about:blank


9 replies to this topic

#1 kieffer5

Posted 02 February 2005 - 09:56 PM

I still have an about:blank homepage and I am unable to enter into certain websites. Hotmail will not load and Pogo.com will not load games. Here is my HijackThis log. Thank you for your help!
Logfile of HijackThis v1.99.0
Scan saved at 2:33:02 PM, on 2/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cmd32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\REGEDIT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Keith Pfau\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O2 - BHO: BrowserHelper Class - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [MSUpdate] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVD43] C:\Program Files\DVD Region+CSS Free\DVD43.exe /hidden
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\4114.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19da2f002fe815...ip/RdxIE601.cab
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/preto/pretololitas/pagomast.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_5_1,0,2,5.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars...erxsigned34.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhe...n7/dlhelper.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.kscasino.com/CasinoCentr...asino/setup.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/2...OCX/FlashAX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Unknown - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Personal Firewall Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service - Unknown - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Norton Personal Firewall Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe



#2 OldTimer

OldTimer

    Malware Expert



Posted 04 February 2005 - 05:32 PM

Hello kieffer5 and welcome to BC. I am presently reviewing your log and will respond back to you as quickly as I can.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer


Posted 05 February 2005 - 02:39 PM

Hello again kieffer5. After reviewing your log I see a few items that need to be cleaned up. Please follow these steps in order:

Step # 1

Run both of the following on-line virus scans:

Trend Micro Housecall and
BitDefender On-Line Virus Scan

Make sure that you choose "fix" or "clean".

Step #2

Please download and run the following adware scanning applications:

Spybot Search & Destroy and
AdAware SE Personal.

Then follow the instructions in the links below to make sure that you have the most current updates and the proper settings to run each one.

Spybot Tutorial
AdAware Tutorial

Step # 3

Next, let's clean up the temporary directories:
*Click Start
*Point to Programs
*Point to Accessories
*Point to System Tools
*Click Disk Cleanup.
*Select all items shown and click the OK button.

Step # 4

Start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGITIMATE AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Additional Information
I see that you have SpyKiller installed on your computer. This product is questionable in its effectiveness and we do not recommend it. See this link for more information: http://www.adwarereport.com/mt/archives/000024.html. We recommend using Spybot Search and Destroy with the Resident Helper and TeaTimer. The choice is yours.

OT :thumbsup:

#4 kieffer5


Posted 05 February 2005 - 03:07 PM

Thank you. I have a quick question. I am now running SpySubtract 2.60 from Intermute. It is not listed on the review website you listed. Have you heard of SpySubtract? Also, I have installed Firefox instead of IE. That took care of my problems.

Also, what is your opinion on Sygate Personal Firewall and AVG Antivirus?

Keith

#5 OldTimer


Posted 07 February 2005 - 02:35 PM

Hello again Keith. There are many good anti-spyware apps out there today. Spysubtract is rated quite highly in many reviews and I believe it to be a good product. As in all anti-spyware applications, it's just one more tool to provide a defense against some of the dangers of surfing the internet in today's world.

Sygate Personal Firewall and AVG Anti-Virus are also both excellent products in my opinion. I use both of them on various machines and haven't had any problems or complaints with either product.

I don't know if you have followed the steps I outlined for you in my previous post. Although you have switched from IE to Firefox (I use Firefox also), if you haven't cleaned up the trojans on your system it means that they are still there. Although the symptoms appear to be gone and do not affect the Firefox browser your system remains infected and you will need to use IE for any Microsoft updates. That means that you will need to start IE and if not clean the installed trojans will continue to be a threat and will continue to propagate.

I like Firefox and recommend people to use it mostly due to the fact that it is not as vulnerable to many of the exploits that IE is at this time. But I also continue to recommend that if IE is infected the user must still repair that infection. If you simply switch to Firefox you have not removed the infection and your system is just as vulnerable. The infection that you have isn't restricted to just having a blank IE page, it also involves the danger of remote control and logon/password security.

Although you are adding to your defenses by switching to Firefox and installing a firewall, anti-virus and anti-spyware applications you should still make sure that the previous infections are removed and your system is clean.

Also, if you leave an infection on your machine, you could be infecting your friends and sending spam without even knowing it:

http://www.theregister.co.uk/2004/12/09/symantec_virus_forecast_2005/

You also have some dialers on your system that showed up in your log and that could raise your phone bill considerably.

So please continue with the steps outlined above and please post a new log so we can make sure you are clean. No matter how many antispyware, antivirus and other removal applications you run, no combination is going to remove everything--usually more will show up in a HJT log.

OT :thumbsup:

Edited by OldTimer, 07 February 2005 - 02:42 PM.


#6 kieffer5


Posted 07 February 2005 - 05:54 PM

Hello OT. Here is my new HT log. Thanks for your help! Here are a few issues also that have not been resolved:

1.) Referring to IE, I have all the necessary items checked under Tools>Internet Options>Security>Custom Level in order to enable Javascript; however, websites that require it do not work. Incidentally, switching to Firefox fixed that problem. It's obvious the trojan interfered with Internet Explorer, but how do I fix? I tried repairing IE per Microsoft's directions and I also tried reinstalling IE too. I edited the registry following their methods: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} (Ignore typos, I did not copy/paste.) I then changed the value data from 1 to 0. It did not help. I also ran a sfc /scannow. The issues were not resolved. Comments?

2.) I cannot Search my computer for files or anything under Start>Search. It comes up but I am not able to enter anything. Fix?

3.) The about:blank on Internet Explorer was fixed.



Logfile of HijackThis v1.99.0
Scan saved at 3:27:21 PM, on 2/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Documents and Settings\Keith Pfau\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BrowserHelper Class - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVD43] C:\Program Files\DVD Region+CSS Free\DVD43.exe /hidden
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
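
The before-and-after comparison that a fresh HijackThis log makes possible, as an added example that is not part of the thread or of HijackThis itself: it parses the entry lines of two logs, lists what disappeared or appeared between scans, and flags two things a reviewer would look at. The sample logs are a few lines copied from the 2/2/2005 and 2/7/2005 scans above; the function names and the System32 name list are assumptions of this example, and the flags are heuristics, not verdicts.

```python
import ntpath
import re

# Constructed sample input: a few lines copied from the 2/2/2005 and 2/7/2005
# logs in this thread, trimmed so the example runs offline.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: BrowserHelper Class - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSUpdate] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O23 - Service: ScriptBlocking Service - Unknown - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: BrowserHelper Class - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# First drive-letter path in an entry, up to its .exe/.dll/.ocx extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
# Assumption of this example: core Windows XP binaries that live in System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}


def parse_entries(log):
    """Return {(section, casefolded text): original text} for each entry line.

    The process list and header lines are skipped; Windows paths are compared
    case-insensitively, so the key is casefolded.
    """
    entries = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, text = m.group(1), m.group(2).strip()
            entries[(section, text.casefold())] = text
    return entries


def diff_logs(before, after):
    """Return (removed, added) as sorted lists of (section, text)."""
    old, new = parse_entries(before), parse_entries(after)
    removed = sorted((k[0], old[k]) for k in old.keys() - new.keys())
    added = sorted((k[0], new[k]) for k in new.keys() - old.keys())
    return removed, added


def review_flags(log):
    """Return (section, reason, text) for entries worth a closer look."""
    flags = []
    for (section, _), text in parse_entries(log).items():
        # HijackThis appends this marker itself when the target is absent.
        if text.endswith("(file missing)"):
            flags.append((section, "target file missing", text))
        m = PATH_RE.search(text)
        if section in ("O4", "O23") and m:
            name = ntpath.basename(m.group(0)).lower()
            folder = ntpath.dirname(m.group(0)).lower()
            # Heuristic: an autostart that reuses a core binary's name from
            # another folder deserves a manual check.
            if name in SYSTEM32_ONLY and not folder.endswith(r"\system32"):
                flags.append((section, "system binary name outside System32", text))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for section, text in removed:
        print(f"- {section} {text}")
    for section, text in added:
        print(f"+ {section} {text}")
    for section, reason, text in review_flags(LOG_BEFORE):
        print(f"! {section} {reason}: {text}")
```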

#7 OldTimer


Posted 09 February 2005 - 12:14 AM

Hey Keith. As far as your log goes, it looks pretty good. It might be that the trojan deleted some of the system files but sfc should have picked that up. I've got a couple of things for you to try.

To begin, press Ctrl-Alt-Del and click on the Task Manager button. Click on the Processes tab and find SpySubtract. Select it and click the Kill Process button. This isn't a bad program but it might interfere with some of the changes we will be making.

OK. Now let's see if we can fix IE. I'm not sure what methods you used but if you have not done this then follow these directions:

If you don't still have all hidden/system files showing repeat the steps in my previous post to show all files. Have your XP CD ready for this part in case we need to replace some lost files. Start Windows Explorer and navigate to c:\windows\inf. Look for the ie.inf file. Right-click on it and choose Install from the menu.

Next, follow the steps outlined here to fix your java issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;q168806 .

If this doesn't work we can try and use a previous registry but that could reintroduce a number of registry entries that we will have to repair again and I would like to avoid that.

Test your system and post a new log back here with any comments regarding its operation that aren't correct yet.

Cheers.

OT :thumbsup:

#8 kieffer5


Posted 09 February 2005 - 02:58 AM

Thanks OT. I will try your suggestions tomorrow.

"If you don't still have all hidden/system files showing repeat the steps in my previous post to show all files. Have your XP CD ready for this part in case we need to replace some lost files. Start Windows Explorer and navigate to c:\windows\inf. Look for the ie.inf file. Right-click on it and choose Install from the menu."

I got to where you wanted me to go but, I don't have a Service Pack 2 CD. I believe, and I could be wrong, that Service Pack 2 was downloaded automatically by Microsoft therefore I don't have a CD. Now, I do have the "Reinstallation CD Microsoft Windows XP" CD. Um, :flowers: Suggestions?

Again, I'll try everything tomorrow. You know I am learning a lot about my computer. Luckily, I am still young(er), can I "get" things (semi) easily :trumpet: I have a stack of papers and notes relating to all my problems about a foot high, and I think there may be a dinner plate or two under all that stuff.

I appreciate all your help; however, I agree with you about editing the registry. I don't want to create more problems than I have now. Firefox works, but if I do something wrong, then, perhaps, not only will IE not work but . . .

#9 kieffer5


Posted 09 February 2005 - 01:50 PM

Hello OT-

OK the problems are within my System.ini file.

Nothing is resolved. My Search still does not work and my Javascript (within IE) still does not work. What would you suggest? :flowers: Thanks.

My new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:42:10 AM, on 2/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith Pfau\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BrowserHelper Class - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVD43] C:\Program Files\DVD Region+CSS Free\DVD43.exe /hidden
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



:thumbsup: :inlove: :cool: :trumpet:

#10 OldTimer


Posted 09 February 2005 - 03:57 PM

Hey Keith. You should be alright without the CD, it's just a precaution. Any files that need to be updated/replaced should be in your driver cache on your hard drive. If they aren't the install will give you a message as such.

Something else I was just reading about that solved a similar issue was the corruption of the MS Script/JScript engine. Go to the following link and download the fix from MS and apply it:

Windows Script 5.6

Cheers.

OT :thumbsup: