TheTechGuide Forum
General Category => Tech Clinic => Topic started by: flora on March 26, 2005, 03:26:48 PM
-
Please help.....I would be extremely grateful if someone could take the time to reply with advice. I have been trying to get rid of this for 2 days straight now It is driving me crazy!!! It has included:
1 - SmartSecurity virus-thing
2 - Taking over my desktop. I can't change my Background (still) - When I go into Display Settings, I can't select any of the default pictures or select "Browse" or anything???
3 - The Daosearch thing with PopUps and taking over webpages with certain words in them, and redirecting to www.daosearch.com/...
4 - Also, I can no longer Right-Click on a file in any Explorer browser window (to Open, or Open With..., or Cut, Copy, Paste, etc...) or even right click in the window itself (to "View", "Arrange Icons", or create a "New" File, etc.). I haven't seen anything on this anywhere.....which really makes me nervous. ????
Since it started, I've updated Norton System Works to 2005, downloaded and installed Ad-Aware and SpyWareBlaster, and run everything several times, including HJT.
I still have all of the problems, even though Norton and all the others have made several corrections, deletions, quarantines, etc. Now, Norton finds Backdoor.Haxdoor.D every time I restart the computer.
I know there's a lot wrong in the HJT log, I just don't know what to do. I'm almost begging at this point for some help....
Thank you in advance for your advice!!!
Flora
Logfile of HijackThis v1.99.1
Scan saved at 3:05:40 PM, on 3/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\r?gsvr32.exe
C:\WINNT\System32\dcet.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINNT\System32\paytime.exe
O4 - HKCU\..\Run: [Sonp] C:\WINNT\System32\rror.exe
O4 - HKCU\..\Run: [Ptyygs] C:\WINNT\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [gwotRTNsh] mpg2fw95.exe
O4 - HKCU\..\Run: [Mta] C:\WINNT\System32\Uao.exe
O4 - HKCU\..\Run: [Sav] C:\WINNT\Bfo.exe
O4 - HKCU\..\Run: [Sbv] C:\WINNT\System32\Efg.exe
O4 - HKCU\..\Run: [Jjk] C:\WINNT\System32\Lvg.exe
O4 - HKCU\..\Run: [Suh] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Cmv] C:\WINNT\Gli.exe
O4 - HKCU\..\Run: [Ajp] C:\WINNT\Agr.exe
O4 - HKCU\..\Run: [Etl] C:\WINNT\Jve.exe
O4 - HKCU\..\Run: [Oau] C:\WINNT\System32\Tbr.exe
O4 - HKCU\..\Run: [Jfp] C:\WINNT\System32\Ubd.exe
O4 - HKCU\..\Run: [Jef] C:\WINNT\System32\Vqf.exe
O4 - HKCU\..\Run: [Lhb] C:\WINNT\System32\Bjp.exe
O4 - HKCU\..\Run: [Tnp] C:\WINNT\Qts.exe
O4 - HKCU\..\Run: [Vpt] C:\WINNT\System32\Tld.exe
O4 - HKCU\..\Run: [Tqr] C:\WINNT\System32\Lqm.exe
O4 - HKCU\..\Run: [Jvq] C:\WINNT\System32\Ojm.exe
O4 - HKCU\..\Run: [Tcst] C:\WINNT\System32\dcet.exe
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
-
You're not being ignored, just don't have time to check your log right now
I'll be back later to take a look
Please be patient, thanks
-
Sorry for the delay,
===Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, recycle bin
Windows Cleanup: http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe
Install for now, don't run a scan yet
===Download and UNZIP to desktop
HSFIX.zip: http://www.atribune.org/downloads/HSFix.zip
HSFix directory will be created
We'll need this later
===Download and save to desktop
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Restart your computer into SAFE MODE (how-to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Find and delete these files or folders if found
C:\WINNT\SYSTEM32\drct16.dll <-file
C:\WINNT\System32\icnvnjct.dll
C:\WINNT\System32\paytime.exe
C:\WINNT\System32\rror.exe
C:\WINNT\System32\r?gsvr32.exe
mpg2fw95.exe
C:\WINNT\System32\Uao.exe
C:\WINNT\Bfo.exe
C:\WINNT\System32\Efg.exe
C:\WINNT\System32\Lvg.exe
C:\WINNT\System32\Mov.exe
C:\WINNT\Gli.exe
C:\WINNT\Agr.exe
C:\WINNT\Jve.exe
C:\WINNT\System32\Tbr.exe
C:\WINNT\System32\Ubd.exe
C:\WINNT\System32\Vqf.exe
C:\WINNT\System32\Bjp.exe
C:\WINNT\Qts.exe
C:\WINNT\System32\Tld.exe
C:\WINNT\System32\Lqm.exe
C:\WINNT\System32\Ojm.exe
C:\WINNT\System32\dcet.exe
C:\WINNT\zeta.exe
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319} <-folder
Look for these next ones too, delete files in bold if found
Let me know if you find any of them
• C:\WINDOWS\desktop.html
• C:\WINDOWS\Web\desktop.html
• C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url
Note* <current user>= user name having a problem with the desktop issue
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKCU\..\Run: [PayTime] C:\WINNT\System32\paytime.exe
O4 - HKCU\..\Run: [Sonp] C:\WINNT\System32\rror.exe
O4 - HKCU\..\Run: [Ptyygs] C:\WINNT\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [gwotRTNsh] mpg2fw95.exe
O4 - HKCU\..\Run: [Mta] C:\WINNT\System32\Uao.exe
O4 - HKCU\..\Run: [Sav] C:\WINNT\Bfo.exe
O4 - HKCU\..\Run: [Sbv] C:\WINNT\System32\Efg.exe
O4 - HKCU\..\Run: [Jjk] C:\WINNT\System32\Lvg.exe
O4 - HKCU\..\Run: [Suh] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Cmv] C:\WINNT\Gli.exe
O4 - HKCU\..\Run: [Ajp] C:\WINNT\Agr.exe
O4 - HKCU\..\Run: [Etl] C:\WINNT\Jve.exe
O4 - HKCU\..\Run: [Oau] C:\WINNT\System32\Tbr.exe
O4 - HKCU\..\Run: [Jfp] C:\WINNT\System32\Ubd.exe
O4 - HKCU\..\Run: [Jef] C:\WINNT\System32\Vqf.exe
O4 - HKCU\..\Run: [Lhb] C:\WINNT\System32\Bjp.exe
O4 - HKCU\..\Run: [Tnp] C:\WINNT\Qts.exe
O4 - HKCU\..\Run: [Vpt] C:\WINNT\System32\Tld.exe
O4 - HKCU\..\Run: [Tqr] C:\WINNT\System32\Lqm.exe
O4 - HKCU\..\Run: [Jvq] C:\WINNT\System32\Ojm.exe
O4 - HKCU\..\Run: [Tcst] C:\WINNT\System32\dcet.exe
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
===Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste the next entry in bold to the blank box and hit OK
ZESOFT
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DON'T log off or restart yet
Instead
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later
Restart your computer back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page,
Afterwards post back a fresh Hijackthis log,
Could you also post the log from HSFix.bat>>C:\hslog.txt <-this log
Could you also let me know what else you see in the following folder
C:\WINNT\System32\Services <-folder
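The post above works through the HijackThis log by hand: random three-letter Run entries, a SVCHOST.EXE living in a Services subfolder, a '?' in an executable name, Trusted Zone additions, a Winlogon Notify DLL and a service whose binary is missing. The script below is an added example (not part of the original post and not HijackThis code) that applies those same rules to a log automatically. The sample lines are copied from Flora's first log in this thread; the regexes, folder list and wording of the reasons are this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log for the entry types singled out in the post above.

Added example, not part of the original post and not HijackThis code. The sample
lines are copied from Flora's first log earlier in this thread; the rules encode
the heuristics the helper applied by hand.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKCU\..\Run: [Sav] C:\WINNT\Bfo.exe
O4 - HKCU\..\Run: [Ptyygs] C:\WINNT\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Hufsu] C:\WINNT\System32\??plorer.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O20 - Winlogon Notify: drct16 - C:\WINNT\SYSTEM32\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
"""

# O4 lines look like:  O4 - HKCU\..\Run: [ValueName] C:\path\to\target.exe
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# Folders where a freshly dropped three-letter .exe is suspicious (assumed list).
SYSTEM_DIRS = {"c:\\winnt", "c:\\winnt\\system32", "c:\\windows", "c:\\windows\\system32"}


def split_path(target):
    """Return (folder, filename), both lower-cased, tolerating surrounding quotes."""
    parts = target.strip().strip('"').split("\\")
    return "\\".join(parts[:-1]).lower(), parts[-1].lower()


def triage(log_text):
    """Return a list of (section, reason, line) for every suspicious entry."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" ", 1)[0]
        # HijackThis prints '?' for a character it cannot display, so a '?' inside an
        # executable name means a lookalike such as r?gsvr32.exe, not a wildcard.
        if section in {"O2", "O4", "O20", "O23"} and "?" in line:
            findings.append((section, "undisplayable character in filename (lookalike of a system binary)", line))
        if section == "O2" and "(no name)" in line:
            findings.append((section, "browser helper object with no name", line))
        if section == "O4":
            m = RUN_RE.match(line)
            if m:
                folder, exe = split_path(m.group("target"))
                if exe == "svchost.exe" and not folder.endswith("\\system32"):
                    findings.append((section, "svchost.exe running from outside System32", line))
                if re.fullmatch(r"[a-z]{3}\.exe", exe) and folder in SYSTEM_DIRS:
                    findings.append((section, "three-letter random executable dropped in a system folder", line))
        if section == "O15":
            findings.append((section, "site or IP added to the IE Trusted Zone (security checks relaxed)", line))
        if section == "O20":
            findings.append((section, "Winlogon Notify DLL, loaded by winlogon.exe at every logon", line))
        if section == "O23" and "(file missing)" in line:
            findings.append((section, "service whose binary is missing (orphaned or hidden)", line))
    return findings


def report(log_text):
    """Human-readable summary, one finding per block."""
    return "\n".join(f"{s}: {why}\n    {entry}" for s, why, entry in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The Symantec, Adobe and Office lines pass through untouched; everything the helper ticked for "Fix checked" is flagged, which is the point: the rules are a first pass, and the entries they raise still want a human look before anything is deleted.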
-
Not a problem about the delay. Thanks for getting to me.
I deleted all of the files I found. I wasn't able to delete the first one listed:
C:\WINNT\SYSTEM32\drct16.dll <-file
It was in-use. Also, I didn't find any that were listed in the "Look for these next ones too, delete files in bold if found" section.
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:42:19 AM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
HSLOG.TXT
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-
In the following (C:\WINNT\System32\Services) folder, I found the (4) files below.
These were all created at the time I downloaded all of this.....stuff.
{1CCF6605-BBCE-4103-9262-03B16E5A9030}
{10FF35E4-42EF-47EB-8A19-F148EC20E6B5}
{73BBEE32-B23C-431A-B12A-CC226D15BB67}
{87C05DD0-B0FA-4FE3-BA7E-62607262AE75}
I'm guessing these should all be deleted? Also, I'm still not able to right-click on files or in folders - have you heard of this before?
Thanks again!
-
Let's try the following,
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
Download the Pocket Killbox: http://www.downloads.subratam.org/KillBox.zip
UNZIP it to a folder of your choice
Save these instructions to a Notepad file on your desktop
Disconnect from the Internet (Close down all browser windows) and all unnecessary programs running in the background
Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold
C:\WINNT\SYSTEM32\mszx23.exe
Select the radio button to
Replace on Reboot
Additionally, select the "Use Dummy" option
Click The Red circle and a white X
When prompted to Replace on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for this file
C:\WINNT\SYSTEM32\drct16.dll
But this time allow the computer to Reboot
or reboot anyways
Try and restart into safe mode, you can do this by tapping the F8 key as the system is first booting up
In safe mode
Delete these subfolders inside the Services folder
{1CCF6605-BBCE-4103-9262-03B16E5A9030}
{10FF35E4-42EF-47EB-8A19-F148EC20E6B5}
{73BBEE32-B23C-431A-B12A-CC226D15BB67}
{87C05DD0-B0FA-4FE3-BA7E-62607262AE75}
Also ensure you removed this folder
C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319} <-folder
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {A20D0D39-B5D1-C151-AD2F-C8C9DEB03FE0} - C:\WINNT\System32\icnvnjct.dll (file missing)
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{B575DF10-2D02-46AA-8785-2AE5949C8319}\SVCHOST.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on fix.reg
Allow it to merge to the Registry
Run HSFIX.bat again
Restart back to Normal mode
Post back a fresh Hijackthis log and the hsfix.bat log>>C:\hslog.txt
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
@echo off
rem /a lists every matching file whatever its attributes (hidden and system files included)
dir C:\WINNT\System32\r?gsvr32.exe /a > files.txt
notepad files.txt
Save this file on the desktop
Double click on Export.bat, a text file will open, can you copy and paste that info back here too, thanks
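The dir check above looks for one pattern, r?gsvr32.exe, because HijackThis printed a '?' where the real filename had a character it could not display. As an added example (not part of the original post), the script below generalises that check: it masks every filename in a folder the way HijackThis 1.99 did and reports any that line up with a well-known system binary once the odd characters are hidden. The list of binaries and the constructed sample names are this example's assumptions, not files from Flora's machine.

```python
"""Find files whose names impersonate a system binary by swapping in characters
that HijackThis would print as '?'.

Added example, not part of the original post. The dir command above checks one
pattern; this applies the same idea to every file in a folder and to any
non-ASCII substitution. The names used in demo() are constructed, not from
Flora's PC.
"""
import os
import tempfile

# Names worth impersonating, as the thread's r?gsvr32.exe and ??plorer.exe did (assumed list).
KNOWN_BINARIES = ("regsvr32.exe", "explorer.exe", "svchost.exe", "winlogon.exe")


def hjt_mask(name):
    """Render a filename the way HijackThis 1.99 showed it: anything outside printable
    ASCII becomes '?', which is exactly how r?gsvr32.exe and ??plorer.exe appeared."""
    return "".join(c if 0x20 <= ord(c) <= 0x7E else "?" for c in name)


def lookalike_of(name, known=KNOWN_BINARIES):
    """Return the system binary that `name` impersonates, or None if the name is plain
    ASCII or does not line up with any known name once the odd characters are masked."""
    masked = hjt_mask(name).lower()
    if "?" not in masked:
        return None
    for real in known:
        if len(real) == len(masked) and all(m in ("?", r) for m, r in zip(masked, real)):
            return real
    return None


def scan_names(names, known=KNOWN_BINARIES):
    """Return [(actual name, HijackThis-style rendering, impersonated binary)]."""
    hits = []
    for entry in sorted(names):
        real = lookalike_of(entry, known)
        if real:
            hits.append((entry, hjt_mask(entry), real))
    return hits


def scan_directory(path, known=KNOWN_BINARIES):
    """Same as scan_names, but over the entries of a real folder."""
    return scan_names(os.listdir(path), known)


def demo():
    """Create a scratch folder with constructed names and scan it. The impostors use
    a Cyrillic 'е' (U+0435) in place of Latin 'e' and two no-break spaces (U+00A0)
    in place of 'ex'; both look like ordinary letters or blanks in Explorer."""
    with tempfile.TemporaryDirectory() as folder:
        for fn in ("regsvr32.exe", "r\u0435gsvr32.exe", "explorer.exe",
                   "\u00a0\u00a0plorer.exe", "notepad.exe"):
            open(os.path.join(folder, fn), "w").close()
        return scan_directory(folder)


if __name__ == "__main__":
    for actual, shown, real in demo():
        odd = [hex(ord(c)) for c in actual if ord(c) > 0x7E]
        print(f"{shown:16} -> impersonates {real}  (non-ASCII code points: {odd})")
```

On a live system you would call `scan_directory(r"C:\WINNT\System32")` (and `C:\WINNT`) and then delete only what the second column shows as a '?'-name; the genuine regsvr32.exe is ASCII and is never reported.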
-
I did everything, and here are the results......how's it looking?
......and thank you...again!
Logfile of HijackThis v1.99.1
Scan saved at 8:39:57 PM, on 3/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {AD5F3C4B-BD73-11D5-838B-0050042DF1E4} (HOOPS 3D Stream Control Class) - http://www.hoops3d.com/downloads/hoopsatlcontrol.cab
O16 - DPF: {D3D53657-4115-11D2-B73A-00805F85736F} (HOOPS 3D Stream Control) - http://www.hoops3d.com/downloads/hoops3daf.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
HSLOG
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
NOTEPAD FILE
Volume in drive C is Local Disk
Volume Serial Number is 801B-4ECE
Directory of C:\WINNT\System32
08/23/2001 07:00 AM 9,728 regsvr32.exe
1 File(s) 9,728 bytes
Directory of C:\Desktop
-
Looks good
If everything is running better
You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Why so far behind on Windows Updates?
This is important in keeping your system secure online too...
Can you also let me know if you can access your options in
Control Panel>>Display
Also let me know if duplicate Icons are being displayed on the Desktop
Create a new shortcut icon to the desktop and see if it duplicates
-
I was finally able to get around to the final changes that you suggested.
I'm far behind on Windows updates because I actually reinstalled Windows after this first started (after I updated Norton and ran several virus checks/spyware programs) - but before you started helping. Not sure that was smart?
I'm not able to access the options in Control Panel - Display. Is there any simple fix ?
But, it's not creating double Shortcuts on the Desktop.
Once again, thank you very much for your help!! I'm amazed by the extensive knowledge in something this complicated.
Out of curiosity, is there something I had to have clicked on/okayed to download that started all of this SmartSecurity stuff - or was it simply clicking on a website that allowed it to install everything?
Thanks again!
-
Could you also do the following
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Code box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file to Desktop
rem Export the HKCU Policies key and all its subkeys to Export.reg in the folder
rem the batch file is run from (double-clicked on the Desktop, that is the Desktop)
regedit /e Export.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
Double click on Export.bat and a file should be placed on the Desktop
Export.reg
Right click on Export.reg and select EDIT
Copy and paste back the findings
-
Is there a specific section or sections I should be looking for and pasting in? The file is a 60 MB text file that can't possibly all be posted.
Thanks
-
Flora, is that you???? Could you log in when responding, so I'm sure who I'm talking to, thanks
60 MB, whoa, something went wrong :D
Can you do the following for me please
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
@echo off
rem Export the HKCU Policies key and its subkeys to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
rem Copy the export into Display.txt and open it in Notepad
rem (run from a batch file, cmd waits here until Notepad is closed)
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
rem Clean up both files once Notepad has been closed
del /q c:\temp.reg
del /q C:\Display.txt
Double click Export.bat and copy and paste back the findings
-
Sorry, yeah that was me (and so was the previous post :) ) I thought it was logging me in automatically....
Anyways, here's what I got back this time:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINNT\\desktop.html"
(This "Wallpaper" file no longer exists....)
-
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Windows Registry Editor Version 5.00

; "=-" after a value name deletes that value when the file is merged
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-
Double click on fix.reg and allow to merge to your registry
Restart your computer and let me know if you can Access your display options and change your background on the desktop
Could you also
In Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything
Log off and back on again if you had to uncheck anything
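Editor's added example, not code from either poster: the export Flora pasted and the fix.reg above are the two halves of one procedure, dump the Policies keys with regedit /e, then merge a .reg that deletes the values locking the desktop. The Python below does that triage offline on the export text as posted: it parses the .reg format, flags policy values that restrict the user, and writes the matching "name"=- deletion file under the key each value was actually found in. The set of value names it flags is the editor's own pick of documented Windows policy values (NoViewContextMenu, NoChangingWallpaper, NoDispCPL and so on), not a list from the thread; the sample export is reconstructed inline so the script runs without a Windows machine. To run it on a real Export.reg, open the file with encoding="utf-16", since regedit writes its exports in UTF-16.

```python
import re

# Constructed sample: the HKCU Policies export pasted in the thread, laid out
# the way regedit /e writes it (minus the UTF-16 encoding of the real file).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINNT\\desktop.html"
"""

# Windows policy values that take the desktop away from the user when set.
# Which names to flag is this example's choice, not a list from the thread.
LOCKOUT_DWORDS = {
    "ActiveDesktop": {"NoChangingWallpaper", "NoComponents", "NoAddingComponents",
                      "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallPaper"},
    "Explorer": {"ForceActiveDesktopOn", "NoViewContextMenu", "NoSetTaskbar",
                 "NoSaveSettings", "NoDesktop", "NoControlPanel", "NoRun",
                 "NoActiveDesktopChanges"},
    "System": {"NoDispCPL", "NoDispBackgroundPage", "NoDispAppearancePage",
               "NoDispScrnSavPage", "NoDispSettingsPage",
               "DisableRegistryTools", "DisableTaskMgr"},
}
LOCKOUT_STRINGS = {"System": {"Wallpaper", "WallpaperStyle"}}  # forced wallpaper path/style

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg quoting writes backslash and double quote as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg text into {key: {value name: value}}.
    dword:... becomes an int, "..." becomes a str; other types (hex:, hex(2):)
    are kept as their raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = _unescape(m.group(1)), m.group(2)
            if rhs.lower().startswith("dword:"):
                value = int(rhs[6:], 16)
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                value = _unescape(rhs[1:-1])
            else:
                value = rhs
            keys[current][name] = value
    return keys

def lockout_findings(keys):
    """Return [(key, name, value)] for values under a Policies key that lock the user out:
    a non-zero DWORD from LOCKOUT_DWORDS or a non-empty string from LOCKOUT_STRINGS."""
    findings = []
    for key, values in keys.items():
        if "\\Policies" not in key:
            continue
        subkey = key.rsplit("\\", 1)[-1]
        for name, value in values.items():
            if name in LOCKOUT_DWORDS.get(subkey, ()) and isinstance(value, int) and value:
                findings.append((key, name, value))
            elif name in LOCKOUT_STRINGS.get(subkey, ()) and isinstance(value, str) and value:
                findings.append((key, name, value))
    return findings

def build_fix_reg(findings):
    """Emit a .reg that deletes each flagged value ("name"=-) under the key it was found in."""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)

def triage(text):
    findings = lockout_findings(parse_reg(text))
    return findings, build_fix_reg(findings)

if __name__ == "__main__":
    # For a real export use open("Export.reg", encoding="utf-16").read(); regedit /e writes UTF-16.
    found, fix = triage(SAMPLE_EXPORT)
    for key, name, value in found:
        print(f"{key}\n    {name} = {value!r}")
    print("\n--- fix.reg ---\n" + fix)
```

Run on the posted export it flags ForceActiveDesktopOn=1 under Policies\Explorer and the Wallpaper string under Policies\System, and leaves the zeroed values and NoDriveTypeAutoRun alone. The deletion file it writes names the hive and key each value was read from, which is worth checking by eye against any hand-written fix.reg before merging.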
-
Success!!!!!!
I have a restored desktop! No more pop-ups!! No more modified website links, or anything!!!!!
Thank you a ton!!
-
Glad to hear everything is running well, thanks for posting back
I would make sure you get your Windows Updates and install SpywareBlaster and IE-Spyad
EDIT>>I'm locking this topic as your problems appear resolved, If you need it reopened
Please PM a Mod or the site Admin and supply a link to this thread
Stay safe
:)