TheTechGuide Forum
General Category => Tech Clinic => Topic started by: gazoomba on April 02, 2005, 08:44:48 AM
-
I hope someone can help. I've had this error for a few days and have done my best to clear the errors which keep coming back.
I've used my updated versions of Ad-Aware SE personal, Spybot Search and Destroy as well as eTrust Antivirus and they sometimes identify the problem but do not delete or fix it.
My Desktop has a red screen with a link to Smart Security or Slimshield, IE is disabled, my right click button has been disabled and it occasionally disables Outlook Express.
I have loaded Firefox so have access to the net, plus I have a second stand-alone laptop that is not infected to browse the net and follow instructions etc. while the other PC is not working.
I have read a few postings and have also loaded and used the following programs:
- CWShredder
- HiJack this
- Registrar light
- Spysubtract
- Cleanup312
I have not been able to successfully use these programs to delete the problems.
Here is my logfile:
Logfile of HijackThis v1.99.0
Scan saved at 11:32:15 PM, on 2/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Cvi.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
I have deleted a lot of the nasty files like the R and F sections and some of the others but they keep re-appearing.
Can you help me? This has been driving me nuts!
Gazoomba
-
Can you update your version of Hijackthis please and post a fresh log?
Also, ensure you save Hijackthis to a permanent folder
Please Read This (http://www.thetechguide.com/forum/index.php?act=ST&f=4&t=14623&st=0#entry28996)
Could you also, along with a fresh Hijackthis log
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
@echo off
rem Export the current user's Policies key (where desktop/Explorer lockdowns live) to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
rem Append the export to a plain text file and open it in Notepad so it can be copied
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
rem Remove the temporary files once Notepad is closed
del /q c:\temp.reg
del /q C:\Display.txt
Double click Export.bat and copy and paste back the findings
-
Log Removed>>Why did you try the Directions I posted to another user?
Please, Read This (http://www.thetechguide.com/forum/index.php?showtopic=14623)
~guestolo~
-
Dear Guestolo,
Thanks for your reply and guidance. Here is my response to your requests.
1. A fresh Hijackthis Log (using the latest version of HJT)
Logfile of HijackThis v1.99.1
Scan saved at 7:44:43 PM, on 4/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Uab.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKLM\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKLM\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKLM\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKLM\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKLM\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKLM\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKCU\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKCU\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKCU\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKCU\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKCU\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
2. The Findings from the Export.bat enquiry:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
Hopefully, this will provide the information you need.
Regards,
Gazoomba
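The Export.bat step and the findings it produced above show which HKCU Policies values were behind the symptoms (no right-click, a forced HTML "wallpaper"). As an added example that is not from this thread, from Export.bat or from fixdesktop.reg, the script below parses a regedit /e export of that key, flags the values that lock the user out, and builds a .reg fragment that deletes only those values. The sample export is constructed from the values posted above; the rule list and the remediation are our own.

```python
"""Flag lockout policies in a regedit /e export of the HKCU Policies key.

Added example; not code from this thread, from Export.bat or from
fixdesktop.reg. The sample export is constructed from the posted values.
"""
import re

# Constructed sample, shaped like the output of Export.bat / regedit /e.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"""

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# (subkey, value name, explanation): our own rule list for the symptoms in the
# thread. A non-zero DWORD (or any string for Wallpaper) means the policy applies.
LOCKOUT_RULES = [
    ("Explorer", "NoViewContextMenu", "right-click context menus are disabled"),
    ("Explorer", "ForceActiveDesktopOn", "Active Desktop is forced on"),
    ("ActiveDesktop", "NoChangingWallpaper", "the user cannot change the wallpaper"),
    ("System", "Wallpaper", "wallpaper is forced by policy"),
]


def parse_reg(text):
    """Return {subkey: {value_name: int | str}} for the subkeys in the export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).rsplit("\\", 1)[-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            else:
                # regedit doubles backslashes inside exported REG_SZ values
                keys[current][name] = string.replace("\\\\", "\\")
    return keys


def flag_policies(keys):
    """Return (subkey, name, explanation) for every lockout rule that applies."""
    findings = []
    for sub, name, why in LOCKOUT_RULES:
        value = keys.get(sub, {}).get(name)
        if value:  # non-zero DWORD or non-empty string
            detail = why
            if isinstance(value, str) and value.lower().endswith((".htm", ".html")):
                detail += f" and points at an HTML file ({value})"
            findings.append((sub, name, detail))
    return findings


def remediation_reg(findings):
    """Build a .reg fragment that deletes only the flagged values.

    Merging a line of the form "name"=- with regedit removes that value.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_sub = {}
    for sub, name, _ in findings:
        by_sub.setdefault(sub, []).append(name)
    for sub, names in by_sub.items():
        lines.append(f"[{POLICIES}\\{sub}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = flag_policies(parse_reg(SAMPLE_REG))
    for sub, name, why in found:
        print(f"{sub}\\{name}: {why}")
    print(remediation_reg(found))
```

NoDriveTypeAutoRun=0x91 is left alone on purpose: it is the Windows XP default, so it is not evidence of tampering. The generated .reg only deletes values; it does not touch the rest of the key, so it is safe to review line by line before merging.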
-
Hi again Gazoomba
There is a registry fix circulating that is helping with this problem
Can you first create a new Restore point
Go to START>>All programs>>Accessories>>System Tools>>System Restore
Create a new restore point
Name it and click Create
After you have done that
Download and UNZIP to a folder
Fixdesktop.zip
So you now have fixdesktop.reg in the same folder
Fixdesktop.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=112)
We'll need this later
==Also ===Download and UNZIP to a folder
HSFIX.zip (http://www.atribune.org/downloads/HSFix.zip)
HSFix directory will be created
We'll need this later
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
All the next ones I ask you to remove with Hijackthis, can you also find the files in their respective folders and delete them if found
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe <-delete this file
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKLM\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKLM\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKLM\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKLM\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKLM\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKLM\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKCU\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKCU\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKCU\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKCU\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKCU\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
EDIT>>Also look for these files and delete if found
C:\WINDOWS\desktop.html <-file
C:\WINDOWS\Web\desktop.html <-file
Run Windows CleanUp!
After it's finished cleaning files
Don't restart or log off yet
Instead
Double click on Fixdesktop.reg and allow to merge to the registry
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later
Restart back to Normal Mode
If you can, access your Display properties options in your Control panel
Go to Desktop tab>>Customize Desktop >>> Web tab>> and ensure to uncheck everything
Log off and back on again from Windows if you needed to uncheck anything
Post back a fresh Hijackthis log and the log from HSFix.bat>>C:\hslog.txt
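The O4 and O20 lines selected for removal above follow a pattern: three-letter run-key names launching three-letter executables dropped directly into C:\WINDOWS or System32, one entry in a Temp folder, the same file registered under both HKLM and HKCU, and a Winlogon Notify DLL that is not one of XP's defaults. As an added example that is not from this thread and not HijackThis code, the script below applies those heuristics to a constructed sample of the posted log lines. The allowlist of default Winlogon Notify handlers and the "short random-looking name" rule are our own assumptions, and a triage like this only shortlists entries for a person to verify.

```python
"""Heuristic triage of HijackThis O4 (Run) and O20 (Winlogon Notify) lines.

Added example; not from the thread and not HijackThis code. The sample log
is constructed from lines the poster reported.
"""
import ntpath
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# Assumed allowlist (ours): the Winlogon Notify subkeys a default XP install has.
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def extract_path(cmd):
    """Pull the executable path out of a Run value, dropping a trailing switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /")[0]


def parse(text):
    """Return ([(hive, key_name, path)], [(notify_name, dll_path)])."""
    runs, notifies = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, cmd = m.groups()
            runs.append((hive, key, extract_path(cmd)))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m.group(1), m.group(2).strip()))
    return runs, notifies


def triage(text):
    """Return [(label, [reasons])] for entries worth a human look."""
    runs, notifies = parse(text)
    hives_per_path = {}  # same file under HKLM and HKCU = redundant persistence
    for hive, _, path in runs:
        hives_per_path.setdefault(path.lower(), set()).add(hive)
    findings = []
    for hive, key, path in runs:
        low = path.lower()
        stem, _ = ntpath.splitext(ntpath.basename(low))
        reasons = []
        if "\\temp\\" in low:
            reasons.append("runs from a temporary directory")
        if ntpath.dirname(low) in WINDOWS_DIRS and len(stem) <= 3 and len(key) <= 3:
            reasons.append("short random-looking name dropped in a Windows directory")
        if len(hives_per_path[low]) == 2:
            reasons.append("registered in both HKLM and HKCU")
        if reasons:
            findings.append((f"{hive} [{key}] {path}", reasons))
    for name, dll in notifies:
        if name.lower() not in DEFAULT_NOTIFY:
            findings.append((f"O20 {name} {dll}",
                             ["Winlogon Notify handler outside the XP defaults"]))
    return findings


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG):
        print(label, "->", "; ".join(reasons))
```

ctfmon.exe, msmsgs.exe and the Global Startup shortcut are left alone, which matches the advice above to keep the legitimate entries. The O20 rule is the most important one to keep in mind afterwards: a Winlogon Notify DLL is loaded at logon before the desktop appears, which is why the drct16.dll entry survived ordinary scans and had to be removed from Safe Mode.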
-
Dear Guestolo,
You are a miracle worker. I have control of my desktop, right click button, Web Browser (IE) and access again to my computer. What a relief!
Logfile of HijackThis v1.99.1
Scan saved at 8:07:52 PM, on 5/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
Here is the other log:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-
What are your thoughts. Things seem to be OK now?
Regards,
Gazoomba
-
Gazoomba, the registry fix I asked you to try
Was it called fixdesktop.reg??
Are all your shortcut icons on the desktop back to normal?
I'm just checking something out
Could you one more time
With windows set to show hidden files and folders
Reboot back to safe mode
Run HSFix.bat again >> It still has some cleaning to do
Return to Normal mode and post a fresh Hijackthis log and the log from Hsfix.bat
Also let me know about fixdesktop.reg, thanks
-
Dear Guestolo,
Here are your answers:
The Registry Fix you asked me to try was Fixdesktop Registry Editor. You sent it as a zip file named fixdesktop.zip
All the shortcut items on my previous desktop are back to normal. I had a JPEG saved as the desktop and this was not there but I have just used a generic Microsoft desktop until the system is clear again.
HSFix Log is below:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:08 PM, on 6/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\HJT\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
Also, I seem to have an error loading IE and even Mozilla Firefox after running Hijack this? I lose connection to the Internet. The first time I ran Hijackthis after the main deletion of the O4 Autoloading programs etc., I had troubles seeing my C drive and my virus protection said something about a Haxdoor Virus. That was the last time I saw that error. Not sure if this has anything to do with your analysis. After running Spybot Search and Destroy I get no errors after the scan but IE works fine again after a reboot?
Cheers,
Gazoomba
-
Everything looks fine now
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
I'm curious about this entry in your log
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
You look like you're in dire need of Windows Updates, you're way behind
Were you in the process of installing them but stopped?
Is that what it's related to?
If your version of Windows is legit
I would go and Install all Latest critical updates and Service packs
Don't get the recommended unless you prefer them
Restart your computer when prompted, keep revisiting Windows Updates until you have all Critical updates and Service Packs installed
If you decide to update to Service pack 2, give it time to install, even if it appears to Hesitate at times
-
Dear Guestolo,
Everything is running better now.
I recently updated from Windows 2000 to XP and rebuilt my computer from scratch. Not sure if the entry you mention has something to do with this.
I was way behind on the Windows Updates and have since updated and included SP2. I am now current.
I will also follow your other instructions and load the other protection programs. I am on the home stretch now.
You have been a great help and I am pleased that I have found this website. It's definitely on my favorites now.
How does it make money? I would like to support it with a donation for your efforts and assistance.
Regards,
Gazoomba
-
Hi again gazoomba
Donations at this time would be incredibly appreciated as our site Admin is making his way to help the CSI Roatan orphanage
All donations at this time will go to help the cause
Please read more below my signature and follow the link if you would like to help out
Thank you