[sumitk]

Hi DK. Looks like we are almost there. I skipped the smitfraud step that you recommended (I skipped the message by mistake).

I did the last registry step that you recommended and now my Task Mager is active :-)

The only thing that looks a little funky is that the icons on the desktop have a ble background. Could this be harmful?

What should be my next step? Should I post a log for you to confirm that my system is finally CLEAN!

I cant thank you enough for your help.

Regards

[Advertisements]

Hmm...Please post a new HijackThis log.

As to the blue backround on the icons...Try looking through the desplay properties for it....

dk

[Danny]

Hmm...Please post a new HijackThis log.

As to the blue backround on the icons...Try looking through the desplay properties for it....

dk

[sumitk]

Hi DK. Please find attached the latest HijackThis log below.

As far as the desktop Icons, I tried changing the desktop properties but that did not help. It almost looks like the icons have been "clicked on". So instead of the usual transparent background, the icon has a blue background. If there is a way for me to send you a screen snapshot of this, please let me know. Thanks!

------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:08:35 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\Sumit Khanna\Desktop\VIRUS REMOVAL\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://offers.turbot...con.htm?id=amol
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [POINTER] "point32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...416/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9083052-2F13-4CEE-8213-6CB611437D72}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-----------------------------------
Thanks!

[Danny]

Hi,

Everything looks great --- your HijackThis log is completely clean.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections.

Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems:

1) Please navigate to http://update.microsoft.com/ and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. Your current versions are outdated. I cannot stress enough how important this is.


2) In order to protect yourself against spyware, you should consider installing and running the following free programs:



Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.


Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.


SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.


3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. A good free firewall is ZoneAlarm.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

dk

[sumitk]

Hi DK. Thanks a ton. I am very grateful to you for helping me with my issues. I will definitely take the steps you have recommended.

One last question for you... while I was searching the microsoft website for why my desktop icons appear funky... this is an article I found but the solution that they have recommended does not work on my PC.

http://support.micro...kb;en-us;305117

Any ideas?

And lastly, would you recommend that I delete any of the virus removal tools that I have installed over the last week.. example hijackthis & smitfraud?

Thanks & Regards

Edited by sumitk, 15 June 2005 - 10:15 PM.

[Danny]

Hi,

It might be a good idea to delete the .reg's, because you can always get them back. It's a good idea to keep HijackThis.

About your other problem, try this:

Go to your display properties, then click on the "Desktop" tab. Now click on the "Customize Desktop" button. Then click on the "Web" tab. Uncheck anything that's inside the box.


See if that works...

dk

[sumitk]

Just tried it. There is nothing under the "Web" tab so I guess thats not the issue.

As far as removing the reg's should I just delete it from the folder where I was saving them or is there a better way ("Add/remove Programs")?

Thanks & Regards!

[Danny]

Hmm...Interesting..You can just delete the .reg's...

If there is a way for me to send you a screen snapshot of this, please let me know

Ok..Just press the "Print Screen" button at the top of your keyboard (This won't print your screen). Then open up your favorite image editor, and then press "Control + V".

Then save it and attach the image here.

[sumitk]

Hi again. I am attaching a screen shot of the desktop as requested:


Thanks!

Attached Thumbnails

• 

[Danny]

Hm...I searched for the answer...so try this:

Right click on My Computer > select Properties > Advanced tab> Performance > Settings > Visual Effects tab > scroll down to Use Drop Shadows for Icon Labels on Desktop > check the box > click Apply.

dk

[sumitk]

Hi DK. I tried the above step but it didnt help.

I have several "User Accounts" on this PC and I logged into another one and the Icons are fine!

So I went ahead and setup a new account for myself and manually moved all the files that I needed.

Then I tried to delete the old user account from the PC using the control pannel but the function keeps hanging up on me. I get a "Not Responding" after a few minutes!

So I set up yet another dummy account and then tried deleting it... and it worked! So looks like that windows is having trouble deleting the infected account.
I then tried looging into the safe mode to delete this account but this account does not even show up as one of the existing accounts! But when I go back to the normal mode, I see it as one of the existing accounts.

Any suggetions?

Thanks!

Edited by sumitk, 19 June 2005 - 07:31 AM.

[njustice]

Hello sumitk,

Download THIS file to your desktop.

Reboot to safe mode.

Double click the exe to unzip it to the desktop

Open the new smitfraud folder and double click on sm.bat, its the one with the gear icon.

Reboot to Normal mode and post a HijackThis log.