Trojan-Spy.HTML.Smitfraud [RESOLVED]


This topic is locked.

#91 joshuageeks6999 (Member, Topic Starter, 91 posts)
Well, i figured it was because you wanted it off the puter...and i certainly like things nice and clean, but i was wondering if it was more specific...say, like a particular virus -- or 60 or 70 of them -- that had a strong ability to launch from quarantined files....

and i did 'Delete on Reboot' for the 13 items listed in post 81....as for the Norton Quarantine folder, i deleted everything manually...and it is currently empty except for two empty folders Incoming and Portal ...i left them there...

...okay, i'll wait for a response to this message before i start MWav again as i'll let that go while i go off to work for a bit...so, i think this is Goodnight :tazz: ...agreed, or...I can set the alarm for two hours and come back and post again...just ask if you'd like me to do that, i will...you're in charge here!!

....you never did say how much of a donation you've received in the past...yes, i got the 9999$ message...joshua

oh..safe mode while running MWav??

Edited by joshuageeks6999, 26 April 2005 - 12:35 AM.

  • 0


#92 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Empty the Recycle Bin before running MWav otherwise it's going to pick up those 1405 items again!

I'll go ahead and let you go for the night, I think you've done enough work for the moment :tazz:

Why do you want to know how much I have received? Donations are certainly appreciated but I'm not in this for the money! If you want to donate, donate however much you want $1, $10, $100, whatever! I'm thankful for any amount. You are under NO obligation to donate anything! ;)
  • 0

#93 joshuageeks6999 (Member, Topic Starter, 91 posts)
I am twitching a bit, and sort of afraid that I'll seize again...the drooling you know, sortofawarningsign...

...and i'm so new at this, i'm real clear i want to donate even though i fully understand that i don't have to do that...and i thought if you gave me a range, i'd be able to give a just amount

...you've been tremendous!! and i do think a bit of compensation is in order...if i was close by...say New Orleans or something, i'd offer a big kiss right on your sweet icon:whopsmack!@....course, the money will last longer!...anyhow, i do understand that you're not expecting compensation...i think that's nice and sweet and generous of you and of all of your compatriots out here...WHAT A SERVICE!!!

...so, we'll meet tomorrow is it???i'll post the MWav log again...night for now!...

btw, if i seem sort of down, my apologies!! I'm quite pleased at the progress!! It's just that, well...a patient of mine that i'd had in the ICU for 6 weeks (THAT'S A LONG TIME), he was doing a bit better...transferred him to a different facility last week.....he just died a few minutes ago....thought he was going to pull thru for a while...maybe even make it home..............
  • 0

#94 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

joshuageeks6999 wrote:
btw, if i seem sort of down, my apologies!! I'm quite pleased at the progress!! It's just that, well...a patient of mine that i'd had in the ICU for 6 weeks (THAT'S A LONG TIME), he was doing a bit better...transferred him to a different facility last week.....he just died a few minutes ago....thought he was going to pull thru for a while...maybe even make it home..............

I'm sorry to hear that ;) There is certainly no need to apologize!!

I will be here tomorrow with bells on!

Good night, Joshua! :tazz:
  • 0

#95 joshuageeks6999 (Member, Topic Starter, 91 posts)
:) :) :tazz: ;) :) ;)

....MWav log # 2 .... No Viruses Found!!!!!

...........wow, i'm not a drinking man, but i might make an exception!!!


So, before we bid this problem-focused relationship adieu, i have questions!!??

1) How'd you get so smart?
2) What part of Texas breeds such cuties?
3) My isp provider states that one of my problems is that my email address is so short (three letters), what do you think...i chose it for simplicity for my patients?
4) Are we going to go clean out the other account?
5) I actually have three other accounts, 2 are entirely unused; does it work to simply delete those? or do viruses, etc. still lurk out there effectively messing with other accounts?
6) You said you could fix my Norton; how's about Symantec in general?
7) Should I switch away from IE to Mozilla or something?
8) Which of the many tools that you've introduced should be run regularly? Adaware, Spybot, Microsoft Anti, MWav, Ewido Security Suite, Panda, CWShredder, DelDomains, Registrar Lite, Hoster...???

....actually, I think we're at the Other Account stage....I'm happy! Off to work on the new system too....Today/tonight...let me know your plans if you like...my day is sort of going to get busy by about 2pm my time....joshua
  • 0

#96 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Let me see one more HiJackThis log before I answer your questions :tazz:
  • 0

#97 joshuageeks6999 (Member, Topic Starter, 91 posts)
Boy, you're always out here working!! I'm honored!! I know, I know...don't take it personally...

...thought you'd be on Later!...

Here it is!

Logfile of HijackThis v1.99.1
Scan saved at 8:05:04 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dane\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Microsoft® JavaScript® Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#98 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Run HiJackThis. Place a check next to the following item, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

Close HiJackThis.

1) How'd you get so smart?
Exceptional training from Geeks to Go, research, and whatever else I taught myself.

2) What part of Texas breeds such cuties?
New Mexico haha

3) My isp provider states that one of my problems is that my email address is so short (three letters), what do you think...i chose it for simplicity for my patients?
I've never heard of a short e-mail address causing problems with anything. But, since I've never heard it I can't say no, but I'm definitely not going to say yes!

4) Are we going to go clean out the other account?
YES!

5) I actually have three other accounts, 2 are entirely unused; does it work to simply delete those? or do viruses,etc still lurk out there effectively messing with other accounts?
Absolutely, you can just delete them! The virus scans we have run scan the whole computer, not just one account.

6) You said you could fix my Norton; how's about Symantec in general?
I can fix auto-protect and e-mail scanning, but if you're having problems getting Norton to even scan - it's time to uninstall it and use another Anti-virus program. A good one is AVG - I'll give you the link to it shortly.

7) Should I switch away from IE to Mozilla or something?
After we clean your computer, I'm going to give you some tips to help prevent infection. They effectively lock down IE pretty tight. That's up to you, I use IE.

8) Which of the many tools that you've introduced should be run regularly? Adaware, Spybot, Microsoft Anti, MWav, Ewido Security Suite, Panda, CWShredder, DelDomains, Registrar Lite, Hoster...???
I'll give you a list of items I recommend to prevent future infection at the end.

....actually, I think we're at the Other Account stage....I'm happy! Off to work on the new system too....Today/tonight...let me know your plans if you like...my day is sort of going to get busy by about 2pm my time....joshua
I'll be on most of the day. :tazz:

Edited by bananafanafo, 26 April 2005 - 02:07 PM.

  • 0

#99 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I doubt there is anything on the other account, but we're going to look anyway!

Download HiJackThis to the OTHER account.

Click Here to download HiJackThis (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it.

Run HiJackThis on the OTHER account and post the log. :tazz:

Edited by bananafanafo, 26 April 2005 - 09:20 AM.

  • 0

#100 joshuageeks6999 (Member, Topic Starter, 91 posts)
Excellent!! New Mexico changes EVERYTHING!!!......jk

Okay, ran HJT and Fixed R1...now, i hope i'm wrong, but i'm going to attempt to log on to my other acct and I suspect i won't have IE access...i'll be back at the smitfraud stage, blue screen etc...and I'll have to work for awhile to get the IE up...oh, and the Taskmgr, which i'll need to get IE up...that won't be working either....

...and i do have to stop for a bit...so, if it's a bear over there in the other account, i'll come back here...joshua
  • 0


#101 joshuageeks6999 (Member, Topic Starter, 91 posts)
;) :tazz: ;) WOW!!!!!!!!!!!

up and running on the 'other' account!!!

Here's the log!

And i do still have an altered desktop...black, only Screen Saver and Settings under Properties...but i haven't tried to correct it yet...joshua

Logfile of HijackThis v1.99.1
Scan saved at 8:38:10 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\owner\Start Menu\Programs\Startup\netdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#102 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
To get your desktop properties back on that account:

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

And I'm going to look at your log while you do that :tazz:
  • 0

#103 joshuageeks6999 (Member, Topic Starter, 91 posts)
Desktops! back...my theme is now going to be Flying Bananas....as soon as i find that!!... :tazz:
  • 0

#104 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
This part is important! If you do not do this part, you will lose Explorer and Internet Explorer as in GONE - reinstallation of windows!! Make sure to copy it EXACTLY as I have it!
Launch Notepad, and copy/paste the box below into a new notepad file. Change the "save as" type to "All Files". Save it as regfix.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

Make sure there is no blank line above "REGEDIT4".

Locate regfix.reg on your Desktop and double-click on it. If you receive any message, let me know BEFORE following the next steps!!

Press CTRL ALT DELETE and end the following process:

netdb.exe

Exit Task Manager.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - Startup: netdb.exe

O15 - Trusted IP range: 64.127.104.144


Close HiJackThis.

I need you to copy all of these instructions and paste them into a notepad and save it for use while in safe mode.

1) Please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

2) Once in Safe Mode, please run Killbox.

3) Select "Delete on Reboot".

4) Open the notepad file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\Documents and Settings\owner\Start Menu\Programs\Startup\netdb.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE


5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the system reboot. Post a new HiJackThis log.

Edited by bananafanafo, 26 April 2005 - 10:29 AM.

  • 0
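The triage done by hand in this thread (compare the first account's HijackThis log with the other account's, then pick out the entries to fix) as an added Python example; it is not a tool from the thread or from HijackThis. The log excerpts are taken from posts #97 and #101 above, and the matching rules are my own heuristics written to cover the entry types fixed in post #104.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from the thread or HijackThis)."""
import re

# Excerpt of the log from the first account (post #97), used as the baseline.
BASELINE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O13 - WWW. Prefix: http://
"""

# Excerpt of the log from the other account (post #101), the one to triage.
SUSPECT_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - Startup: netdb.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O13 - WWW. Prefix: http://
O15 - Trusted IP range: 64.127.104.144
"""

# A HijackThis entry is "<code> - <body>"; the process list at the top has no such code.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

NEW = "not present in the baseline account's log"

# Heuristic rules (mine): one per entry type that post #104 told the user to fix.
RULES = [
    ("F2", re.compile(r"Shell=explorer\.exe\s+\S"), "extra program chained onto the Winlogon shell"),
    ("R3", re.compile(r"URLSearchHook is missing"), "default URLSearchHook removed"),
    ("R1", re.compile(r"ShellNext\s*="), "Internet Connection Wizard ShellNext points at a program"),
    ("O4", re.compile(r"^Startup: "), "bare executable in the user's Startup folder"),
    ("O15", re.compile(r"Trusted IP range"), "IP address added to the Trusted sites zone"),
]

# A Run entry that launches a bare executable straight out of System32 (MSIMN32.EXE,
# TASKMGRU.EXE above); only reported when the entry is also new versus the baseline,
# so the legitimate hphmon04.exe present in both logs is not flagged.
SYSTEM32_RUN = re.compile(r'\\Run: \[[^\]]+\] "?[A-Za-z]:\\WINDOWS\\System32\\[^\\\s"]+"?$', re.I)


def parse_hjt(text):
    """Return the (code, body) entries of a HijackThis log, skipping the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(baseline_text, suspect_text):
    """Map each suspect entry that is new or matches a rule to its list of reasons."""
    baseline = set(parse_hjt(baseline_text))
    findings = {}
    for code, body in parse_hjt(suspect_text):
        reasons = []
        is_new = (code, body) not in baseline
        if is_new:
            reasons.append(NEW)
        for rule_code, pattern, why in RULES:
            if code == rule_code and pattern.search(body):
                reasons.append(why)
        if is_new and code == "O4" and SYSTEM32_RUN.search(body):
            reasons.append("new Run entry launching a bare executable from System32")
        if reasons:
            findings[f"{code} - {body}"] = reasons
    return findings


def fix_list(findings):
    """Entries with at least one rule hit: the lines a helper would tick in HijackThis.
    Entries that are merely new (ATI Launchpad above) stay out and get a human look."""
    return sorted(line for line, reasons in findings.items() if any(r != NEW for r in reasons))


if __name__ == "__main__":
    found = triage(BASELINE_LOG, SUSPECT_LOG)
    for line, reasons in found.items():
        print(line + "\n    - " + "\n    - ".join(reasons))
    print("\nFix checked:", *fix_list(found), sep="\n  ")
```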

#105 joshuageeks6999 (Member, Topic Starter, 91 posts)
Ok, now i need a cup of coffee...brb...okay, yes ,,,...okay?!?@

Now, i don't know how to 'Launch' Notepad, so here's what i did...actually, had never used Notepad until i met you...

I highlighted the field in question from your post, did a ctrl C, went to the desktop and did a ctrl V which opened Notepad, seems to have just what you asked for...i then changed the file type to All Files, and the name to remove.bat and closed.

I now have a desktop file with a little cogwheel on it and its name is remove; however, i'm unable to view the contents of that file. I did verify, no blank line above regedit4.

when i double clicked on remove, it sent about 5 messages up from MS Antispyware, i closed or blocked those actions and stopped, came back here...

and here i am...
  • 0
