Author Topic: Another victim of SmartSecurity  (Read 2969 times)

Offline boastercoaster

« Reply #20 on: May 01, 2005, 09:32:48 AM »
I thought I did post all the reports you asked for??  I don't have spybot.

Offline guestolo

« Reply #21 on: May 01, 2005, 12:59:01 PM »
Sorry, my mistake, thanks for the logs

Can you try something, please? Download and UNZIP
Get.bat
Double click on Get.bat and a new text file will be created called Export.txt

Can you copy and paste the contents of that back here
« Last Edit: May 02, 2005, 01:20:19 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline boastercoaster

« Reply #22 on: May 02, 2005, 09:01:24 PM »
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000

Offline boastercoaster

« Reply #23 on: May 02, 2005, 09:19:36 PM »
Another question, I get a pop-up that asks me to "Help protect your PC schedule automatic updates".  Comes from the lower right toolbar.

And my old anti-spyware is gone and I know I put some that you gave me.  Will they scan daily or do I need to run them?  My other one ran every night.

Offline guestolo

« Reply #24 on: May 02, 2005, 10:57:03 PM »
Let's work on your background colors first

Download and Unzip to desktop
Fixdesktop.zip so you now have Fixdesktop.reg on the desktop

Double click on Fixdesktop.reg and allow to merge to the registry
Restart your computer and let me know if your background is back to normal

Post back a fresh Hijackthis log later
« Last Edit: May 02, 2005, 10:58:16 PM by guestolo »



Offline boastercoaster

« Reply #25 on: May 03, 2005, 06:00:23 PM »
I posted earlier that the background fixed a few minutes later. It is all right now and I can put any wallpaper I want.

Offline guestolo

« Reply #26 on: May 03, 2005, 10:26:00 PM »
Let's try this

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates???
This may be the notification you're getting from your lower right taskbar
If your version of Windows is legit, this is important to keeping your system secure
If you want a rundown on how I prepare a system before  installing SP2 and all other Critical updates,  let me know

You looked like you had Microsoft Anti-Spyware Beta installed on your computer
I never asked you to remove it
If you removed it, I have a download link at the top of this forum in Removal and Preventive tools

You may also want to run this spyware checker too
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Can you post back one last Hijackthis log, let's make sure you're still clean
« Last Edit: May 03, 2005, 10:27:17 PM by guestolo »



Offline boastercoaster

« Reply #27 on: May 09, 2005, 05:23:16 PM »
I had to run a restore.  It got messed up. Here is the logfile.  Should I run cleanup321, cwshredder, ewido?? Any of these periodically or just the spywareblocker and beta?  I also have Symantec AntiVirus Corporate Edition.  I don't remember that being in the tool bar till recently.


Logfile of HijackThis v1.99.1
Scan saved at 1:54:37 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe

Offline guestolo

« Reply #28 on: May 09, 2005, 05:39:01 PM »
It looks like you didn't take my final advice and now you paid for it  :o
As you can see I asked you to disable system restore and restart the computer and then enable system restore
You didn't do that so I guess you didn't install any of the last 3 programs I mentioned
and Still no Windows Updates
Well, if your version of Windows is legit, you will just keep right on getting infected without them
Don't install them yet until we get you clean Again

Same instructions as the first time you posted a log
Quote
Could you go to start>>Run>>type in
msconfig
Hit OK
Enable all startup items
Do a Normal startup

You shouldn't have to restart your computer but post back a fresh hijackthis log afterwards
« Last Edit: May 09, 2005, 05:51:10 PM by guestolo »



Offline boastercoaster

« Reply #29 on: May 09, 2005, 09:53:09 PM »
I did exactly what you asked, disabled, then restarted and enabled.  Had I not, it wouldn't have restored back to that point from last week, right? My prior email a few days ago had that log from after that. Everything is enabled on startup files.



Logfile of HijackThis v1.99.1
Scan saved at 10:50:47 PM, on 5/9/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Offline guestolo

« Reply #30 on: May 09, 2005, 10:04:19 PM »
Whew, you scared me, I never noticed the date of the scan of the prior log you posted before this one

It looks like you cleaned it up
The log looks good
How's everything on your end?

Why so far behind on Windows updates?
If your version of Windows is legit you should make sure you update
Not the recommended updates, but Critical updates and Service Packs



Offline boastercoaster

« Reply #31 on: May 09, 2005, 10:13:16 PM »
How can I get the critical updates??

Offline boastercoaster

« Reply #32 on: May 10, 2005, 09:20:08 PM »
I updated the Windows files, does this log look any different?

Logfile of HijackThis v1.99.1
Scan saved at 10:11:09 PM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Offline guestolo

« Reply #33 on: May 10, 2005, 09:44:35 PM »
It looks really good
I hope you installed SpywareBlaster
I would use IE-Spyad also, it's compatible with SP2

Don't forget to check once a month for High Priority updates(Criticals) at Windows updates or leave Automatic updates enabled

If you didn't manually add these to your trusted zones, I would have Hijackthis fix them
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com

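The comparison made by eye in Replies #30 and #33 (the 5/9 log "looks good" next to the 4/30 one, with the two O15 Trusted Zone entries left for the user to confirm) can be done mechanically. This is an added example, not part of the original posts or of any tool used in the thread; the function names are illustrative and the sample logs are a few lines copied from the two scans above.

```python
import re

# Constructed sample: a few lines copied from the 4/30/2005 and 5/9/2005
# HijackThis scans posted in this thread, not the complete logs.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\crwk32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1...)
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse(log):
    """Map (section, case-folded detail) -> original line.
    Header lines and the 'Running processes' list do not match and are skipped.
    Details are case-folded because Windows paths are case-insensitive."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).casefold())] = line.strip()
    return entries

def compare(before, after):
    """Split entries into those removed, those added and those present in both scans."""
    old, new = parse(before), parse(after)
    return {
        "gone": sorted(old[k] for k in old.keys() - new.keys()),
        "new": sorted(new[k] for k in new.keys() - old.keys()),
        "kept": sorted(new[k] for k in old.keys() & new.keys()),
    }

def still_to_confirm(result, sections=("O15",)):
    """Entries that survived the cleanup in sections the user must verify by hand."""
    return [l for l in result["kept"] if l.split(" - ", 1)[0] in sections]

if __name__ == "__main__":
    result = compare(LOG_BEFORE, LOG_AFTER)
    for label in ("gone", "new", "kept"):
        print(f"== {label} ==")
        for line in result[label]:
            print("  " + line)
    print("confirm manually:", still_to_confirm(result))
```

Entries listed under "new" are not automatically benign; they still need the same review as any first log.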


Offline boastercoaster

« Reply #34 on: May 10, 2005, 10:19:24 PM »
Thanks for the help.. Is this forum run by donations??  Would you run any of the other things I ran to initially clean or just blaster and antispyware by Microsoft and the IE\Spyad?

Offline guestolo

« Reply #35 on: May 10, 2005, 10:39:19 PM »
Donations are accepted to help with the site, but Google Ads cover most of the cost
I hate some of those google ads>>>Don't click on any most of the time  :P

About:Buster and CWShredder, you can delete

Can't remember everything I had you run
But hold onto Ad-Aware and check for updates every couple of weeks and run a scan
Same with Microsoft Anti-spyware

Remember to check for updates with SpywareBlaster every few weeks
After every update enable all protection
IE-Spyad>>As mentioned, keep the link bookmarked to the site
When you see an update, simply download the zip file and self extract it
Then read the uninstall and reinstall procedure to properly set the new entries
Both spywareblaster and IE-Spyad don't run in the background
SpywareBlaster and IE-Spyad don't clean
They Prevent
Prevention is the best medicine

Hold onto CleanUp! and clean those temp folders and such every couple of weeks

Myself, additionally, I also run Spybot 1.3 on my system every few weeks
and SpywareGuard 2.2
I don't use the Tea Timer that comes with Spybot
SpywareGuard takes care of most of that department anyways
SpywareGuard, won't and doesn't have to update that often, this is another program from JavaCool
The creator of SpywareBlaster
I have links to both Spybot and SpywareGuard at the top of the forum, or
Click HERE if you're interested


Well enough gabbing

Stay Safe  :D

EDIT>>I totally forgot about the Hosts file, we should restore it to default if not found
Can you open Hijackthis now and open Misc tools>>>Open Hosts file manager
Click Open in Notepad
If prompted to make a new host file allow it
Post back the contents of the Hosts notepad file
« Last Edit: May 10, 2005, 10:44:15 PM by guestolo »
