0

I am very sure (and hopeful) that someone here will be able to offer the solution. I have been reading posts here on the site for something very similar... i need some specific advice for my situation though please.
I had the same situation where pop-ups keep arising saying that i need to purchase anti-virus.spyware software etc. and also, the desktop has been taken over by a black image which says the same warning.
I deleted the security guard yesturday from the computer.. but obviously the effects are still there. If i trace the "location" of the present background image "file://C:\Windows\web\desktop.html" and then delete it.... i can get rid off the black warning image, but it is replaced by a grey/white image which flickers.

Now someone else posted the same thing on this site... but i have a slight problem, further than already discussed. I read the "solution" which was to untick all the boxes under "desktop", "customize desktop", "web"... but for me, i can't even access it!! It has hidden "desktop" from me so i cannot alter it. How do i get rid of it now??

Another thing i should mention, is that for this computer, there are different "user accounts"... my girlfriend, and mine, and a few other names (which aren't used). It was while using my login that the thing jumped onto the computer. It managed to get onto my girlfriends login too.... but that one has now been cleared by following the advice of unticking boxes.. because somehow, on her login, you can access the desktop, and change the background. For me though, as already stated, i cannot access the "desktop" function... what do i do?? how do i get rid of this hijacker? it is so frustrating.

Please help, and thankyou in advance.

3
Contributors
13
Replies
14
Views
12 Years
Discussion Span
Last Post by DMR
0

Also, some things i should add...
- When you launch the internet explorer, it immediately goes to "about.blank/" in the url. it's automatically set as the homesite, no matter how many times i try to change it in "internet options".
- The computer is running slower and slower...
- No matter how many times i delete the file "desktop.html" it always comes back after i turn the computer off and on. Thus, displaying the same black warning image.
- also, i'm not a very technical person when it comes to computer... i probably can't give you and in-depth description of what is happening, logging's etc. and please, when you reply, keep it relatively simple.

I'll keeping adding more, as more comes to mind.

0

1. Download and install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found

Download & instal Spybot S&D 1.3 from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Download HijackThis selfextracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Thankyou so much for all the time you have spent helping me already. I have followed every step of your advice (so far no solution of course... which perhaps you expect). Having made a scan with hijackthis, i have posted the scan log as you asked me to. I hope this will enable you to offer more advice as to how i can get rid of this virus thing!!!!!
thankyou in advance.

Logfile of HijackThis v1.99.1
Scan saved at 19:19:30, on 01/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\3Com\3Com Wireless Card Manager\Monitor.exe
C:\WINDOWS\System32\nvdsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OKPODE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OKPODE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ewizard.cc/cn/?r=b667d03f703dc1ba&pin=370
O1 - Hosts: 82.146.42.75 web.da-us.citibank.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {269F1447-0003-4960-96ED-467C17178A98} - C:\WINDOWS\System32\kngl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [3COMMonitor] C:\Program Files\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\nvdsvc32.exe ] C:\WINDOWS\System32\nvdsvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SECURITY.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\DANNYH~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {A23F8943-B102-49AE-96E0-4F1118C5BD90} - C:\WINDOWS\System32\kngl.dll
O18 - Filter: text/plain - {A23F8943-B102-49AE-96E0-4F1118C5BD90} - C:\WINDOWS\System32\kngl.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

0

Download CWShredder 2.14 from here.

Download \'SpSeHjfix\' to the desktop and then
right click a blank part of the desktop and select new folder, call it spfix
unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

0

Crunchie, again thankyou. I have gone through all you have said. The first pasting, is that of the spfix log as below:

(5/1/05 23:57:14) SPSeHjFix started v1.1.2
(5/1/05 23:57:14) OS: WinXP (5.1.2600)
(5/1/05 23:57:14) Language: english
(5/1/05 23:57:14) Win-Path: C:\WINDOWS
(5/1/05 23:57:14) System-Path: C:\WINDOWS\System32
(5/1/05 23:57:14) Temp-Path: C:\DOCUME~1\OKPODE~1\LOCALS~1\Temp\
(5/1/05 23:57:19) Disinfection started
(5/1/05 23:57:19) Bad-Dll(IEP): (not found)
(5/1/05 23:57:19) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 23:57:19) UBF: 4 - UBB: 2 - UBR: 17
(5/1/05 23:57:19) UBF: 4 - UBB: 2 - UBR: 17
(5/1/05 23:57:19) Bad IE-pages: (none)
(5/1/05 23:57:19) Stealth-String not found
(5/1/05 23:57:19) Not infected->END

After everything, (both sphefix and shredder) the HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 00:06:47, on 02/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\nvdsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 82.146.42.75 web.da-us.citibank.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [3COMMonitor] C:\Program Files\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\nvdsvc32.exe ] C:\WINDOWS\System32\nvdsvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Having used the shredder, it appeared to do nothing, but returned with the statement: "Cool Web Search was not found on this system".

It appears that both of these programs have done nothing... but perhaps, that fact may enable you to have a better idea of what to do next. I will be grateful for any further assistance (and with all hope... SOLUTION!) you can provide. ;) Thankyou.

0

Today, having began using computer... the internet browser no longer automatically loads to about/blank like it used to. Also, when it moves from page to page, it doesn't throw pop-ups at me... and, i've been able to change the desktop background, back to the orignal.
PROGRESS! I hope this is a lasting improvement.
I think the main problems i can identify now are....
- Pop-up keeps telling me to install/download "Macromedia flash player 7".. no matter how many times i click, "no"... it will keep coming back and asking me the same question.... page after page.
- Little yellow triangle in bottom right, tells me my comuter is in danger from spyware (but no longer throws advertisements at me)
- Computer runs VERY slowly on first loading it up! and i mean VERY slowly.

All of these have occured, following the ISecurity Guard virus. As far as i can tell, progress is definately being made, but there are still some significant problems (as outlined). How do i now solve these other related problems?
Thankyou.

0

Dj_Dan,

Hi. You got some more work to do :).

-

There are entries there I do not recognise so please see if there are any you recognise. If you recognise any, then just omit them from this fix.

===============

When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccuring in the future.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\nvdsvc32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O1 - Hosts: 82.146.42.75 web.da-us.citibank.com

O4 - HKLM\..\Run: [C:\WINDOWS\System32\nvdsvc32.exe ] C:\WINDOWS\System32\nvdsvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?

O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

folders...

C:\WINDOWS\System32\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}

files...

C:\WINDOWS\System32\nvdsvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\dnlsbn.dll

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting your PC, post back a new log and let me know how everything goes.

0

okay... completed tasks.
this is the new log:
all files were deleted i think except C:\WINDOWS\System32\{007D53FO.....} which wasn't to be found.


Logfile of HijackThis v1.99.1
Scan saved at 15:39:27, on 02/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\3Com\3Com Wireless Card Manager\Monitor.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DANNYH~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [3COMMonitor] C:\Program Files\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

What next? :D

0

all files were deleted i think except C:\WINDOWS\System32\{007D53FO.....} which wasn't to be found.

Sorry, that wasn't quite the right path. It should have been:

C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}


Some of the other nasties have respawned as well. Have HJT fix these again:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DANNYH~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll (file missing)

Once you do that:

1. Turn off XP's System Restore feature.

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

3. Post a fresh Hijackthis log.

0

sorry, before i begin, i'm a little unsure of where "Services" folder is in System 32... basically i can't find it (it doesn't appear to exist).
I have taken a photo shot of my System32 folder... which displays the other folders it contains. Is it supposed to contain a "services" folder?

I will wait your reply before i begin cleaning everything....
but thankyou once again for all you are doing. I really appreciate it.

just before i post, let me also reconfirm.... in order to fix the other files listed in the above post (before this one), i first use HJT to scan, and then i check the box against each file right? THEN press fix? i'm a little wary, simply because i'm often told how serious it is using that program.

ALSO (hehe), when you list Temp folders etc. (1-4), you want me to go into each folder, select all content and delete it all right? (just checking)
thankyou.

0

Try doing a system search for this entry and delete it, if found;

{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}

just before i post, let me also reconfirm.... in order to fix the other files listed in the above post (before this one), i first use HJT to scan, and then i check the box against each file right? THEN press fix? i'm a little wary, simply because i'm often told how serious it is using that program.

Yes, but make certain the ones listed above are the only ones you fix :).

ALSO (hehe), when you list Temp folders etc. (1-4), you want me to go into each folder, select all content and delete it all right?

Yes :).

0

Just as i was reading this post (now at work), i got a phone call from my girlfriend (who's laptop it is that has the virus).. and apparently, she has taken it to a friend... and it won't be returned until thursday.
In short, i won't be able to do anything more until that time. Anyway, as soon as i get it back, i'll go on fixing it! :rolleyes:
thankyou.

0

Is it supposed to contain a "services" folder?

Actually, a basic XP system won't have a C:Windows\System32\Services folder; it isn't a folder that gets created during the Windows install.

There may be legit applications that create a Services folder during their installation, but the existence of the folder is also known to be associated with at least a couple of pieces of malware.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.