Can't see the wallpaper that I know is there [RESOLVED], legacy of (mostly) removed hijacking/malware

Post #1 - Dec 26 2005, 09:57 AM
Member, Posts: 23, OS: XP
Norton AV wasn't running the other day (for whatever reason) and I got hit with the SpySheriff & co. hijack. Pop ups and all the rest. I did the following:
-Ran spybot and removed the bad stuff. (It wouldn't update 1st.)
-Ran Ad aware after updating and removed more bad stuff.
-Downloaded Spy Sweeper, updated, removed bad stuff, and have it running. I like it so I registered it.
-Uninstalled and re-installed Norton, updated it, ran full system scan, cleaned viruses, etc. It's running fine now.
-Downloaded Ewido, updated, and removed bad stuff.
-Downloaded Security Task Manager and used it to find/confirm some more bad stuff and removed it. It's a great program for someone like me who's a mere novice with computers. It combines the related functions of the task manager, msconfig, and even google all in one place. One window instead of 3.
-Downloaded HJT

Between some of these I also manually deleted or changed the names of some files I'm 99% certain are nasty. I was able to spot many of them from the date stamps on them matching the time of attack and from google hits and stuff. I rebooted all along the way to ensure each step was ok.

The good news is that the hijack is gone and I haven't seen a pop up for about 6 hours of use with several reboots. Bad news is a few features within IE may not be working (some gifs on yahoo don't show.) What really is frustrating me is that the desktop will not allow me to see the wallpaper I know is there. When I shutdown, I see the correct wallpaper on the screen for only a flash. The current desktop allows me to choose any color I want and it works. The problem is that Display Properties / Desktop tab has the "background" phrase grayed out. The list of background files (to choose from) is visible but I can't click on them and cannot click on the scroll bar for them. The desktop was hijacked with a blue background and a bogus banner in the middle of it during the attack.

All that is gone but I can't see the wallpaper file behind the solid color background I am limited to at the moment. Below is the HJT log. Many of the "file missings" are because I deleted or renamed them during the learning I've gone thru on this whole registry/running task thing. ("support.com" folder was renamed a while ago when I noticed the program was "backing up" much web activity as a favor to me by comcast.) Almost everything I know about PCs is because of problems over the years. This has been another traumatic experience with important lessons learned. I know I need to do some more cleaning and I greatly appreciate the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:14 AM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {8F4CAE8C-641C-13EC-3CC7-15F3BC346FC1} - C:\WINNT\system32\oiio.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: fldrsys - {3ED1F82B-7BE5-4662-B87F-E566F0FDD7DE} - fldrsys.dll (file missing)
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - C:\Program Files\Aardvark\aardvark.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj5600 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj5600.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINNT\wanmpsvc.exe (file missing)

Post #2 - Dec 29 2005, 12:23 PM
Visiting Staff, Posts: 734, From: Newcastle, UK, OS: XP Home SP2
Hi and welcome to Geeks to Go

Apologies for the delay in responding to you. The forums are very busy and so are all the helpers, especially over the holiday period.

If you still require assistance, please reply to this topic with a fresh HijackThis log, as if you have any infections they will have most probably changed by now.

If you do not require further assistance, please reply so I can close this topic.

Thanks

Post #3 - Dec 29 2005, 06:16 PM
Member, Posts: 23, OS: XP
Thanx for replying. I've done a little cleaning in the interim but only on stuff that was clearly appropriate to "check and fix." Current related problems:
-can't see wallpaper except for a flash during boot and shutdown. can't choose wallpaper from list.
-don't see some (macromedia) "flash" on some sites. Can see them on their own site and I upgraded to 8.0 to no avail.
-can't see some gifs (links) on some sites

I downloaded and installed the "Kelly" fix for the desktop settings stuff (properties.) It changed the desktop to the default XP theme but did not fix the problem of not being able to choose wallpaper from list and not being able to see the wallpaper that I know is there. I ran ewido again and it found only fldrsys.dll in the winnt\system32 folder and I had it removed. I think it may have been re-created since I think I had removed it at some point earlier. Not sure. Also noticed that iecont.dll and iecontlc.dll are "missing". Do I need them?

Logfile of HijackThis v1.99.1
Scan saved at 7:01:05 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ssonsvr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - C:\Program Files\Aardvark\aardvark.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj5600 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj5600.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

This post has been edited by jjsant: Dec 29 2005, 06:26 PM

Post #4 - Dec 30 2005, 06:26 AM
Visiting Staff, Posts: 734, From: Newcastle, UK, OS: XP Home SP2
Hi jjsant

Ok, let's get started cleaning up some of the things in your log. We can visit your IE problems once we get you cleaned up.

I notice you have a trusted web site in your internet explorer settings. The site www.reranch.com is in your trusted list which means it will not be subjected to your normal internet security rules - it will be given more permissions. Does this sound correct to you? If not, please let me know and we can fix this.

Please print these instructions (or copy them and save in NotePad) as you will not have access to the internet during the fix.

Preparation

Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Please read Ewido Setup Instructions. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup. Don't run it yet!

The Fix

Next, please reboot your computer in SafeMode by doing the following:

===================================================
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj5600 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj5600.exe (file missing)
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply. Let us know if any problems persist.
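The review the helper does by hand above (orphaned R3 hooks and O20 entries with a missing file, O23 services registered out of a Temp folder, an O4 autostart launched from the drive root, and O15 trusted-zone sites that need the user's confirmation) can be written down as a small triage pass over a HijackThis log. This is an added example, not a tool from the thread or from the HijackThis project: the sample entries are copied from the log posted above, while the rule set, severities and function names are my own assumptions about what this helper would flag.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One HJT entry: a section tag (R0-R3, O1-O24), " - ", then the body.
SECTION_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# First Windows file path in a body; non-greedy so spaces in "Program Files" survive.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|scr|pif|bat))\b", re.I)
MISSING_TAGS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    severity: str  # "fix": tick it in HJT and Fix Checked; "review": confirm with the user
    reason: str
    line: str


def _path_of(body: str) -> str:
    """First file path in the body, lower-cased, backslash runs collapsed; '' if none."""
    m = PATH_RE.search(body)
    return re.sub(r"\\+", r"\\", m.group(1)).lower() if m else ""


def _from_temp_or_root(path: str) -> bool:
    """True for a binary in the drive root (c:\\x.exe) or anywhere under a Temp folder.

    The 8.3 short form C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\ still contains \\temp\\ once lower-cased.
    """
    return bool(path) and (path.count("\\") == 1 or "\\temp\\" in path)


def triage_line(raw: str) -> Optional[Finding]:
    """Apply the rule set (an assumption, see lead-in) to one log line."""
    line = raw.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None  # header, blank line, or a running-process path
    sec, body = m.group("sec"), m.group("body")
    missing = any(tag in body for tag in MISSING_TAGS)
    path = _path_of(body)
    if sec == "R3" and missing:
        return Finding(sec, "fix", "URLSearchHook with no backing file (orphaned hijacker hook)", line)
    if sec == "O20" and missing:
        return Finding(sec, "fix", "Winlogon Notify package whose DLL is gone", line)
    if sec == "O21" and missing:
        return Finding(sec, "fix", "ShellServiceObjectDelayLoad entry whose DLL is gone", line)
    if sec == "O18" and "(no CLSID)" in body:
        return Finding(sec, "fix", "MIME filter with no CLSID, typically left behind by a hijack", line)
    if sec == "O23" and (missing or _from_temp_or_root(path)):
        return Finding(sec, "fix", "service registered from Temp or whose binary is missing", line)
    if sec == "O4" and _from_temp_or_root(path):
        return Finding(sec, "fix", "autostart launched from the drive root or Temp", line)
    if sec == "O15":
        return Finding(sec, "review", "Trusted Zone site runs with relaxed IE security; confirm the user added it", line)
    return None


def triage(log_text: str) -> list:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def fix_list(log_text: str) -> list:
    """Lines to tick in HJT before 'Fix checked', i.e. findings with severity 'fix'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


# Constructed excerpt: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: www.reranch.com
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O21 - SSODL: fldrsys - {3ED1F82B-7BE5-4662-B87F-E566F0FDD7DE} - fldrsys.dll (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

The O9 Messenger entry is deliberately not flagged: a missing msmsgs.exe is an ordinary leftover, and the helper above leaves it alone too.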

Post #5 - Dec 30 2005, 09:06 PM
Member, Posts: 23, OS: XP
Hi infaddict

Thanx for the reply. www.reranch.com is a valid trusted site for me. I performed all of the tasks in the order you listed. I did not take any action on the 15 viruses and the 4 spywares found by the final scan (Panda) since you mentioned only to save that log. The desktop still does not allow me to choose wallpaper although I noticed the option was available when I was in safe mode. I still cannot see some gif links and some flash. One of the programs I ran said it would clean out the recycle bin and temp folders but I think that may not have happened. The recycle bin is still full and you'll see the "deleted" SpySheriff in there below. I manually changed names and/or deleted some files after the attack before I learned about the proper ways to remove them. I don't use Netscape email anymore but I still have the general program since I use its html editor to edit my own web page occasionally. The Panda scan seems to have found some bad stuff in the old Netscape email section.

Here is the Panda scan report:

Incident Status Location
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-218e0523.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-218e0523.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-218e0523.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba448-218e0523.zip[NewURLClassLoader.class]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Virus:Exploit/iFrame Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[~0000001.~]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[height.exe]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[2.scr]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[height.scr]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[ALT.exe]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[SRC.pif]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[href.pif]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[SRC.scr]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[szLang.bat]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[get[1].pif]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[target.exe]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[demo.exe]
Virus:W32/Klez.I Not disinfected C:\Program Files\Netscape_4.5\Users\john\Mail\Inbox[target.scr]
Adware:Adware/SpySheriff Not disinfected C:\RECYCLER\S-1-5-21-750008304-24598261-986896887-1003\Dc1058\SpySheriff.exe

Here is the smitfiles.txt:

smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 12/30/2005
The current time is: 18:43:57.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!

The ewido did not save a log this time. I guess I goofed. It's the 3rd time I have run it this week and the other 2 logs are there. It did find and I removed 2 items this time. I see them listed in the Quarantine list from this 3rd run so I can type them freehand:
c:\documents and setting\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar\-1dbf9af3-3937e78e.zip ( Risk-High Infected with Downloader.OpenStream.c )
c:\documents and setting\Owner\Local Settings\Temp\a.exe (Risk High Infected with Backdoor.Small.jg )

Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:06 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - C:\Program Files\Aardvark\aardvark.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I greatly appreciate your help and look forward to the next steps. Thanx!

This post has been edited by jjsant: Dec 30 2005, 09:58 PM
Post #6, Dec 31 2005, 06:46 AM
Visiting Staff, Posts: 734, From: Newcastle, UK, OS: XP Home SP2
Hi jjsant

Ok, we've made a little progress I think... let's carry on...

Please open HijackThis, perform a scan and place a check next to the following items:

R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Then close ALL other windows and browsers except HijackThis and click Fix Checked. Close HijackThis.

Re-open HijackThis and click Config, then Misc Tools. Click Open Uninstall Manager and then click Save List. Save the list somewhere safe and include it in your next post.

Please manually empty your recycle bin and then, using Windows Explorer or My Computer, find and delete the following files:

C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Owner\Local Settings\Temp\a.exe

In terms of some of your system files being missing, this is worrying. This may well be causing your IE problems and may also be related to your desktop problems. There is a way to get Windows to scan and fix any missing or corrupt system files:

Click Start
Select Run
At the prompt type sfc /scannow

Please note that there is a single space between sfc and /scannow. Typing this will start the program, and a box should appear telling you how much longer the process should take. Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:

Tools, Folder Options, View: "Uncheck" Hide protected operating system files.

Then rerun the scan. If this still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled), post back for more tips; otherwise enter the Windows CD and continue.

Once the scan is complete: Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed. Also, please rehide the protected files:

Tools, Folder Options, View: "Check" Hide protected operating system files.

Please post back with the HijackThis Uninstall List and also a fresh HijackThis log. Also let me know what symptoms/problems you are still having.
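The entries infaddict asks to fix above are the classic leftovers of a hand-cleaned hijack: registrations in the registry whose backing file has already been deleted. The script below is an added example, not part of this thread or of HijackThis itself; it applies that same first-pass triage to a log mechanically. The sample log is constructed from lines posted in this thread (with the text HijackThis duplicated on the R3 line collapsed to one entry), and the severity labels and rules are the editor's own assumptions about what a helper checks first, not a HijackThis feature.

```python
"""Triage a HijackThis 1.99.1 log: pull out the entry types that get checked first
when cleaning up after a browser hijack, and list what to tick in 'Fix checked'."""
import re

# Constructed sample: entries copied from the logs posted in this thread, with the
# duplicated text HijackThis printed on the R3 line collapsed to one entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Every HijackThis entry starts with its section code (R0..R3, F0..F3, O1..O23).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def classify(line):
    """Map one log line to (kind, severity, reason); None for non-entry lines.
    Severity values are this example's own convention: 'orphan', 'review', 'info'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O18" and "(no CLSID)" in body:
        # A MIME filter sits in front of every text/html page IE renders; one with
        # no handler left behind it is a dead registration from a removed hijacker.
        return kind, "orphan", "MIME filter registered with no handler"
    if "(no file)" in body or "(file missing)" in body:
        # Hook, button or plugin whose file is gone: harmless now, but it is the
        # residue of something removed by hand, so it gets ticked and fixed.
        return kind, "orphan", "registration points at a file that no longer exists"
    if kind == "O15":
        return kind, "review", "site in the IE Trusted Zone gets relaxed security settings"
    if kind == "O16":
        return kind, "review", "ActiveX control installed from " + body.rsplit(" - ", 1)[-1]
    if kind == "O20":
        return kind, "review", "DLL loaded into winlogon.exe at logon; confirm the publisher"
    return kind, "info", ""


def triage(log_text):
    """Return the non-informational findings, orphans first, each with its original line."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] != "info":
            kind, severity, reason = result
            findings.append({"kind": kind, "severity": severity,
                             "reason": reason, "line": line.strip()})
    rank = {"orphan": 0, "review": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["kind"]))
    return findings


def fix_list(log_text):
    """Lines to place a check next to before 'Fix checked': the orphaned registrations."""
    return [f["line"] for f in triage(log_text) if f["severity"] == "orphan"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']:4} {f['reason']}")
    print("\nTick in HijackThis:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
```

Run against the sample, the orphan rule picks out exactly the R3 hook named above plus the O9 Messenger buttons and the two O18 filters from the earlier log; the "review" items (the O15 Trusted Zone site, the Panda O16 control, the Webroot O20 notifier) are not verdicts, only the entries a helper reads by hand because each one runs code in a privileged spot.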
Post #7, Dec 31 2005, 02:03 PM
Member, Posts: 23, OS: XP
Hi infaddict

I performed the tasks in order. The sfc /scannow program prompts me for the disc that I do not have, since it's a factory installation and I don't have a Windows disk. It says it wants to copy files into the DLL Cache. I tried the "operating system" ROM (Gateway) that came with it, but Windows doesn't like it. The ROM appears to have thousands of compressed versions of system files, but I'm guessing that wouldn't help.

The program tried to access a Windows disc about 150 times or so while it was running, and I clicked "cancel" then "no" each time to allow it to move on. No "list" or log was created that was shown to me; however, the Event Log was written to about 130 times with this type of notice:

Source: Windows File Protection
Category: None
Event ID: 64021
The system file c:\winnt\system32\kbd106n.dll could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.

I did some random searches for those filenames w/o the extension (e.g. "kbd106n" from above) and find that all of the files referencing the ":\winnt\system32\" folder that I searched for appear to ONLY be in the C:\I386 folder and in compressed format (e.g. "kbd106n.dl_"). Many of the compressed-version files it is trying to copy to folders other than ":\winnt\system32\" don't seem to be on the hard drive at all.

I installed SP2 when it came out and recall that it was not a smooth process. I think I may have had to run it twice, but I'm not sure.

From a Google hit I see that I can edit the registry to have sfc look to the C:\I386 folder for the files to copy from. I would like you to help me do that, assuming it is appropriate. I have run regedit before to do searches and I know how to navigate to a "folder", but I would like you to help me with the exact steps and words to make the edit. Or maybe there is a "Kelly" fix? A menu to "browse" would be nice.

Should I copy over some/all of the related folder from the "Operating System" disc I have before running sfc again? I would think that the original compressed files that are on the CD are still on the hard drive, but maybe SP2 (which is not on the CD) has newer (compressed) files it wrote to the C:\I386 folder when I downloaded SP2? Can I download the SP2 compressed dll's and such from a site if I am missing some of them after the 1st round? Am I asking too many questions?

I already had "hide protected operating sys files" unchecked in the "folder options, view" screen. I have now re-checked that box, assuming it may be a security risk. Did having it unchecked leave me more vulnerable to attack, or is it just to prevent accidental manual deletion/changes?

I ran Windows Updates, which had me upgrade to "Microsoft Update" 1st. No new critical updates were available, nor any updates that appear relevant to me. I had updated a few days ago.

The overall boot time has shortened a little and I can see (only) the wallpaper for about 20 seconds near the end of the boot. Previously I saw it for only a flash. Then the whole screen flips to the solid-color background and all the desktop icons appear simultaneously.

The IE problems remain, and I noticed that when I am on a site with some of those missing graphic/link items, the bottom of the window shows that it is still trying to download a few items. The overall functionality of IE is good. Still don't see some Flash on some sites.

I really appreciate the help. You may have also led me to the source of my other PC problem, which I posted in the Hardware forum. I've had that problem for some time and it may have started around the time of SP2. Or it may be from the change from one cable-internet system (and cable modem) to another. (I think I have 2 "networks" trying to run.)
The problems related to that other thread (red HD light stays bright/can't find HD/system crashes sometimes) occur intermittently, whereas the problems in this thread all started with the hijacking/SpySheriff etc. attack. I have not had the system-crash-red-light problem today.

Here is the HJT Uninstall file. (I had already deleted the "Yazzle Sudoku" related files I have found but did not use "Uninstall" since I feared it may explode my computer.)

Aardvark Audio Professional Cards Manager
Aark Manager
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0
Ahead Nero BurnRights
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ArcSoft PhotoBase
ArcSoft PhotoStudio 2000
Blackhawk Striker from Gateway (remove only)
Blasterball 2 from Gateway (remove only)
Bounce Symphony from Gateway (remove only)
Caere Scan Manager 5.1
Canon ScanGear Toolbox CS 2.2
CC_ccStart
ccCommon
Citrix ICA Client ( Citrix )
ColorSwap
ComcastSUPPORT
Contextual Tool
DoMore DVD
ewido anti-malware
Excavation from Gateway (remove only)
Exif Launcher Ver.1.0
Exif Viewer Ver.1.1
Five Card Frenzy from Gateway (remove only)
Forte Agent
FreshDiagnose
Gateway Drivers and Applications Recovery
Gateway Ink Monitor
Gateway Rhapsody
HammerHead Rhythm Station
HijackThis 1.99.1
Home Improvement 1-2-3
hp deskjet 5600
hp deskjet 5600 series
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel® 537EP Data Fax Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
MAGIX audio studio 7 deLuxe
MAGIX Media Manager silver
Merriam-Webster 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Learning and Research Plus Support Files
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Picture It! Express 7.0
Microsoft Picture It! Photo Premium 9
Microsoft Streets and Trips 2004
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MID Converter 3.1
MSN Internet Software
MSN Messenger 5.0
MSRedist
MUSICMATCH® Jukebox
Nero OEM
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
OmniPage Pro 9.0
Orbital from Gateway (remove only)
Otto from Gateway (remove only)
Overball from Gateway (remove only)
Panda ActiveScan
Panicware Pop-Up Stopper
PC-Doctor for Windows
Polar Bowler from Gateway (remove only)
Quicken 2004
QuickTime
RealPlayer Basic
Security Task Manager 1.6f
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Shockwave
Slyder from Gateway (remove only)
Smart Link 56K Modem
Spy Sweeper
Symantec Script Blocking Installer
SymNet
TaxCut 2003
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XoftSpy
Yazzle Sudoku by OIN
ZipScan Evaluation 2.0

The R3 listing is back, and I manually changed the name of msmsgs.exe a few days ago when I was attacking the hijacking on my own with Google and stuff.

Here is the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:43:43 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ssonsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - C:\Program Files\Aardvark\aardvark.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanx!

This post has been edited by jjsant: Dec 31 2005, 02:15 PM
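jjsant's Event Log entries (Windows File Protection, Event ID 64021) record each file that sfc /scannow wanted to refresh and could not because the disc prompt was cancelled. The script below is an added example by the editor, not code from this thread or from Microsoft; it parses that event text, maps each file to the name its compressed copy would carry in an install source folder (Windows replaces the last character of the extension with an underscore, so kbd106n.dll is shipped as kbd106n.dl_) and, where a copy exists, builds the expand.exe command that would restore it. The first event is the one quoted in the thread; the second event, the file hypothetical.dll and the C:\I386 directory listing are constructed for the example. One caveat a practitioner would want before using such a command on a real box: an OEM I386 folder usually holds the original-release versions, while the SP2 versions of protected files live uncompressed under the ServicePackFiles\i386 folder created when SP2 was installed, so a file should only be expanded from a source that matches the installed service pack level.

```python
"""From Windows File Protection event text, work out which files SFC could not
restore, whether the user cancelled the copy, and whether a compressed copy
exists in a local install source such as C:\\I386."""
import re

# Sample data, constructed: the first entry is the event quoted in this thread,
# the second is a hypothetical entry added so the "no source found" path runs.
WFP_EVENTS = [
    "The system file c:\\winnt\\system32\\kbd106n.dll could not be copied into the "
    "DLL cache. The specific error code is 0x000004c7 [The operation was canceled "
    "by the user. ]. This file is necessary to maintain system stability.",
    "The system file c:\\winnt\\system32\\hypothetical.dll could not be copied into the "
    "DLL cache. The specific error code is 0x000004c7 [The operation was canceled "
    "by the user. ]. This file is necessary to maintain system stability.",
]

# Constructed directory listing standing in for C:\I386 (names lower-cased).
I386_LISTING = {"kbd106n.dl_", "shdocvw.dl_", "msmsgs.ex_"}

EVENT_RE = re.compile(
    r"The system file (?P<path>\S+) could not be copied into the DLL cache\. "
    r"The specific error code is (?P<code>0x[0-9a-fA-F]+)"
)

# Win32 ERROR_CANCELLED (1223): the user answered the "insert disc" prompt with Cancel.
ERROR_CANCELLED = 0x4C7


def parse_wfp_event(text):
    """Return (file path, error code as int) from an Event ID 64021 message, else None."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return m.group("path"), int(m.group("code"), 16)


def compressed_name(filename):
    """Name of the compressed copy on install media: last character of the extension
    becomes '_' (kbd106n.dll -> kbd106n.dl_, msmsgs.exe -> msmsgs.ex_)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not ext:
        return filename + "_"
    return f"{stem}.{ext[:-1]}_"


def restore_plan(events, listing, source_dir=r"C:\I386"):
    """For each failed file: was the copy cancelled, is a compressed source present,
    and if so the expand.exe command that would decompress it to the original path."""
    plan = []
    for text in events:
        parsed = parse_wfp_event(text)
        if parsed is None:
            continue
        path, code = parsed
        name = path.rsplit("\\", 1)[-1].lower()
        cab = compressed_name(name)
        entry = {
            "path": path,
            "cancelled": code == ERROR_CANCELLED,
            "source": f"{source_dir}\\{cab}" if cab in listing else None,
        }
        if entry["source"]:
            # expand.exe ships with Windows and decompresses a single .xx_ file to a target path.
            entry["command"] = f'expand "{entry["source"]}" "{path}"'
        plan.append(entry)
    return plan


if __name__ == "__main__":
    for entry in restore_plan(WFP_EVENTS, I386_LISTING):
        status = "cancelled" if entry["cancelled"] else "failed"
        print(f"{entry['path']}: {status}; source: {entry['source'] or 'not found'}")
        if "command" in entry:
            print("  " + entry["command"])
```

The useful output is the list of files with no source at all: those are the ones a local I386 folder cannot supply, which is the question jjsant is asking about the SP2 files, and they need either the matching service pack source or the original media.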