Smart Security clean-up

[frustrated]

Dawned on me to look for these again, found that one was open at the lower right portion of screen where various icons are found.  Closed it out, deleted it, now it's gone.  Left with only PopupJammer.dll, can't get it to delete.

[guestolo]

Can I have you post back a fresh Hijackthis log

Also, can you create a new shortcut on your desktop

Let me know if it doubles when you do it

Also let me know if you did the below

1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Try changing your Background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out

[frustrated]

Yes, I've done the control panel thing already, just double checked it all and it's in order.

The shortcut is still creating doubles on my desktop.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:45 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

[guestolo]

Can you download and UNZIP to a folder
fixdsply.zip
So you now have fixdisply.reg in the same folder

Double click on fixdisply.reg and allow to merge to the registry

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)

O8 - Extra context menu item: Add to White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\PROGRAM FILES\ADVANCED SEARCHBAR\delfromlist.js

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer and post back one last hijackthis log
Let me know of any problems afterwards

[frustrated]

Whoa, somehow you put all the files back on my desktop, unbelievable!  And no doubles to boot!

You are truly outstanding!  Without working for a few days I'm not sure if there is anything else wrong here, I suspect you know more than I at this point.  Sounds like your confident I'm all cleaned up.

Thanks a million!

Jack



Logfile of HijackThis v1.99.1
Scan saved at 2:04:16 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Xerox\Network Installer\npas.exe
C:\Program Files\NavNT\rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.203.128.3/axiscam/Codebase/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mucc
O17 - HKLM\Software\..\Telephony: DomainName = mucc
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF3AE2D3-90B7-4499-9152-AF6192924593}: NameServer = 192.168.81.253,207.179.70.27
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: New Printer Alert - Xerox - C:\Program Files\Xerox\Network Installer\npas.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

[guestolo]

Good work, I missed an entry to fix with Hijackthis

With all other windows closed down have hijackthis fix this entry

O4 - HKCU\..\Run: [PopupJammer] C:\PROGRAM FILES\ADVANCED SEARCHBAR\JAMMER.EXE

Restart your computer and then delete this folder if found
C:\PROGRAM FILES\ADVANCED SEARCHBAR <-folder

Now that we have remove advanced searchbar we leave you without a popup blocker
We can go 2 routes with this
Get you to update to Service Pack 2 for XP
IE has a built in popup blocker in the newest service pack

Or get you a new popupblocker for IE if you refuse to update

I would think that updating to the latest service pack would be the way to go
If you want a hand on what steps I like to do before updating, let me know

[frustrated]

Man, thanks a million!  The searchbar is now gone, all is well I guess.

Agreed on the service pack.  I have a new alter to pray at and your in the middle of the shrine.  If you have some system of downloading such things I'd be stupid not to listen.  I'm good at following directions and would simply do what they told me.

If you've got some insight I'd love to hear it.

Thanks again.

PS, can I now delete all the programs that I downloaded to solve my problems?

[guestolo]

First, can you do the following

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well