TheTechGuide Forum

General Category => Tech Clinic => Topic started by: boastercoaster on April 30, 2005, 01:00:15 PM

Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 01:00:15 PM
It seems you are the man to contact about this dumb red-screen SmartSecurity.  Here is my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:37 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 01:44:35 PM
I see another problem on your computer besides Smart Security.
Unfortunately, you have either done some fixing with HijackThis or controlled entries with msconfig.
Not that there's anything wrong with that, but you may be hiding malicious activity.

Could you go to start>>Run>>type in
msconfig
Hit OK
Enable all startup items
Do a Normal startup

You shouldn't have to restart your computer, but post back a fresh HijackThis log afterwards.
Also, if you have done fixes with HijackThis>>Open HijackThis
View a list of Backups and Restore all backups before doing another scan and posting back a fresh log.
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 01:59:33 PM
I did as you said and here is a new log

Logfile of HijackThis v1.99.1
Scan saved at 2:56:39 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5EB8144B-6EF2-7346-72E4-ADB028205C5E} - C:\WINDOWS\system32\nethk32.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O2 - BHO: (no name) - {E902A02C-DD59-5DE4-624F-8012F9AFA9B9} - C:\WINDOWS\apptr32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Ocg] C:\WINDOWS\System32\Iki.exe
O4 - HKLM\..\Run: [Gqb] C:\WINDOWS\System32\Hdu.exe
O4 - HKLM\..\Run: [d3ii.exe] C:\WINDOWS\system32\d3ii.exe
O4 - HKLM\..\Run: [Cga] C:\WINDOWS\System32\Hos.exe
O4 - HKLM\..\Run: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 02:04:39 PM
I need to look for something
Can you download Files.zip and UNZIP the folder within to desktop
or another folder

Open the folder and double click on find.bat
Wait for the scan to finish and a log will be produced

Can you post the log back here, thanks
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 02:37:41 PM
Does this scan take a while? It has been 10 mins or so and it says scanning for files.
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 02:53:20 PM
When I hit run, a window labeled C:\Windows\system32\cmd.exe comes up and it says "XFind.com" is not recognized as an internal or external command, operable program or batch file.  Notepad also opens with the scanning for files text.
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 02:59:14 PM
The only way I can reproduce your problem is if I don't UNZIP Files.zip first
You can't run this from within the zipped archive

As I said, UNZIP the contents to desktop or another folder
Then open the folder you UNZIPPED and then run find.bat
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 03:02:07 PM
clninst.bat   C:\program files\Symantec_Client_Security\Symantec antivirus

msdtcvtr.bat  c:\windows\system32\msdtc\trace



If I do a *.bat search these come up.  Don't know if that means anything.
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 03:04:55 PM
I don't know what this has to do with anything I asked you to do :unsure:
Download Files.zip and save it to a folder
Choose save to disk rather than Open

UNZIP it and then open the folder you unzipped and run files.bat
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 03:09:07 PM
That is exactly what I am doing.  But I still get the 2 windows.  How long does a scan usually take?
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 03:14:37 PM
Open the folder you unzipped
Double click on Xfind.com
A window will open and close
Then double click on find.bat>>When it's done, which shouldn't take that long
A text file called files.txt will be placed in the same folder
Copy and paste that back here

If you can't get it to run we'll have to try alternate methods
But as I said, the only way I can reproduce your problems is if you didn't save and then UNZIP the file I uploaded for you
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 04:02:11 PM
»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...
 
* result-> C:\WINDOWS\DESKTO~1.HTM
* result-> C:\WINDOWS\FHR~1.HTM
* result-> C:\WINDOWS\POPUP~1.HTM
 

Sorry took so long, pizza arrived.  I finally got it to work
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 04:41:37 PM
Let's get to work and clean this machine
Pizza>>I know what I'm having for dinner later, that sounds good :P

I'm going to ask you to download a few tools, all are free
and don't take long to run
Only Ewido takes some time, but please try and do everything I ask as you have a couple different infections

==Download and then Install
Ewido Trojan Scanner (http://www.ewido.net/en/download/)

When installing, under "Additional Options" UNCHECK "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that in the next step
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

==Download to a folder
About:Buster.zip (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
UNZIP the contents to desktop or a folder; a folder will be placed on your desktop or wherever you unzipped it to
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

==Download and UNZIP to a folder
Removal.zip, so you now have a folder unzipped called "Removal"
We'll need this later

==Download and UNZIP to a folder Cwsserviceremove.zip
So you have cwsserviceremove.reg unzipped to the same folder
Cwsserviceremove.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=175)
We'll need this later

==From my signature below, download and save to a folder CWShredder.exe
Don't run it yet

==Could you next
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

==Please save these instructions to a Notepad file and save it to your Desktop or a folder for reference. I will need you to restart into safe mode soon and stay disconnected from the Internet

==Access your Add/Remove programs and remove if found
SurfSideKick
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer
Win-Tools for IE

Do not reboot until they have all been removed even if prompted.
# When you are uninstalling the last program you can then reboot when prompted

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

==Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Workstation NetLogon Service

Double click on it--- STOP the service-- If running
In the drop down menu, change the startup type to Disabled

Open your Task manager and kill these processes if still running
crwk32.exe
ntus.exe


Open the Removal folder you unzipped and double click on Removal.bat
A dos window will open and close quickly, this is normal
Say yes to import the registry file

Find and delete these folders if found
C:\Program Files\SurfSideKick 2 <-this folder
C:\Program Files\Toolbar <-folder
C:\Program Files\Common Files\WinTools <-folder

Stay in safe mode
==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log, then hit Exit.
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

====Double click on cwsserviceremove.reg and allow it to merge to the registry

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

====Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

==Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but fix what appears

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5EB8144B-6EF2-7346-72E4-ADB028205C5E} - C:\WINDOWS\system32\nethk32.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O2 - BHO: (no name) - {E902A02C-DD59-5DE4-624F-8012F9AFA9B9} - C:\WINDOWS\apptr32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)

O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Ocg] C:\WINDOWS\System32\Iki.exe
O4 - HKLM\..\Run: [Gqb] C:\WINDOWS\System32\Hdu.exe
O4 - HKLM\..\Run: [d3ii.exe] C:\WINDOWS\system32\d3ii.exe
O4 - HKLM\..\Run: [Cga] C:\WINDOWS\System32\Hos.exe
O4 - HKLM\..\Run: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART the computer back to Normal mode
Back in Windows

===Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
 Under the  Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

==Do the following
1. In the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or  Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

I'm going to ask that you post back a number of logs
Try and supply them all, thanks

Post back with a fresh Hijackthis log
Also, post the logs from About:Buster
Include the report from Ewido's trojan scanner

I want to check to see if your hosts file was edited
Could you do the following
==Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Could you run Find.bat you unzipped earlier and post a new log when it's done

Also let me know if you have Spybot 1.3 installed, I'm just checking!!!
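The entries picked out of the log for the HijackThis fix list above (search pages pointed at a res:// resource inside a DLL, BHOs with no name, Run keys launching short random names dropped straight into C:\WINDOWS or System32, a service with no vendor and a garbage name) follow a pattern that can be checked mechanically. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool linked here. It parses HijackThis 1.99-style log lines and flags those same indicators. The sample log is constructed from lines quoted in this thread; the allow-list of legitimate binaries, the adware folder names and the C:\WINDOWS location are assumptions made for the example.

```python
"""Triage a HijackThis 1.99 log for the hijack indicators seen in this thread.

Added example for this page; not part of the thread, of HijackThis, or of any
tool linked here. SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the victim's Windows directory, as shown in the log's process list.
WINDIR_ROOTS = ("c:\\windows\\", "c:\\windows\\system32\\")
# Assumed allow-list of binaries that legitimately autorun from %WINDIR% or System32.
KNOWN_GOOD_STEMS = {"nerocheck", "msconfig", "explorer", "ctfmon"}
# Adware bundles named in the thread; a Run entry inside their folders is flagged.
ADWARE_PATH_MARKERS = ("surfsidekick", "wintools", "\\toolbar\\")


@dataclass
class Finding:
    line: str
    reason: str


def _exe_path(value: str) -> str:
    """Return the executable from an O4 value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def _in_windir_root(path: str) -> bool:
    """True when the file sits directly in %WINDIR% or System32 (no subfolder)."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(r) and "\\" not in p[len(r):] for r in WINDIR_ROOTS)


def triage_line(line: str) -> Optional[Finding]:
    """Apply per-section heuristics to one log line; None means nothing suspicious."""
    line = line.rstrip()
    if not re.match(r"^[RO]\d+ - ", line):
        return None  # header, blank, or process-list line
    section, _, rest = line.partition(" - ")
    low = rest.lower()
    if section in ("R0", "R1"):
        if "= res://" in low and ".dll/" in low:
            return Finding(line, "IE search/start page redirected to a local DLL resource")
        if "default_page_url = about:blank" in low:
            return Finding(line, "default page forced to about:blank (CWS about:blank symptom)")
    elif section == "R3" and "missing" in low:
        return Finding(line, "default URLSearchHook removed by the hijacker")
    elif section == "O2" and "(no name)" in low:
        return Finding(line, "anonymous browser helper object")
    elif section == "O3" and "(file missing)" in low:
        return Finding(line, "orphaned toolbar registration")
    elif section == "O4":
        m = re.match(r".*?: \[[^\]]*\] (.*)$", rest)
        if not m:
            return None  # Global Startup .lnk entries are not handled here
        exe = _exe_path(m.group(1))
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if any(mark in exe.lower() for mark in ADWARE_PATH_MARKERS):
            return Finding(line, "autorun of a known adware bundle")
        if _in_windir_root(exe) and stem not in KNOWN_GOOD_STEMS:
            return Finding(line, "autorun of an unrecognised binary in %WINDIR% or System32")
    elif section == "O23":
        if any(ord(c) > 127 for c in rest):
            return Finding(line, "service name contains non-ASCII garbage")
        if "unknown owner" in low:
            return Finding(line, "service with no vendor information")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return a Finding for every suspicious line in a HijackThis log."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as-is to see the findings for the embedded sample, or feed a saved log through triage(). The O4 heuristic is deliberately narrow: anything autorun from the root of %WINDIR% or System32 that is not on the allow-list is reported, which catches the ten Run entries in the fix list above while leaving NeroCheck.exe and the Program Files entries alone. Against the full second log in this thread the script flags exactly the 24 lines in the fix list.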
Title: Another victim of SmartSecurity
Post by: guestolo on April 30, 2005, 04:47:40 PM
I forgot to upload Removal.zip, here it is
Sorry, and this is an important step :lol:
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 04:50:37 PM
Thanks.. This will take a bit but I will try to follow exactly and get back with you.  Get back with me at your convenience afterwards.
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 09:40:05 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:22:26 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         9:54:26 PM, 4/30/2005
 + Report-Checksum:      802A6291

 + Date of database:      5/1/2005
 + Version of scan engine:   v3.0

 + Duration:            22 min
 + Scanned Files:         18540
 + Speed:            13.87 Files/Second
 + Infected files:         71
 + Removed files:         71
 + Files put in quarantine:      71
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   G:\

 + Scan result:
   C:\dkload.exe -> TrojanDownloader.Small.vg -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\02B52AD6-8E82-4465-AEDB-B85688\6E7C4ABF-8205-439E-B443-F08C97 -> Spyware.Altnet.c -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\54A4A3AC-58BA-449A-9050-993E25\85C62CB7-30F5-4E2A-B256-2F0BD0 -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\7C562B22-B470-4DDE-86D0-761C98\832C5685-D0D8-4F7D-A0C4-B96DFF -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\9B908EE8-46AE-4CAD-ABFA-0CA2BA\FA02292E-E9A3-4498-9503-919DE1 -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\9B908EE8-46AE-4CAD-ABFA-0CA2BA\FA79F0E8-E607-424C-979C-E1CC14 -> TrojanDownloader.Wintool.f -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\D5499A1D-D033-4F17-A251-D9D5CB\BBEC677D-48B2-4F6E-B2A8-84A5F1 -> Spyware.Sahat.l -> Cleaned with backup
   C:\w.exe -> TrojanDownloader.Small.aod -> Cleaned with backup
   C:\WINDOWS\addrf.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\apicl32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\apiqq.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\appmv32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\appxn32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\d3rk32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\diyju.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\dljhu.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ehlhz.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\fmtvj.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\gzfuj.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hgbyr.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hrogb.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hwofb.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\iszey.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\javavl.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\jdswr.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\mfcpd32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\mfcqd32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\netiz.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\nifzc.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\npprw.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ntbc.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\ntvl.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\nvcpf.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\pcbvk.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\qacak.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\qjbjq.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\rxlrt.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\sdkgo.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdkiz32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdkln.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdklo32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\addif.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\apilv32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\apixz32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\atlex32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\d3cp.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\dqymi.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\eiikk.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\fetpy.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\fuguo.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\gxrfh.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\hoauc.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\iell.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\javaom32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\javaph.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\jlcbg.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\mxjqn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\netlp32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\system32\ntrf32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\piygt.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\stqhe.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\sujgp.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\tibs.exe -> TrojanDownloader.Small.my -> Cleaned with backup
   C:\WINDOWS\system32\uvbjy.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\wuwkn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\xzgnn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\zkylq.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\xfiib.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\yrjfl.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ysxzm.dll -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End
 **** Run Keys ****

RUN: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
RUN: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
RUN: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


 **** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


 **** IE Toolbars ****



 **** IE Extensions ****



 **** Hosts File Entries ****



 **** IE Settings ****

Default Page: http://www.google.com
Default Search: http://www.google.com

Scanned at: 9:24:57 PM   on: 4/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\cvajk.dat
Removed! : C:\WINDOWS\jolyz.dat
Removed! : C:\WINDOWS\mfhaz.dat
Removed! : C:\WINDOWS\zopke.dat
Removed! : C:\WINDOWS\System32\ceqcp.dat
Removed! : C:\WINDOWS\System32\idxlo.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


 »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...


Should there be more there?




As I was posting these reports my desktop turned from blue to tan and all the icons are gone. It says it cannot find the hosts file in the HijackThis
Hosts File Manager.
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 09:44:55 PM
From blue to tan from prior post.  Should I turn the Folder setting back to hidden eventually?
Title: Another victim of SmartSecurity
Post by: boastercoaster on April 30, 2005, 09:46:53 PM
Now it went back to Blue with icons.. Maybe it was from one of the reports I ran?
Title: Another victim of SmartSecurity
Post by: guestolo on May 01, 2005, 03:03:59 AM
You're doing fine, I can't help you unless you carry on with ALL the instructions
Don't just stop halfway through
Post back with everything I asked for
Title: Another victim of SmartSecurity
Post by: guestolo on May 01, 2005, 03:11:03 AM
Post back with all logs I asked for, If you did that's fine
Don't get ahead of yourself
Title: Another victim of SmartSecurity
Post by: boastercoaster on May 01, 2005, 09:32:48 AM
I thought I did post all the reports you asked for??  I don't have spybot.
Title: Another victim of SmartSecurity
Post by: guestolo on May 01, 2005, 12:59:01 PM
Sorry, my mistake, thanks for the logs

Can you try something please? Download and UNZIP
Get.bat
Double click on Get.bat and a new text file will be created called Export.txt

Can you copy and paste the contents of that back here
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 02, 2005, 09:01:24 PM
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 02, 2005, 09:19:36 PM
Another question, I get a pop-up that asks me to "Help protect your PC, schedule automatic updates". It comes from the lower right toolbar.

And my old anti-spyware is gone and I know I put on some that you gave me.  Will they scan daily or do I need to run them?  My other one ran every night.
Title: Another victum of SmartSecurity
Post by: guestolo on May 02, 2005, 10:57:03 PM
Let's work on your background colors first

Download and Unzip to desktop
Fixdesktop.zip so you now have Fixdesktop.reg on the desktop

Double click on Fixdesktop.reg and allow to merge to the registry
Restart your computer and let me know if your background is back to normal

Post back a fresh Hijackthis log later
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 03, 2005, 06:00:23 PM
I posted earlier that the background fixed itself a few minutes later. It is all right now and I can put on any wallpaper I want.
Title: Another victum of SmartSecurity
Post by: guestolo on May 03, 2005, 10:26:00 PM
Let's try this

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates???
This may be the notification you're getting from your lower right taskbar
If your version of Windows is legit, this is important to keeping your system secure
If you want a rundown on how I prepare a system before installing SP2 and all other Critical updates, let me know

You looked like you had Microsoft Anti-Spyware Beta installed on your computer
I never asked you to remove it
If you removed it, I have a download link at the top of this forum in Removal and Preventive tools

You may also want to run this spyware checker too
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Can you post back one last Hijackthis log, let's make sure you're still clean
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 09, 2005, 05:23:16 PM
I had to run a restore, it got messed up. Here is the logfile.  Should I run CleanUp, CWShredder, ewido, any of these periodically, or just the SpywareBlaster and Beta?  I also have Symantec AntiVirus Corporate Edition.  I don't remember that being in the toolbar till recently.


Logfile of HijackThis v1.99.1
Scan saved at 1:54:37 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
Title: Another victum of SmartSecurity
Post by: guestolo on May 09, 2005, 05:39:01 PM
It looks like you didn't take my final advice and now you paid for it :o
As you can see I asked you to disable system restore and restart the computer and then enable system restore
You didn't do that so I guess you didn't install any of the last 3 programs I mentioned
and Still no Windows Updates
Well, if your version of Windows is legit, you will just keep right on getting infected without them
Don't install them yet until we get you clean Again

Same instructions as the first time you posted a log
Quote
Could you go to start>>Run>>type in
msconfig
Hit OK
Enable all startup items
Do a Normal startup

You shouldn't have to restart your computer but post back a fresh hijackthis log afterwards
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 09, 2005, 09:53:09 PM
I did exactly what you asked, disabled, then restarted and enabled.  Had I not, it wouldn't have restored back to that point from last week, right? My prior email a few days ago had that log from after that. Everything is enabled on startup files.



Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 PM, on 5/9/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Title: Another victum of SmartSecurity
Post by: guestolo on May 09, 2005, 10:04:19 PM
Whew, you scared me, I never noticed the date of the scan of the prior log you posted before this one

It looks like you cleaned it up
The log looks good
How's everything on your end?

Why so far behind on Windows updates?
If your version of Windows is legit you should make sure you update
Not the recommended updates, but Critical updates and Services packs
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 09, 2005, 10:13:16 PM
How can I get the critical updates??
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 10, 2005, 09:20:08 PM
I updated the Windows files; does this log look any different?

Logfile of HijackThis v1.99.1
Scan saved at 10:11:09 PM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Title: Another victum of SmartSecurity
Post by: guestolo on May 10, 2005, 09:44:35 PM
It looks really good
I hope you installed SpywareBlaster
I would use IE-Spyad also, it's compatible with SP2

Don't forget to check once a month for High Priority updates (Criticals) at Windows Update or leave Automatic Updates enabled

If you didn't manually add these to your trusted zones, I would have Hijackthis fix them
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
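As an added example (not from this thread or from HijackThis itself), here is a small Python checker that applies the same heuristics guestolo used across these logs: res:// search-page hijacks, a missing URLSearchHook, an unnamed BHO or binary dropped straight into the Windows root, O15 trusted-zone entries, and O23 services with an unknown owner or garbled name. The sample lines are copied from the infected and clean logs posted above; the regex thresholds are assumptions.

```python
import re

# Constructed sample: lines copied from the infected log posted in this thread.
INFECTED_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O15 - Trusted Zone: http://launch.yahoo.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
"""

# Constructed sample: lines copied from the clean log posted later in the thread.
CLEAN_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Assumed heuristic: a short random-looking binary directly in C:\WINDOWS
# (not a subfolder), as crwk32.exe and sdkbf.dll were in this thread.
WINDIR_DROP_RE = re.compile(r"C:\\WINDOWS\\[A-Za-z0-9]{4,8}\.(exe|dll)\b", re.IGNORECASE)

def flag_line(line):
    """Return a reason string if the HijackThis line looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1") and "= res://" in body:
        return "search/start page redirected to a res:// resource (CWS-style hijack)"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if section == "O2" and ("(no name)" in body or WINDIR_DROP_RE.search(body)):
        return "unnamed BHO or BHO loaded from the Windows root"
    if section == "O4" and WINDIR_DROP_RE.search(body):
        return "autorun of an executable in the Windows root"
    if section == "O15":
        return "trusted zone entry: fix unless added deliberately"
    if section == "O23":
        if "Unknown owner" in body or any(ord(c) > 126 or ord(c) < 32 for c in body):
            return "service with unknown owner or garbled name"
    return None

def scan(log_text):
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    hits = []
    for line in log_text.splitlines():
        reason = flag_line(line)
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for log_name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        print(f"== {log_name}: {len(scan(log))} flagged")
        for line, reason in scan(log):
            print(f"  [{reason}] {line}")
```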
Title: Another victum of SmartSecurity
Post by: boastercoaster on May 10, 2005, 10:19:24 PM
Thanks for the help. Is this forum run by donations?  Would you run any of the other things I ran to initially clean, or just SpywareBlaster and Anti-Spyware by Microsoft and the IE-Spyad?
Title: Another victum of SmartSecurity
Post by: guestolo on May 10, 2005, 10:39:19 PM
Donations are accepted to help with the site, but Google Ads cover most of the cost
I hate some of those google ads>>>Don't click on any most of the time :P

About:Buster and CWShredder, you can delete

Can't remember everything I had you run
But hold onto Ad-Aware and check for updates every couple of weeks and run a scan
Same with Microsoft Anti-spyware

Remember to check for updates with SpywareBlaster every few weeks
After every update enable all protection
IE-Spyad>>As mentioned, keep the link bookmarked to the site
When you see an update, simply download the zip file and self extract it
Then read the uninstall and reinstall procedure to properly set the new entries
Both spywareblaster and IE-Spyad don't run in the background
SpywareBlaster and IE-Spyad don't clean
They Prevent
Prevention is the best medicine

Hold onto CleanUp! and clean those temp folders and such every couple of weeks

Myself, additionally, I also run Spybot 1.3 on my system every few weeks
and SpywareGuard 2.2
I don't use the Tea Timer that comes with Spybot
SpywareGuard takes care of most of that department anyways
SpywareGuard, won't and doesn't have to update that often, this is another program from JavaCool
The creator of SpywareBlaster
I have links to both Spybot and SpywareGuard at the top of the forum, or
Click HERE (http://www.thetechguide.com/forum/index.php?showtopic=15894) if you're interested


Well enough gabbing

Stay Safe :D

EDIT>>I totally forgot about the Hosts file, we should restore it to default if not found
Can you open Hijackthis now and open Misc tools>>>Open Hosts file manager
Click Open in Notepad
If prompted to make a new host file allow it
Post back the contents of the Hosts notepad file