Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Dr. Watson Got me.........Please help

Started by pnthr30 , Feb 21 2005 12:24 PM

  • Please log in to reply

#1
pnthr30
Posted 21 February 2005 - 12:24 PM

pnthr30

    New Member

  • Member
  • Pip
  • 4 posts
Hey guys, first of all, I am sorry if this is in the wrong section.....please move if needed. Anyways, I recently (this morning) started having some serious "issues", but I am not positive what the root of it is (pretty sure it is the Dr. Watson thing), thus I don't even have the slightest idea where to start problem solving.

I can't open up the "My Computer" folder and I think I have some unwanted systems running at startup, but I don't know what (I am pretty much a computer noob, so please bear with me). I ran Spyware X-terminator, CWS, and Spybot search and destroy, but it didn't help. This is a work computer, and I need to get into the "My computer" icon to access the network. I can get my files by opening up the appropriate program and opening the file that way, but I can't get it the other way. I am sure that there are other problems, but this is the first one I saw and I immediately started looking for help. ANY suggestions? Thanks a bunch!

CoolWebSearch was found, but I couldn't get rid of all of it.......
when I try to click on the "My Computer" icon, I get a message about Dr. Watsons Postmortem Debugger encountering a problem........and then everything pretty much locks up.

and
computer is running slooooow.... thanks

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:18 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\WINDOWS\system32\tibs5.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUMENTS AND SETTINGS\PMM\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.excite.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B5A0B57E-BE5F-BB13-6317-E2FCAB757146} - C:\WINDOWS\iewr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\PMM\LOCALS~1\Temp\3F.tmp.exe 2 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\Run: [atlcv.exe] C:\WINDOWS\atlcv.exe
O4 - Startup: sync.bat
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {10CA218C-B5AF-45D5-9B00-EE5BB8147FC7} - (no file) (HKCU)
O9 - Extra button: (no name) - {9D30273F-CF00-48E9-80BD-A7F6B697C23C} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4D7803E-FCBF-4D1E-95AE-1F2CD7DAB72E} - (no file) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.bro...tings/vroom.CAB
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,30
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095952135546
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/p...12/invinstl.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{86583147-AAE3-4131-A11E-36A2199B4135}: NameServer = 192.168.254.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

Advertisements

#2
Guest_thatman_*
Posted 21 February 2005 - 03:26 PM

Guest_thatman_*
  • Guest
Hi pnthr30

Welcome to geekstogo ;)

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {B5A0B57E-BE5F-BB13-6317-E2FCAB757146} - C:\WINDOWS\iewr.dll
O4 - HKLM\..\Run: [3F.tmp] C:\DOCUME~1\PMM\LOCALS~1\Temp\3F.tmp.exe 2 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\Run: [atlcv.exe] C:\WINDOWS\atlcv.exe
O9 - Extra button: (no name) - {10CA218C-B5AF-45D5-9B00-EE5BB8147FC7} - (no file) (HKCU)
O9 - Extra button: (no name) - {9D30273F-CF00-48E9-80BD-A7F6B697C23C} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4D7803E-FCBF-4D1E-95AE-1F2CD7DAB72E} - (no file) (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\ tibs5.exe <--Delete this file
C:\WINDOWS\iewr.dll <--Delete this file
C:\DOCUME~1\PMM\LOCALS~1\Temp\3F.tmp.exe 2 10001 <--Delete this file
C:\WINDOWS\atlcv.exe <--Delete this file

Reboot into normal mode (simply restart your computer as you normally would),
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
  • 0

#3
pnthr30
Posted 21 February 2005 - 03:35 PM

pnthr30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks a lot for your reply........I think I got things taken care of before I followed your suggestions......but nonetheless, here is my new HJT log. How does it look? What do you see/think?

Thanks again for your help!

Logfile of HijackThis v1.99.1
Scan saved at 2:46:51 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PMM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.excite.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {10CA218C-B5AF-45D5-9B00-EE5BB8147FC7} - (no file) (HKCU)
O9 - Extra button: (no name) - {9D30273F-CF00-48E9-80BD-A7F6B697C23C} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4D7803E-FCBF-4D1E-95AE-1F2CD7DAB72E} - (no file) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,30
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095952135546
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/p...12/invinstl.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{86583147-AAE3-4131-A11E-36A2199B4135}: NameServer = 192.168.254.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#4
Guest_thatman_*
Posted 22 February 2005 - 08:07 AM

Guest_thatman_*
  • Guest
Hi pnthr30

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

Reboot into normal mode (simply restart your computer as you normally would),
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
  • 0

#5
pnthr30
Posted 22 February 2005 - 02:18 PM

pnthr30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ThatMan - Thanks a lot for your help. I did what you suggested (as best as I could anyways :tazz: haha). How do things look now? Am I good to go?

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:58 PM, on 2/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\PMM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.excite.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {10CA218C-B5AF-45D5-9B00-EE5BB8147FC7} - (no file) (HKCU)
O9 - Extra button: (no name) - {9D30273F-CF00-48E9-80BD-A7F6B697C23C} - (no file) (HKCU)
O9 - Extra button: (no name) - {B4D7803E-FCBF-4D1E-95AE-1F2CD7DAB72E} - (no file) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,30
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095952135546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/p...12/invinstl.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{86583147-AAE3-4131-A11E-36A2199B4135}: NameServer = 192.168.254.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

XXXXXXXXXXXXXX

Here is my About:Buster Log:

Scanned at: 9:58:41 AM on: 2/22/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\EPSON 2400 Installer.ini:adzxb
C:\WINDOWS\INRES.DLL:dgxlo


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\system32\nthst32.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\EPSON 2400 Installer.ini:adzxb
C:\WINDOWS\INRES.DLL:dgxlo


Attempted Clean Of Temp folder.
Pages Reset... Done!
  • 0

#6
Guest_thatman_*
Posted 22 February 2005 - 06:07 PM

Guest_thatman_*
  • Guest
Hi pnthr30

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox user posted image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)
  • 0

#7
pnthr30
Posted 23 February 2005 - 08:38 AM

pnthr30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks a lot, thatman............YOU DA MAN!! :thumbsup: ;)

I really appreciate your help! You guys provide a great service here, I am glad I found this site! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP