« previous next »
Pages: [1]

Author Topic: Unsure  (Read 1402 times)

Offline kas

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Unsure
« on: May 14, 2005, 02:43:57 AM »
I have been having a very tough time with my computer. Having recently lost control of my background to what I believe was SmartSecurity. I have ran several anti-virus programs (Adaware, Spybot, and now have the hijack this log saved) and have a black background after running the first two. If anyone has any advice on how to handle and fix this problem I would be greatly appreactive.

Logfile of HijackThis v1.99.1
Scan saved at 2:41:59 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\S_Mil\Desktop\Stuff that you don't really need\HijackThis.exe

O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Unsure
« Reply #1 on: May 14, 2005, 02:46:07 AM »
Could you Download and UNZIP to desktop or a folder
Get2.zip
 so you now have Get2.bat extracted to the desktop
Doulble click on Get2.bat and a text file called Export2.txt will be produced
Copy and paste back Export2.txt also
« Last Edit: May 14, 2005, 02:54:51 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline kas

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Unsure
« Reply #2 on: May 14, 2005, 02:58:30 AM »
Here you go and thank you for the help.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Unsure
« Reply #3 on: May 14, 2005, 03:18:29 AM »
This infection is best if you follow all these instructions

*  Please download the Killbox by Option^Explicit. [color=\"red\"]*In the event you already have Killbox, this is a new version that I need you to download[/color].
* Save it to your desktop or a folder

*Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

*Download and UNZIP to a folder or desktop
Fixdesktop.zip,    so you now have Fixdesktop.reg extracted

*Download and UNZIP to a folder or desktop
StHome.zip so you now have STHome.reg extracted
[attachment=223:attachment]

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.

[color=\"red\"]I need you to copy all of the Killbox file paths below and paste them into Notepad.[/color]

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

[color=\"purple\"]Killbox file paths between dotted lines[/color]
=========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
==========================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

[color=\"red\"]While your computer is restarting, tap the F8 key continually until a menu appears.  Use your up arrow key to highlight Safe Mode, then hit enter.[/color]

[color=\"purple\"]While in Safe Mode, please do the following:[/color]

Run Ewido, and run a full scan.  Clean any infected files found, and save the log from the scan.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Delete the following folders, if they exist:

C:\Program Files\Search Maid <-this folder
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\STLinks
C:\Program Files\STHomePage
C:\Windows\System32\Log Files

Double Click on Fixdesktop.reg and allow to merge to the registry
Double click on STHome.reg and allow to merge

Restart back to Normal Mode

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Your not running any Anti-Virus software
If yours is disabled, enable it now and update and run a full system scan
If you don't have your own
I recommend that you download and Install the free version of AVG 7
This will update for free for the life of the product
Go to this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5

Scroll down to
VG Free Edition installation files
File   Version
avg70free_308a468.exe <-click this link
Save the Installer to desktop
Install AVG and restart the computer if prompted

Ensure AVG is right up to date and run a full system scan
Restart the computer again if anything is fixed

Post back a fresh hijackthis log and the Report from Ewidos when done
« Last Edit: May 14, 2005, 03:42:04 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline kas

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Unsure
« Reply #4 on: May 14, 2005, 03:36:53 AM »
A quick question on this step.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Would this be from the hijack this log?
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Unsure
« Reply #5 on: May 14, 2005, 03:39:48 AM »
Go to START>>RUN>>Type in notepad
Hit OK

A notepad file will open

Copy and paste all the below in bold to that notepad file

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

Save it
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »