2 Problems Left After Spybot

Discussion in 'Malware Help (A Specialist Will Reply)' started by watchdog, Jan 25, 2005.

  1. watchdog

    watchdog Private E-2

    Running Win2000 ver 5.00.2195, SP4 on a Pentium 3 550mhz machine with 256K RAM and a 10gig WD unpartitioned hard drive. Ran your entire cleaning process described in "READ ME FIRST - Basic ... Removal" through Step 4 TWICE. Ran several of the utilities more than once during each pass as I notice some have better success on repeat attempts. HOWEVER, this machine won't let me boot to Safe Mode and I have 2 remaining registry key setting problems after running the last Spybot S&D - probably because they're already running by the time Spybot tries to fix them. They are HKEY_USERS\DEFAULT\Software\Policies\Avenue Media and HKEY_USERS\DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}. I have an old Win95 startup floppy that will get me to a C prompt from which I could del or edit the appropriate files if I knew where to find them. Will this method work? If so, where do I find the registry files using DOS? From what I read here, you guys are great!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail client. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Also post the actual log from Spybot!
     
  3. watchdog

    watchdog Private E-2

    Logs from HijackThis and Spybot are attached (I think) per your instructions. Thanks again!
     


    Last edited: Jan 28, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you realize how out of date your version of IE is? This is a major security risk. After fixing your current problems, you must go to Windows Update and get your updates.

    Why did you skip the Symantec online scan?

    Please remember that ALL BROWSERS must always be shutdown before running HJT. You had this running: C:\Program Files\Internet Explorer\iexplore.exe

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them (there may be multiple sessions running, end them all):
    C:\WINNT\system32\navprotect.exe
    C:\WINNT\system32\navprotect.exe
    C:\WINNT\system32\navprotect.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
    O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
    O23 - Service: Smart Card Helper - Unknown - C:\WINNT\system32\scardsvr32.exe (file missing)

    Do you know what the below is for? It seems suspicious to me. If not sure, leave it be.
    O23 - Service: CTI Central Management - Unknown - C:\WINNT\cti.exe
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\navprotect.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
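
As an added example that is not part of this thread or of HijackThis itself, the Python script below parses the HJT lines quoted in the post above, expands HJT's `HKxx\..\Run` shorthand to the full `Software\Microsoft\Windows\CurrentVersion\Run` key, flags the classes of entry the post tells the poster to fix (about:blank start/search values, bare-filename Run entries whose on-disk location HJT does not show, entries whose file is missing, and an unknown-publisher service whose file is present), and lists the autostart images that have to be ended in Task Manager before the delete step can succeed. The flag wording, the `Entry` class and the `_program` helper are this example's own choices, not HJT output.

```python
"""Triage of a HijackThis-style log: expand HJT's abbreviated registry
locations, flag the entries a cleaner would normally fix, and list the
autostart images to end in Task Manager before deleting their files.
Added example for this thread; not part of HijackThis."""
import re
from dataclasses import dataclass, field

# Sample input: the lines quoted in the post above (copied, not generated).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
O23 - Service: Smart Card Helper - Unknown - C:\WINNT\system32\scardsvr32.exe (file missing)
O23 - Service: CTI Central Management - Unknown - C:\WINNT\cti.exe
"""

# HJT writes "HKxx\..\Run"; the ".." stands for this prefix.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"


@dataclass
class Entry:
    section: str                 # R0, R1, R3, O4, O9, O23, ...
    raw: str
    key: str = ""                # full registry location, when derivable
    image: str = ""              # executable file name referenced, if any
    flags: list = field(default_factory=list)


def _program(command: str) -> str:
    """First program named in an autostart command, quotes stripped."""
    m = re.match(r'^"?(.+?\.(?:exe|com|scr|bat|cmd|pif))"?', command, re.I)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def parse_line(line: str):
    """One log line -> Entry with triage flags, or None if not an HJT line."""
    line = line.strip()
    m = re.match(r"^([RO]\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section, line)
    missing = body.endswith("(file missing)")

    if section in ("R0", "R1"):
        km = re.match(r"^(HK\w+)\\(.+?),(.+?) = (.*)$", body)
        if km:
            hive, path, value, data = km.groups()
            e.key = f"{hive}\\{path}\\{value}"
            if data.strip().lower() == "about:blank":
                e.flags.append("IE start/search value is about:blank: hijack residue, reset web settings")
    elif section == "R3" and "missing" in body:
        e.flags.append("default URLSearchHook missing: let HJT restore it")
    elif section == "O4":
        om = re.match(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$", body)
        if om:
            hive, subkey, name, command = om.groups()
            e.key = f"{hive}\\{CURRENT_VERSION}\\{subkey}\\{name}"
            prog = _program(command)
            e.image = prog.rsplit("\\", 1)[-1].lower()
            if "\\" not in prog:
                e.flags.append("autostart is a bare file name: found via PATH search, location not shown")
    elif section == "O23":
        sm = re.match(r"^Service: (.+?) - (.+?) - (.+?)(?: \(file missing\))?$", body)
        if sm:
            name, company, path = sm.groups()
            e.image = path.rsplit("\\", 1)[-1].lower()
            if company == "Unknown" and not missing:
                e.flags.append("service with unknown publisher and present binary: identify before fixing")

    if missing:
        e.flags.append("referenced file missing: orphaned entry, safe to fix")
    return e


def triage(log: str) -> list:
    """Parse every HJT line in the log text."""
    return [e for e in (parse_line(l) for l in log.splitlines()) if e is not None]


def autostart_images(entries: list) -> list:
    """File names launched from Run/RunServices keys: end these processes
    first, or the delete step described in the thread will fail."""
    return sorted({e.image for e in entries if e.section == "O4" and e.image})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"{e.section:4} {e.key or e.image}: {'; '.join(e.flags)}")
    print("End before deleting:", ", ".join(autostart_images(found)))
```

Run it as a script to see the flagged entries and the list of images to end first; `triage()` accepts any pasted HJT log text, not just the sample.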
     
  5. watchdog

    watchdog Private E-2

    Interesting that IE was running - no icon in the task bar - something else must be loading it. I'll check out cti.exe. Per my first post, this machine won't let me boot into safe mode - I get the white picket fence line at the bottom of the screen that says "windows loading" after selecting safe mode from the F8 menu and it just sits there -- overnight -- locked up -- and I have to power off. This is since before the recent round of viruses/trojans/whatever. Can I accomplish the desired results from a C: prompt using DOS?
     
    Last edited by a moderator: Jan 28, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly! Just make sure all the navprotect.exe processes have been ended first.
    Then instead of booting into safe mode try just deleting the file from normal boot mode using Windows Explorer (a command prompt will not give you any more control).

    If the file cannot be found or cannot be deleted, just reboot and then see if it can be deleted.
     
