TheTechGuide Forum
General Category => Tech Clinic => Topic started by: andy_parkes on May 05, 2005, 05:54:20 AM
-
I've run ad-aware and read this forum on subjects similar to mine.
Here's the Hijack This log file...
Please help!
Logfile of HijackThis v1.99.1
Scan saved at 8:52:10 PM, on 5/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\prvdi.exe
C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/ (http://\"http://www.smh.com.au/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ors&conn=PAP130 (http://\"https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.05.04&unknown&unknown&http://www.pryda.com.au/catalog.php?sectionid=20&type=Post%20Anchors&conn=PAP130\")
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab (http://\"http://www.ipix.com/download/ipixx.cab\")
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/por...oliomanager.cab (http://\"https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab\")
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab (http://\"http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
-
Let's try the following
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
==Download and UNZIP to a folder
HSFIX.zip (http://\"http://www.atribune.org/downloads/HSFix.zip\")
HSFix directory will be created
We'll need this later
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Find and delete these files or folders if found
C:\WINDOWS\drexinit.dll <-file
C:\WINDOWS\system32\prvdi.exe <-file
C:\Program Files\WebSiteViewer <-folder
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt <--we'll need this later
Restart back to Normal mode
Back in Windows
Can you post back a fresh hijackthis log
Also the log from hsfix.bat
C:\hslog.txt <-this log
I would also run this free virus scanner, I know you have Norton's installed, but this is a double check
==Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, Save to your desktop
Double click to run eScan's Mwav scan
It will self extract
Before running you may want to disable Norton's autoprotect, so it won't get in the way
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take awhile, let it finish
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and Paste it back here
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
-
Thanks Guestolo - very much appreciated so far!
Here's the Hijack log file...
Logfile of HijackThis v1.99.1
Scan saved at 4:38:42 PM, on 7/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/ (http://\"http://www.smh.com.au/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ors&conn=PAP130 (http://\"https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.05.04&unknown&unknown&http://www.pryda.com.au/catalog.php?sectionid=20&type=Post%20Anchors&conn=PAP130\")
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab (http://\"http://www.ipix.com/download/ipixx.cab\")
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/por...oliomanager.cab (http://\"https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab\")
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab (http://\"http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
And now the hslog.txt...
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
msvcrta.dll
dload.exe
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
And the Virus log Information from mwav...
File C:\WINDOWS\sasent.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sasent.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\backups\backup-20050504-165754-347.dll infected by "not-a-virus:AdWare.MetaSearch.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\backups\backup-20050504-165754-528-old OfficeTools.hta infected by "Trojan-Dropper.VBS.Inor.bt" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\backups\backup-20050504-165754-841.dll infected by "not-a-virus:AdWare.ToolBar.STIEBar.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\backups\backup-20050504-165754-858.dll infected by "not-a-virus:AdWare.MetaSearch.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Andrew Parkes\My Documents\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\gde.exe infected by "Trojan.Win32.Agent.bw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000036.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000048.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000052.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000064.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000069.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000090.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000091.exe infected by "Trojan.Win32.Agent.bw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000093.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000094.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP1\A0000096.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000209.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000218.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000222.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000232.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000237.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000242.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000248.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000250.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000251.exe infected by "Trojan-Proxy.Win32.Sobit.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000277.dll infected by "Trojan.Win32.Agent.q" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000278.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{91A2AF12-F90A-4D68-992B-1EEAD59FFD09}\RP2\A0000289.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sasent.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
Hope you can help to finally rid me of these.
I'm a bit disappointed that Norton AV didn't prevent this or pick up the viruses that mwav did!
Thanks again.
-
In all fairness, many files are in your System restore folders
AV's have a hard time removing entries from those locations, there not doing no harm
But you will be reinfected if you use a restore point
And a few are in your Hijackthis backups, there safe there too
We still have some files to remove however
Here's what we should do
==Download the Pocket Killbox (http://\"http://www.downloads.subratam.org/KillBox.zip\")
UNZIP it to a folder of your choice
==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\sasent.dll
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Continue to copy and paste the next path to the file below into killbox
Selecting Delete on Reboot afterwards
C:\gde.exe
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Back in Windows
Ensure both those files are gone that we killed with killbox
You can also manually delete this folder created by Killbox once you restarted
C:\!Submit <-this folder
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all
IE-Spyad is compatible with XP SP2 as well
Could you post one final hijackthis log after doing the above, let me know how everything is running
-
Thanks for the prompt reply.
I've followed you're advice up to the Disabling and Re-enabling System Restore.
Here's the HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 9:37:56 PM, on 7/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Parkes\My Documents\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/ (http://\"http://www.smh.com.au/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/ (http://\"http://www.smh.com.au/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ors&conn=PAP130 (http://\"https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.05.04&unknown&unknown&http://www.pryda.com.au/catalog.php?sectionid=20&type=Post%20Anchors&conn=PAP130\")
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab (http://\"http://www.ipix.com/download/ipixx.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/por...oliomanager.cab (http://\"https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab\")
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab (http://\"http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - IntelĀ® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
I also downloaded the Microsuft Antispyware Beta and will see how I go with this. I think it does the same as Spyware Blaster and IE Spyad, right? Do you think the MS product is good enough? It prompted me to "remove the spyware threat Spyware.BHO.sasetup that has been detected by real-time protection trying to run the program c:\windows\frennk.dll." when I opened up the techguide forum web page.
Thanks again for your help.
Incidentally, since completing your first batch of advice, I've noticed that my Windows XP Visual Style has disappeared from the Display Properties Appearance tab.
Any idea on this? How can I get that back?
Cheers
-
Go ahead and delete this file if you can find it
c:\windows\frennk.dll <-file
Before you posted your first Hijackthis log here, can you let me know what problems you were having
Were you initially having problems with desktop
Any Security warnings on your desktop to click here to remove infection?
Any yellow triangles?
Any info would be helpful
Could you do the following please, I think an infection you have or had changed an entry in your registry, I just want to take a look
Can you download and UNZIP to desktop
Get2.zip, so you now have Get2.bat on your desktop
Double click on Get2.bat, a text file called Export2.txt will be placed on your desktop
Can you copy and paste that info back here
[attachment=202:attachment]
By the way, MS Anti-Spyware provides realtime protection
SpywareBlaster and IE-Spyad are considered silent spywareblockers
They don't run in the background, they just set registry entries to help prevent spyware from ever being installed
They work totally different than Real time protection
Very valuable assets to have on your computer
Remember to check for updates with them every couple of weeks
Could you also download and save to desktop
dpf.zip, unzip the contents to desktop so you now have dpf.bat on the desktop
Double click on dpf.bat, a log will be produced, can you copy and paste that back here
-
I couldn't find frennk.dll on my computer.
My initial problems were, home page being reset to a sex site, a "sex" icon appearing on desktop and on programmes start menu.
I suspect Norton AV did pop up a warning about an hta file called OfficeTools.hta and another user of my PC ran this file!!!
I was also getting some dialogue boxes appearing - I think related to dialer...
Here's the export2.txt output (incidentally this was saved in c:\windows\system32):
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
...and the dpflist.txt...
Volume in drive C has no label.
Volume Serial Number is 2CF6-C969
Directory of C:\WINDOWS\Downloaded Program Files
07/05/2005 09:01 PM <DIR> BUILTIN\Administrators .
07/05/2005 09:01 PM <DIR> BUILTIN\Administrators ..
26/01/2005 10:34 PM 168 PARKESDESKTOPPC\Andrew default.inf
06/08/2003 09:50 PM 65 BUILTIN\Administrators desktop.ini
14/10/1997 06:52 PM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
28/03/2002 03:05 PM 1,268 PARKESDESKTOPPC\Andrew erma.inf
13/03/2003 11:03 AM 962 PARKESDESKTOPPC\Andrew IPIXX.inf
02/06/2000 11:29 AM 102,912 PARKESDESKTOPPC\Andrew ipixx.ocx
15/01/2003 05:16 PM 897 PARKESDESKTOPPC\Andrew iuctl.inf
28/01/2005 03:28 PM 495 PARKESDESKTOPPC\Andrew LegitCheckControl.inf
22/08/2003 08:49 AM 220 PARKESDESKTOPPC\Andrew MetaStream3.inf
20/01/2000 03:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
13/07/2004 10:41 AM 227 PARKESDESKTOPPC\Andrew MsnMessengerSetupDownloader.inf
05/11/2004 02:58 PM 119,496 PARKESDESKTOPPC\Andrew MsnMessengerSetupDownloader.ocx
08/09/2003 01:38 PM 674 PARKESDESKTOPPC\Andrew msSecAdv.inf
22/08/2003 09:10 PM 226 PARKESDESKTOPPC\Andrew opuc.inf
26/01/2005 10:52 PM 57,344 PARKESDESKTOPPC\Andrew pinstall.dll
08/11/2001 02:55 PM 286,809 PARKESDESKTOPPC\Andrew portfoliomanager.dll
08/12/2003 12:58 PM 3,759 PARKESDESKTOPPC\Andrew swflash.inf
17/04/2000 01:04 PM 3,072 PARKESDESKTOPPC\Andrew voxacm.inf
24/03/2004 06:17 PM 1,777 PARKESDESKTOPPC\Andrew xscan.inf
24/03/2004 06:22 PM 435,712 PARKESDESKTOPPC\Andrew xscan53.ocx
19/08/2004 08:18 PM 279,672 PARKESDESKTOPPC\Andrew YDropperUK1.dll
21 File(s) 1,297,614 bytes
2 Dir(s) 25,573,478,400 bytes free
I'll also install the Spywareblaster and IE-Spyad - just don't tell me to walk off a bridge because I'm trusting your advice 100% now!
Thanks for all your help!
-
Hi again Andy, can you do the following please
Go to START>>RUN>>type in cmd
Hit OK
At the command prompt type in the following in bold>>(Enter) is hitting enter on the keyboard
cd C:\WINDOWS\Downloaded Program Files (Enter) single space after cd
del default.inf (Enter) single space after del
exit (Enter)
After that is done, I want to see what reg entry is messing with your Visual styles in display properties
This hijacker keeps trying different methods to mess with the backgrounds
Can you do the following please
Download and unzip to desktop Export.zip so you now have Export.bat on the desktop
Double click on Export.bat and a new text file will appear on the desktop
Export.txt
Can you copy and paste that back here
[attachment=206:attachment]
Also
Navigate to this folder
C:\WINDOWS\Resources\Themes
Open the Themes folder
Let me know if you see the following
Luna folder
Luna.theme
WindowsClassic.theme
-
Thanks for the follow up.
Here's the export.txt output:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Themes"
"Group"="UIGroup"
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,6f,00,6f,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Description"="Provides user experience theme management."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,68,00,73,00,76,00,63,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="ThemeServiceMain"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Enum]
"0"="Root\\LEGACY_THEMES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
The Luna folder, Luna.theme and WindowsClassic.theme files are present in that directory, but when I look at the Display Properties, Appearance Tab under Windows and Buttons, only Windows Classic Style is shown as an option.
My continuing thanks...
-
Can you do me one more favor, I won't see the result until tomorrow
Download and Unzip to desktop Grab.zip (http://\"http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=209\") so you now have Grab.bat on the desktop
Double click on Grab.bat and post the contents of the new text file Grab.txt
-
Here you are...
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"LoadedBefore"="1"
"LMVersion"="103"
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,74,00,68,00,65,00,6d,00,65,00,73,00,5c,00,4c,00,75,00,6e,00,61,00,5c,00,\
4c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00
"LastUserLangID"="1033"
"ColorName"="NormalColor"
"SizeName"="NormalSize"
Until tomorrow...
-
Thanks for being patient
One last request,
Can you do the following please
Download Find1.zip and UNZIP it
Double click Find1.bat and copy and paste back the text file that opens
Could you also do a Search on your computer
for
luna.msstyles
If you find luna.msstyles can you let me know what location and the size of the file, thanks
Before performing a search, ensure under Advanced options you have
the first 3 options checked
-
Thanks...
I think you were on the right track...
I found the luna.msstyles file in:
C:\WINDOWS\$NtServicePackUninstall$
But nowhere else.
I copied that to:
C:\WINDOWS\Resources\Themes
Then double clicked it and it fixed the display problem.
Was this correct? I hope I didn't use what little knowledge I've gained and replaced a virus affected file...??
I'd appreciate if you could confirm what I've done, and I offer my most sincere thanks for all of your help.
-
to take of that sex icon on the comp i system restored my comp
is that good enough. And is it spyware