[randomgeek]

Hi guys,

I'm writing this from a crappy second machine on a home network. The trouble on my main machine is the Trojan-Spy.HTML.Smitfraud.c message coming up on a blue background at start up in normal mode.

I can start in safe mode, and in safe mode with networking. Trouble there is my Internet Explorer doesn't load squat. I can't connect to any pages so I can't download stuff from the links found on your "start here" page.

So how can I even get started on the other machine?

Thanks,

rg

Edited by randomgeek, 29 July 2005 - 04:25 PM.

[Advertisements]

Hi RandomGeek, and welcome to Geeks To Go!

For all immediate purposes we wont worry about the guidelines set out in that thread, but I will be asking you to download a few files/applications that are necessary for this specific fix. If you have access to a burner (CD-RW's are best but whatever is available) you can burn the apps etc. to a CD for transfer from another computer, some will fit on a floppy disc - not sure how many though - , or even a USB drive would work Nicely!

your first mission...

Please download HijackThis http://www.greyknigh.../HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

Edited by skate_punk_21, 30 July 2005 - 10:14 PM.

[skate_punk_21]

Hi RandomGeek, and welcome to Geeks To Go!

For all immediate purposes we wont worry about the guidelines set out in that thread, but I will be asking you to download a few files/applications that are necessary for this specific fix. If you have access to a burner (CD-RW's are best but whatever is available) you can burn the apps etc. to a CD for transfer from another computer, some will fit on a floppy disc - not sure how many though - , or even a USB drive would work Nicely!

your first mission...

Please download HijackThis http://www.greyknigh.../HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

Edited by skate_punk_21, 30 July 2005 - 10:14 PM.

[randomgeek]

Hey!

Thanks for replying. I get the impression my box is dying my many things.

I was pretty frustrated for bit there. My one machine doesn't have a burner and I'm currently investigating why the USBs don't work. It's a pretty crappy box. The other one doesn't have a floppy.

Anyway from the run option in the task manager I finally figured out that I could enter the network name of my crappy machine and get the file that way from the shared folder.

So here's my (rather short!!) HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:53 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



That's all there was. Hope it helps.

[skate_punk_21]

YOU WILL NEED TO GO THROUGH YOUR NETWORK FOR THIS AS WELL

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Spyware Vanisher - It’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Please do so now.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\xmllib.dll
C:\WINDOWS\winadvt.dll
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\WINDOWS\win32res.exe
C:\spywarevanisher-free\


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows Normal Mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[randomgeek]

Well that was interesting.

Ok so I have notes of my own and since the logs are so numerous, I'll start with my stuff so they don't get lost:

I couldn't initiallly delete the following:

C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE

Initially I was told the file(s) might be in use. So I tried killing them in
Task manager but they just respawned! There is a file called smss.exe which is also running and I wonder if it or another might be causing the autospawning
Note though that eventually, something killed the above processes and deleted the files as required.
However, smss.exe still runs and exists.


!!! Near the end, I'm supposed to go to the PANDA link and run a full scan. Unfortunately, my iexplorer.exe is no longe present so I basically wiped out my browser somwhere along the way.
Needless to say I'm still networking stuff to this crappy box in order to post these replies.

Minus the little internet explorer mishap, the system seems to be running pretty well. I just have to get IE back so I can run the PANDA thing. Web access seems to be ok (MSN autoloaded).

Here are my logs:


Smitrem log:
----------------

smitRem log file
version 2.2

by noahdfear

The current date is: Mon 08/01/2005
The current time is: 20:26:51.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleadm.dll
wp.bmp


~~~ Windows directory ~~~

uninstIU.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleadm.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~


~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~


~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~


---------------------------------------------------------------------------------------------





EWIDO log:
-------------

smitRem log file
version 2.2

by noahdfear

The current date is: Mon 08/01/2005
The current time is: 20:26:51.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleadm.dll
wp.bmp


~~~ Windows directory ~~~

uninstIU.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleadm.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~


~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~


~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~
-----------------------------------------------------------------------------------------------




HJT log before cleanup:
Logfile of HijackThis v1.99.1
Scan saved at 8:15:33 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-----------------------------------------------------------------------------------------------






HJT Log after cleanup
Logfile of HijackThis v1.99.1
Scan saved at 9:26:50 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-----------------------------------------------------------------------------------------------


So there you go. That's all there is. Would sure love to get my Internet Explorer back.

Thanks for the help so far! Looks like soon I'll be out of the woods!

rg

[skate_punk_21]

1. you missed the ewido Log and posted the smitrem log 2x, please include ewido in your next post.

So now for IE, lets see if i get you here...
You cant even open the application?? or when you do it wont go anywhere?? - just so know you one infection you had was designed to destroy your settings in IE, but if you can at least open the app, we may be able to recover the settings....

so post the ewido log, and let me know the specific situation with your browser including any error codes you may be getting.

[randomgeek]

Hey I'm glad you were on. Ok sorry about that...so many logs to track hehe. I've included the right one this time. But first about IE:

The application appears to have completely vanished. I ran the basic search and selected "All files and folders" option, looking for iexplorer.exe. It didn't find it. I tried to run it from a couple of different icons and they all say the same thing:

"Windows cannot find 'C:\Program Files\Internet Explorer\iexplorer.exe'. Make sure you typed the name correctly and try again. To search ...etc"

What's weird is although the search doesn't find it, and all my links to it don't find it, I can manually see it in the path specified in the message. When I click on it after finding it though, I get the same message I mentioned above!


One other thing, before everything went screwy, my IE started losing it's homepage reference and going to something called about:blank. Now I noticed my HJT log shows this default homepage 2 times at the top. Are these supposed to be there?


So what do you think doc...is it fatal?

Thanks again,

rg

EWIDO LOG:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:03:02 PM, 8/1/2005
+ Report-Checksum: B6152D67

+ Scan result:

HKU\S-1-5-21-220523388-1897051121-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B} -> Spyware.ASSbar : Cleaned with backup
C:\RECYCLER\S-1-5-21-220523388-1897051121-725345543-1004\Dc2.dll -> Spyware.ToolBand : Cleaned with backup
C:\RECYCLER\S-1-5-21-220523388-1897051121-725345543-1004\Dc3.exe -> Trojan.Agent.fl : Cleaned with backup
C:\WINDOWS\dload.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\WINDOWS\loadclean.exe -> TrojanDownloader.Delf.cb : Cleaned with backup
C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\WINDOWS\system32\intrcxzcxzcon.exe -> Trojan.Small.bb : Cleaned with backup
C:\WINDOWS\system32\izxczxcr.exe -> TrojanDownloader.Delf.lf : Cleaned with backup
C:\WINDOWS\system32\izxxzdsafsafczxcr.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\WINDOWS\XMLLIBUI.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

[skate_punk_21]

Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home

Please remember to close all other windows, including browsers then click Fix checked.

Otherwise your log is clean and your IE Problem is all we have left!

Please Keep your windows XP CD ready...

Go to Start | Run and type "SFC /scannow" then press "ok" this will scan your harddrive for missing files and replace them. Since IE is necessary for windows updates, this should count!

[randomgeek]

Hi. I fixed the entries in hjt. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:38 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



I ran the SFC utility as suggested. It did a scan and used my XP cd to replace some files. Unfortunately iexplorer still isn't found.
It's odd that I can find it manually where the message says to look but I can't run it from there either...

I tried installing components using my disk because at this point I really don't care about the "favorites" etc. I selected only IE and it said it had trouble building a file list for MSN explorer. It kept going but when it was done, IE still had the same issue.

So basically I can't run IE, and it would seem I can't install it either. Weird.

I've encountered one other scenario where search didn't find a file and that was when the files were in hidden folders. I checked to see if maybe something like that was going on even though I could see all the folders. That's not it.
I could try copying the .exe file either from the CD or over the network if you think that might help me get going but I have a feeling that any executable I put there won't run. Hey...I'll try the HJT one.



That's all I have for now.

rg

[randomgeek]

Some more info which may help.

The file definately exists. It's like there's some setting, maybe corrupted, which makes the file semi hidden, semi deleted. Weird.

I was able to rename the iexplorer file as iexplorerold.exe Weird things happened though. First, the iexplorer.exe reappeared in the directory on it's own, even though I changed it's name. Second, I double clicked iexplorerold.exe and it ran in compatibility mode only. It says it will not be able to run all features.

I browsed a little bit and that seemed to work but I'm far from done with this app. methinks.

rg

[randomgeek]

Hey one last thing before I sign off for now.

I tried renaming the iexplorerold.exe back to iexplorer.exe. It did that and I had 2 files in the same folder with the same name! Neither was a shortcut.

I tried deleting iexplorer.exe repeatedly and it sent it to the recyclebin every time but it recreated it in the path as well, every time.

OK that's truely it until I hear from you. I can't think of how to confuse myself further.

rg

[skate_punk_21]

OK according to microsoft, to repair IE do the following;
Click Start, click Run, and then in the Open box, type the following command, and then click OK:

rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

[randomgeek]

Hi. Unfortunately, I don't have that .dll file. Infact, I don't have a setup subdirectory. I get a message saying the module setupwbv.dll could not be found.

rg

[skate_punk_21]

Please Download the IE6 install file from this Link Close all program windows and double click the IE6 install file. follow the prompts to install IE, and if asked where to install it to, select C:\Program Files\Internet Explorer

Edited by skate_punk_21, 04 August 2005 - 08:48 PM.

[randomgeek]

Hi again,

I attempted to do as requested. First just an FYI, the link you gave me wouldn't open until I removed an addtional httplink bit at the beginning.

More importantly, the system told me a more recent version of IE was found on the system and that the installation could not contiue.

rg