you guys are the greatest--SSP victim here

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
I have been reading and searching your answers to so many problems and just want to say "thank you" and I need your help... I certainly have the sspMydoom virus but in addition, I have lost my desktop icons... I'm having to go to task manager to run anything !!!! thank you thank you thank you !!!! Please help !!

Logfile of HijackThis v1.98.2
Scan saved at 9:56:42 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\mfcsx32.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe
C:\WINDOWS\netmy32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {D8044D91-A88E-8AF1-9321-849D547AAE8C} - C:\WINDOWS\system32\ntkv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [mfcsx32.exe] C:\WINDOWS\mfcsx32.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [ipkk.exe] C:\WINDOWS\ipkk.exe
O4 - HKLM\..\RunOnce: [netvv.exe] C:\WINDOWS\system32\netvv.exe
O4 - HKLM\..\RunOnce: [msog.exe] C:\WINDOWS\msog.exe
O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
O4 - HKLM\..\RunOnce: [netdo32.exe] C:\WINDOWS\system32\netdo32.exe
O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\netmy32.exe
O4 - HKLM\..\RunOnce: [apptf32.exe] C:\WINDOWS\system32\apptf32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
 
Joined
Mar 17, 2004
Messages
2,735
The folllowing are borrowed from Firman 1
-----------------------------------
Go ahead and do this to get your desktop back:

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.
__________________
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
problem is the "start button" does not appear either ... any idea how to get to the control panel via "task manager" ??
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
footsie, Welcome to TSG!! Please repost your hijackthis log.
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
Logfile of HijackThis v1.98.2
Scan saved at 9:25:49 PM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

I cannot get any icons on my desktop to appear except in safe mode. No start button or anything but the wallpaper appears.. thank you for your help..
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Restart in safe mode


Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Reboot.

Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
thank you, will do the above. NOTES: I have downloaded and/or updated the following.
CWShredder
ADAdware
AVG, version 7.0
Spybot
Spyware blaster
Registry Mechanic

I also have About Buster and a recent Hijack this program in a zipped version, however when I try to use WinZip to unzip them I get the following error.
Windows/exployer.exe "Windows cannot access the specified device, path, or file. You may not have the appropiate permissions to access them"

ok now going to take care of your first instructions... thank you
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
New hijack this log after deleting all users temp folders.. Still have no icons on my desktop only wallpaper.. no start button or anything


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -

C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet

d series\FRU\Remind32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program

Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner

- C:\WINDOWS\system32\sysza.exe (file missing)
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
also during the AVG virus scan it gave the message "q123.vbs could be infected" and the scan fixed all but one file...
 

footsie

Thread Starter
Joined
Feb 8, 2005
Messages
12
Still no desktop icons (hmmmm) .... they do show up in safe mode though... thank you ... I used hijack this and deleted the "crazywinnings and findfine" several times and re ran hijack this and they keep coming back...



Logfile of HijackThis v1.99.1
Scan saved at 8:16:50 PM, on 2/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
I see I have already asked you to run deldomains. Did you do that or miss my instructions?

Download this tool
http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file and choose install.

____________________________________

Download the KillBox

Unzip the files to your desktop.

Run KillBox.exe.

Select the Delete on Reboot option.

In the Full Path of File to Delete field paste each of the following and click the red circle with the white X in it, when it asks you to reboot, click No.

C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\Qcfbqn.exe
C:\WINDOWS\system32\sysza.exe


Close killbox.
____________________________________


Run HJT again and put a check in the following:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)

Close all applications and browser windows before you click "fix checked".


Reboot.

Delete this folder: C:\WINDOWS\isrvs


Please post another log.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top