255.112.133

O17 - HKLM\System\CCS\Services\Tcpip\..\{C3B4AF51-756A-498C-827A-29BB94DE3FEB}: NameServer = 85.255.115.20,85.255.112.133

O17 - HKLM\System\CCS\Services\Tcpip\..\{F4CE2456-0ED4-484D-9314-6F92920F9D37}: NameServer = 85.255.115.20,85.255.112.133

O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\ntgh.exe


Close ALL windows and browsers except HijackThis and click "Fix checked"

Restart in Safe Mode:
Restart your computer.
Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Delete these files if listed:
C:\WINDOWS\system32\ntgh.exe
C:\WINDOWS\ieku32.dll
C:\WINDOWS\system32\addza.dll
C:\WINDOWS\system32\mfcrz32.exe

Open C:\Windows\Prefetch\ Delete ALL files in this folder.

Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

I just noticed your HJT is outdated and your PC's clock is 2 years off.

Logfile of HijackThis v1.99.0
Scan saved at 1:43:25 AM, on 1/6/2002



You need to update your version of HijackThis. Open HJT> Open Misc Tools> Pull the side bar down> Check for update online. Download the updates.

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

Edited by LDTate, 03 January 2006 - 08:24 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


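The fix list above is the kind of pattern a helper reads off a HijackThis log by eye: a search page served out of a DLL dropped into the Windows directory, nameless BHOs outside Program Files, an autostart launched from a Temp folder, and five O17 entries pointing every network interface at the same pair of unexpected resolvers. The script below is an added example (not HijackThis code and not part of LDTate's post) that parses those line shapes and applies the same heuristics programmatically; the `EXPECTED_DNS` allow-list is a constructed assumption, and `SAMPLE_LOG` is built from lines quoted in this thread.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not something the
helper posted.  It parses the R0/R3/O2/O4/O17/O23 line shapes that appear in
the log above into records and applies a few defender-side heuristics:
  * O17   NameServer entries that point at resolvers outside an allow-list,
  * O4    autostart entries that launch from a Temp directory,
  * R0    search/start pages served from a local res:// DLL resource,
  * O2    browser helper DLLs that do not live under Program Files,
  * O23   services whose owner HijackThis could not identify.
EXPECTED_DNS is an assumption for the example; SAMPLE_LOG is constructed from
lines posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list: the resolvers this machine is supposed to use.
EXPECTED_DNS = {"192.168.1.1", "192.168.1.2"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
TEMP_RE = re.compile(r"\\(?:temp|locals~1\\temp)\\", re.IGNORECASE)
PROGFILES_RE = re.compile(r"program files", re.IGNORECASE)
UNKNOWN_OWNER_RE = re.compile(r" - Unknown(?: owner)? - ")


@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. "O17"
    body: str            # everything after "O17 - "
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an 'Oxx - ...' / 'Rx - ...' line, else None."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group("kind"), m.group("body")) if m else None


def check(entry):
    """Attach heuristic findings to the entry and return it."""
    if entry.kind == "O17":
        m = NS_RE.search(entry.body)
        if m:
            rogue = [s for s in m.group("servers").split(",") if s not in EXPECTED_DNS]
            if rogue:
                entry.flags.append("unexpected DNS server(s): " + ", ".join(rogue))
    elif entry.kind == "O4" and TEMP_RE.search(entry.body):
        entry.flags.append("autostart launches from a Temp directory")
    elif entry.kind == "R0" and "res://" in entry.body:
        entry.flags.append("search/start page served from a local DLL resource")
    elif entry.kind == "O2" and not PROGFILES_RE.search(entry.body):
        entry.flags.append("BHO DLL outside Program Files")
    elif entry.kind == "O23" and UNKNOWN_OWNER_RE.search(entry.body):
        entry.flags.append("service owner not identified; verify the binary")
    return entry


def triage(lines):
    """Parse every line and return only the entries that raised a flag."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and check(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the two logs in this thread.
SAMPLE_LOG = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\chjoj.dll/sp.html#77035%resultposition.net",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Class - {05C150CD-544C-36B1-CA46-2353C69AE959} - C:\WINDOWS\ieku32.dll",
    r"O2 - BHO: Class - {33A5FEE4-3FF6-7B7B-0CE7-B124D5388FCA} - C:\WINDOWS\system32\addza.dll",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [37.tmp.exe] C:\DOCUME~1\David\LOCALS~1\Temp\37.tmp.exe",
    r"O4 - HKLM\..\Run: [mfcrz32.exe] C:\WINDOWS\system32\mfcrz32.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAB5E40-A45A-47E2-98AD-DFCE83BC7B03}: NameServer = 85.255.115.20,85.255.112.133",
    r"O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\ntgh.exe",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind}: {e.body}")
        for f in e.flags:
            print("    ->", f)
```

The heuristics are deliberately narrow: `mfcrz32.exe` in system32 passes the O4 check, and a legitimate driver service with no vendor string trips the O23 one, so the output is a review queue rather than a verdict. The O17 rule is the strongest signal here because the same two resolvers appear on every interface GUID, including the CS1 control set used by the previous boot configuration.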
#7 binkerbo (Authentic Member, 21 posts)

Posted 03 January 2006 - 09:34 PM

Most of the items you asked me to look for this time were not present. There were a few files in various Temp folders and quite a few in the Prefetch folder. I was not able to update HijackThis in the Safe Mode because there was no internet connection so I rebooted in the normal mode, updated and scanned.

The computer generally works fairly well albeit a little sluggishly. The biggest problems are the constantly hijacked browser and the fact that my desktop image (a photo) has been replaced by a white screen which shows all my program icons but acts more like an open web page. The Display section in Control Panel at one point showed an IE symbol labeled as desktop as my chosen desktop image. That symbol was removed in one of the many scans I ran before coming to this forum but the white desktop still remains.




Logfile of HijackThis v1.99.1
Scan saved at 9:17:04 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127168490484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


once again, thanks for all the help.

David

#8 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 January 2006 - 09:38 PM

The biggest problems are the constantly hijacked browser

Are you still getting this?


Please copy the contents of the following quote box into Notepad: Don't forget to add the REGEDIT4

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-

Save it to your desktop as fixme.reg

Then, locate fixme.reg on your desktop and <double-click> it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully"

Reboot.

Can you access/change the desktop now?
:unsure:


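Every line of the fixme.reg above ends in `=-`, which in Registry Editor export syntax deletes the named value rather than setting it; the keys are the user's Desktop settings and three HKCU Policies keys, which is where desktop lockdown restrictions live. The parser below is an added example (not LDTate's fix and not a Microsoft tool) that turns a .reg file into a list of operations so the effect can be reviewed before merging. It also handles `[-Key]`, string and `dword:` values, which the thread's file does not use; `FIXME_REG` is the file posted above, embedded as sample input.

```python
"""What a .reg file does before you merge it.

Added example for this thread (not the helper's fix and not a Microsoft tool):
a small parser for Registry Editor export files that turns each line into an
operation, so a fix file can be reviewed before double-clicking it.
Syntax handled (the thread's file uses only the first three):
  REGEDIT4 / Windows Registry Editor Version 5.00   required header
  [Key]            select a key (created on merge if absent)
  "Name"=-         delete the value Name under the current key
  [-Key]           delete the whole key
  "Name"="text"    set a REG_SZ value
  "Name"=dword:1a  set a REG_DWORD value (hex)
FIXME_REG is the file posted in the thread, embedded as sample input.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg(text):
    """Return a list of (op, key, name, data) tuples describing the merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                ops.append(("delete_key", name[1:], None, None))
                key = None                # no current key after a deletion
            else:
                key = name
                ops.append(("ensure_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name, val = m.group("name"), m.group("val")
        if val == "-":
            ops.append(("delete_value", key, name, None))
        elif val.startswith("dword:"):
            ops.append(("set_dword", key, name, int(val[len("dword:"):], 16)))
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            ops.append(("set_string", key, name, val[1:-1]))
        else:
            raise ValueError(f"unsupported value syntax: {raw!r}")
    return ops


def deleted_values(ops):
    """Map each key to the value names the merge would remove from it."""
    out = {}
    for op, key, name, _ in ops:
        if op == "delete_value":
            out.setdefault(key, []).append(name)
    return out


# Sample input: the fixme.reg posted in the thread.
FIXME_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"""

if __name__ == "__main__":
    for key, names in deleted_values(parse_reg(FIXME_REG)).items():
        print(key)
        for n in names:
            print("    delete value:", n)
```

Run against the thread's file it reports twelve value deletions across four keys and no key deletions or new data, which is what "remove the restrictions and let the user pick a wallpaper again" should look like. The header check matters in practice too: Regedit refuses a file without it, which is why the post says not to forget the REGEDIT4 line.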
#9 binkerbo (Authentic Member, 21 posts)

Posted 04 January 2006 - 05:34 PM

At present, my browser appears to have returned to normal. The desktop, however, remains blank even after the latest fix. In the Display control it shows my photo as the desktop image but I only see it momentarily when the computer is shutting down or rebooting. Thanks, David

#10 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 04 January 2006 - 05:56 PM

Can you Right Click on the desktop> select Properties> Desktop> and change the background? Can you use the Browse and find the picture you want?



#11 binkerbo (Authentic Member, 21 posts)

Posted 04 January 2006 - 06:06 PM

My current desktop (blank screen) seems to be an open webpage. The properties page lists the URL as file://C:\WINDOWS\Web\desktop.html. Is that something I could find in My Computer and try to delete, or would that be too easy? David

#12 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 04 January 2006 - 06:07 PM

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.


#13 binkerbo (Authentic Member, 21 posts)

Posted 04 January 2006 - 06:18 PM

That seems to have done it! I was able to apply my photo to the desktop. How did the rest of the last HJT log look? David

#14 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 04 January 2006 - 06:20 PM

We're not finished yet.


Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



I recommend you download RegSeeker. Extract it to its own folder, open and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot when done.


#15 binkerbo (Authentic Member, 21 posts)

Posted 04 January 2006 - 06:25 PM

I'm getting a message that the Task manager has been disabled by the Administrator.
