
Smithfraud (I think?) [RESOLVED]



#31
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I have gone back to the experts for their opinion. I am trying to save you from installing what is called the .NET Framework if possible. I have it on my system, but not everyone needs it.

We'll see

Off to bed for me

Trevuren
  • 0


#32
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts

Go to Start > Control Panel then double-click Add/Remove programs

Scroll down the list and look for "Microsoft .NET Framework v#####" and find out what those numbers are and you will see if they have 1.1 or not. If not, then they need to download .NET Framework 1.1 from the Windows Update site, then apply that patch.


Info from Bananafanafo.


Trevuren

  • 0

#33
Summer_24

    Member

  • Topic Starter
  • 114 posts
Ok, I do not have anything that has that in my add/remove programs, this is what I have:
Ad-Aware SE Personal, Adobe Download Manager 2.0 (remove only), Adobe Photoshop Album 2.0 starter edition, Adobe Reader 7.0, AOL Instant Messenger, Broadjump Client Foundation, Canon S300, DiamondCS TDS-3, Display Utility, Ewido Security Site, HijackThis 1.99.1, LiveReg (Symantec Corporation), LiveUpdate 2.6 (Symantec Corporation), Microsoft Office XP Standard for Teachers and Students, Norton Antivirus 2005 (Symantec Corporation), Spybot - Search & Destroy 1.4, SpyCatcher 3.0, TrojanHunter 4.2, Websearch Toolbar, Windows Installer 3.1 (KB893803), Windows XP Hotfix (KB842773), Yahoo! Extras, Yahoo! Toolbar, Yahoo! Internet Mail, Yahoo! Messenger Explorer Bar, Yahoo! Messenger

Where do I go to find this .NET Framework 1.1 to download/install the patch...and are there specific instructions for me to follow? I don't want to make any mistakes. Thanks a bunch,
Summer
  • 0

#34
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Microsoft .Net Framework can be downloaded from HERE

2. The patch can be found on the link I provided yesterday.


Trevuren
  • 0

#35
Summer_24

    Member

  • Topic Starter
  • 114 posts
Ok, I got both of those successfully downloaded for you. What's next?
  • 0

#36
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please run the following program:
  • Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
    http://www.mvps.org/.../DelDomains.inf
  • Save the file to the desktop.
  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer, and post a new HijackThis log.
Trevuren
  • 0

#37
Summer_24

    Member

  • Topic Starter
  • 114 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:44:24 PM, on 7/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Toolbar\TBPS.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\Toolbar\PIB.exe
d:\PROGRA~1\Toolbar\radio.exe
D:\Program Files\SpyCatcher\DeleteSatellite.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\PROGRA~1\AIM\aim.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\SpyCatcher\Protector.exe
D:\Program Files\SpyCatcher\Scheduler daemon.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\WINDOWS\TEMP\QXaCAhep.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "D:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Protector.lnk = D:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = D:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121549626671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - D:\PROGRA~1\Toolbar\TBPSSvc.exe
  • 0

#38
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please, if you are unable to complete a part of the procedure, STOP and ask questions. This procedure is essential.

1. We want to stop, disable and delete an added service (O23)

To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>WebSeach Toolbar support NT service
  • Click once on the service to highlight it.
  • Click Stop (There are two items of text in the upper right hand corner of the "pane"). They are start (in blue) and Resume (in blue).
  • Once the stop link is clicked, Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to Start > Control Panel > Folder Options > View (tab)
*Choose to "show hidden files and folders,"
*Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with OK
*All hidden files will now be visible

Please RUN HijackThis.
*Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe /boot
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - D:\PROGRA~1\Toolbar\TBPSSvc.exe


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

D:\PROGRAM FILES\Toolbar <=== Folder and all its content
D:\WINDOWS\TEMP\QXaCAhep.exe

Exit Explorer.

3. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type TBPSSvc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept
5. REBOOT back into Normal Mode


4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0
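The selection logic behind the fix list in post #38, as an added example that is not part of the original thread: a short Python triage of HijackThis log lines that flags an O2 BHO with no file, an O23 service with "Unknown owner", and a process running from TEMP, then pivots to every other entry loading from the unowned service's folder. The function names and the three heuristics are assumptions made for illustration; the sample lines are excerpted from the log in post #37.

```python
import re

# Excerpt of the HijackThis log posted in #37 (paths and CLSIDs as on the page).
SAMPLE_LOG = r"""
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Toolbar\TBPS.exe
D:\WINDOWS\TEMP\QXaCAhep.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe /boot
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - D:\PROGRA~1\Toolbar\TBPSSvc.exe
"""

# First drive-rooted path on a line that ends in a binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.I)
PROCESS_RE = re.compile(r'[A-Za-z]:\\')  # "Running processes" lines are bare paths

def folder_of(line):
    """Lower-cased directory of the first binary path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0).rsplit("\\", 1)[0].lower() if m else None

def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings, suspect_dirs = {}, set()
    for line in lines:
        reasons = []
        if line.startswith("O2 ") and line.endswith("(no file)"):
            reasons.append("BHO registered but its file is missing")
        if line.startswith("O23 ") and "- Unknown owner -" in line:
            reasons.append("service binary has no owner string")
            suspect_dirs.add(folder_of(line))
        if PROCESS_RE.match(line) and "\\temp\\" in line.lower():
            reasons.append("process running from a TEMP directory")
        if reasons:
            findings[line] = reasons
    # Pivot: flag everything else that loads from an unowned service's folder.
    # 8.3 short names (PROGRA~1) are compared as written, not expanded.
    for line in lines:
        d = folder_of(line)
        if line not in findings and d and d in suspect_dirs:
            findings[line] = ["shares a folder with an unowned service"]
    return findings
```

On this excerpt `triage(SAMPLE_LOG)` flags seven lines: the five entries checked in post #38 plus the two running processes behind them, and none of the Symantec or Windows entries.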

#39
Summer_24

    Member

  • Topic Starter
  • 114 posts
I tried to stop the program again and got the message: "could not stop the websearch toolbar support NT service service on local computer. Error 1053: the service did not respond to the start or control request in a timely fashion." ???

I can get it stopped, but every time I click on the disabled button, it changes it back to "automatic."

Edited by Summer_24, 20 July 2005 - 09:42 PM.

  • 0

#40
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I am running out of solutions. Before going back to the experts, I need you to provide me with a list of installed programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.
Trevuren
  • 0


#41
Summer_24

    Member

  • Topic Starter
  • 114 posts
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AOL Instant Messenger
BroadJump Client Foundation
Canon S300
ccCommon
DiamondCS TDS-3
Display Utility
ewido security suite
Hijackthis 1.99.1
HijackThis 1.99.1
Internet Worm Protection
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office XP Standard for Students and Teachers
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
SPBBC
Spybot - Search & Destroy 1.4
SpyCatcher 3.0
Symantec
Symantec Script Blocking Installer
SymNet
TrojanHunter 4.2
WebSearch Toolbar
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB842773
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
  • 0

#42
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I hate to suggest this because it goes against everything I stand for. I usually refuse to use uninstallers from the company that did the infection in the first place. It is like looking for more trouble.

Have you tried using Add/Remove programs? If it works, it may be easier for us to clean up your system with smaller stuff.

Think about it. I gave you the pros and the cons. I have to leave this one up to you.

Trevuren
  • 0

#43
Summer_24

    Member

  • Topic Starter
  • 114 posts
I am willing to try whatever I can since nothing else seems to work.
  • 0

#44
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Try and Uninstall it through Add/Remove Programs, then Reboot and post a log please.


Trevuren
  • 0

#45
Summer_24

    Member

  • Topic Starter
  • 114 posts
What is the name of the file that I am supposed to delete, because I don't see anything with that specific name.
  • 0





