| Thread ID: 66003 | 2006-02-07 22:37:00 | Help w/Removal of w32/Nsag.B | Zero (9770) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 428143 | 2006-02-07 22:37:00 | Hello, I have tried to remove this little pain myself and am obviously missing something so I come to you for help. I have run HJT, Smitrem, spybot search and destroy, a virus scan with AntiVir & NOD32 and can't seem to shake this. Any help would be greatly appreciated. Here is my HJT: Logfile of HijackThis v1.99.1 Scan saved at 2:27:46 PM, on 2/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVPersonal\AVGUARD.EXE C:\Program Files\AVPersonal\AVWUPSRV.EXE C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\system32\WLTRAY.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\AVPersonal\AVGNT.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Allen Whitt\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Start Page = http://www.dell.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [licli] li.exe O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - Startup: Microsoft Outlook.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? 
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe |
Zero (9770) | ||
| 428144 | 2006-02-07 23:11:00 | I can't see anything wrong with this log. You can run HJT again and tick these entries and tick fix checked. O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe Update for Java is here (www.java.com:80) Uninstall the version you have first then install the newest version, if you update Java. O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [licli] li.exe (*I don't know what this is). Do you? I think this is part of Spysheriff. O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe (did you run Smitrem in safe mode)? And double click on runthis.bat in safe mode? Get this (http://www.ccleaner.com) and click on run cleaner, to get rid of the temp files etc. |
Speedy Gonzales (78) | ||
| 428145 | 2006-02-08 00:08:00 | K I will try that, thanks! The problem I'm still having is it won't give me my desktop back. It had changed it to some spam about my comp being infected. Well in the process of removing it got rid of that message but now no matter what background I choose for my desktop it stays white. Also, yes I did run Smitrem in safe mode. I also have no clue what that li.exe is. Thanks again for your speedy response. Zero |
Zero (9770) | ||
| 428146 | 2006-02-08 00:40:00 | Both these files will need to be deleted. C:\Windows\System32\li.exe C:\winstall.exe ================================ As it is hard to determine what virus has upset your desktop one of these fixes will help. ------------------ Download and run this Background Fixer (ralphcaddell.com) ----------------- Run this file. Double click to merge it. www.bleepingcomputer.com ---------------- Go to Control Panel > Display Properties. Click the Desktop tab and click the Customize Desktop button. Click the Web tab and make sure all checkboxes in this window are unchecked. If any look a bit odd, check them then uncheck again. Next, check hidden files and folders To show hidden files instructions (WinXP) Doubleclick My Computer | Tools | Folder Options | View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders | Yes | Apply | OK Search for C:\Windows\Web\Desktop.html and delete it if you find it. Reboot and see if this helps. |
Pancake (6359) | ||
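The two replies above single out `li.exe` and `C:\winstall.exe` among the O4 (autostart) entries of the posted log. The following is an added example, not part of the original thread and not HijackThis code: a small triage pass over O4 registry Run lines that lists entries launched without a directory or from the drive root. Both rules are assumptions chosen for illustration, and a hit is only a prompt to look closer: `stsystra.exe` from the same log is listed too.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [licli] li.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Microsoft Outlook.lnk = ?
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def command_path(command):
    """Return the executable part of a Run value, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def triage(log_text):
    """List Run entries worth a closer look as (key, name, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # Startup-folder links and other sections are skipped
        hive, key, name, command = m.groups()
        p = PureWindowsPath(command_path(command))
        if not p.anchor:
            reason = "no directory given; resolved through the search path"
        elif p.parent == PureWindowsPath(p.anchor):
            reason = "executable sits in the drive root"
        else:
            continue
        findings.append((f"{hive}\\{key}", name, str(p), reason))
    return findings

if __name__ == "__main__":
    for key, name, path, reason in triage(SAMPLE_LOG):
        print(f"{key} [{name}] {path}: {reason}")
```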
| 428147 | 2006-02-08 22:35:00 | Both these files will need to be deleted. C:\Windows\System32\li.exe C:\winstall.exe ================================ As it is hard to determine what virus has upset your desktop one of these fixes will help. ------------------ Download and run this Background Fixer (ralphcaddell.com) ----------------- Run this file. Double click to merge it. www.bleepingcomputer.com ---------------- Go to Control Panel > Display Properties. Click the Desktop tab and click the Customize Desktop button. Click the Web tab and make sure all checkboxes in this window are unchecked. If any look a bit odd, check them then uncheck again. Next, check hidden files and folders To show hidden files instructions (WinXP) Doubleclick My Computer | Tools | Folder Options | View tab Select Show Hidden Files and Folders Uncheck Hide extensions for known file types Uncheck Hide protected operating system files (Recommended) Select Apply to All Folders | Yes | Apply | OK Search for C:\Windows\Web\Desktop.html and delete it if you find it. Reboot and see if this helps. I deleted the li.exe file but could find the winstall.exe file. I also d/l both of the files and installed them but still can't see my background. It's weird cause when I shut down it shows my background till the Windows screen comes up. So it's like the background is there but something is on top of it. Also I did not find a Desktop.html file. Thanks again for all the help. Zero |
Zero (9770) | ||
| 428148 | 2006-02-08 23:10:00 | Try this (www.simplysup.com) Download this install it, run it and click on scan. Then select the 3rd - 7th option under the utilities menu. |
Speedy Gonzales (78) | ||
| 428149 | 2006-02-08 23:57:00 | Have you scanned your PC while in safe mode? Also, do not run more than one antivirus at once. It can cause problems. It looks like you have AVG and NOD32 running at the same time. |
tweak'e (69) | ||
| 428150 | 2006-02-09 00:11:00 | Did you run the other two options I posted? | Pancake (6359) | ||