Can't see the wallpaper that I know is there



#1
jjsant

Howdy folks! This is my 1st post and I'm hoping someone can help. Norton AV wasn't running the other day (for whatever reason) and I got hit with the SpySheriff & co. hijack. Pop ups and all the rest. I did the following:

-Ran spybot and removed the bad stuff. (It wouldn't update 1st.)

-Ran Ad aware after updating and removed more bad stuff.

-Downloaded Spy Sweeper, updated, removed bad stuff, and have it running. I like it so I registered it.

-Uninstalled and re-installed Norton, updated it, ran full system scan, cleaned viruses, etc. It's running fine now.

-Downloaded Ewido, updated, and removed bad stuff.

-Downloaded Security Task Manager and used it to find/confirm some more bad stuff and removed it. It's a great program for someone like me who's a mere novice with computers. It combines the related functions of the task manager, msconfig, and even google all in one place. One window instead of 3.

-Downloaded HJT

Between some of these I also manually deleted or changed the names of some files I'm 99% certain are nasty. I was able to spot many of them from the date stamps on them matching the time of attack and from google hits and stuff. I rebooted all along the way to ensure each step was ok. The good news is that the hijack is gone and I haven't seen a pop up for about 6 hours of use with several reboots. Bad news is a few features within IE may not be working (some gifs on yahoo don't show.) What really is frustrating me is that the desktop will not allow me to see the wallpaper I know is there. When I shutdown, I see the correct wallpaper on the screen for only a flash.

The current desktop allows me to choose any color I want and it works. The problem is that Display Properties / Desktop tab has the "background" phrase grayed out. The list of background files (to choose from) is visible but I can't click on them and cannot click on the scroll bar for them.

The desktop was hijacked with a blue background and a bogus banner in the middle of it during the attack. All that is gone but I can't see the wallpaper file behind the solid color background I am limited to at the moment.

Below is the HJT log. Many of the "file missings" are because I deleted or renamed them during the learning I've gone thru on this whole registry/running task thing. ("support.com" folder was renamed a while ago when I noticed the program was "backing up" much web activity as a favor to me by comcast.)

Almost everything I know about PCs is because of problems over the years. This has been another traumatic experience with important lessons learned.

Any help would be greatly appreciated! :tazz:

jjsant


Logfile of HijackThis v1.99.1
Scan saved at 11:43:06 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ssonsvr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {8F4CAE8C-641C-13EC-3CC7-15F3BC346FC1} - C:\WINNT\system32\oiio.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Internet PopUp Stopper\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.reranch.com
O15 - Trusted Zone: http://www.reranch.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: fldrsys - {3ED1F82B-7BE5-4662-B87F-E566F0FDD7DE} - fldrsys.dll (file missing)
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - C:\Program Files\Aardvark\aardvark.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj5600 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj5600.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINNT\wanmpsvc.exe (file missing)
  • 0



#2
makai

Hello jjsant,

Judging by what you wrote, it looks like you did a great job! :tazz:

Something may have corrupted your display property tab settings, so please go to Kelly's site and scroll down the list to line 285. In the right hand panel you will see Restore All Display Tabs - Remove All Display Tabs & Icon. These are two separate items on this line and we only want Restore All Display Tabs. You need to right click Restore All Display Tabs and save the file to your desktop.

The file you are saving is a registry key. This will restore the functionality of the Display Properties panel. Whether or not it will fix your problem, I do not know. This is meant to fix "missing" panels, but it may also work to restore what's wrong with yours.

Once you get the registry key on the desktop, just double click on it. You will get some warnings, but just confirm yes to merge the file.

"This has been another traumatic experience with important lessons learned."

Trauma is what makes computers all the more fun! Learning is always traumatic! :)
  • 0

#3
physician

Hi,
your log still has a few things that need cleaning up. You did a good job. If you post it on the malware forum here, you can finalize the cleanup. Then you can go to Kelly's Corner and get that fix - it's the one you need from what I am reading on your post...doc
  • 0
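
An added example, not part of the thread or any poster's code: a small Python triage pass over HijackThis log lines like the ones in post #1, listing entries that point at missing files, services with an unknown owner, and programs launched from Temp or the drive root. The flag rules and names are assumptions chosen for illustration; a flagged entry is a candidate for review, not a verdict.

```python
import re

# Lines copied from the HijackThis log in post #1 (a subset, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8F4CAE8C-641C-13EC-3CC7-15F3BC346FC1} - C:\WINNT\system32\oiio.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\lpcdll.dll (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")

# Illustrative review rules (assumptions, not HijackThis's own logic).
CHECKS = [
    ("target file missing", re.compile(r"\((file missing|no file)\)")),
    ("service with unknown owner", re.compile(r"^Service: .* - Unknown owner - ")),
    ("runs from Temp directory", re.compile(r"\\Temp\\", re.I)),
    ("runs from drive root", re.compile(r"\b[a-z]:\\+[^\\\s]+\.exe\b", re.I)),
]


def triage(log_text):
    """Return (section code, reasons, entry text) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header lines and the running-process list are skipped
        code, body = match.groups()
        reasons = [label for label, rx in CHECKS if rx.search(body)]
        if reasons:
            findings.append((code, reasons, body))
    return findings


if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code:>3}  {', '.join(reasons)}\n     {body}")
```

Entries flagged only as "target file missing" are leftover registry references; in this thread the poster says many of them exist because the files were deleted or renamed by hand.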

#4
jjsant

I tried Kelly's fix and it didn't work. It did change the desktop back to the default XP Theme (after reboot) so I know it loaded, but I guess I'm still a little infected since I still can't choose wallpaper files. I still see the "real" wallpaper for a flash when shutting down.

I'm gonna take this to the malware forum since it's more appropriate.

I really appreciate the help!
  • 0





