Resolved HJT Threads - Resolved spyware and popup issues.
#21
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
Is it problem, or problems, or PEBKAOC (problem exists between keyboard and owner's chair)? : )
Will be patient.
#22
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok...I'm not sure what issues you have left...but you still have part of the smitfraud trojan files installed..so we are going to run the fix again. Don't worry if you can't find some of these files or entries as they may be missing...but check anyway.

Click START...RUN...Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE....EXPORT...and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"paint.exe" = "shnlog.exe" [file not found]
"notepad.exe" = "msmsgs.exe" [file not found] <--remove those 2 entries.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download the file located here.. http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.

*IMPORTANT* Be sure VIEW HIDDEN FILES is still enabled...and Spybot's TeaTimer is DISABLED.

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the processes for each of these I list below or any that have a similar name.
C:\WINNT\System32\shnlog.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\intmon.exe
Make sure to end those processes if they are listed.

Double-click that smitfraud.reg on your desktop and confirm you want to merge it with the registry.

Download KillBox http://www.atribune.org/downloads/KillBox.exe
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
**Note** You may not have all these...but paste them in anyway. If you get a Pending File Operations prompt on the last one ignore it and just reboot manually.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\hp596C.tmp
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\winnook.exe
C:\WINNT\system32\hookdump.exe
C:\WINNT\desktop.html
C:\WINNT\screen.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download Hoster from HERE ..Hoster http://www.greyknight17.com/spy/Hoster.exe Run the program and Press "Restore Original Hosts" and press "OK". Exit Program.
2.) Download DelDomains.inf Right-click and select..... Save Target As. To use: Right-click and select....... Install (no need to restart) **Note** This will remove all entries in the "Trusted Zone"
3.) Download and install CleanUp http://cleanup.stevengould.org/ Run the cleanup utility and reboot/logoff when prompted.

Click again on the smitfraud.reg file and merge it for a second time. This should fix the policies of those desktop tabs and allow you to delete that "Security" entry on that "WEB" tab. Now..once you're back to normal windows..right click on the desktop..select properties...desktop..customize desktop...web..and uncheck anything listed.
Now highlight and delete any entry that says security..or anything other than the default "My Current Homepage". Leave that entry be. Once done...post another hijackthis log...and let me know the outcome of removing that desktop message/background.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#23
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
All done. Here is the HJT log. The black warning desktop screen and grey replacement desktop screen had been deleted per your previous instructions.
Logfile of HijackThis v1.99.1
Scan saved at 7:05:45 PM, on 6/6/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\System32\MsiExec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
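A triage helper for logs in the HijackThis format posted above, added here as an example and not a tool from the thread or from HijackThis itself: it parses the running-process list and the R/F/N/O entries, then flags the file names that post #22 lists as SmitFraud components and any entry under the Policies\Explorer\Run key that post #22 had to clean by hand (assumed here to be reported as an O4 line). The sample log is constructed for the example.

```python
import re

# Constructed sample in HijackThis 1.99 log format, modelled on the log posted
# in this thread; the entries are made up for the example, not the poster's.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\popuper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [paint.exe] shnlog.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""
# File names the cleanup post (#22) lists as part of the SmitFraud infection.
SMITFRAUD_FILES = {"shnlog.exe", "popuper.exe", "intmon.exe", "intmonp.exe",
                   "msmsgs.exe", "helper.exe", "ole32vbs.exe", "msole32.exe",
                   "winnook.exe", "hookdump.exe", "wp.exe", "bsw.exe"}
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # R0-R3, F0-F3, N1-N4, O1-O24

def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # the first entry line ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def basename(token):
    """Lower-cased file name of a path token (quotes and HJT brackets stripped)."""
    return token.strip('"[]').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_indicators(text):
    """Return (reason, line) pairs that deserve a closer look, in log order."""
    processes, entries = parse_hjt(text)
    hits = [("smitfraud-process", p) for p in processes
            if basename(p) in SMITFRAUD_FILES]
    for kind, body in entries:
        if r"Policies\Explorer\Run" in body:  # key post #22 had to clean by hand
            hits.append(("policy-run", kind + " - " + body))
        elif any(basename(t) in SMITFRAUD_FILES for t in body.split()):
            hits.append(("smitfraud-" + kind, kind + " - " + body))
    return hits
```

A file-name match is a triage hint, not a verdict; check the full path before acting, since msmsgs.exe, for instance, is also the name of the legitimate Windows Messenger executable on Windows XP.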
#25
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
On startup I still have the Windows Installer attempt to install something, and after closing that (twice), "Backup Dell installed programs" attempts to load, and as I cancel/close it, I get an "Error 1706". Then I'm back to normal.
#27
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
Well in the event log section I noticed the following 4 entries in the Application file. They repeat each time I've started up my system. These each repeated 3 times, with number 1 being the latest of the 4, sequentially down to 4 being the first logged.

1) Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11729
Date: 6/7/2005
Time: 5:48:00 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: Product: Backup Dell-Installed Programs -- Configuration failed.

2) Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11706
Date: 6/7/2005
Time: 5:48:00 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: Product: Backup Dell-Installed Programs -- Error 1706. No valid source could be found for product Backup Dell-Installed Programs. The Windows Installer cannot continue.

3) Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 6/7/2005
Time: 5:47:54 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: Detection of product '{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}', feature 'Backup_Programs' failed during request for component '{22056900-C842-11D1-A0DD-00A0C9054277}'

4) Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 6/7/2005
Time: 5:47:54 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: Detection of product '{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}', feature 'Backup_Programs', component '{2A2766AA-6AE4-11D4-AC8E-52544C1966EE}' failed. The resource 'C:\WINNT\Temp\DellBckp\' does not exist.

No Entries in the Security log. In the System log at around the same time, the following 3 entries. These only ran once each, likewise #5 being the last logged and #7 the first logged.

5) Event Type: Error
Event Source: Server
Event Category: None
Event ID: 2506
Date: 6/7/2005
Time: 5:43:33 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: The value named IRPStackSize in the server's Registry key LanmanServer\Parameters was invalid. The value was ignored, and processing continued.
Data: 0000: 57 00 00 00 W...

6) Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6005
Date: 6/7/2005
Time: 5:43:24 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: The Event log service was started.

7) Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6009
Date: 6/7/2005
Time: 5:43:24 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 3 Uniprocessor Free.
#28
Analyst, Security Team
First I would uninstall Ewido in Add/Remove programs. You have AVG running so you don't need both. We only used Ewido for a one-time scan.

When the Cleanup! program runs, it deletes all files and subfolders in the temp folder. Which means it deleted that C:\WINNT\Temp\DellBckp folder. Do you still have the 'Backup Dell-Installed Programs' CD-ROM? Also, how are the drive(s) on your system set up? You mentioned earlier that the Dell Backup Software tries to load from E: Is this a partition on your hard drive or a CD-ROM drive?
4SG
#30
Analyst, Security Team
Just wanted to double check on this. You're referring to the Backup: Dell-Installed Programs CD and not a recovery/windows CD right?

Go to Add/Remove programs and remove: Backup: Dell-Installed Programs
Insert the Backup: Dell-Installed Programs CD in the CD drive. The Backup: Dell-Installed Programs window appears. Click the Next button. The InstallShield Wizard Complete window appears. Click the Finish button. (you don't want to install anything. Exit)
Remove the CD - Reboot and look for errors in Event Viewer again.
4SG
#31
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
Yes, was referring to the factory Dell backup CD.
Installed and ran it and restarted PC. No error messages on start up. The following is the only message now in event viewer:

Event Type: Error
Event Source: Server
Event Category: None
Event ID: 2506
Date: 6/9/2005
Time: 7:40:05 PM
User: N/A
Computer: W-1ECAED0A32DD4
Description: The value named IRPStackSize in the server's Registry key LanmanServer\Parameters was invalid. The value was ignored, and processing continued.
Data: 0000: 57 00 00 00 W...
#32
Analyst, Security Team
We're getting there.

Click Start>> Run>> type Regedit
Click "My Computer" once to highlight it (in the left pane of registry editor)
Click..FILE....EXPORT...and save a copy somewhere.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters
And see what the IRPStackSize value is set to. Post it here
4SG
#34
Analyst, Security Team
That value should be between 11 - 15.
Here's the Microsoft link: http://support.microsoft.com/kb/q238316/
Let us know how you make out.
#35
Registered User
Join Date: Sep 2004
Location: seattle-tacoma metro blob
Posts: 110
OS: win XP ver 5.1.26001
Followed the instructions on the webpage (which were to basically delete the IRPStackSize) and restart.
First I made a new startup disk, then followed the instructions and now no issues (no new errors in the Event Viewer). Thanks
#36
Analyst, Security Team
Glad we could help - long-winded fix.
Your log is clean. Are there any problems now? If not, you should be set to go. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.
4SG