aaron63 asked:
Smitfraud virus plus disabled task manager plus no desktop icons and no start menu

Not sure where I picked up this virus, but I got one of those 'a Trojan has been detected on this computer' message boxes. Being an idiot I fell for it and ended up paying $20 for some bogus spyware remover program. But unfortunately it didn't end there.

I restarted with the plan to start in Safe Mode so I could get a real spyware remover program working. When I restarted, however, the desktop is blank and there is no Start menu. Furthermore, when I push Ctrl-Alt-Delete I get the following message: Task manager has been disabled by your administrator.

Same problem whether I am in Safe Mode or not.

So what steps do I need to do to dig myself out of this hole? Obviously I can't surf or install anything with the computer in question (since there is no desktop and no start menu), but I can use my laptop to download the needed files to a floppy/CD and hopefully run something that way.

Thanks for any help.
rpggamergirl:

http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg
Download and run the above regfile to enable the task manager, then download and run Smitfraudfix.


Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Later on when you can run Hijackthis and show us the log please.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Once your task manager is enabled, you should be able to run explorer.exe via task manager > New Task > explorer.exe
And your desktop should return.

Hi,

Is it Windows XP Home or Pro?

Ded9
aaron63 (ASKER):

It is XP Home.

rpggamergirl:

How do I download and run taskmanager.reg without a desktop? Should I download it with another computer and put it on a floppy?

Thanks.
aaron63 (ASKER):

Okay I ran the regedit and the smitfraudfix through command prompt in safe mode. I now get my desktop back, but I'm obviously still infected. Here is my logfile from hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:47 PM, on 1/1/2008
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\igbjpjoa.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask    .exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73 .exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray .exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73 .exe
C:\PROGRA~1\NORTON~1\navapw32 .exe
C:\WINDOWS\mrofinu1053.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\QuickTime\qttask     .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\mrofinu1053 .exe
C:\Program Files\Common Files\W?nSxS\w?auclt.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\Router\Router.exe
C:\Program Files\Spyware Doctor\swdoctor  .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent .exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\Router\Router .exe
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\WinAble\winable .exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F3 - REG:win.ini: load=C:\WINDOWS\System32\awvtu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask     .exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1053.exe 61A847B5BBF72813329E3B466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [lingruvu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lingruvu.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\DOCUME~1\CYNTHI~1\LOCALS~1\Temp\ssmmt.exe
O4 - HKLM\..\Run: [WinPerformance] C:\Program Files\WinPerformance\WinPerformance.lnk
O4 - HKLM\..\Run: [a00f10b1] rundll32.exe "C:\WINDOWS\System32\jnajwjgm.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor  .exe" /Q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [Thza] "C:\Program Files\Common Files\W?nSxS\w?auclt.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe (User 'Default user')
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093143268257
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: NVDESK32.DLL c:\windows\system32\ldcore.dll
O21 - SSODL: AOL Instant Messenger - {850D130D-99CA-A18A-E8D2-92D6BEC16BD6} - c:\program files\aim\mzjecx32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DomainService -   - C:\WINDOWS\System32\igbjpjoa.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10229 bytes

IndiGenus:

rpg and aaron63:

This is a VERY badly infected machine.

Hope you don't mind if I interject. I have a feeling (hopefully I'm wrong, but I've worked a few of these over the past couple of days) that this is the new file-infecting Vundo Trojan (yeah, Vundo wasn't nasty enough already, was it?).

Many of the entries are very similar to a log I'm working right now at WhatTheTech. The file infector infects mainly all the startups (O4's). Combofix will remove the infected files but the programs will not run any more. sUBs has come through yet again with another tool to help with this. I would suggest first to hit this with SDFix to deal with some of the backdoors, then Combofix, then a CFScript, then the new tool if needed. This one is bad. One question, aaron63: have you been using cracks here? That's where these nasties are coming from.

Here's what I suggest:

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open,
Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your SDFix log and click "Upload"
Copy the resulting "url" and post it back here.

-------------------------------------------------------

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  
Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
Type or paste the link to your Question
"Browse" your pc to the location of your combofix log and click "Upload"
Copy the resulting "url" and post it back here.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon and select "Repair".
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.




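The log above, as an added example that is not part of the thread: a small Python triage script that applies the indicators the experts point at (the space-padded " .exe" companion names in the process list and O4 lines, the extra UserInit= entry, the win.ini load= line, AppInit_DLLs, the text/html filter hijack, the publisher-less DomainService, and the W?nSxS path) to an excerpt of that HijackThis log. The rule names and the sample excerpt are my own; the script only reads the text of the log and never touches the registry or disk.

```python
"""Added example, not from the thread: first-pass triage of a HijackThis v2
log for the indicators the experts point at above.  Every rule is a text
test on one log line; nothing is read from the registry or disk.  Rules:
space-padded executable names ('qttask     .exe', the companion-file
pattern); F2 UserInit= naming anything besides userinit.exe; F3 win.ini
load=; O20 AppInit_DLLs; O18 text/html filter hijack; O23 services with an
empty publisher; '?' inside a path (HijackThis prints '?' for characters it
cannot render, so 'W?nSxS\\w?auclt.exe' imitates WinSxS and wuauclt.exe);
O4 autoruns from a Temp folder or via 'regsvr32 /u'.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

PADDED_EXT = re.compile(r"[^\\\s](\s+)\.(exe|dll|scr|com)\b", re.IGNORECASE)
URL = re.compile(r"\b(?:https?|file|ftp)://\S+", re.IGNORECASE)
QMARK_PATH = re.compile(r'[A-Za-z]:\\[^"]*\?')
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
REGSVR_UNREG = re.compile(r"\bregsvr32(?:\.exe)?\s+/u\b", re.IGNORECASE)
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.*?) - (.+)$")
USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
WININI_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(.*)$", re.IGNORECASE)

# Excerpt of the log posted above; constructed sample input for this script.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\qttask    .exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray .exe
C:\Program Files\Common Files\W?nSxS\w?auclt.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\awvtu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask     .exe" -atboottime
O4 - HKLM\..\Run: [lingruvu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lingruvu.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\DOCUME~1\CYNTHI~1\LOCALS~1\Temp\ssmmt.exe
O4 - HKCU\..\Run: [Thza] "C:\Program Files\Common Files\W?nSxS\w?auclt.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093143268257
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: NVDESK32.DLL c:\windows\system32\ldcore.dll
O23 - Service: DomainService -   - C:\WINDOWS\System32\igbjpjoa.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


def check_line(line):
    """Return the names of every rule a single (stripped) log line trips."""
    hits = []
    if PADDED_EXT.search(line):
        hits.append("padded-extension companion file")
    if QMARK_PATH.search(URL.sub("", line)):   # URLs dropped: '?' is legal there
        hits.append("unprintable character in path")
    m = USERINIT.match(line)
    if m and any(e.strip() and not e.strip().lower().endswith("userinit.exe")
                 for e in m.group(1).split(",")):
        hits.append("extra UserInit entry")
    m = WININI_LOAD.match(line)
    if m and m.group(1).strip():
        hits.append("win.ini load= launcher")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        hits.append("AppInit_DLLs set")
    if line.startswith("O18 - Filter hijack"):
        hits.append("MIME filter hijack")
    m = SERVICE.match(line)
    if m and not m.group(2).strip():
        hits.append("service with empty publisher")
    if line.startswith("O4") and TEMP_DIR.search(line):
        hits.append("autorun from Temp")
    if line.startswith("O4") and REGSVR_UNREG.search(line):
        hits.append("autorun runs regsvr32 /u")
    return hits


def triage(log_text):
    """All findings for a whole log, in log order, as (rule, line) pairs."""
    return [Finding(rule, line.strip())
            for line in log_text.splitlines()
            for rule in check_line(line.strip())]


def clean_twin(path):
    """'qttask     .exe' -> 'qttask.exe': the name a padded file shadows."""
    return PADDED_EXT.sub(lambda m: m.group(0).replace(m.group(1), "", 1), path)


def companion_pairs(log_text):
    """Padded entries of the Running processes block mapped to their clean
    twin when that twin is also listed as running, else to None."""
    procs, in_block = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line:
            break
        elif in_block:
            procs.append(line)
    running = {p.lower() for p in procs}
    return {p: (clean_twin(p) if clean_twin(p).lower() in running else None)
            for p in procs if PADDED_EXT.search(p)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:34} {f.line}")
    for padded, twin in companion_pairs(SAMPLE_LOG).items():
        print("companion:", padded, "->", twin or "(no clean twin in process list)")
```

Run it as a script and it prints one finding per tripped rule; the Norton service and the Windows Update O16 entry trip nothing, which is the control for the '?' rule. The companion map shows the padded printray entry next to its clean twin, while the padded qttask entry has no unpadded twin in the process list, so it comes out as None.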
aaron63 (ASKER):

IndiGenus-

I have a vague knowledge of what 'cracks' are but not really. I'm middle-aged, and while I have a computer programming degree I'm waaay out of the loop with technology. I don't even have an iPod! :) My computer hardware is so out of date it won't run the cool RPGs out there (which I find so tempting). So no, I haven't been using any 'cracks'.

When all this happened I was surfing for news of the most recent UFC fight (to see the live results). I am a martial artist and had an unhealthy fascination with who won the matches. Google had revealed a number of sites offering live results and I was hitting refresh on these various websites. A lot of popups were coming off these websites as well. It probably wasn't a coincidence that this problem happened almost immediately after visiting all those sites.

I'm trying your solution now. I am forced to run Safe Mode with Command Prompt because the desktop and Start menu won't come up in Safe Mode. I ran SDFix and it rebooted. But it didn't bring up any logfile (or anything else for that matter) after it restarted. I did, however, ask it to restart in Safe Mode when it restarted. Was that a mistake? Should I have just let it restart as normal?

Thanks for your help.
SOLUTION (rpggamergirl): [solution text not available on this page]

ASKER CERTIFIED SOLUTION: [solution text not available on this page]
aaron63 (ASKER):

Thank you for your help. Both of you! Combofix worked. I had to run it like three times for it to finally get through, but it seems to have fixed it. I'll post the log file. Hopefully it will let me even after I submit this as finalized.
aaron63 (ASKER):

Dang it all. I'm doing something wrong with uploading the log files. If you really need to see them I can post them here, but I don't want to waste the screen space.

Once again thanks for your help.
If you can't upload it, you can also just try and attach the logfile in the "Attach Code Snippet" window.

You closed your question so quickly; that's a contrast to Askers who close their question after 2 weeks or so. :)

Well, you have the Vundo file infector there in your HijackThis logfile. We always want to look at a Combofix log because sometimes there are bad files that Combofix cannot remove during the first run, where we have to use its CFScript function, the more so in your case having the file infector.
There's another tool you need to run to replace the deleted/infected legit files.

Combofix neutralizes the infection, but doesn't restore the deleted files.
>>Combofix neutralizes the infection, but doesn't restore the deleted files.<<
Rephrase that..... Combofix neutralizes the infection but won't replace/restore the legit files that have been deleted.
New version of CF 08-01-02.1 will now attempt to replace the infected files.
Yes I've been watching the cf discussion threads and wow....sUBs is doing some amazing stuff. Glad he's on our side...
Oh yeah, he's amazing! Fighting malware will be difficult without his awesome tool.