you guys are the greatest--SSP victim here

[footsie]

I have been reading and searching your answers to so many problems and just want to say "thank you" and I need your help... I certainly have the sspMydoom virus but in addition, I have lost my desktop icons... I'm having to go to task manager to run anything !!!! thank you thank you thank you !!!! Please help !!

Logfile of HijackThis v1.98.2
Scan saved at 9:56:42 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\mfcsx32.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe
C:\WINDOWS\netmy32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {D8044D91-A88E-8AF1-9321-849D547AAE8C} - C:\WINDOWS\system32\ntkv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [mfcsx32.exe] C:\WINDOWS\mfcsx32.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ipkk.exe] C:\WINDOWS\ipkk.exe
O4 - HKLM\..\RunOnce: [netvv.exe] C:\WINDOWS\system32\netvv.exe
O4 - HKLM\..\RunOnce: [msog.exe] C:\WINDOWS\msog.exe
O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
O4 - HKLM\..\RunOnce: [netdo32.exe] C:\WINDOWS\system32\netdo32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\netmy32.exe
O4 - HKLM\..\RunOnce: [apptf32.exe] C:\WINDOWS\system32\apptf32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

 

[Dust Sailor]

http://forums.techguy.org/t110854.html

There is a tutorial for Hijack This here

 

[footsie]

thanks

 

[footsie]

any idea how to get my desktop icons back !!!

 

[Dust Sailor]

The folllowing are borrowed from Firman 1
-----------------------------------
Go ahead and do this to get your desktop back:

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.
__________________

 

[footsie]

problem is the "start button" does not appear either ... any idea how to get to the control panel via "task manager" ??

 

[cybertech]

footsie, Welcome to TSG!! Please repost your hijackthis log.

 

[footsie]

Logfile of HijackThis v1.98.2
Scan saved at 9:25:49 PM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

I cannot get any icons on my desktop to appear except in safe mode. No start button or anything but the wallpaper appears.. thank you for your help..

 

[cybertech]

Restart in safe mode


Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Reboot.

Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.

 

[footsie]

thank you, will do the above. NOTES: I have downloaded and/or updated the following.
CWShredder
ADAdware
AVG, version 7.0
Spybot
Spyware blaster
Registry Mechanic

I also have About Buster and a recent Hijack this program in a zipped version, however when I try to use WinZip to unzip them I get the following error.
Windows/exployer.exe "Windows cannot access the specified device, path, or file. You may not have the appropiate permissions to access them"

ok now going to take care of your first instructions... thank you

 

[footsie]

New hijack this log after deleting all users temp folders.. Still have no icons on my desktop only wallpaper.. no start button or anything


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -

C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet

d series\FRU\Remind32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program

Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner

- C:\WINDOWS\system32\sysza.exe (file missing)

 

[footsie]

also during the AVG virus scan it gave the message "q123.vbs could be infected" and the scan fixed all but one file...

 

[cybertech]

Download this tool
http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file and choose install.


Download the new version of Hijackthis and post another log.

This one is not zipped so that won't be a problem.

 

[footsie]

Still no desktop icons (hmmmm) .... they do show up in safe mode though... thank you ... I used hijack this and deleted the "crazywinnings and findfine" several times and re ran hijack this and they keep coming back...



Logfile of HijackThis v1.99.1
Scan saved at 8:16:50 PM, on 2/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)

 

[cybertech]

I see I have already asked you to run deldomains. Did you do that or miss my instructions?

Download this tool
http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file and choose install.

____________________________________

Download the KillBox

Unzip the files to your desktop.

Run KillBox.exe.

Select the Delete on Reboot option.

In the Full Path of File to Delete field paste each of the following and click the red circle with the white X in it, when it asks you to reboot, click No.

C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\Qcfbqn.exe
C:\WINDOWS\system32\sysza.exe


Close killbox.
____________________________________


Run HJT again and put a check in the following:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)

Close all applications and browser windows before you click "fix checked".


Reboot.

Delete this folder: C:\WINDOWS\isrvs


Please post another log.