
you guys are the greatest--SSP victim here

Discussion in 'Virus & Other Malware Removal' started by footsie, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    I have been reading and searching your answers to so many problems and just want to say "thank you" and I need your help... I certainly have the sspMydoom virus but in addition, I have lost my desktop icons... I'm having to go to task manager to run anything !!!! thank you thank you thank you !!!! Please help !!

    Logfile of HijackThis v1.98.2
    Scan saved at 9:56:42 PM, on 2/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\mfcsx32.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe
    C:\WINDOWS\netmy32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dquzu.dll/sp.html#44768
    R3 - Default URLSearchHook is missing
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {D8044D91-A88E-8AF1-9321-849D547AAE8C} - C:\WINDOWS\system32\ntkv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [mfcsx32.exe] C:\WINDOWS\mfcsx32.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [ipkk.exe] C:\WINDOWS\ipkk.exe
    O4 - HKLM\..\RunOnce: [netvv.exe] C:\WINDOWS\system32\netvv.exe
    O4 - HKLM\..\RunOnce: [msog.exe] C:\WINDOWS\msog.exe
    O4 - HKLM\..\RunOnce: [addqq.exe] C:\WINDOWS\system32\addqq.exe
    O4 - HKLM\..\RunOnce: [netdo32.exe] C:\WINDOWS\system32\netdo32.exe
    O4 - HKLM\..\RunOnce: [netmy32.exe] C:\WINDOWS\netmy32.exe
    O4 - HKLM\..\RunOnce: [apptf32.exe] C:\WINDOWS\system32\apptf32.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
     
  2. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
  3. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    thanks
     
  4. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    any idea how to get my desktop icons back !!!
     
  5. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    The following are borrowed from Firman 1
    -----------------------------------
    Go ahead and do this to get your desktop back:

    Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.
    __________________
     
  6. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    problem is the "start button" does not appear either ... any idea how to get to the control panel via "task manager" ??
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    footsie, Welcome to TSG!! Please repost your hijackthis log.
     
  8. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    Logfile of HijackThis v1.98.2
    Scan saved at 9:25:49 PM, on 2/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jeffrey Good\Desktop\HijackThis.exe

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
    O15 - Trusted Zone: *.windupdates.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    I cannot get any icons on my desktop to appear except in safe mode. No start button or anything but the wallpaper appears.. thank you for your help..
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Restart in safe mode


    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Reboot.

    Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.
     
  10. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    thank you, will do the above. NOTES: I have downloaded and/or updated the following.
    CWShredder
    ADAdware
    AVG, version 7.0
    Spybot
    Spyware blaster
    Registry Mechanic

    I also have About Buster and a recent Hijack this program in a zipped version, however when I try to use WinZip to unzip them I get the following error.
    Windows/exployer.exe "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them"

    ok now going to take care of your first instructions... thank you
     
  11. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    New hijack this log after deleting all users' temp folders.. Still have no icons on my desktop, only wallpaper.. no start button or anything


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - Startup: Hewlett-Packard Recorder.lnk = Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)
     
  12. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    also during the AVG virus scan it gave the message "q123.vbs could be infected" and the scan fixed all but one file...
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  14. footsie

    footsie Thread Starter

    Joined:
    Feb 8, 2005
    Messages:
    12
    Still no desktop icons (hmmmm) .... they do show up in safe mode though... thank you ... I used hijack this and deleted the "crazywinnings and findfine" several times and re-ran hijack this and they keep coming back...



    Logfile of HijackThis v1.99.1
    Scan saved at 8:16:50 PM, on 2/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I see I have already asked you to run deldomains. Did you do that or miss my instructions?

    Download this tool
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click on the file and choose install.

    ____________________________________

    Download the KillBox

    Unzip the files to your desktop.

    Run KillBox.exe.

    Select the Delete on Reboot option.

    In the Full Path of File to Delete field paste each of the following and click the red circle with the white X in it, when it asks you to reboot, click No.

    C:\WINDOWS\isrvs\sysupd.dll
    C:\WINDOWS\system32\sm.exe
    C:\WINDOWS\system32\Qcfbqn.exe
    C:\WINDOWS\system32\sysza.exe


    Close killbox.
    ____________________________________


    Run HJT again and put a check in the following:

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sysza.exe (file missing)

    Close all applications and browser windows before you click "fix checked".


    Reboot.

    Delete this folder: C:\WINDOWS\isrvs


    Please post another log.
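
Added example, not part of the original thread and not written by any poster: a small Python helper that parses two HijackThis scans and reports which entries were added, removed or persisted between them, which is how entries that "keep coming back" after a fix can be tracked across the logs posted above. The function names `parse_hjt` and `diff_scans` are hypothetical; the sample scans are short excerpts of the 2/18 and 2/20 logs in this thread, with one wrapped line constructed to mimic the line breaks seen in the third log.

```python
import re
from collections import defaultdict

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return {section code: set of entry strings} for one scan."""
    entries, current = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            if current:
                entries[current[0]].add(current[1])
            current = [m.group(1), m.group(2)]
        elif current:
            # Re-join an entry that a forum or mail client wrapped.
            # Assumes no free text follows the last entry of the log.
            current[1] += " " + line
    if current:
        entries[current[0]].add(current[1])
    return entries

def diff_scans(old, new):
    """Per section: entries added, removed and persisting between scans."""
    report = {}
    for code in sorted(set(old) | set(new)):
        a, b = old.get(code, set()), new.get(code, set())
        report[code] = {"added": b - a, "removed": a - b, "persisting": a & b}
    return report

# Excerpt of the 2/18 scan (header and process list are ignored by the parser).
SCAN_0218 = r"""
Running processes:
C:\WINDOWS\system32\taskmgr.exe

O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O15 - Trusted Zone: *.windupdates.com
"""

# Excerpt of the 2/20 scan; the wrap in the first entry is constructed.
SCAN_0220 = r"""
O4 - HKLM\..\Run: [Web Service]

C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qcfbqn.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
"""

if __name__ == "__main__":
    for code, d in diff_scans(parse_hjt(SCAN_0218), parse_hjt(SCAN_0220)).items():
        for state, items in d.items():
            for item in sorted(items):
                print(f"{code:4} {state:10} {item}")
```

Entries listed as persisting after a "fix checked" pass are the ones whose underlying file or service is still active and re-writing the registry.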
     

Short URL to this thread: https://techguy.org/328354
