Need help cleaning off malware


#1 overworked (New Member, 4 posts)

I'm another victim of spyware or something. All of a sudden I get this desktop page (that I can't remove) that says "Warning! You're in DANGER!" I also get "Task Manager has been disabled by the system administrator" when I press Ctrl+Alt+Delete.

I've tried shredder but it didn't seem to do anything. Neither did VShield. I even edited the desktop file, but upon restart it came back as it was originally. Whatever this is also made my desktop "active", which it never was before. Of course I can't figure out how to get it back to being "normal" (not active).

I hope you all can help me fix this. Man this really sucks!

Scan saved at 8:04:42 PM, on 1/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Grant at Home\Application Data\Mozilla\Profiles\default\rn4c18ya.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Grant at Home\Application Data\Mozilla\Profiles\default\rn4c18ya.slt\prefs.js)
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {168F8D30-0BD0-45EB-9463-294BFEF1F543} - C:\WINDOWS\System32\jefjeaa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [eRoom 6] C:\Program Files\eRoom 5\erclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://pf1.ford.com...etup/client.cab
O18 - Filter: text/html - {597BE433-60AA-4C32-B97F-1260D8EA145C} - C:\WINDOWS\System32\jefjeaa.dll
O18 - Filter: text/plain - {597BE433-60AA-4C32-B97F-1260D8EA145C} - C:\WINDOWS\System32\jefjeaa.dll
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NICSer_WPC54GS - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
#2 LineOFire (Malware Expert, Retired Staff, 235 posts)

Welcome to GeeksToGo Forums.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Go to the Control Panel and double-click on Display.
  • If not already selected, go to the Desktop tab.
  • Click Customize Desktop... and then go to Web tab.
  • Click on the Security or similar entry and click Delete to remove the entry.
  • This should get rid of the advertisement on your desktop.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O2 - BHO: (no name) - {168F8D30-0BD0-45EB-9463-294BFEF1F543} - C:\WINDOWS\System32\jefjeaa.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O18 - Filter: text/html - {597BE433-60AA-4C32-B97F-1260D8EA145C} - C:\WINDOWS\System32\jefjeaa.dll
O18 - Filter: text/plain - {597BE433-60AA-4C32-B97F-1260D8EA145C} - C:\WINDOWS\System32\jefjeaa.dll

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\System32\jefjeaa.dll
C:\WINDOWS\System32\kernels32.exe

Now you can restart the computer normally.
  • Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. ;)

Edited by LineOFire, 03 January 2005 - 01:01 AM.

#3 overworked (Topic Starter, New Member, 4 posts)

Thank you LineOFire. I've done as instructed. The desktop is behaving normally and system files are viewable. The file C:\WINDOWS\System32\jefjeaa.dll was not present, and
C:\WINDOWS\System32\kernels32.exe was deleted. I also deleted another .exe that had a porn icon. Also, I have had HijackThis fix the list you provided.

I ran DLLCompare with its default settings (filetype: *.dll and include subdirectories unchecked). This is the log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

1,136 items found: 1,136 files, 0 directories.
Total of file sizes: 196,285,512 bytes 187.19 M

Administrator Account = True

--------------------End log---------------------

THIS IS THE NEW HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 8:41:41 PM, on 1/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Grant at Home\My Documents\My Downloads\DllCompare.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Grant at Home\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Grant at Home\Application Data\Mozilla\Profiles\default\rn4c18ya.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Grant at Home\Application Data\Mozilla\Profiles\default\rn4c18ya.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D0C7598C-5703-48F5-B477-20853EE68F70} - C:\WINDOWS\System32\ccdk.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [eRoom 6] C:\Program Files\eRoom 5\erclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://pf1.ford.com...etup/client.cab
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NICSer_WPC54GS - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE

I've noticed two obvious remaining issues.
1. When I press Ctrl-Alt-Del I still get that message about it being disabled by the administrator.
2. The computer tries to use a dialup "TIBS42" connection when I reboot, even though I'm accessing the Internet via cable modem/wireless router.

I've deleted that TIBS42 thing twice and disabled it once and it keeps coming back.

Should I post a log of dllcompare set to all file types and include subdirectories?

I really appreciate your help in this matter.

Respectfully,
Overworked
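Added example (not code from this thread or from HijackThis itself): the before/after comparison LineOFire is doing by eye can be done mechanically. The script parses two logs, lists the entries that disappeared and the entries that are new (here the two unnamed BHOs, questmod.dll and ccdk.dll, which show up only in the second log), and flags the kinds of lines removed above: a system.ini Shell= that starts more than Explorer.exe, O1 hosts mappings, O18 filters, and BHOs with no name or a missing file. It then pivots on file paths so that any other entry loading the same file, such as the O4 Run entries for kernels32.exe, is flagged as well. The two sample logs are constructed from a few lines quoted in this thread, and the triage rules are this example's own heuristics.

```python
"""Diff two HijackThis logs and flag the entry types abused in this thread.

Added example; not code from the thread or from HijackThis itself. The sample
logs are constructed from a few lines quoted in the thread, and the triage
rules are this example's own heuristics, not anything HijackThis does.
"""
import re

# A HijackThis entry: a section code (R1, F2, O1, O4, O18, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Drive-letter paths in an entry body: quoted (may contain spaces), or unquoted
# and running up to a " - " separator, a "(file missing)" note, a ")" or end of line.
PATH_RE = re.compile(
    r'"(?P<q>[A-Za-z]:\\[^"]+)"'
    r'|(?P<u>[A-Za-z]:\\.+?)(?=\s+-\s|\s+\(file missing\)|\)|\s*$)'
)

# Constructed from lines quoted in the thread (first log).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\GRANTA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: (no name) - {168F8D30-0BD0-45EB-9463-294BFEF1F543} - C:\WINDOWS\System32\jefjeaa.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O18 - Filter: text/html - {597BE433-60AA-4C32-B97F-1260D8EA145C} - C:\WINDOWS\System32\jefjeaa.dll
"""

# Constructed from lines quoted in the thread (second log).
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {D0C7598C-5703-48F5-B477-20853EE68F70} - C:\WINDOWS\System32\ccdk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""


def parse_log(text):
    """Return the (code, body) entries of a log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def referenced_paths(body):
    """Lower-cased set of the file paths an entry body points at."""
    return {(q or u).lower() for q, u in PATH_RE.findall(body)}


def diff_logs(before_text, after_text):
    """Entries that vanished and entries that are new between two scans."""
    before, after = set(parse_log(before_text)), set(parse_log(after_text))
    return sorted(before - after), sorted(after - before)


def triage(entries):
    """Map each suspicious entry to the reasons it was flagged.

    Direct rules mirror the kinds of lines removed in this thread; the path
    pivot then flags any other entry that loads a file a flagged entry loads.
    """
    reasons = {}

    def flag(entry, why):
        reasons.setdefault(entry, []).append(why)

    for entry in entries:
        code, body = entry
        if code == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                flag(entry, "system.ini Shell= starts something besides Explorer.exe")
        elif code == "O1":
            flag(entry, "hosts file mapping added outside the defaults")
        elif code == "O18":
            flag(entry, "MIME filter or protocol handler registered in Internet Explorer")
        elif code == "O2" and ("(no name)" in body or "(file missing)" in body):
            flag(entry, "BHO with no name or a missing file")

    # Pivot: a file loaded by a flagged entry taints every other entry loading it.
    suspect_paths = set().union(*(referenced_paths(body) for _, body in reasons))
    for entry in entries:
        shared = referenced_paths(entry[1]) & suspect_paths
        if shared and entry not in reasons:
            flag(entry, "loads a file also used by a flagged entry: " + ", ".join(sorted(shared)))
    return reasons


def report(before_text, after_text):
    """Human-readable summary lines for a before/after pair of logs."""
    removed, added = diff_logs(before_text, after_text)
    lines = [f"removed: {c} - {b}" for c, b in removed]
    lines += [f"new:     {c} - {b}" for c, b in added]
    for (c, b), why in triage(parse_log(after_text)).items():
        lines.append(f"still suspicious: {c} - {b}  <- " + "; ".join(why))
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE_LOG, AFTER_LOG)))
```

Run against the two embedded logs it reports six entries gone, two new, and both new BHOs as still suspicious, which is exactly the pair LineOFire singles out in the next reply. Unquoted paths containing spaces are only recovered because HijackThis separates fields with " - "; a log format with a different separator would need its own regex.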

#4 overworked (Topic Starter, New Member, 4 posts)

I followed these directions from http://www.annoyance...nxp/t1103976707 and it seems to have fixed the ctrl-alt-delete problem.

re: Task manager disabled
Saturday, January 1, 2005 at 3:56 pm
Posted by UrbanOne (1 messages posted)

What you need to do is run "gpedit.msc" at the command line. Now, choose the following path:
User Configuration - Administrative Templates - System - Ctrl+Alt+Del Options.

Once you have done that, you want to disable all of the options in this section.
Then you will have your Task Manager option and others if you need them!

UrbanOne
#5 LineOFire (Malware Expert, Retired Staff, 235 posts)

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {D0C7598C-5703-48F5-B477-20853EE68F70} - C:\WINDOWS\System32\ccdk.dll (file missing)

Fix those two entries with HijackThis.

Copy and paste this code box text into a text editor such as Notepad.

Save this text as RestoreRegTasks.inf. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Right-click on RestoreRegTasks.inf and select Install.

[Version]
Signature=$CHICAGO$
Provider=LineOFire

[DefaultInstall]
DelReg=RegTaskService

; Each line is root,subkey,value-name. DelReg removes only the named value
; and leaves the rest of the Policies\System key alone.
[RegTaskService]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows NT\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows NT\CurrentVersion\Policies\System,DisableTaskMgr
HKLM,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM,Software\Microsoft\Windows NT\CurrentVersion\Policies\System,DisableRegistryTools
HKLM,Software\Microsoft\Windows NT\CurrentVersion\Policies\System,DisableTaskMgr

The TIBS42 connection can usually just be deleted. I'm wondering why it doesn't work for you. Do you have a C:\Program Files\WebSiteViewer directory?
#6 overworked (Topic Starter, New Member, 4 posts)

TIBS42 seems to be staying gone now and no, I don't have a WebSiteViewer directory anywhere.

As far as I can tell everything is back to normal.

thanks for the help.

Overworked
#7 LineOFire (Malware Expert, Retired Staff, 235 posts)

Glad that we could help. Thanks for cooperating with me! ;)

Here are some tips, in order to reduce the potential for future malware infections. :tazz:
  • Secure Internet Explorer - The most common reason that malware installs itself is that your Internet Explorer security settings are set too low.
    • Open Internet Explorer.
    • Click on the "Tools" menu and select "Internet Options...".
    • If not already selected, select the "Security" tab.
    • Click on "Internet" so that it becomes highlighted and then click "Custom Level...".
    • In the "Reset to:" drop-down menu select "Medium".
    • Click "Reset" and choose "Yes" at the prompt to reset the security settings.
    • Click "OK" to return to the Security menu.
    • Repeat the same steps for "Local intranet", "Trusted sites", "Restricted sites" with these security settings:
      • "Local intranet" - "Medium-low"
      • "Trusted sites" - "Low"
      • "Restricted sites" - "High"
    • Finally, click "Apply" and then "OK" to apply the settings that you set.
  • Windows Update - It is absolutely imperative that you stay on top of all updates to your operating system and browser. Malware authors and hackers make use of the many loopholes found in Microsoft's code. Keeping your system up to date is one of the most important steps in preventing infection.
  • Spybot - Search & Destroy - Spybot - Search & Destroy is an excellent general anti-malware tool. It has the ability to scan your system for all kinds of malware and even offers TeaTimer and SDHelper in order to provide real-time protection from malware.
  • Ad-Aware SE - Ad-Aware SE, like Spybot - Search & Destroy, is another general anti-malware solution which offers scanning. Both programs will often catch something the other cannot. It is best to use both of these wonderful programs in tandem so that you maximize the detection capabilities.
  • SpywareBlaster - SpywareBlaster offers real-time protection against malicious ActiveX controls. This will stop most of the drive-by malware installations that have been very common recently. The best part is, this program does not need to run in the background, so it uses no resources!
  • IE-SpyAd - IE-SpyAd attempts to stop malware infections by placing a huge list of known malicious sites into Internet Explorer's Restricted Sites list. If you accidentally come upon a harmful site, the Restricted Sites zone will hinder its maliciousness.
  • HOSTS - The HOSTS file is the Windows solution to malware prevention. By placing harmful sites in the HOSTS file, you are effectively denying your computer access to the site, and denying the site access to your computer.
  • Update Programs Regularly - Just as with your operating system and browser, the five aforementioned utilities are in need of constant updating. Malware changes every day, and it is critical to be prepared at all times.
  • Get A New Browser - The recent outburst of malware has taken the Internet and the world by storm. More and more people are realizing that Internet Explorer is a terribly insecure browser. Since then, several great browsers have been developed to dull the blow of malware. Besides offering improved security, alternate browsers supply many new features. These are the browsers I currently recommend: Mozilla Firefox and Opera.
I encourage you to at least consider following some of these steps. It is important that everyone learn how to combat these evil creations.
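Added example, not part of LineOFire's post, showing the other side of the HOSTS tip: the same file that lets you sink a site to your own machine was used against this user (the O1 entries earlier in the thread were put there by the malware, not by him), so the file is worth auditing rather than only appending to. The script parses a constructed sample hosts file, separates entries that sink a name to the local machine from entries that redirect it to a routable address, and reports sink entries that are not on your own blocklist. Only www.iframe.biz and iframe.biz come from the thread; the .example names, the addresses and the expected-blocklist argument are constructed for the example.

```python
"""Audit a Windows HOSTS file for mappings you did not put there.

Added example, not from the thread. Entries that point a name at the local
machine are block entries; entries that point a name at a routable address
redirect traffic and are the dangerous direction. Even block entries need
checking: the O1 lines in this thread were added by the malware, not the user.
"""
import ipaddress

# Mappings every Windows hosts file is expected to carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample. Only www.iframe.biz / iframe.biz come from the thread's
# O1 lines; the .example names and the addresses are documentation placeholders.
SAMPLE_HOSTS = """\
# constructed hosts file header, ignored by the parser
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.blocked.example          # added by the user on purpose
127.0.0.3       www.iframe.biz iframe.biz    # what the malware left behind
203.0.113.5     login.bank.example           # a name sent to someone else's server
garbage         broken.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:  # one line may list several names for one address
            yield address, name.lower()


def classify(address):
    """'sink' for loopback/unspecified targets, 'redirect' for anything routable."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    return "sink" if addr.is_loopback or addr.is_unspecified else "redirect"


def audit_hosts(text, own_blocklist):
    """Return (severity, address, name, note) findings; the default entries are excluded."""
    own = {n.lower() for n in own_blocklist}
    findings = []
    for address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        kind = classify(address)
        if kind == "redirect":
            findings.append(("high", address, name, "name redirected to a routable address"))
        elif kind == "invalid":
            findings.append(("medium", address, name, "unparseable address"))
        elif name in own:
            findings.append(("info", address, name, "block entry from your own list"))
        else:
            findings.append(("medium", address, name, "block entry you did not add"))
    return findings


if __name__ == "__main__":
    for severity, address, name, note in audit_hosts(SAMPLE_HOSTS, ["ads.blocked.example"]):
        print(f"{severity:6} {address:15} {name:22} {note}")
```

Any entry whose address is outside 127.0.0.0/8, ::1 and 0.0.0.0 is reported as high because it is not a block at all; a loopback entry is still reported unless it matches the blocklist you maintain yourself, which is how the 127.0.0.3 lines from this thread would have surfaced.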