Author Topic: about blank  (Read 2464 times)

Offline Barry
« on: May 27, 2005, 03:11:59 AM »
I use AOL and my computer comes up with a C++ runtime error as soon as I go online.

My screen background has turned blue and says "A fatal error in IE has occured at 0028:c0011e36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c" in the middle of the screen.

My default page has become about:blank.

I have tried running CWShredder, Spybot and Ad-Aware, as well as running HijackThis and trying to remove all references to about:blank.
Unfortunately I have failed.

I would therefore be very grateful for any help that can be given. Below is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 20:38:06, on 26/05/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiupdpl.exe
C:\WINDOWS\System32\gclib.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 7.0\wEmail Removedexe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [@programasukgb-htm] RunDll32 UDConn.dll,RunAsIcon @programasukgb
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C311699F-E773-4FB3-B202-40D38CDCE887}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Offline Barry
« Reply #1 on: May 28, 2005, 03:56:57 AM »
Bump

Offline guestolo
« Reply #2 on: May 28, 2005, 11:53:03 PM »
Sorry for the delay Barry, if you still need a hand.
Could you access your Add/Remove Programs and remove any of these, if found:
# Bargain Buddy
# Exact Search Bar
# CashBack

Restart the computer afterwards.

Also, could you do the following please:

Download and UNZIP to desktop or a folder Get2.zip
So you now have Get2.bat extracted.
Double click on Get2.bat and a text file will appear on the desktop or folder
called Export2.txt.

Can you copy and paste the contents back here along with a fresh HijackThis log?

Could you also let me know if you see any of these in your Add/Remove Programs:
Security IGuard
Virtual Maid
Search Maid

Additionally, you stated you ran Spybot and Ad-Aware.
Could you also do the following for me please:
Open SPYBOT
Click on HELP>>ABOUT
Let me know Spybot version and latest detection update date.

Open Ad-Aware
Click on DETAILS under Initialization Status
Let me know Reference No. and Internal build.
« Last Edit: October 05, 2005, 12:25:16 AM by guestolo »



Offline Barry
« Reply #3 on: May 29, 2005, 05:48:55 AM »
Thanks Guestolo

and yes I do need help :)

I have just checked for those programs and none are present, although there was one that looked odd:
@programasukgb
I have removed this now.
Spybot info is
version 1.3 - no update
Ad-Aware is
IR200 12.07.2003
Build 6.181

Get 2 Log
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"

Hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 11:31:17, on 29/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\atiupdpl.exe
C:\WINDOWS\System32\gclib.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


If I take a while to reply it is because I am having to run between computers to do this, as it is a friend's computer I am trying to fix.
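Added example (not part of the thread, and not the Get2.bat or fixdesktop.reg that guestolo links): the Export2.txt above is the part of the registry that produces the "blue screen" wallpaper and the locked Display pages. The script below parses that export, flags the policy values the hijacker set, and writes the .reg text that would remove them. It assumes Export2.txt is a plain `reg export` of the HKCU Policies key (the real Get2.bat is not on the page); the sample text is copied from Barry's post. NoDriveTypeAutoRun=0x91 is the normal XP default and is deliberately not flagged.

```python
import re
from collections import OrderedDict

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Constructed sample: the Export2.txt posted above. On disk a reg export is
# UTF-16LE with a BOM, so read a real file with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"
'''

# Values the hijacker sets: Wallpaper/WallpaperStyle pin c:\wp.bmp, the
# NoDisp* values hide the Display control panel pages so the victim cannot
# change it back, NoActiveDesktopChanges locks Active Desktop.
# NoDriveTypeAutoRun=0x91 is the ordinary XP default and is left alone.
LOCKDOWN_VALUES = {
    "Wallpaper", "WallpaperStyle",
    "NoDispBackgroundPage", "NoDispAppearancePage",
    "NoActiveDesktopChanges",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw):
    """Decode the two value syntaxes in the export: dword:hex and "string"."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex:/expand values are left as-is


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg text (version 5.00)."""
    keys = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, OrderedDict())
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def find_lockdown_policies(keys):
    """Return [(key, name, value)] for every lockdown value under Policies."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(POLICY_ROOT):
            continue
        for name, value in values.items():
            if name in LOCKDOWN_VALUES:
                hits.append((key, name, value))
    return hits


def build_undo_reg(hits):
    """Emit .reg text that deletes the flagged values when merged with regedit;
    a line of the form "Name"=- removes that value from the key."""
    by_key = OrderedDict()
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % name for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_lockdown_policies(parse_reg_export(SAMPLE_EXPORT))
    for key, name, value in hits:
        print("%-8s %-22s = %r" % (key.rsplit("\\", 1)[1], name, value))
    print(build_undo_reg(hits))
```

Merging the generated text removes only the five hijacker values; the wallpaper file itself (c:\wp.bmp) still has to be deleted separately, and the values come back on the next reboot unless the process that writes them (the O4/O23 entries in the HijackThis log) is removed first.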

Offline guestolo
« Reply #4 on: May 29, 2005, 10:34:17 AM »
OIC, you're having problems getting this computer online?

If so, I would suggest that you download a different browser and use it.

Why don't you try installing Firefox on the infected computer, and then you can download the tools that we need.
We are going to need a few and this would make life a bit easier for you.

http://www.mozilla.org/

Follow that link, download the free download at the top and install it.

Let me know when you're ready and we'll get some tools to clean up this machine.
If you have to download to your machine and transfer over because Firefox won't work,
let me know.
It would be easier however if we could just work only with the infected machine,
but we'll do it either way.



Offline Barry
« Reply #5 on: May 29, 2005, 11:52:39 AM »
It will probably be tomorrow before I see him.

I will install Firefox on his machine, or I will try anyway.

I will attempt to download it and whatever else I need on his computer, although he only has dial-up so it can be a bit slow.

Once I've installed Firefox, what do I need to do then?

Offline guestolo
« Reply #6 on: May 29, 2005, 01:06:36 PM »
This is what I would like you to do, if you can.

Most of these you can download on your machine and transfer over.

However, you will have to make sure that Ad-Aware and Ewido are updated before you run them.

Can you download the following please:

==Download and save to Desktop or a folder
SpSeHjfix112.zip
From that link
Unzip the contents, so you now have SpSeHjfix112.exe extracted.

==Download and install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy.
Alternate download link
We'll need this later.

==Download and then install
Ewido Trojan Scanner

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later.
From the main Ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"),
close out Ewido for now, we'll need it later.

==Download and UNZIP to a folder or desktop
Fixdesktop.zip, so you now have fixdesktop.reg extracted.
We'll need this later.

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* UNZIP it to your desktop or a folder.

Please print this out or save these instructions to a Notepad file and save it to your Desktop or a folder; many of the fixes will be done in Safe Mode without an Internet connection.

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- ISEXEng

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this one
ZESOFT

Double click on fixdesktop.reg and allow to add or Merge to the Registry

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\System32\gclib.exe
C:\WINDOWS\System32\atiupdpl.exe
c:\eied_s7.cab
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\zeta.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.


*Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\NaviSearch

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Hijackthis>>Open Misc tools section>>Open "Delete an NT service"
In the new box, copy and paste or type in the entry below in bold and hit OK
ISEXEng
Do the same for this entry
ZESOFT

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

==Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what you see

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe

O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe

O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe

O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll (HKCU)

O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Double click on fixdesktop.reg again allow to merge

==Run SpSeHjfix112.exe by clicking Start Disinfection
It should reboot your computer.
If not, reboot anyway back to Normal mode.

You're running an older version of Ad-Aware; can you please uninstall it from Add/Remove Programs.
Then
Download and install the free version of Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates.
Perform a Full system scan.
When it's finished scanning,
at this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox,
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process

Back in Windows
SPYBOT doesn't appear to be updated.
Can you open SPYBOT
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the scan is complete
FIX all selected problems in RED

RESTART the computer to finish the cleaning process

Back in Windows

Run another scan with Hijackthis and post a fresh log
Could you also post the log from SpSeHjfix112.exe
and include the Report from Ewido's
« Last Edit: May 29, 2005, 01:08:05 PM by guestolo »


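Added example (not part of the thread, and not HijackThis, Killbox or any tool guestolo names): the fix above was built by reading the HijackThis log for a handful of patterns, then turning the flagged entries into a Killbox path list. The script below does that triage on a constructed subset of Barry's log. The generic rules (res:// search pages, autoruns from a temp directory, file:// ActiveX installs, O23 services with "Unknown owner", O15 Trusted Zone additions) are this editor's heuristics, and the file-name list is taken from the Killbox list in the post above, so it is specific to this infection rather than a general signature set.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above,
# mixing the entries guestolo told Barry to fix with legitimate ones (AVG,
# Acrobat) that must not be touched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Microsoft AntiSpyware helper - {F44C866E-2DF8-48B9-BC63-D9D13DE1F3EB} - C:\WINDOWS\System32\wldr.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

# File names taken from the Killbox list in the fix above (thread-specific
# indicators, not a general signature set).
KNOWN_BAD_FILES = {
    "se.dll", "wldr.dll", "gclib.exe", "atiupdpl.exe",
    "angelex.exe", "zeta.exe", "eied_s7.cab",
}

# Full drive-letter paths ending in a binary/cab/ini extension; spaces are
# allowed inside segments so "C:\Program Files\..." is captured whole.
_PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^"\\/:*?<>|\r\n]+\\)*[^"\\/:*?<>|\r\n]+?\.(?:exe|dll|ocx|cab|ini|bmp)\b',
    re.IGNORECASE)
# Bare file names, so "[vmtuner] gclib.exe" (no path) is still matched.
_FILE_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|ocx|cab)\b")


def extract_paths(line):
    """All full file paths mentioned on one HijackThis line."""
    return _PATH_RE.findall(line)


def reasons_for(line):
    """Why a line is suspicious, as a list of strings; empty means leave it."""
    section = line.split(" - ", 1)[0].strip()     # "R1", "O4", "O23", ...
    low = line.lower()
    reasons = []
    if section in ("R0", "R1") and "res://" in low:
        reasons.append("IE start/search page served from a local DLL resource")
    if section == "O4" and "\\temp\\" in low:
        reasons.append("autorun entry executing from a temp directory")
    if section == "O15":
        reasons.append("site added to the Trusted Zone (review)")
    if section == "O16" and "file://" in low:
        reasons.append("ActiveX control installed from a local .cab")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service binary carries no company name")
    bad = sorted(set(_FILE_RE.findall(low)) & KNOWN_BAD_FILES)
    if bad:
        reasons.append("file named in the fix list: " + ", ".join(bad))
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = reasons_for(line)
            if reasons:
                findings.append((line, reasons))
    return findings


def killbox_list(findings):
    """Unique full paths from the flagged lines, ready to paste into Killbox."""
    paths = set()
    for line, _ in findings:
        paths.update(extract_paths(line))
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for line, reasons in found:
        print(line)
        for r in reasons:
            print("    ->", r)
    print("\nKillbox paths:")
    print("\n".join(killbox_list(found)))
```

The generic rules are deliberately narrow: an O4 entry with a bare file name (nwiz.exe, Ati2mdxx.exe, ALCXMNTR.EXE in the full log) is normal for OEM software, so only the temp-directory and known-name checks flag O4 lines, and the Killbox list is built from paths on flagged lines only, which is why the bare "gclib.exe" entry is reported but contributes no path until it is located on disk.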

Offline Barry
« Reply #7 on: May 31, 2005, 05:10:08 PM »
Guestolo, sorry about the delay.

You are a prince among men, nay, a king.

As you may have guessed, it seems to have worked.

Below are the various scans you wanted.

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         22:22:50, 31/05/2005
 + Report-Checksum:      F767678

 + Date of database:      31/05/2005
 + Version of scan engine:   v3.0

 + Duration:            29 min
 + Scanned Files:         54581
 + Speed:            30.66 Files/Second
 + Infected files:         69
 + Removed files:         69
 + Files put in quarantine:      69
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   D:\

 + Scan result:
   C:\Documents and Settings\Owner\Desktop\backups\backup-20030526-194702-322.dll -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\Documents and Settings\Owner\Desktop\backups\backup-20030526-194702-339.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\Program Files\180Solutions\sais.exe -> Spyware.180Solutions -> Cleaned with backup
   C:\Program Files\180Solutions\saishook.dll -> Spyware.180solutions -> Cleaned with backup
   C:\Program Files\BullsEye Network\bin\adv.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\Program Files\BullsEye Network\bin\adx.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\Program Files\Common Files\WinTools\WSup.exe -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Common Files\WinTools\WToolsA.exe -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Common Files\WinTools\WToolsB.dll -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Common Files\WinTools\WToolsS.exe -> TrojanDownloader.Wintool.f -> Cleaned with backup
   C:\Program Files\Internet Explorer\gckkomsf.exe -> Trojan.LowZones -> Cleaned with backup
   C:\Program Files\Internet Optimizer\optimize.exe -> TrojanDownloader.Dyfuca -> Cleaned with backup
   C:\Program Files\ISTbar\istbarcm.dll -> TrojanDownloader.IstBar.ik -> Cleaned with backup
   C:\Program Files\ISTsvc\istsvc.exe -> TrojanDownloader.IstBar -> Cleaned with backup
   C:\Program Files\Media Access\MediaAccC.dll -> Spyware.WinAD.ag -> Cleaned with backup
   C:\Program Files\Media Access\MediaAccess.exe -> Spyware.WinAD.am -> Cleaned with backup
   C:\Program Files\Media Access\MediaAccK.exe -> Spyware.WinAD -> Cleaned with backup
   C:\Program Files\Power Scan\powerscan.exe -> Spyware.PowerScan.d -> Cleaned with backup
   C:\Program Files\Power Scan\uninstall.exe -> TrojanDownloader.IstBar.gi -> Cleaned with backup
   C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind -> Cleaned with backup
   C:\Program Files\SideFind\update\sidefind.exe -> TrojanDownloader.IstBar.jm -> Cleaned with backup
   C:\Program Files\Toolbar\common.dll -> Spyware.WebSearch.aj -> Cleaned with backup
   C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBISToolbar -> Cleaned with backup
   C:\Program Files\Toolbar\IExploreSkins.exe -> Spyware.Websearch -> Cleaned with backup
   C:\Program Files\Toolbar\PIB.exe -> Spyware.WebSearch.aj -> Cleaned with backup
   C:\Program Files\Toolbar\radio.exe -> Spyware.WebSearch -> Cleaned with backup
   C:\Program Files\Toolbar\TBPS.exe -> Spyware.WebSearch.aj -> Cleaned with backup
   C:\Program Files\Toolbar\toolbar.dll -> Spyware.WebSearch -> Cleaned with backup
   C:\Program Files\Toolbar\xlmurin.wzg -> Spyware.IBISToolbar -> Cleaned with backup
   C:\web.exe -> Trojan.LowZones -> Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\gckkomsf.exe -> Trojan.LowZones -> Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\istactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll -> Spyware.Sahat.l -> Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
   C:\WINDOWS\dyh.exe -> Spyware.180solutions -> Cleaned with backup
   C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
   C:\WINDOWS\remeariq.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
   C:\WINDOWS\system\BHOmod.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
   C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li -> Cleaned with backup
   C:\WINDOWS\system32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINDOWS\system32\exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exdl0.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exdl2.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\exul2.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
   C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.ExactSearchBar -> Cleaned with backup
   C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\mac80ex.idf/C:/WINDOWS/System32/msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\WINDOWS\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
   C:\WINDOWS\system32\msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINDOWS\system32\msxct.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/exdl.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\trkgif.exe -> Spyware.Winpup32 -> Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 22:39:42, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab
O16 - DPF: {16AD0894-098E-2C4B-06A0-092A6EFD2775} - http://205.252.161.238/1/gdnUS1878.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




(5/31/05 22:28:41) SPSeHjFix started v1.1.2
(5/31/05 22:28:41) OS: WinXP Service Pack 1 (5.1.2600)
(5/31/05 22:28:41) Language: english
(5/31/05 22:28:41) Win-Path: C:\WINDOWS
(5/31/05 22:28:41) System-Path: C:\WINDOWS\System32
(5/31/05 22:28:41) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(5/31/05 22:28:48) Disinfection started
(5/31/05 22:28:48) Bad-Dll(IEP): (not found)
(5/31/05 22:28:48) Bad-Dll(IEP) in BHO: (not found)
(5/31/05 22:28:48) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\kihj.dll
(5/31/05 22:28:48) Searchassistant Uninstaller - Keys Deleted
(5/31/05 22:28:48) UBF: 7 - UBB: 6 - UBR: 16
(5/31/05 22:28:48) UBF: 7 - UBB: 6 - UBR: 16
(5/31/05 22:28:48) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank


Thanks again.

Glenn Taylor (taylor4life@hotmai

  • Guest
about blank
« Reply #8 on: May 31, 2005, 11:17:33 PM »
Right, the only way possible to remove the f*kin annoying about:blank is by doing the following:

Open up regedit (Start menu, Run, regedit, OK).
This will be a bit complex for people who don't know much about computers, but basically click the plus sign at the side of
HKEY_CURRENT_USER, after this click on Software, then click Microsoft, then Internet Explorer, then click Main.

To find your hijackers, under the Data column it will say the address of the hijack; right-click on all occurrences, then click Delete. It will automatically put your start page back to its original default.

Hope this helps.

Any more help needed, contact me - taylor4life@Email Removed.co.uk. P.S. I do have MSN.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
about blank
« Reply #9 on: June 01, 2005, 09:59:21 PM »
Sorry for the delay, we still have some cleanup to do

Could you please do the following

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab
O16 - DPF: {16AD0894-098E-2C4B-06A0-092A6EFD2775} - http://205.252.161.238/1/gdnUS1878.exe


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Restart your computer
Back in Windows

Find and delete these folders if found:
C:\Program Files\180Solutions
C:\Program Files\BullsEye Network
C:\Program Files\Internet Optimizer
C:\Program Files\ISTbar
C:\Program Files\Media Access
C:\Program Files\Power Scan
C:\Program Files\SideFind
C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools

Run another scan with HijackThis and post a fresh log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
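A small triage script for logs in this format, added here as an example and not part of the thread or of HijackThis itself: it parses entries like those posted above and flags the patterns the helper picked out in Reply #9 (R0 values wiped empty, the missing default URLSearchHook, an O2 BHO whose DLL is gone, and O16 DPF downloads, especially from a bare IP address). The sample log is constructed from a few of this thread's own entries.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 format (a real log has many more lines).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O16 - DPF: {16AD0894-098E-2C4B-06A0-092A6EFD2775} - http://205.252.161.238/1/gdnUS1878.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

def host_is_bare_ip(url):
    # A literal IP host is a common sign of a throwaway download server.
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage_entry(line):
    """Reason string if one HijackThis entry matches a hijack pattern, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body").rstrip()
    if kind == "R0" and body.endswith("="):
        return "IE registry value wiped empty (typical after a start-page hijack)"
    if kind == "R3" and body.endswith("is missing"):
        return "default URLSearchHook removed"
    if kind == "O2" and body.endswith("(file missing)"):
        return "BHO still registered but its DLL is gone (orphaned component)"
    if kind == "O16":
        url = body.rsplit(" - ", 1)[-1]
        where = "a bare IP address" if host_is_bare_ip(url) else "an external host"
        return f"ActiveX control downloaded (DPF) from {where}: verify before keeping"
    return None

def triage_log(text):
    """Return [(kind, reason, line)] for every entry in a whole log worth fixing."""
    lines = text.strip().splitlines()
    pairs = [(line, triage_entry(line)) for line in lines]
    return [(line.split(" - ", 1)[0], reason, line) for line, reason in pairs if reason]
```

Running `triage_log(SAMPLE_LOG)` returns five hits: the two empty R0 values, the R3 line, the BHOmod O2 entry and the O16 download, while the R1 ProxyOverride line and the Acrobat BHO pass through untouched.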


gultekin

  • Guest
about blank
« Reply #10 on: June 05, 2005, 02:58:27 AM »
To remove the desktop virus (I mean Smitfraud) is too hard. This can be a solution; at least I tried, and the result is good for now.

Download the trial version of Adware Away (search Google for "trial adware away", because on their new official website there is no trial version). Install and run the program. Select Remove Hijacks, then select (with only one click) Smitfraud Desktop Hijacker, then click Remove. Then click Remove again. I tried it; it is successful. Then you can change your desktop settings. You can use this program for the about:blank virus (the program claims that it eliminates the about:blank virus). Yes, but it can be temporary; I am not sure. gilevgiEmail Removed