HijackThis log and ewido log, please assist


#1
rmoore8538
New Member, 3 posts
I cannot remove an item from my desktop that is centered with large words that links to http://www.antivirus-gold.com/?wm=. Can someone please assist me with this issue?

Logfile of HijackThis v1.99.1
Scan saved at 12:17:28 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
E:\CFusionMX7\runtime\bin\jrunsvc.exe
E:\CFusionMX7\db\slserver54\bin\swagent.exe
E:\CFusionMX7\runtime\bin\jrun.exe
E:\CFusionMX7\db\slserver54\bin\swstrtr.exe
E:\CFusionMX7\db\slserver54\bin\swsoc.exe
E:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
E:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
E:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\system32\SLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\USBToolbox\Res.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\DIGStream\digstream.exe
E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fwa.ak.pac.army.mil/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fwa.pac.army.mil
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 59th Signal Bn
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] E:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vs9Q3qX] ltwcrt20.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe
O4 - HKCU\..\Run: [eBq4RkbqS] lapfgwmi.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=https://fwa.pac.army.mil
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103798793516
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ap.ds.army.mil
O17 - HKLM\Software\..\Telephony: DomainName = ak.ap.ds.army.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ap.ds.army.mil
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - E:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - E:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - E:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - E:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "E:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\SYSTEM32\SLClient.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:17:54 PM, 6/1/2005
+ Report-Checksum: C49435F4

+ Date of database: 6/2/2005
+ Version of scan engine: v3.0

+ Duration: 44 min
+ Scanned Files: 204455
+ Speed: 76.06 Files/Second
+ Infected files: 19
+ Removed files: 19
+ Files put in quarantine: 19
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
E:\

+ Scan result:
C:\Documents and Settings\Big Daddy\Cookies\big daddy@33436415[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Big Daddy\Cookies\big daddy@47780556[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Big Daddy\Cookies\big daddy@63198470[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Big Daddy\Cookies\big daddy@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Cookies\ronald.moore@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Cookies\ronald.moore@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Cookies\ronald.moore@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Desktop\spyware doctor 3.2\crack.exe -> TrojanDownloader.IstBar.is -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temp\uninstall.exe -> TrojanDownloader.IstBar.gi -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\APUFWDIF\sahagent[1].exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\APUFWDIF\X[1].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\CDEFG9IJ\cxtpls_loader[1].exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\CDEFG9IJ\istsvc[1].exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\CHEJKTUV\kliksoftware[1].exe -> TrojanDownloader.Small.awd -> Cleaned with backup
C:\Documents and Settings\ronald.moore\Local Settings\Temporary Internet Files\Content.IE5\CHEJKTUV\sidefind[1].exe -> TrojanDownloader.IstBar.jm -> Cleaned with backup
C:\WINDOWS\system32\msxct.exe -> Spyware.BargainBuddy -> Cleaned with backup
E:\Program Files\crack.exe -> TrojanDownloader.IstBar.is -> Cleaned with backup
E:\Program Files\Spyware Doctor\crack.exe -> TrojanDownloader.IstBar.is -> Cleaned with backup


::Report End

#2
Wizard
Retired Staff, 5,661 posts
Hi rmoore8538 and Welcome to Geeks to Go!!!

If you will, please download the Registry Search Tool:

http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

I need you to enter 2 different searches.

The first to search for is winnook.exe

The Second is desktop.html

Please Save the returns from those 2 searches and Post them back here!

Also, if you can, send me a sample of winnook.exe!

To do this, right-click the file and select "Send To", then select "Compressed (Zip) Folder"!

Once it's all zipped up, check your private messages here at the forum and I will send you my email address!

#3
rmoore8538 (Topic Starter)
New Member, 3 posts
Here are the searches:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winnook.exe" 6/2/2005 9:57:09 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-3307934722-3952226031-1939962083-68189\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"="C:\\WINDOWS\\system32\\winnook.exe"

[HKEY_USERS\S-1-5-21-3307934722-3952226031-1939962083-68189\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\winnook.exe"="winnook"

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "desktop.html" 6/2/2005 10:00:01 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-3307934722-3952226031-1939962083-68189\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\WINDOWS\\desktop.html"

#4
Wizard
Retired Staff, 5,661 posts
Sorry it took so long to respond!

If you haven't already, download Ad-Aware SE 1.06 >> Please wait until Safe Mode to run it!
Ad-Aware SE 1.05
http://www.bleepingc...showtutorial=48

The link will tell you how to Install>Update>Configure and Scan!

CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Right-Click Here and Save As to download DelDomains.inf to your desktop.
To use: "RIGHT-CLICK" DelDomains.inf on your desktop and select "Install"

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. This must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Locate and Delete

C:\WINDOWS\system32\winnook.exe<< File!

C:\WINDOWS\desktop.html<< File!

C:\WINDOWS\system32\lapfgwmi.exe<< File!

C:\WINDOWS\system32\ltwcrt20.exe<< File!

C:\Program Files\AntiVirus Gold<< If it exist!!!

For anything you have trouble locating >> Click Start >> Click Search >> Configure like this:

Select All Files and Folders >> Select Advanced Options >> Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders

Now under All Files and Folders, enter the entry you can't locate!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [vs9Q3qX] ltwcrt20.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe

O4 - HKCU\..\Run: [eBq4RkbqS] lapfgwmi.exe

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Now scan the PC with Ad-Aware and remove all it finds, and make sure to delete all quarantined files!

Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "Yes" to Logoff!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post the Results from Panda and Post them along with a fresh HijackThis log!
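The triage Wizard applies above (a hosts file redirect, an orphaned URLSearchHook, Run entries with random-looking names, and a per-user Run entry launching from system32) can be written down as checks over HijackThis log lines. The Python below is an added example, not code from this thread or from HijackThis; the sample lines are constructed from the log posted above, and the allow-list of per-user system32 autostarts (just ctfmon.exe) is an assumption.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log posted in
# this thread; it is not the poster's complete log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [vs9Q3qX] ltwcrt20.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Intel system tool] C:\\WINDOWS\\system32\\winnook.exe
O4 - HKCU\\..\\Run: [eBq4RkbqS] lapfgwmi.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# A Run value name made of digits and mixed case with no readable word, e.g. vs9Q3qX.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")
# Assumed allow-list: per-user autostarts that legitimately point into system32 on XP.
HKCU_SYSTEM32_ALLOW = {"ctfmon.exe"}


def split_target(target):
    """Return (directory, executable), both lower-cased, from an O4 target, dropping arguments."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', target, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else target.split()[0]
    return ntpath.dirname(path).lower(), ntpath.basename(path).lower()


def triage(log_text):
    """Return [(line, reason)] for entries a helper would review, using the
    rules applied in this thread."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O1 - Hosts:"):
            findings.append((line, "hosts file entry redirects a hostname"))
        elif line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
            findings.append((line, "URLSearchHook whose DLL is missing"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup entries are not covered by these rules
            directory, exe = split_target(m.group("target"))
            if RANDOM_NAME_RE.match(m.group("name")):
                findings.append((line, "random-looking Run value name"))
            elif (m.group("hive") == "HKCU" and directory.endswith("\\system32")
                  and exe not in HKCU_SYSTEM32_ALLOW):
                findings.append((line, "per-user Run entry launching from system32"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```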

#5
rmoore8538 (Topic Starter)
New Member, 3 posts
I got it!! After doing all you stated above, I was able to select my properties tab again from the desktop. The fix you gave me got rid of the large words on my desktop, but the background was still gray and changed to white whenever I moved my cursor. I was able to select properties, customize desktop, then web, and there it was plain as day: a locked icon named SecurityV2. I deleted it and back came my beautiful desktop. Thanks for all the assistance, and please note the fix for others along with your assistance.

ron

#6
Wizard
Retired Staff, 5,661 posts
Well done Mr Ron!!!! :tazz:

If you navigate to this key in the registry
HKEY_USERS\S-1-5-21-3307934722-3952226031-1939962083-68189\Software\Microsoft\Internet Explorer\Desktop\Components

Can you tell me how many folders are labeled with a number?

After you look, go ahead and merge Grinler's reg fix for these bugs into your registry.

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

Install these 2 programs

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and let's have a look at the Panda scan results!
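The count Wizard asks for can be read straight off a RegSrch.vbs export, which is plain REGEDIT4 text like the one posted in #3. This Python parser is an added example, not part of the thread or of Bill James's tool; the export it reads is constructed (placeholder SID, and a second component with a picture Source added for contrast), and the rule that a component whose Source is an .htm/.html file is the one to review follows from the desktop.html entry found in this thread.

```python
import re

# Constructed REGEDIT4 export in the shape RegSrch.vbs produced in this thread.
# The SID is a placeholder and component 0 is added for illustration.
SAMPLE_EXPORT = r"""REGEDIT4
; Registry search results for string "desktop.html" (constructed sample)

[HKEY_USERS\S-1-5-21-PLACEHOLDER-SID\Software\Microsoft\Internet Explorer\Desktop\Components]

[HKEY_USERS\S-1-5-21-PLACEHOLDER-SID\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Documents and Settings\\user\\My Pictures\\wallpaper.jpg"

[HKEY_USERS\S-1-5-21-PLACEHOLDER-SID\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\WINDOWS\\desktop.html"
"""

# Matches only the numbered subkeys, not the Components parent key itself.
COMPONENT_KEY_RE = re.compile(
    r"^\[HKEY_[^\]]*\\Internet Explorer\\Desktop\\Components\\(?P<index>\d+)\]$",
    re.IGNORECASE,
)
# A REGEDIT4 string value: "name"="data", with backslashes and quotes escaped by \.
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def active_desktop_components(export_text):
    """Return {index: source} for every numbered Desktop\\Components subkey in the export."""
    components = {}
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = COMPONENT_KEY_RE.match(line)
            current = int(m.group("index")) if m else None
            if current is not None:
                components.setdefault(current, None)
        elif current is not None:
            m = STRING_VALUE_RE.match(line)
            if m and m.group("name").lower() == "source":
                # Undo REGEDIT4 escaping: \\ becomes \ and \" becomes "
                components[current] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return components


def html_components(components):
    """Indices whose Source is an HTML page, as the desktop.html component was here."""
    return sorted(i for i, src in components.items()
                  if src and src.lower().endswith((".htm", ".html")))


if __name__ == "__main__":
    comps = active_desktop_components(SAMPLE_EXPORT)
    print(f"{len(comps)} numbered component(s); review: {html_components(comps)}")
```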