smitRem - runthis.bat


This topic is locked

#1 phoam
Member, 26 posts
I can normally solve these problems, but the ones I've encountered lately are a pest. The latest infection has affected my desktop wallpaper and will not allow me to run Internet Explorer (using Mozilla Firefox right now).

The latest infection does not show up in a HijackThis scan, but Norton 2005 detects it (but is unable to fix/clean it). It's located in my wininet.dll file (in my system32 folder).

The older infections, I have attempted to remove numerous times, but they continue to come back.

Thanks for any help...(it will be a miracle to see all of this removed!)

Logfile of HijackThis v1.99.1
Scan saved at 6:57:52 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

//Edit: Removed logfile. Posted below

Edited by phoam, 19 July 2005 - 08:52 AM.

#2 phoam (Topic Starter)
Member, 26 posts
So I'm dealing with bloodhound, farmmext, and whatever else may be on my PC and as suggested in past threads, I've...

Booted in safe mode.
Deleted winstall.exe and combo.dll
Run smitRem (runthis.bat)

--at this point wininet.dll is detected as an infected file, searches for a clean copy to replace it with, but a clean copy for replacement is not found.


Once I know of a way to successfully complete the above and have the infected wininet.dll removed, I'll run Ad-Aware SE and Ewido. Then reboot and run an online virus scan. Until then, can someone suggest a solution for replacing the infected wininet.dll file?

#3 phoam (Topic Starter)
Member, 26 posts
I simply need advice. I can't for the life of me solve the issues with my PC. Any help...

Logfile of HijackThis v1.99.1
Scan saved at 11:58:54 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.etree.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe
O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,130 posts
Hello Taylor and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

Firstly could you please disable both SpyKiller and Spyware Doctor from running during the fix; they may just hinder our attempts to change anything. Please note that you should only have one anti spyware programme running in “real-time”. Please use any other spyware detecting programmes as “on demand” programmes.

The same applies to antivirus programmes too. You have both AVG and Norton antivirus running in real-time. Please uninstall one of them; they will cause conflicts and slow down your PC.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CWShredder
CCleaner

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, and let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
F3 - REG:win.ini: load=?????? ?????? ????
O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe
O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\WINNT\tgbcde\

Please delete these files (if present) using Windows Explorer:

c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
C:\WINNT\System32\ap9h4qmo.exe
C:\WINNT\System32\dfsshlex.exe
C:\WINNT\System32\dp-him.exe
C:\WINNT\System32\mpnpmgru.exe
C:\WINNT\System32\pgvoutm.exe
C:\WINNT\System32\pntask.exe
C:\WINNT\farmmext.exe
sysupdt32.exe
mmtask.exe
(use SEARCH to find these two files)

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Just in case any remain and to be certain, please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and I will take another look.
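The fix in post #4 picks out, from the log in post #3, the startup entries that do not belong: executables dropped in the user's temp folder, Run values that are bare file names with no directory, short random-looking names with digits wedged into them, and a service whose binary is missing from disk. As an added example (not part of this thread, of HijackThis or of smitRem), here is a small Python triage script that applies those same rules to HijackThis O4 and O23 lines. The sample lines are copied from the log posted above; the rule names, the 8-character stem limit and the helper names are my own assumptions.

```python
"""Triage HijackThis O4 (Run key) and O23 (service) lines for entries a
malware helper would look at first.  Hypothetical helper, not HijackThis code."""
import re
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 - Service: Display Name (ShortName) - Owner - C:\path\file.exe [(file missing)]
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - '
    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# First .exe in the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)


def _suspicious_stem(stem: str) -> bool:
    """Short file name with digits wedged between letters (ap9h4qmo, f4B77n).
    Trailing digits (hpotdd01, sysupdt32) are common in legitimate names and
    are deliberately not matched.  Heuristic only; assumption: stems <= 8 chars."""
    return len(stem) <= 8 and re.search(r'[a-z]\d+[a-z]', stem) is not None


def _path_reasons(path: str) -> List[str]:
    """Reasons a startup executable's location or name deserves a closer look."""
    reasons = []
    low = path.lower()
    if '\\' not in path:
        reasons.append('bare file name: no directory, located by PATH search at logon')
    if '\\temp\\' in low:
        reasons.append('runs from a temporary directory')
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if _suspicious_stem(stem):
        reasons.append('digits wedged between letters in a short file name')
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the O4/O23 entries that trip at least one rule, in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m['cmd'])
            path = exe['path'] if exe else m['cmd']
            reasons = _path_reasons(path)
            if reasons:
                findings.append({'kind': 'O4', 'hive': m['hive'], 'name': m['name'],
                                 'path': path, 'reasons': reasons})
            continue
        m = O23_RE.match(line)
        if m:
            reasons = _path_reasons(m['path'])
            if m['missing']:
                reasons.append('service points at a binary that is not on disk')
            if reasons:
                findings.append({'kind': 'O23', 'name': m['name'] or m['display'],
                                 'path': m['path'], 'reasons': reasons})
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Just the value/service names that were flagged."""
    return [str(f['name']) for f in triage(log_text)]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['name']}] {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

On the sample above the script flags System Update, vjOSw0, f4B77n, ap9h4qmo and the MMtaskEngine service, and leaves the HP, QuickTime and iPod entries alone. It is a first pass, not a verdict: the tgbcde entry (a normally named module32.exe in an odd folder) slips through, and a bare-name entry such as DeltTray.exe in the full log would be flagged even though it is a known HP utility, which is exactly why the helper's own knowledge of what is normal still decides what goes on the Fix Checked list.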

#5 phoam (Topic Starter)
Member, 26 posts
Thank you for the detailed instructions. However, problems still exist. The following steps were taken:

1. Removed AVG
2. Ran Fix on the noted files listed in HijackThis
3. Reboot in Safe Mode
4. tgbcde was present and deleted
5. Of the others, only mmtask.exe was present (& deleted)
6. Reboot
7. Ran CCleaner
8. Ran Disk Cleanup
9. In the Temp folder, only present file was "hpotdd000.txt" and was not removable

Everything listed in a HijackThis scan is replacing itself. Every step in your instructions was taken. The only change is the style of my windows explorer appearance. I still can not open internet explorer and my desktop wallpaper is affected.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:16 AM, on 7/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.etree.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
F3 - REG:win.ini: load=??? ??? ??? ? ? ?????
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe
O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,130 posts
Hello again Taylor

Thanks for the info. It is uncanny that your fresh HJT log is quite similar to the last one. It is therefore evident that something is preventing the proposed changes. Generally this behaviour is caused by antispyware programmes (sometimes antivirus) not allowing the registry to be altered.

In my previous fix, I requested that you disable both antispyware programmes for the fix, however, I note that they are still both active in start-up. Perhaps we can start there and work on it from that point.

The other point I need to check is that you have administrator’s rights and that this PC is a single identity with no one else having their own settings.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
Spybot S&D
Ad-Aware
cwsserviceemove.reg file

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

MMtask Engine (MMtaskEngine)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

MMtaskEngine

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Please copy the text from this link (Smitfraud.reg) into Notepad, save it as Smitfraud.reg to your Desktop, then right click on it and choose MERGE.

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will now go to the main screen
  • Click on Start
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please install Spybot search & destroy, open it, update it, immunize it, and perform a scan. When it has completed, ensure that you check everything it finds coloured Red only before clicking Fix Selected Problems. If Spybot requests starting again at reboot to clear memory resident malware, please ensure you click YES, giving it permission to do so.

Install Ad-Aware and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page.

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
F3 - REG:win.ini: load=?????? ?????? ????
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe
O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

sysupdt32.exe
mmtask.exe
C:\WINNT\System32\pntask.exe
c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
C:\WINNT\System32\dp-him.exe
C:\WINNT\System32\pgvoutm.exe
C:\WINNT\System32\mpnpmgru.exe
C:\WINNT\System32\ap9h4qmo.exe
C:\WINNT\farmmext.exe
C:\WINNT\System32\dfsshlex.exe
C:\WINNT\tgbcde\module32.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.

#7 phoam (Topic Starter)
Member, 26 posts
Thanks for continuing to help. One question before I begin the new list of steps...the only place on my PC that SpyKiller or Spyware Doctor show up, is in the HijackThis scan. Therefore, I am unable to find a way to disable them. And fwiw, they appeared on my PC with a previous virus/spyware infection. Numerous Ad-Aware SE & Hijack This scans have not removed them.

If you can provide steps for disabling them, I will proceed with the other steps. Much thanks...

#8 Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,130 posts
Hello again Taylor

It is always difficult to read a victim's ability in terms of computing experience, and so we tend to make things very simple and stay away from registry hacking.

Could you please indicate what you would assess your ability to be? Are you able to backup the registry and delete items within it? I do not wish to ask you to perform tasks that you would not be comfortable doing.

Thanks for the info.

#9 phoam (Topic Starter)
Member, 26 posts

> Could you please indicate what you would assess your ability to be? Are you able to backup the registry and delete items within it?

I am familiar with moving around in the registry. Virus infections force one to learn. :tazz: Do not hesitate to throw just about anything at me.

However, I would appreciate any tips on backing up the registry and avoiding damage.

Once again, your help is greatly appreciated.

#10 Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,130 posts
Hello again Taylor

I suspected that you were familiar with registry from your evident knowledge. I was going to write a batch file to do the job, but since I don't have those programmes on my PC, I would not be able to test its efficiency when written, so let's just delete them.

Let's follow the logic here: HJT sees these entries which are physically not on your PC. HJT reads portions of the registry, ergo these entries are registry resident only. If HJT sees them, then it can also delete them.

Before we go into the registry, let's just do a "belt and braces" approach and ensure that these two programmes are no longer on your PC. Please use the search facility to locate any remnants of SpyKiller and Spyware Doctor. Delete anything found.

Go to START>RUN>type in msconfig>hit ENTER>STARTUP. Remove the checkmark or tick from both of those entries if present. APPLY>OK.

Open HJT and select Open miscellaneous tools section>Generate a startup list log (do not check either box). Examine the log created and look for those two entries again. If they are not there, then our job is done.

Go to START>RUN>type in regedit and hit ENTER. Click FILE>EXPORT>insert the date in your usual format (200705 for me, probably 072005 for you) and save it to a place you'll remember. Click SAVE and wait whilst your registry is exported (backed-Up)

Click EDIT>FIND and type into the box that opens SPYKILLER, ensure the 3 boxes below are checked, Click FIND NEXT. Delete every instance of SPYKILLER and press F3 key to find the next until a full search has been completed. Repeat for SPYWARE DOCTOR.

Reboot normally.

Please download and run Silent Runners

* Please right click this link and choose save (link) as to download:Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Reboot normally and submit a fresh HJT log.
#11 phoam (Topic Starter)
Member, 26 posts
I'm apparently unable to remove these issues without them recreating themselves. Thanks for sticking with me, but the halting problem is that these guys are deleted and reappear.
(Two scan listings pasted below: HijackThis Startuplist & Silent Runners)

Steps taken:

1. General search for Spykiller & Spyware Doctor. No results.
2. msconfig -> Unchecked conflicting programs
3. HijackThis startuplist -> Results listed below
- (Spyware listed as Autorun)
4. Searched registry and deleted all conflicting entries
- (The entries come right back under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
5. Silent Runners results at very bottom

StartupList report, 7/20/2005, 10:12:38 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HP Software Update = C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
DeviceDiscovery = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
DeltTray = DeltTray.exe
AWMON = "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
Write DVD-R! = C:\Program Files\Write DVD!\saimon.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NAV CfgWiz = C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINNT\system32\NeroCheck.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WinampAgent = C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe
PNtask Services = C:\WINNT\System32\pntask.exe
System Update = sysupdt32.exe
MMtask Service = mmtask.exe
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
LaCie USB2 Auto Loader = C:\WINNT\TPPALDR.EXE
vjOSw0 = c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
f4B77n = c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
Dsi = C:\WINNT\System32\dp-him.exe
pgvoutm = C:\WINNT\System32\pgvoutm.exe
mpnpmgru = C:\WINNT\System32\mpnpmgru.exe
ap9h4qmo = C:\WINNT\System32\ap9h4qmo.exe
farmmext = C:\WINNT\farmmext.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
tgbcde = C:\WINNT\tgbcde\module32.exe arg1
dfsshlex = C:\WINNT\System32\dfsshlex.exe
SpyKiller = C:\Program Files\SpyKiller\spykiller.exe /startup
BestPopUpKiller = C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) =

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=??? ??? ??? ? ? ?????
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Weather" = "C:\Program Files\AWS\WeatherBug\Weather.exe 1" ["AWS Convergence Technologies, Inc."]
"BestPopUpKiller" = "C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup" [file not found]
"dfsshlex" = "C:\WINNT\System32\dfsshlex.exe" [file not found]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [file not found]
"tgbcde" = "C:\WINNT\tgbcde\module32.exe arg1" [file not found]
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" [file not found]
"SpyKiller" = "C:\Program Files\SpyKiller\spykiller.exe /startup" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"DeviceDiscovery" = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"DeltTray" = "DeltTray.exe" ["Doug Fetter Software Wizardry"]
"AWMON" = ""C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"Write DVD-R!" = "C:\Program Files\Write DVD!\saimon.exe" [null data]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NAV CfgWiz" = "C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R" ["Symantec Corporation"]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" [null data]
"NeroCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"WinampAgent" = "C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe" [null data]
"PNtask Services" = "C:\WINNT\System32\pntask.exe" [file not found]
"System Update" = "sysupdt32.exe" [file not found]
"MMtask Service" = "mmtask.exe" [file not found]
"ADUserMon" = "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [file not found]
"LaCie USB2 Auto Loader" = "C:\WINNT\TPPALDR.EXE" [file not found]
"vjOSw0" = "c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe" [file not found]
"f4B77n" = "c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe" [file not found]
"Dsi" = "C:\WINNT\System32\dp-him.exe" [file not found]
"pgvoutm" = "C:\WINNT\System32\pgvoutm.exe" [file not found]
"mpnpmgru" = "C:\WINNT\System32\mpnpmgru.exe" [file not found]
"ap9h4qmo" = "C:\WINNT\System32\ap9h4qmo.exe" [file not found]
"farmmext" = "C:\WINNT\farmmext.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINNT\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{649C8E72-A449-4E70-B098-604AF17AB2FB}" = "SAI Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Write DVD!\SAIShx.DLL" [null data]
"{090FD2DB-CFBE-47FF-A4B1-D84ACECD0FE0}" = "SAI Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Write DVD!\SAIShx.DLL" [null data]
"{ECD1124D-89F0-11D7-B9F5-00A0CC541DE9}" = "SAI Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Write DVD!\SAIShx.DLL" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "load" = "??? ??? ??? ? ? ?????" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
INFECTION WARNING! iexplore.exe\Debugger = "C:\WINNT\iexplore_dbg.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security info v3"
"Source" = "C:\WINNT\screen.html"
"SubscribedURL" = ""

Startup items in "Taylor Caine" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINNT\System32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 71 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 12 seconds.
---------- (total run time: 374 seconds)

Edited by phoam, 20 July 2005 - 09:51 AM.

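The Silent Runners report above carries the entries a helper would pick out by hand: Run values whose target is [file not found] or lives under Local Settings\Temp, bare filenames such as sysupdt32.exe, the garbled HKCU ...\Windows NT\CurrentVersion\Windows "load" value, an Image File Execution Options Debugger for iexplore.exe that points at a missing C:\WINNT\iexplore_dbg.exe (Windows starts the registered debugger in place of the program, so with the debugger absent IE never appears), and an Active Desktop component whose Source is the local file C:\WINNT\screen.html, which Explorer draws over the wallpaper. The script below is an added example, not a tool from this thread and not part of Silent Runners or HijackThis: it parses the report's own key-header-plus-value-lines layout, flags those entries, and drafts a .reg script that deletes the flagged values (or the whole Active Desktop component key). The sample report is constructed from lines visible in the post; the rule set and all helper names are this example's own assumptions.

```python
"""Triage a Silent Runners-style startup report and draft a .reg clean-up.
Added example for this thread; not the forum's tool and not part of Silent
Runners. SAMPLE_REPORT is constructed from lines visible in the post."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name data tag reason")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Constructed sample in the report's own layout (key header, then value lines).
SAMPLE_REPORT = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Weather" = "C:\Program Files\AWS\WeatherBug\Weather.exe 1" ["AWS Convergence Technologies, Inc."]
"dfsshlex" = "C:\WINNT\System32\dfsshlex.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"vjOSw0" = "c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe" [file not found]
"System Update" = "sysupdt32.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "load" = "??? ??? ??? ? ? ?????" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
INFECTION WARNING! iexplore.exe\Debugger = "C:\WINNT\iexplore_dbg.exe" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security info v3"
"Source" = "C:\WINNT\screen.html"
'''

KEY_RE = re.compile(r"^(HK[A-Z]{2}\\[^=]*?)\\?\s*(?:\{\+\+\})?\s*$")
VALUE_RE = re.compile(r'^(?:INFECTION WARNING!\s*)?"?(?P<name>[^"=]+?)"?\s*=\s*'
                      r'"(?P<data>.*?)"(?:\s*\[(?P<tag>[^\]]*)\])?\s*$')
TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.I)
LOCAL_PATH = re.compile(r"^[a-z]:\\", re.I)

def parse_report(text):
    """Yield (key, name, data, tag) for every value line under its key header."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data"), m.group("tag") or ""

def triage(text):
    """Return the entries a helper would flag, with the reason for each."""
    out = []
    for key, name, data, tag in parse_report(text):
        k, missing = key.lower(), tag.lower() == "file not found"
        reason = None
        if k.endswith(r"\run"):
            if TEMP_DIR.search(data):
                reason = "autorun launched from the user's temp directory"
            elif missing:
                reason = "autorun points to a missing file (orphaned, or a hidden loader)"
            elif "\\" not in data:
                reason = "autorun by bare filename, resolved through the search path"
        elif "image file execution options" in k and name.lower().endswith("\\debugger"):
            reason = "IFEO Debugger hijack: starting %s runs %s instead" % (name.split("\\")[0], data)
            if missing:
                reason += " (which is absent, so the program never appears)"
        elif k.endswith(r"\windows nt\currentversion\windows") and name.lower() == "load" and data:
            reason = "legacy load= launch point set in the user hive"
        elif "\\desktop\\components\\" in k and name.lower() == "source" and LOCAL_PATH.match(data):
            reason = "Active Desktop web content from a local HTML file (drawn over the wallpaper)"
        if reason:
            out.append(Finding(key, name, data, tag, reason))
    return out

def removal_reg(findings):
    """Draft a .reg script: '=-' deletes a value, '[-key]' deletes a whole key."""
    values, keys = {}, []
    for f in findings:
        hive, _, rest = f.key.partition("\\")
        full = HIVES.get(hive, hive) + "\\" + rest
        if "\\desktop\\components\\" in f.key.lower():
            keys.append(full)                      # drop the whole component
            continue
        sub, _, value = f.name.rpartition("\\")    # iexplore.exe\Debugger -> subkey + value
        values.setdefault(full + ("\\" + sub if sub else ""), []).append(value)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for k, names in values.items():
        lines += ["[%s]" % k] + ['"%s"=-' % n for n in names] + [""]
    for k in dict.fromkeys(keys):
        lines += ["[-%s]" % k, ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print("%-22s %s" % (f.name, f.reason))
    print(removal_reg(found))
```

Read the draft before merging it: the bare-filename rule is a heuristic and would also flag a legitimate entry such as the "DeltTray" = "DeltTray.exe" value in this report, and deleting a Run value does nothing about the file it pointed at, which still has to be removed (in the thread, with Killbox) if it exists. Entries this script does not see, such as the StartupList-only lines, still need a human eye.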

#12 Crustyoldbloke (Retired Staff)

Hello again Taylor

I found this today whilst trying to work out what is happening:

http://www.computing...orum/15755.html

You’ve been suffering for a while, let’s see if an old man can sort it out.

Thanks for the logs. It is still evident that something is preventing the proposed changes. Generally this behaviour is caused by antispyware programmes (sometimes antivirus) not allowing the registry to be altered.

It would appear to me to be the actions of:

O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

So let’s be conventional and try again, but this time disable Ad-Aware’s Ad-Watch or remove it for the fix. N.B. the fix may be out of date for Ewido, but just make sure you update in normal mode and scan in safe mode.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
Spybot S&D
cwsserviceemove.reg file

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

MMtask Engine (MMtaskEngine)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

MMtaskEngine

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Please copy the text from this link into Notepad Smitfraud.reg save it as Smitfraud.reg to your Desktop, right click on it and choose MERGE

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will now go to the main screen
  • Click on Start
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please install Spybot search & destroy, open it, update it, immunize it, and perform a scan. When it has completed, ensure that you check everything it finds coloured Red only before clicking Fix Selected Problems. If Spybot requests starting again at reboot to clear memory resident malware, please ensure you click YES, giving it permission to do so.

Install Ad-Aware and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page.

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
F3 - REG:win.ini: load=?????? ?????? ????
O4 - HKLM\..\Run: [System Update] sysupdt32.exe
O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
O4 - HKLM\..\Run: [PNtask Services] C:\WINNT\System32\pntask.exe
O4 - HKLM\..\Run: [vjOSw0] c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
O4 - HKLM\..\Run: [f4B77n] c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pgvoutm] C:\WINNT\System32\pgvoutm.exe
O4 - HKLM\..\Run: [mpnpmgru] C:\WINNT\System32\mpnpmgru.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU\..\Run: [dfsshlex] C:\WINNT\System32\dfsshlex.exe
O4 - HKCU\..\Run: [tgbcde] C:\WINNT\tgbcde\module32.exe arg1
O23 - Service: MMtask Engine (MMtaskEngine) - Unknown owner - C:\WINNT\System32\mmtask.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

sysupdt32.exe
mmtask.exe
C:\WINNT\System32\pntask.exe
c:\documents and settings\taylor caine\local settings\temp\vjOSw0.exe
c:\documents and settings\taylor caine\local settings\temp\f4B77n.exe
C:\WINNT\System32\dp-him.exe
C:\WINNT\System32\pgvoutm.exe
C:\WINNT\System32\mpnpmgru.exe
C:\WINNT\System32\ap9h4qmo.exe
C:\WINNT\farmmext.exe
C:\WINNT\System32\dfsshlex.exe
C:\WINNT\tgbcde\module32.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.

#13 phoam (Topic Starter)

I think we're starting to make some headway here. I've posted my latest HijackThis scan. After unloading Ad-Watch, the HijackThis scan removed a lot of the problem files. I successfully ran through most of your recent post. However, at least two problems still occur: Internet Explorer still comes up 'null' (a Windows Update attempt will not complete due to "finding a newer version of IE"), and my desktop is affected (it will not show the desktop wallpaper, and there's a casual flicker - not the screen, but the wallpaper).

Logfile of HijackThis v1.99.1
Scan saved at 2:50:35 PM, on 7/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.etree.org/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Taylor Caine\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#14 Crustyoldbloke (Retired Staff)

Hello again Taylor

That log is actually clean.

Let's have a look at your other problems.

Internet Explorer (I don't use it myself, far too dangerous) but if I recall correctly, we can fix that via the Control Panel Add/Remove Programs (please excuse Bill Gates's spelling of the word Programmes).

Find Internet Explorer and choose REMOVE. A little box will open with the option to repair Internet Explorer. Try that. I had this problem about 3 years ago, I just can't remember how I cured it; I may even have uninstalled and reinstalled it and then updated it.

Desktop:

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as FixDesktop.reg and save it on your Desktop. Make sure that under File Types in the save dialog box it says "All".

Windows Registry Editor Version 5.00

; Clear the Explorer policies that lock Active Desktop, the Themes tab and saved settings
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

; Re-enable the Display control panel and each of its tabs ("=-" deletes the value)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"SetVisualStyle"=-

; Allow the wallpaper to be changed again
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

; Restore the default Luna theme; the hex(2) data is the REG_EXPAND_SZ string
; %SystemRoot%\resources\Themes\luna\luna.msstyles
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00


Locate FixDesktop.reg on your Desktop and double-click on it. It will ask you for confirmation and then tell you that it was done.

Once that is finished, please reboot your computer and try to change your background.

How's it going now?

Edited by Crustyoldbloke, 20 July 2005 - 02:23 PM.


#15 phoam (Topic Starter)

Quote (Crustyoldbloke):
Internet Explorer (I don't use it myself, far too dangerous) but if I recall correctly, we can fix that via the Control Panel Add/Remove Programs (please excuse Bill Gates's spelling of the word Programmes).

Believe it or not, it's not listed in the Add/Remove Programs list. In its folder under Program Files, the uninstall folder contains w2kexcp.exe, but it does nothing.

Quote (Crustyoldbloke):
Desktop:
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as FixDesktop.reg and save it on your Desktop. Make sure that under File Types in the save dialog box it says "All".

I performed those tasks, but it did not solve the problem. The desktop wallpaper can be changed and will show itself during the boot-up process. But as stated, it doesn't show itself on the desktop background as it should.

Makes me wonder if my PC could still be infected in some way.

Edited by phoam, 20 July 2005 - 03:02 PM.
