Topic: Smart Security clean-up

Offline frustrated

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Smart Security clean-up
« on: April 11, 2005, 02:50:15 PM »
I got Satan's spyware last week and spent a couple days reading over this site and trying fixes, didn't work other than getting my screen back.

Not a proficient tech guy so I brought in a hired gun Friday.  He got a lot of it to work better, no double icons on desktop (I think, haven't put anything back up), URL homepage has been staying (thanks to Microsoft spyware Beta) but it keeps trying to switch it to "about:blank".

Still can't get the right click working in various files or desktop and the many files I had on desktop have been relocated somewhere else.  I found them last week but am nervous to put them back as I don't want anything to happen to them until I get this matter cleaned up.

Could you please help, this is a work station and it's driving me nuts!  You should be canonized for your good work!

Hijackthis file to follow:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:05 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mucc
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Smart Security clean-up
« Reply #1 on: April 11, 2005, 04:12:54 PM »
I'm not sure what steps you have tried yet

Can you do the following for me please
Download and UNZIP to a folder Find.zip
So you now have Find.bat in the same folder

Double click on Find.bat and a log should open
Copy and paste back the findings

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline frustrated

Smart Security clean-up
« Reply #2 on: April 11, 2005, 04:37:01 PM »
I have run both Spy Sweeper & Ad-Aware, then on to Microsoft Beta.  I can't even remember anymore how I got the desktop back but it was one of the solutions from your site.  Everything I did last week were suggestions from your site.  Just wish I were a bit more clever so I understood more of what everyone was saying.

You must be one busy dude, thanks for the help with this!


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
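To see why the poster's right-click and desktop were locked, here is an added example (not code from the thread) that parses the .reg export above and flags the policy values responsible. It handles only the dword and quoted-string value forms present in that export; the finding ids are my own labels.

```python
"""Audit an HKCU Policies .reg export for the lockdown values behind the
symptoms in this thread: no right-click menu, and an Active Desktop
'wallpaper' that is really an HTML page inside the Windows folder."""
import re
from typing import Dict, List, Tuple

# Sample input: the .reg export posted in Reply #2, trimmed to the values
# the audit looks at.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"""

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# name=dword:XXXXXXXX  or  name="string"
_VAL_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used by Regedit exports: [key]
    headers, dword values and quoted string values. Returns {key: {name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if m.group(3) is not None:
                keys[current][name] = int(m.group(3), 16)
            else:
                # Regedit doubles backslashes inside quoted strings.
                keys[current][name] = m.group(4).replace("\\\\", "\\")
    return keys


def audit_policies(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (finding_id, explanation) pairs. A stand-alone single-user
    workstation normally has none of these policy values set."""
    findings: List[Tuple[str, str]] = []
    explorer = keys.get(POLICY_ROOT + r"\Explorer", {})
    system = keys.get(POLICY_ROOT + r"\System", {})

    if explorer.get("NoViewContextMenu", 0) != 0:
        findings.append(("no-context-menu",
                         "NoViewContextMenu is set: Explorer and desktop right-click menus are disabled"))
    if explorer.get("ForceActiveDesktopOn", 0) != 0:
        findings.append(("forced-active-desktop",
                         "ForceActiveDesktopOn=1: the user cannot switch Active Desktop off"))
    wallpaper = str(system.get("Wallpaper", ""))
    if wallpaper.lower().endswith((".htm", ".html")):
        findings.append(("html-wallpaper",
                         "System\\Wallpaper points at an HTML page: " + wallpaper))
    return findings


if __name__ == "__main__":
    for fid, why in audit_policies(parse_reg(SAMPLE_REG)):
        print(fid, "-", why)
```

A clean export yields an empty list, so the same function doubles as a check that the NoRight.reg fix actually took effect after a reboot.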

Offline guestolo

Smart Security clean-up
« Reply #3 on: April 11, 2005, 04:55:06 PM »
Can you do the following for me

Download and UNZIP to a folder NoRight.zip
So you now have NoRight.reg in the same folder

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)

O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on NoRight.reg and allow to merge to the registry

Restart your computer

Back in Windows
Find and delete these files if they exist
C:\WINDOWS\desktop.html <-file
C:\WINDOWS\Web\desktop.html <-file

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Try changing your Background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Post back with a fresh Hijackthis log
Let me know of any problems with desktop or rightclick
or display properties

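The selection guestolo made above (the O15 trusted-zone entries, the orphaned "FreeBSD" service whose file is missing, and the missing default URLSearchHook) is the kind of rule a triage script can apply to a HijackThis log. This is an added example, not a tool from the thread; the sample lines are copied from the log in the first post, and the reason strings are my own.

```python
"""Triage HijackThis v1.99 log lines using the rules applied in this thread:
O15 Trusted Zone / Trusted IP additions, O23 services with an unknown owner
and a missing binary, and an R3 line reporting the default URLSearchHook gone."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\\WINDOWS\\System32\\dev32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\DefWatch.exe
"""


class Entry(NamedTuple):
    section: str  # e.g. "O15", "R3"
    body: str     # text after "O15 - "


_ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Split a log into (section, body) entries; header and process lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def classify(e: Entry) -> Optional[str]:
    """Return a reason if the entry needs attention, else None."""
    if e.section == "O15":
        # Hosts in IE's Trusted zone run with relaxed security settings; a
        # workstation user rarely adds wildcard domains or bare IPs here.
        return "Trusted Zone / IP range addition: the host bypasses normal IE zone restrictions"
    if e.section == "O23" and "(file missing)" in e.body and "Unknown owner" in e.body:
        return "service with unknown owner and missing binary: orphaned, remove the service"
    if e.section == "R3" and "URLSearchHook is missing" in e.body:
        return "default URLSearchHook removed: let HijackThis restore the default"
    return None


def triage(text: str) -> List[Tuple[Entry, str]]:
    """All entries that classify() flags, in log order."""
    flagged: List[Tuple[Entry, str]] = []
    for e in parse_hjt(text):
        reason = classify(e)
        if reason:
            flagged.append((e, reason))
    return flagged


def trusted_additions(entries: List[Entry]) -> List[str]:
    """Hosts/IPs added to the Trusted zone, deduplicated across HKCU and HKLM."""
    seen: List[str] = []
    for e in entries:
        if e.section != "O15":
            continue
        host = e.body.split(":", 1)[1].strip()
        host = re.sub(r"\s*\(HKLM\)$", "", host)
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for e, reason in triage(SAMPLE_LOG):
        print(e.section, "-", e.body, "=>", reason)
    print("trusted additions:", trusted_additions(parse_hjt(SAMPLE_LOG)))
```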


Offline frustrated

Smart Security clean-up
« Reply #4 on: April 12, 2005, 01:34:34 PM »
After I restarted the computer the Microsoft Beta said the URL was trying to switch back to "about:blank", I didn't allow it.  It also said that an unknown startup program was at work, name was fcgneae:exe with a path of c:|windows|system 32|x3yy|fcgneae:exe.  I hope that was the registry you wanted merged so I let it go.

I couldn't find the files you asked to delete if they existed.  I don't really know how to look though, I just did a search for those specific names.  Let me know if that's enough or how to actually look for them.  That was one thing in all the other postings that I couldn't figure out, what actually is windows and where to look for these types of files?

Here is the fresh log file.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:10 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mucc
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Offline frustrated

Smart Security clean-up
« Reply #5 on: April 12, 2005, 01:38:18 PM »
Forgot, if it matters, when I was changing the desktop there was a choice that I didn't understand.  It was the last choice and it was the web symbol "e" titled as "desktop".

In my feeble brain it seems like one of the files you wanted me to check for could've been this one.

Offline guestolo

Smart Security clean-up
« Reply #6 on: April 12, 2005, 01:46:26 PM »
Can you please
download Startdreck.zip

UNZIP to its own folder.... DoubleClick: 'StartDreck.exe'

Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post this log

Copy and Paste the contents of that log back here

If you don't post back for awhile, I will also have to see a fresh Hijackthis log
« Last Edit: April 12, 2005, 02:09:02 PM by guestolo »



Offline frustrated

Smart Security clean-up
« Reply #7 on: April 12, 2005, 02:50:34 PM »
When I double click 'startdreck.exe' it keeps popping up a window that says "failed to start because VB40032.DLL was not found.  Re-installing the application may fix this problem".

I deleted and re-downloaded the program several times to its own folder and had the same prompt each time.

Offline guestolo

Smart Security clean-up
« Reply #8 on: April 12, 2005, 03:03:54 PM »
The only way I can create that problem is if I didn't unzip Startdreck before running it

Create a new folder on your desktop
Right click an Empty spot>>Select NEW>>Folder
Name it Startdreck

Unzip Startdreck.zip to that folder
After it is unzipped
Open that new folder and run Startdreck.exe from there



Offline frustrated

Smart Security clean-up
« Reply #9 on: April 12, 2005, 04:05:20 PM »
StartDreck (build 2.1.7 public stable) - 2005-04-12 @ 17:05:58 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as jturner at JTURNER

»Registry
 »Run Keys
  »Current User
   »Run
    *ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
    *PopupJammer=C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
    *x3yy=C:\WINDOWS\System32\x3yy\fcgneaei.exe
   »RunOnce
  »Default User
   »Run
    *PopupJammer=C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
   »RunOnce
  »Local Machine
   »Run
    *DellTouch=C:\WINDOWS\DELLMMKB.EXE
    *vptray=C:\Program Files\NavNT\vptray.exe
    *gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  *PopupJammer.Jammer/{09F0F280-FB9A-481B-B69A-CB00DC44D027}
   `InprocServer32=C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
  *Bar.WebBar.1/{77712A64-F30B-47C8-A363-CDA1CEC7DC1B}
   `InprocServer32=C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
»Files
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +332=\SystemRoot\System32\smss.exe
  +392=\??\C:\WINDOWS\system32\csrss.exe
  +416=\??\C:\WINDOWS\SYSTEM32\winlogon.exe
  +572=C:\WINDOWS\system32\services.exe
  +584=C:\WINDOWS\system32\lsass.exe
  +764=C:\WINDOWS\system32\svchost.exe
  +812=C:\WINDOWS\System32\svchost.exe
  +936=C:\WINDOWS\System32\svchost.exe
  +980=C:\WINDOWS\System32\svchost.exe
  +1088=C:\WINDOWS\system32\spoolsv.exe
  +1216=C:\WINDOWS\Nhksrv.exe
  +1236=C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
  +1256=C:\Program Files\NavNT\DefWatch.exe
  +1276=C:\DMI\WIN32\bin\DellDmi.exe
  +1292=C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
  +1304=C:\Program Files\Dell\OpenManage\Client\DLT.exe
  +1340=C:\Program Files\Dell\OpenManage\Client\Iap.exe
  +1380=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
  +1432=C:\Program Files\Xerox\Network Installer\npas.exe
  +1584=C:\Program Files\NavNT\rtvscan.exe
  +1656=C:\dmi\win32\bin\Win32sl.exe
  +428=C:\WINDOWS\Explorer.EXE
  +928=C:\WINDOWS\DELLMMKB.EXE
  +948=C:\Program Files\NavNT\vptray.exe
  +956=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
  +944=C:\WINDOWS\System32\ctfmon.exe
  +624=C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
  +1136=C:\Program Files\WinZip\WZQKPICK.EXE
  +1464=C:\WINDOWS\System32\x3yy\fcgneaei.exe
  +1876=C:\Program Files\Microsoft Office\Office10\msoffice.exe
  +1964=C:\Program Files\Netropa\OSD.exe
  +2068=C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
  +2028=C:\Program Files\Internet Explorer\iexplore.exe
  +3988=C:\Program Files\Internet Explorer\iexplore.exe
  +4052=C:\Program Files\Outlook Express\MSIMN.EXE
  +508=C:\Program Files\Messenger\msmsgs.exe
  +3768=C:\startdreck\StartDreck.exe
»Application specific


Logfile of HijackThis v1.99.1
Scan saved at 5:08:07 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mucc
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Offline guestolo

Smart Security clean-up
« Reply #10 on: April 12, 2005, 04:32:51 PM »
I need you to do everything you can if possible
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop


Restart your computer into SAFE MODE

In safe mode do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Provides three management service

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

After that is done
Open Startdreck.exe
Set it again to show
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Under (Running processes) near the bottom
If you can find>>May not be running
+1464=C:\WINDOWS\System32\x3yy\fcgneaei.exe
Left click to Highlight it and then click the Terminate button
OK the prompt

Next in startdreck
Under the Current User
Run>> near the top
Left click to Highlight
*x3yy=C:\WINDOWS\System32\x3yy\fcgneaei.exe
Then click the Delete button

Exit Startdreck

Stay in safe mode
Navigate too and delete these files or folders if found
You can do that by opening "MyComputer"
Open the>> C: drive
>>Windows folder
>>System32 folder

Delete if found
C:\WINDOWS\System32\dev32.exe <-this file, may not be found, but take a look
C:\WINDOWS\System32\x3yy <-this folder

Go back to the Windows folder and delete this file if found
C:\WINDOWS\desktop.html <-this file

In the Windows folder will be a Web folder
Open the Web folder and delete if found

C:\WINDOWS\Web\desktop.html <-this file

You can close out of there now, but stay in safe mode

Open Hijackthis>>Open Misc tools section button>>Open "Delete an NT service"
In the empty box type in or copy and paste the entry I have bolded below
and then hit OK
FreeBSD

Afterwards, In hijackthis
Do another scan and fix checked this entry if found, it may not be found but take a look
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)

When that's done, restart your computer back to Normal mode
Do another scan with Hijackthis and post back a fresh log



Offline frustrated

Smart Security clean-up
« Reply #11 on: April 12, 2005, 04:46:06 PM »
How do you restart in safe mode?  I'll have to get on this tomorrow.

Thanks again for your help!

Offline guestolo

Smart Security clean-up
« Reply #12 on: April 12, 2005, 04:48:09 PM »
It's not that tough, and you should know how :D

I supplied a link above, but here it is again
How to start in safe mode



Offline frustrated

Smart Security clean-up
« Reply #13 on: April 13, 2005, 10:53:53 AM »
Yeah, feel kinda stupid, each time I print out your instructions to follow them better.  In the course of looking at paper I didn't quite catch that it's a link on how to open in safe mode!

Anyway, I couldn't find the following:
+1464=C:\WINDOWS\System32\x3yy\fcgneaei.exe
x3yy=C:\WINDOWS\System32\x3yy\fcgneaei.exe
C:\WINDOWS\System32\dev32.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\Web\desktop.html
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)

Logfile of HijackThis v1.99.1
Scan saved at 11:50:14 AM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\ikogdjjf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
Smart Security clean-up
« Reply #14 on: April 13, 2005, 10:11:51 PM »
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\ikogdjjf.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Ensure this folder is gone
C:\WINDOWS\System32\x3yy <-folder

Post back a fresh Hijackthis log and let me know of any problems

Could you also let me know if you purposely installed the  "Advanced Searchbar"


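Added example, not part of the original thread and not code from HijackThis or this forum: a small Python triage of HijackThis log lines that picks out the two kinds of entry being fixed here, an autorun whose target sits in a sub-folder of System32 (the `x3yy` entry) and an entry tagged "(file missing)" (the `dev32.exe` service quoted earlier), and then diffs an earlier and a later log to confirm the entry really disappeared after the reboot, which is what "ensure this folder is gone" is checking. The heuristics are mine; the sample lines are copied from the logs in this thread, and the "after" log is constructed by dropping the two fixed entries. The two "review" rules (a service with "Unknown owner", an ActiveX codebase served from a bare IP address) only ask for a look, since the helper did not ask for Nhksrv or the Axis camera control to be removed.

```python
import re
from ipaddress import ip_address
from pathlib import PureWindowsPath
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis logs in this thread,
# plus the dev32 service line quoted from the earlier fix list. Not a full log.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\ikogdjjf.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
"""

# Constructed "after" log: the same lines with the two fixed entries removed,
# standing in for the fresh log posted after "Fix checked" and a reboot.
LOG_AFTER = "\n".join(
    line for line in LOG_BEFORE.splitlines() if "x3yy" not in line and "dev32" not in line
)

FILE_MISSING = "(file missing)"
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def under_system32_subdir(path: str) -> bool:
    """True when an autorun target lives in a sub-folder of System32
    (System32\\x3yy\\ikogdjjf.exe). Legitimate Run entries point at System32
    itself or at Program Files; a freshly created sub-folder is a common
    drop location for the kind of hijacker this thread is cleaning up."""
    parts = [p.lower() for p in PureWindowsPath(path.strip().strip('"')).parts]
    if "system32" not in parts:
        return False
    idx = parts.index("system32")
    return len(parts) - idx > 2  # system32, <subdir>, <file>


def bare_ip_host(url: str) -> bool:
    """True when an O16 ActiveX codebase is fetched from a literal IP address."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the R/O lines of a HijackThis log and return findings.
    severity 'fix' = tick it in HijackThis; 'review' = confirm with the owner."""
    findings: List[Dict[str, str]] = []
    for raw in (line.strip() for line in log_text.splitlines()):
        if not raw:
            continue
        if raw.endswith(FILE_MISSING):
            findings.append(dict(severity="fix", raw=raw,
                                 reason="registry entry points at a file that no longer exists"))
            continue
        m = O4_RE.match(raw)
        if m and under_system32_subdir(m.group(3)):
            findings.append(dict(severity="fix", raw=raw,
                                 reason="autorun target lives in a sub-folder of System32"))
            continue
        m = O16_RE.match(raw)
        if m and bare_ip_host(m.group(3)):
            findings.append(dict(severity="review", raw=raw,
                                 reason="ActiveX codebase served from a bare IP address; confirm it is expected"))
            continue
        m = O23_RE.match(raw)
        if m and m.group(2) == "Unknown owner":
            findings.append(dict(severity="review", raw=raw,
                                 reason="service binary carries no publisher information; confirm what installed it"))
    return findings


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one:
    the quickest check that a 'Fix checked' actually survived the reboot."""
    after_set = {line.strip() for line in after.splitlines() if line.strip()}
    return [line.strip() for line in before.splitlines()
            if line.strip() and line.strip() not in after_set]


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['raw']}")
    print("\nGone after the fix:")
    for line in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("  ", line)
```

Run it as a script to see the two "fix" lines and two "review" lines; the Acrobat BHO, vptray and gcasServ entries pass untouched, which is the point of keeping the rules narrow rather than flagging every unfamiliar path.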
Offline frustrated

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Smart Security clean-up
« Reply #15 on: April 14, 2005, 09:15:11 AM »
No, I didn't purposely install the Advanced Searchbar.  I may have done it on accident however.  When I was attempting to open in safe mode yesterday I was having a helluva time getting it to reboot.  It was in this continuous loop:  I would hit control, alt, delete then the password and it would shut down and start all over again.  I must have done that over 20 times before hitting F8 and selecting something like "use the last sequence(?) that opened the computer".

Logfile of HijackThis v1.99.1
Scan saved at 10:13:14 AM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Offline frustrated

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Smart Security clean-up
« Reply #16 on: April 14, 2005, 09:23:39 AM »
Had a second to think about your question.  Is the advanced searchbar located just underneath where URL addresses are shown?  This area shows, from left to right, a lunchbox, dropdown on where to search, another dropdown to clear the search, search icon, news icon, calculator, games, tools and media icons.

I think this got automatically installed when I downloaded a weather program last year.  It was kinda cool as it automatically updated a weather icon in the lower right hand corner where the icons for volume and winzip etc. are located.  I became suspicious of this program for some reason and have since deleted it (I think).  I'm sure it loaded all sorts of crap onto my computer that I'm unaware of.

I went so far as to tell my wife about it as we were building a house last summer and weather conditions were a paramount concern.  She also has that on her computer.

Offline frustrated

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Smart Security clean-up
« Reply #17 on: April 19, 2005, 08:59:28 AM »
Bump

Everything seems to be working much better, haven't transferred files back to desktop yet.  Waiting to make sure everything seems to be in order from your standpoint.

Thanks again for all the help!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
Smart Security clean-up
« Reply #18 on: April 19, 2005, 09:21:16 PM »
Sorry about the delay, if you didn't purposely install the Advanced Searchbar
I recommend you uninstall it

Restart the computer afterwards

Post back one last hijackthis log

Could you try saving a shortcut to the desktop and let me know if everything is working fine
« Last Edit: April 19, 2005, 09:23:17 PM by guestolo »

Offline frustrated

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Smart Security clean-up
« Reply #19 on: April 20, 2005, 02:34:16 PM »
Was lulled into thinking this was all gone.  After posting yesterday I went out on a limb and put a shortcut on the desktop, no problem.  Today, when I started the computer, there were 2 copies of said shortcut so I assume I still have a problem.

I did a search for the Advanced Searchbar, found the folder and tried to delete it, didn't work.  I opened the folder and tried to delete its contents (16 files?) and it worked with a few.  I have gotten rid of everything in the folder but:
Jammer.exe & PopupJammer.dll

They leave a popup box stating that they are being used by another person or program, close programs using files & try again.  I shut everything down that I had open, including Microsoft Beta, and tried again with no success.  The weather program I mentioned earlier was contained within this file and I assume it just loaded a bunch of crap along with the weather.  Now I'm stuck on how to get rid of it.

I restarted and posted another HJT log below.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:22 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe