smitfraud headaches

#16 illin (Member, Topic Starter, 18 posts)
Excal, thanks for re-opening this. I guess I'd better get this over with, besides, I think my spouse is about to call in help on me :tazz:

Here's what I was able to do:

-copied all the programs over
-unzipped SpSeHjfix
-ran cleanup installer
-set up about:buster but "check for updates" did nothing (IE problem still?)
-opened cwshredder, but check for updates did nothing
-confirmed could see hidden files, etc.
-rebooted in safe, ran cwshredder, it didn't find any "CW..."'s, but it did remove 2 IE links (?) and did two other one-line items at the end
-ran hjt and checked as listed, except 1,2,4,5,6, and 8 items do not appear anymore to check. I also checked three O9 comcast items that were associated with some stuff that was removed a while ago
-ran about:buster, log attached
-ran SpSeHjfix, log attached
-ran cleanup!, rebooted (actually re-logged on first, still in safe mode, then rebooted into normal mode)
-tried activescan link again- got blank IE window again at first, then file called "redir" tried to download. I cancelled, then re-clicked on link. This time file called "activescan.html" or something tried to download, to which I said yes. Nothing more happened, so repeated, including re-boot- no change.
-ran hjt again, log attached
-in general, IE opens, but still no search bar. no longer auto-opens on boot (good). file search and control panel still not working.

Thanks again for the help,
illin

about:buster log:
AboutBuster 5.0 reference file 28
Scan started on [8/28/2005] at [11:01:24 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\dasetup.log:jtwxv
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:wmzjr
Removed Stream! C:\WINDOWS\hauvd.dat:pjxwl
Removed Stream! C:\WINDOWS\hpomdl03.dat:oihwz
Removed Stream! C:\WINDOWS\Instlog.lyt:iwamnr
Removed Stream! C:\WINDOWS\KB823980.log:tbsct
Removed Stream! C:\WINDOWS\KB825119.log:lulioz
Removed Stream! C:\WINDOWS\KB835732.log:yxcrld
Removed Stream! C:\WINDOWS\KB837001.log:qoccsz
Removed Stream! C:\WINDOWS\KB840374.log:ipvimj
Removed Stream! C:\WINDOWS\KB841533.log:bqfngu
Removed Stream! C:\WINDOWS\KB873339.log:tjysiw
Removed Stream! C:\WINDOWS\KB873376.log:majtmp
Removed Stream! C:\WINDOWS\ocgen.log:avxwep
Removed Stream! C:\WINDOWS\ODBCINST.INI:svpjyz
Removed Stream! C:\WINDOWS\ozbqb.txt:yewtdr
Removed Stream! C:\WINDOWS\Q327979.log:hbkvd
Removed Stream! C:\WINDOWS\Q331958.log:uvgvi
Removed Stream! C:\WINDOWS\sessmgr.setup.log:mmmqw
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:hxrlgy
Removed Stream! C:\WINDOWS\tbsct.dat:aykqij
Removed Stream! C:\WINDOWS\tsc.ptn:sycedt
Removed Stream! C:\WINDOWS\vb.ini:lzvjfw
Removed Stream! C:\WINDOWS\vmuninst.log:suvsqz
Removed Stream! C:\WINDOWS\wiaservc.log:kmnytj
Removed Stream! C:\WINDOWS\WindowsUpdate.log:cngdnt
Removed Stream! C:\WINDOWS\_default.pif:ebvtb
Removed Stream! C:\WINDOWS\_default.pif:mekwb
Removed Stream! C:\WINDOWS\_default.pif:zxamn
------------------------------------------------
Removed File! : C:\Windows\hauvd.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:02:00 AM


SPSeHjFix log:

(8/28/05 11:05:10 AM) SPSeHjFix started v1.1.2
(8/28/05 11:05:10 AM) OS: WinXP Service Pack 1 (5.1.2600)
(8/28/05 11:05:10 AM) Language: english
(8/28/05 11:05:10 AM) Win-Path: C:\WINDOWS
(8/28/05 11:05:10 AM) System-Path: C:\WINDOWS\System32
(8/28/05 11:05:10 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(8/28/05 11:05:24 AM) Disinfection started
(8/28/05 11:05:24 AM) Bad-Dll(IEP): (not found)
(8/28/05 11:05:24 AM) Bad-Dll(IEP) in BHO: (not found)
(8/28/05 11:05:24 AM) UBF: 7 - UBB: 1 - UBR: 12
(8/28/05 11:05:24 AM) UBF: 7 - UBB: 1 - UBR: 12
(8/28/05 11:05:24 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(8/28/05 11:05:24 AM) Stealth-String not found
(8/28/05 11:05:24 AM) Not infected->END

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:11 PM, on 8/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Keyboard Mouse Tool\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Keyboard Mouse Tool\MMKEYBD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#17 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Edit - do the updates one below......

Edited by Excal, 29 August 2005 - 08:55 AM.


#18 illin (Member, Topic Starter, 18 posts)
Excal, oops on the IE- I meant address bar. I just get the window title and "File/Edit/View/etc" line, no buttons or address bar or google tool bar. I'll try the regedit tonight when I get home- thanks,

illin

#19 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT4.


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsof...earch.asp?p=%s"
"provider"=""
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn...t/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn...t/srchcust.htm"
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

reboot and let me know.


thanks,

:tazz:

Excal

#20 illin (Member, Topic Starter, 18 posts)
Excal, ok, it asked me if I wanted to add the contents of the file to my registry, which I did. I rebooted, but the file search, control panel, and IE address bar are all still not working. I also tried the pandascan link, but it didn't work either.

illin

#21 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
go to start>run and copy and paste this in.

regedit /e C:\search.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies"

Paste the results in your next post (file will be C:\search.txt)

#22 illin (Member, Topic Starter, 18 posts)
Ok, here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoControlPanel"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

#23 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Do you have this problem on your other accounts?

go to start>run and copy and paste this in.

regedit /e C:\search1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies"

Paste the results in your next post (file will be C:\search1.txt)

#24 illin (Member, Topic Starter, 18 posts)
Excal, I guess some background is in order. I have only one machine at home. We have two work laptops which we bring home occasionally that I've been using to work on this. The internet connection at home is via a Comcast cable modem and 802.11b hub (but via a wired ethernet connection, not wireless for the sick machine). The sick computer is an HP P4, about a year old, running XP with SP1a. When the virus crashed everything I initially tried to remove it manually. I may have deleted one or two registry keys (eek!) if something is missing that you are looking for. I don't use any logon name or password- it only has one windows "account" if that's what you mean. As far as I-net goes, it is auto-logon as far as I understand. I'm not sure- does this help answer your question? Thanks! Here's the last search results:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=hex:00,00,00,00
"NoFind"=dword:00000000
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System]

#25 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Are the control panel and search feature grayed out? Or you just can't use them....I am a little confused on that now.

:tazz:

Excal

#26 illin (Member, Topic Starter, 18 posts)
Excal, when I click on Start and then mouse over "Settings" or "Search", the sub-directories appear normally, including the words "Control Panel" and "For Files or Folders...", but if I click on either of them, nothing happens.

illin

#27 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme2.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT4.


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFind"=-
"NoControlPanel"=-



Locate fixme2.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

reboot and please test them out.

#28 illin (Member, Topic Starter, 18 posts)
Excal, ok, I was able to merge the text, but when I rebooted there was no change :tazz: -argh!

illin

#29 illin (Member, Topic Starter, 18 posts)
Excal, is there some way I should check to see if the registry was properly updated? On your question earlier on the matter of log-ins, I do get a screen during boot-up in safe mode where I have the option of logging in as Administrator or Owner. I've tried both, but the Owner setting gets the longer list of stuff when I run an HJT log, so I've been using that. The option only appears when using safe mode though.

As a matter of curiosity, is the loss of search and the control panel typical of smitfraud or one of the other programs that it allows in? I did notice that nvidia's desktop manager was trying to run (or install- can't remember?) when I was trying to initially get my desktop back. I don't remember whether HP shipped the computer with this software, but it's not something I've ever used or want to see running on the computer. To my understanding, this program has the ability to create mirror desktops and transparent desktops. Could this be a factor?

Thanks,
illin
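The .reg files Excal posted in #19 and #27 and illin's question in #29 about how to tell whether a merge actually took come down to the same two things: reading .reg syntax correctly (`"name"=-` deletes a value, `[-KEY]` deletes a key and everything under it) and comparing the intended result with a later `regedit /e` export of the same branch, which is exactly what the `regedit /e C:\search.txt ...` commands in #21 and #23 produce. The Python below is an added example written for this thread, not a tool from the thread, from Grinler or from Geeks to Go. It parses both the `REGEDIT4` and `Windows Registry Editor Version 5.00` forms, replays the operations a file would perform, and reports for each value whether an export shows the intended state. `FIXME2_REG` is the file from #27; `EXPORT_BEFORE` and `EXPORT_AFTER` are constructed to mirror the shape of the HKCU policies export in #24, and all function names are my own.

```python
"""Dry-run a .reg file and check a later 'regedit /e' export against it.
Added example for this thread; the sample texts at the bottom are constructed
to mirror fixme2.reg and the HKCU policies export, not taken from a machine."""
import re

HEADERS = ('REGEDIT4', 'Windows Registry Editor Version 5.00')
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def _unquote(s):
    return s[1:-1].replace('\\"', '"').replace('\\\\', '\\')

def parse_data(raw):
    """Decode "name"=... data; None stands for "name"=- (delete the value)."""
    raw = raw.strip()
    if raw == '-':
        return None
    if raw.startswith('"'):
        return ('str', _unquote(raw))
    kind, _, body = raw.lower().partition(':')
    if kind == 'dword':
        return ('dword', int(body, 16))
    if kind.startswith('hex'):                          # hex: and hex(N): byte lists
        return ('hex', bytes(int(b, 16) for b in body.split(',') if b.strip()))
    raise ValueError(f'unsupported data: {raw!r}')

def parse_ops(text):
    """Ordered operations regedit would perform: ('delkey', key), ('key', key),
    ('set', key, name, data) or ('delval', key, name).  Keys and names are
    lower-cased because the registry compares them case-insensitively."""
    ops, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line in HEADERS:
            continue
        m = KEY_RE.match(line)
        if m:                                           # [-KEY] deletes, [KEY] creates/selects
            current = None if m.group(1) else m.group(2).lower()
            ops.append(('delkey', m.group(2).lower()) if m.group(1) else ('key', current))
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f'cannot parse line: {line!r}')
        name = '@' if m.group(1) == '@' else _unquote(m.group(1)).lower()
        data = parse_data(m.group(2))
        ops.append(('delval', current, name) if data is None else ('set', current, name, data))
    return ops

def final_state(ops):
    """Replay ops into {key: {name: data}}; data None marks a value meant to be absent."""
    state = {}
    for op in ops:
        if op[0] == 'delkey':                           # drops the key and everything below it
            for k in [k for k in state if k == op[1] or k.startswith(op[1] + '\\')]:
                del state[k]
        elif op[0] == 'key':
            state.setdefault(op[1], {})
        else:
            state.setdefault(op[1], {})[op[2]] = op[3] if op[0] == 'set' else None
    return state

def check_export(fix_text, export_text):
    """(description, applied) for each value the fix touches under the export's root key."""
    wanted = final_state(parse_ops(fix_text))
    export_ops = parse_ops(export_text)
    root = next(op[1] for op in export_ops if op[0] == 'key')
    have = final_state(export_ops)
    results = []
    for key, values in wanted.items():
        if key != root and not key.startswith(root + '\\'):
            continue                                    # the export did not cover this key
        for name, data in values.items():
            present = key in have and name in have[key]
            if data is None:
                results.append((f'{key}\\{name} removed', not present))
            else:
                results.append((f'{key}\\{name} = {data}', present and have[key][name] == data))
    return results

FIXME2_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFind"=-
"NoControlPanel"=-
"""

# Constructed: same shape as the HKCU export in the thread, before and after the merge.
EXPORT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=hex:00,00,00,00
"NoFind"=dword:00000000
"NoControlPanel"=dword:00000000
"""
EXPORT_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=hex:00,00,00,00
"""

if __name__ == '__main__':
    for label, export in (('before merge', EXPORT_BEFORE), ('after merge', EXPORT_AFTER)):
        print(label, [(d, 'ok' if ok else 'NOT applied') for d, ok in check_export(FIXME2_REG, export)])
```

Run against the "before" export, which carries `NoFind` and `NoControlPanel` at `dword:00000000` like the export in #24, the checker reports both deletions as not applied; against the "after" export, where the values are gone, both pass. Two details worth keeping in mind when using exports this way: regedit compares key and value names case-insensitively, which is why the parser lower-cases them, and a `REGEDIT4` file must be saved from Notepad as ANSI text, whereas the `Version 5.00` form that `regedit /e` writes is Unicode. Note also that for these two Explorer policies a dword of 0 means the restriction is off, so the values shown in the exports in #22 and #24 were already not restricting Search or Control Panel.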

#30 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Let's just double check this.

Please right-click:

HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

reboot and check the status.


Thanks,

:tazz:

Excal