Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

download.trojan and desktop.html[RESOLVED]

Started by moorerp , May 15 2005 06:40 PM

  • This topic is locked This topic is locked

#1
moorerp
Posted 15 May 2005 - 06:40 PM

moorerp

    New Member

  • Member
  • Pip
  • 9 posts
Hi, I've been through all the steps in your Malware directions. Below is my Highjackthis file.

Symantec Antivirus detected and quarantined desktop.html and told me the file was associated with download.trojan. Since this happened, my desktop wallpapaer has been an off-white blank and I have no right-click functions (like ceate a new folder, etc., which is really annoying not to have). As far as I can tell, this is the only thing wrong; all the desktop icons are there and functional.

I deleted the desktop.html and gotten rid of everything the various cleaning programs have told me to do away with.

Thanks very much in advance for any help! This frowny is directed at the subhuman particles that create and distribute malware :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 5:30:13 PM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Randallicious\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {169328C6-2B46-4D8F-999D-E81FE4BA6D23} - C:\WINDOWS\System32\fepj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [B] C:\windows\temp\B.exe
O4 - HKLM\..\Run: [fSXm7] C:\Documents and Settings\Randallicious\Local Settings\Temp\fSXm7.exe
O4 - HKLM\..\Run: [xgA] C:\Documents and Settings\Randallicious\Local Settings\Temp\xgA.exe
O4 - HKLM\..\Run: [0Rz28Z] C:\documents and settings\randallicious\local settings\temp\0Rz28Z.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Webphone - https://www.dialpad....update/cham.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109304296100
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://bbapp1.ucsadm...e-1_4_1-win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements

#2
Crustyoldbloke
Posted 17 May 2005 - 09:34 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello morrerp and welcome to Geeks to Go.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

In your reply, could you please tell me if you have a Lexar jump drive or a flash card for a digital camera? Now if you are ready, let’s get fixing!

I just want to check a couple of points with you. Please ensure you have administrator rights on this PC (User Accounts in the Control Panel will confirm this), and that this is a single identity PC, if not please inform me in your next reply.

You are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else!

The first job is to disable SpySweeper from running in real time; it may hinder our attempts to fix some problems. Please disable the programme from operating until after the fix.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {169328C6-2B46-4D8F-999D-E81FE4BA6D23} - C:\WINDOWS\System32\fepj.dll (file missing)
O4 - HKLM\..\Run: C:\windows\temp\B.exe
O4 - HKLM\..\Run: [fSXm7] C:\Documents and Settings\Randallicious\Local Settings\Temp\fSXm7.exe
O4 - HKLM\..\Run: [xgA] C:\Documents and Settings\Randallicious\Local Settings\Temp\xgA.exe
O4 - HKLM\..\Run: [0Rz28Z] C:\documents and settings\randallicious\local settings\temp\0Rz28Z.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\System32\fepj.dll
C:\windows\temp\B.exe
C:\Documents and Settings\Randallicious\Local Settings\Temp\fSXm7.exe
C:\Documents and Settings\Randallicious\Local Settings\Temp\xgA.exe
C:\documents and settings\randallicious\local settings\temp\0Rz28Z.exe

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click [b]Save, copy and paste the results in your next post.

and I will take another look.
  • 0

#3
moorerp
Posted 17 May 2005 - 10:52 PM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Phil, thanks very much for the help! This whole geeks to go thing is a marvellous global community idea. :tazz:

cheers,
randall



"In your reply, could you please tell me if you have a Lexar jump drive or a flash card for a digital camera? Now if you are ready, let’s get fixing!"

I have both a Lexar jump drive and an Hitachi 1GB microdrive for my digital camera.

"I just want to check a couple of points with you. Please ensure you have administrator rights on this PC (User Accounts in the Control Panel will confirm this), and that this is a single identity PC, if not please inform me in your next reply."

I do have admin. rights and it's a single ID laptop PC (I think; I do connect to a network at work).

I followed all of your other instructions carefully. The files that I was to remove while in safe mode (if present) weren't present. Highjackthis is great, by the way; it found and removed two files that spysweeper kept detecting but couldn't remove. When I tried to remove them manually, I found that they weren't in the folders that spysweeper told me they were in- some malware hanky-panky, I think, but highjack this found 'em.

Here is the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:59:08 PM, 5/17/2005
+ Report-Checksum: 302C169E

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 170 min
+ Scanned Files: 74319
+ Speed: 7.25 Files/Second
+ Infected files: 10
+ Removed files: 10
+ Files put in quarantine: 10
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Randallicious\Cookies\randallicious@58066387[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Randallicious\Cookies\randallicious@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Randallicious\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-2596871679-2244346736-3100991366-500\Dc1.exe -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CABVIEW4.exe -> Spyware.AdSrve.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\CMPROPS2.exe -> Spyware.AdSrve.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\j5kt.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\qdd45l8.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\txfdb32.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup


::Report End




And here is the next highjackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:55 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Webphone - https://www.dialpad....update/cham.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109304296100
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://bbapp1.ucsadm...e-1_4_1-win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



and here is the uninstall log:

AC3Filter (remove only)
AccessDirect
Actiontec MD56ORD V92 MDC Modem
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe MPEG Encoder
Adobe Photoshop 6.0
Adobe Premiere 6.5
Advanced Batch Converter
Advanced RealMedia Export Plug-in for Premiere 6.0
ArcGIS Desktop
Bazooka Scanner
CCleaner (remove only)
Chameleon Control
CleanUp!
Context Display
Dell Modem-On-Hold
Dell Solution Center
Dell Support
DialpadChameleon
DivX
DivX Player
Easy CD Creator 5 Basic
EndNote
ewido security suite
GoldWave v5.06
HijackThis 1.99.1
IE Host
IE Host
ImageJ 1.32j
InterVideo WinDVD
ISI ResearchSoft - Export Helper
Java 2 Runtime Environment, SE v1.4.1_03
Java Web Start
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office 2000 Premium
Modem Helper
Mozilla (1.7.2)
NVIDIA Windows 2000/XP Display Drivers
Odyssey Client
Palm Desktop
Pop-Up Stopper Free Edition
QuickTime
RealPlayer
Roxio EasyWrite Reader
Skype 1.2
S-PLUS 6.1 ACADEMIC SITE Edition Release 1
Spy Sweeper
SpywareBlaster v3.2
Symantec AntiVirus Client
Synaptics TouchPad
URL Display
WebWasher
Wildlife Counts
WinAce Archiver
Winamp (remove only)
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Wireless-G Notebook Adapter
WordPerfect Office 2002
WordPerfect Office 2002
  • 0

#4
Crustyoldbloke
Posted 18 May 2005 - 02:53 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Randall

Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection. Remember to enable Spysweeper.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)
  • 0

#5
moorerp
Posted 18 May 2005 - 11:52 AM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks, Phil, I feel better knowing most of that crap is gone from my system. :tazz:

I still don't have wallpaper or right-click capabilities on my desktop- any other ideas?

cheers,
randy
  • 0

#6
Crustyoldbloke
Posted 18 May 2005 - 02:21 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Randy

Try this:

Download the following file and unzip it to your desktop. Then doubleclick it and grant permission to merge the registry entries.

Wallpaper

********************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

********************************************************************************

Please save the content of the box above to an empty file in Notepad.
Save it as rightclick.reg
to your desktop
type: all files
Close Notepad.
Doubleclick the file rightclick.reg and grant permission to merge the registry entries.

Let me know how its going

Edited by Crustyoldbloke, 18 May 2005 - 02:24 PM.

  • 0

#7
moorerp
Posted 18 May 2005 - 08:21 PM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Phil,
Followed the directions to no avail.

Is the following helpful? When I right click the desktop screen, I get the same pulldown menu that comes up when I right click a web page in explorer. When I select 'properties,' it gives me the following info (under the general tab):

***********************************************************
Not available

Protocol: File Protocol

Type: Html Document

Connection: Not encrypted

Address: file://C:WINDOWS\Web\desktop.html (which is the original file quarantined by Symantec and which I deleted)

Size: Not Available

Created: Not Available

Modified: Not Available
***************************************************************

It seems to be treating my desktop as a web page???

thanks,
randall
  • 0

#8
Crustyoldbloke
Posted 19 May 2005 - 02:40 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Randall

Let's try this.

Backup Windows Registry by doing this:

Back Up Reg.

Download ERUNT and install it.

ERUNT

Run ERUNT, backup the entire registry (select all the modules System, Current User, etc) to a Folder (that can be specified while backing up).

Then go to Start>Run and type regedit and press ENTER

Then navigate to this key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

and right-click on the Wallpaper and click Delete

Then reboot and check the Desktop problem.
  • 0

#9
moorerp
Posted 19 May 2005 - 01:29 PM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Phil,

I should have checked first to see if wallpaper was in the folder! Backed up the registry, etc., and then found nothing called wallpaper in this folder:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

is that significant?
  • 0

#10
Crustyoldbloke
Posted 19 May 2005 - 01:59 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Randall

That should have worked - did it?

Have you rebooted?

Please tell me that you have checked the Customize Desktop settings in Display Settings>Properties?

What's happening now?

Can you right click?

From what I understand, the file://C:WINDOWS\Web\desktop.html is the one that causes the problem.
  • 0

#11
moorerp
Posted 19 May 2005 - 07:47 PM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Phil,

I did all of the stuff below:

"Back Up Reg.

Download ERUNT and install it.

ERUNT

Run ERUNT, backup the entire registry (select all the modules System, Current User, etc) to a Folder (that can be specified while backing up).

Then go to Start>Run and type regedit and press ENTER

Then navigate to this key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

all the way to right here, but there was no wallpaper in the above folder to delete. The only thing in there is an "ab" file icon of file type "REG_SZ"


"and right-click on the Wallpaper and click Delete"

I rebooted just for the heck of it but nothing changed. Sorry this is such a pain, and thanks again for your help so far.
  • 0

#12
Crustyoldbloke
Posted 20 May 2005 - 01:52 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Randall

I was trying to get a definitive answer from you in the last post. This was the question: Please tell me that you have checked the Customize Desktop settings in Display Settings>Properties?

I need to know that before I go looking for more answers. Please humour me on this point.

If I'm not mistaken, it sounds like something has set the computer to show an Active Desktop.

The computer has been set to show a certain webpage as the Desktop and when you right click and select properties, you are showing the Properties of that webpage. So we need to delete that webpage. So go to C:\WINDOWS\Web\ and delete desktop.html, but I think you have already done this part.

Then go to the Control Panel and double click Display. Go to the Desktop tab and at the bottom click Customise Desktop. Then go to the Web tab. There should be a box with a list of Active Desktops. Remove the checkmark from next to all of them and delete each one except My Current Home Page which cannot be removed. Then reset your Desktop Wallpaper.

Did that do it?
  • 0

#13
moorerp
Posted 20 May 2005 - 01:00 PM

moorerp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry Phil, wasn't ignoring your question on purpose, I'm just a bit absent-minded at times.

I had checked the display settings, but not really knowing what I was looking for, I didn't find the check box which solved the problem when I unchecked it 2 minutes ago! Apparently when something hijacks your desktop to display a webpage, either symantec or windows checks a "security" box in the "web" section of the customize desktop display. When that box is checked, the desktop displays a blank web page. I can hear your groan from here :tazz:

I had a feeling it would turn out to be something stupid that I just didn't know about, a common problem with me and computers (cars too). Thank you for all your help and sorry it was such a mundane problem.

cheers,
randall
  • 0

#14
Crustyoldbloke
Posted 20 May 2005 - 05:12 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Randall

I am going to miss our chats. Well as I always say, I can fix it, but I can't say when.

Glad I was able to offer you help (BTW I never groan) but it is very difficult to guage somebody's knowledge from a web forum.

Strangely, I discussed your case in open forum with other fellow Geeks, and one of them didn't know that active desktop was available as an option in Windows XP. I was saying, "this is beating me, I'm sure I have done this correctly and all should be well. Am I missing something here?" Then I decided to ask the question.

The rest is as you know.

Happy safe surfing! I'll leave the thread open for a few days just in case.

Edited by Crustyoldbloke, 22 May 2005 - 06:20 AM.

  • 0

#15
Crustyoldbloke
Posted 22 May 2005 - 06:20 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP