please help me

This is a discussion on please help me within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 01-18-2005, 06:33 PM   #1
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

I share a computer with my parents and lately they have gotten tons of spyware and such on the computer. I was able to remove all but one. It is this thing called SurfSideKick 2. I use AdAware and SpyBot S&D; however, I have had no luck removing it. I used the remover software in the Control Panel and it removes it, but next time I look it is back again. Please help me.

Old 01-19-2005, 10:23 AM   #2
dai
TSF Team, Emeritus
 
Join Date: Jul 2004
Location: west australia
Posts: 74,479
OS: win 7 32x 64x rtm


You will need to post a HijackThis log for one of the experts to advise you on its removal. Post it in the hijack log help forum.

Old 01-19-2005, 10:27 PM   #3
Horse
Administrator
Join Date: Oct 2003
Location: Durban South Africa
Posts: 4,797
OS: Windows 7 Home

Hi there

Here are the links for the programs you need. Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since the entries may be harmless. Make sure to include the System information at the top of the log as well.
__________________
The Sky is not the limit - there are footprints on the Moon
Old 01-20-2005, 05:47 AM   #4
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

OK, I did as you said. I ran HJT, then HJT Analyzer. Here is the log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 1:32:22 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Documents and Settings\Chris Rosa\Desktop\Chris Stuff\Progs\Spybot Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


End of KRC HijackThis Analyzer Log.
====================================================================
Old 01-20-2005, 06:23 AM   #5
CTSNKY
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,829
OS: Every Windows OS known to man

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c11.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
GO BIG BLUE!!
Old 01-20-2005, 03:06 PM   #6
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

OK, thank you all very much. I'll do all of that shortly and post a new log.
Old 01-20-2005, 04:59 PM   #7
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

EEK!

I didn't realize I had so much c*** on my computer. I mean, I know the net is riddled with the c***, but I figured if I routinely scanned with Norton, AdAware and Spybot it would be fine. I thought I knew quite a bit about removing unwanted things. Being A+ Certified doesn't help me much with removing this c***. Man, it sucks. OK, anyway, here is the TDS-3 scan and alarms:


18:27:01 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
18:27:01 [Init] Started 20-01-05 18:27:01 Eastern Standard Time (UTC: 5), Internet Time @1018.76
18:27:01 [Init] Loading TDS-3 Systems ...
18:27:01 [Init] Token successfully adjusted.
18:27:01 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
18:27:02 [Init] • Plugins : OK. Loaded 13
18:27:02 [Init] • Exec Protection : Not Installed
18:27:02 [Init] WARNING: Your Radius.TD3 database needs to be updated!
18:27:02 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
18:27:02 [Init] Licensed users can use the Update facility from the TDS menu
18:27:02 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
18:27:10 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
18:27:10 [Init] • Systems Initialised [44882 references - 20956 primaries/11789 traces/12137 variants/other]
18:27:10 [Init] Radius Systems loaded. <Databases updated 20-01-2005>
18:27:10 [Init] TDS-3 Ready. <Administrator@24.229.168.126, 127.0.0.1 - United States>
18:27:10 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system to detect NTFS Streams! You can even remove trojans when found in a stream, without damaging the parent file. See the help file for more information.
18:27:10 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
18:27:10 [TDS] Good evening Administrator. Time to stop working!
18:27:14 [Mutex Memory Scan] Started...
18:27:16 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:27:16 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
18:27:33 [CRC32] Started - verifying 29 files ...
18:27:33 [CRC32] File doesn't exist: C:\autoexec.bat
18:27:37 [CRC32] Test finished.
18:29:26 [Memory Scan] Memory scan started, please wait a moment ...
18:29:27 [Memory Scan] Memory scan complete.
18:29:27 [Mutex Memory Scan] Started...
18:29:28 [Mutex Memory Scan] Finished (no trojan mutexes found).
18:29:28 [Trace Scan] Started...
18:29:40 [Trace Scan] Finished.
18:29:40 [ServiceScan] Scanning for services and drivers ...
18:29:46 [ServiceScan] Scanned 302 services and drivers.
18:29:46 [File Scan] Scanning in A:\ ...
18:29:47 [File Scan] Scanned 0 files: 0 alarms in 1.023438 seconds (Avg 1. files/sec)
18:29:47 [File Scan] Scanning in C:\ ...
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\accwiz.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\hh.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\locator.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\magnify.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\migwiz.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\narrator.exe for read access, file is locked
19:08:34 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
19:08:35 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
19:08:35 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\osk.exe for read access, file is locked
19:08:36 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\comrepl.exe for read access, file is locked
19:08:36 [Locked File] Couldn't open c:\windows\$ntuninstallkb828741$\migregdb.exe for read access, file is locked
19:22:42 [File Scan] Scanned 73424 files: 23 alarms in 3175.648 seconds (Avg 24.12 files/sec)
19:22:42 [File Scan] Scanning in D:\ ...
19:22:42 [File Scan] Scanned 0 files: 23 alarms in 0 seconds (Avg -1.#IND files/sec)
19:22:42 [File Scan] Scanning in E:\ ...
19:22:42 [File Scan] Scanned 0 files: 23 alarms in 0 seconds (Avg -1.#IND files/sec)
19:22:42 [Scan] Finished.

Alarms:
Scan Control Dumped @ 19:24:22 20-01-05
Positive identification: TrojanDownloader.Win32.Agent.ct Dropper
File: c:\documents and settings\eric\local settings\temp\ab1.exe

Positive identification: Trojan.Win32.VB.kq Dropper
File: c:\documents and settings\eric\local settings\temp\mw_4s_stub.exe

Positive identification: TrojanDownloader.Win32.WinFetch.a
File: c:\documents and settings\eric\local settings\temp\qmtb.exe

Positive identification: Trojan.Win32.Septic.a Dropper
File: c:\documents and settings\eric\local settings\temp\sepinst.exe

Positive identification (embedded in file): Adware.NewDotNet (dll)
File: c:\program files\filesubmit\a letter to santa\nnezta388.exe

Positive identification: Adware.NewDotNet
File: c:\program files\filesubmit\a letter to santa\nnezta388.exe

Positive identification (embedded in file): Adware.Toolbar.Quick.a (dll)
File: c:\program files\filesubmit\a letter to santa\tbeza127q.exe

Suspicious Filename: Dual extensions
File: c:\unzipped\nfsu_unlockers[1]\nfsu huvinyls for v1.3.0.exe

Positive identification: TrojanDownloader.Win32.Small.adu
File: c:\windows\e2g25.exe

Positive identification (DLL): TrojanDownloader.Win32.VB.ez1 (dll)
File: c:\windows\mm21.ocx

Positive identification: TrojanClicker.Win32.VB.ei
File: c:\windows\mmups.exe

So how do I remove all of these now?

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 7:57:38 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Documents and Settings\Chris Rosa\Desktop\Chris Stuff\Progs\Spybot Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -


End of KRC HijackThis Analyzer Log.
====================================================================
Old 01-20-2005, 07:56 PM   #8
CTSNKY
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,829
OS: Every Windows OS known to man

Hi again.....I think we can do without all the "descriptive terms" regarding the bad stuff. Thanks.

============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c11.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {3E13AA37-352F-4E5F-91C4-08A0BA0C9541} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

c:\program files\filesubmit\
c:\windows\e2g25.exe
c:\windows\mm21.ocx
c:\windows\mmups.exe

Run CleanUp! again.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
GO BIG BLUE!!
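The two instruction posts above (#5 and #8) triage the HijackThis log by hand: O2 BHOs that end in "(no file)", O9 buttons whose executable is "(file missing)", O16 ActiveX (DPF) entries with no download URL or from an unfamiliar host, and the O1 hosts-file entry. The Python script below is an added example, not code from this thread, from the forum helpers or from HijackThis itself; it applies those same rules to sample entries copied from the logs posted in this thread. The host allowlist is an assumption for illustration (it lists the O16 hosts the helper left in place) and the rule set is a reviewer's starting point, not a verdict on any entry.

```python
"""Triage HijackThis log entries the way the helpers in this thread do.

Flags: O1 hosts-file entries, O2 BHOs whose DLL is gone, O9 IE buttons whose
executable is missing, and O16 (DPF) ActiveX downloads with no source URL or
from a host not on the allowlist.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# HijackThis entry prefix: "R0 - ...", "O2 - ...", "O23 - ..."
HJT_ENTRY = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")

# Assumption for illustration: the O16 hosts the helper left untouched in
# this thread. Not an authoritative list; adjust for the machine under review.
KNOWN_DPF_HOSTS = {
    "files.ea.com", "www.3dgroove.com", "messenger.msn.com",
    "us.dl1.yimg.com", "security.symantec.com", "go.microsoft.com",
}


@dataclass
class Finding:
    kind: str    # entry type, e.g. "O2"
    reason: str  # why a reviewer would look at it
    line: str    # the entry as it appeared in the log


def parse_entry(line):
    """Return (kind, body) for an HJT entry line, or None for other text."""
    m = HJT_ENTRY.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def dpf_source(body):
    """Source URL of an O16 entry body, or '' when the entry carries none."""
    _head, sep, url = body.rpartition(" - ")
    return url.strip() if sep else ""


def triage(log_text):
    """Apply the reviewer rules to every entry line; return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue  # headers, process list, blank lines
        kind, body = entry
        line = raw.strip()
        if kind == "O1":
            findings.append(Finding(kind, "hosts-file redirect", line))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(kind, "BHO registered but its DLL is gone", line))
        elif kind == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(kind, "IE button/menu item points to a missing file", line))
        elif kind == "O16":
            url = dpf_source(body)
            if not url:
                findings.append(Finding(kind, "ActiveX control with no source URL", line))
            else:
                host = urlsplit(url).hostname or ""
                if host not in KNOWN_DPF_HOSTS:
                    findings.append(Finding(kind, f"ActiveX control from unlisted host {host}", line))
    return findings


# Sample entries copied from the logs posted in this thread (a subset, for the demo).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}: {f.line}")
```

Run against the sample it reports five entries, the same five a helper in this thread would pick out, and stays quiet about the R0 start page, the CCHelper BHO whose DLL is present, the EA control from a listed host, and the Norton service. The empty-URL check matters because a DPF entry that no longer names a source cannot be re-verified, which is exactly why the helpers told the poster to fix those.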
Old 01-21-2005, 10:08 AM   #9
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

OK, I'm sorry about the use of that word; I was unaware of it having to be censored. Also, I didn't realize how much I use it. So once again, sorry about that.

Also, I found a new program for finding and removing spyware. It is called "Microsoft AntiSpyware". It can be found here: http://www.microsoft.com/athome/secu...e/default.mspx
Old 01-21-2005, 10:21 AM   #10
CTSNKY
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,829
OS: Every Windows OS known to man

Yeah, we know about that one. Please post a fresh HJT log when completed with above instructions. Thanks again....
__________________
GO BIG BLUE!!
Old 01-21-2005, 10:30 AM   #11
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

new log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 1:28:25 PM, on 1/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Documents and Settings\Chris Rosa\Desktop\Chris Stuff\Progs\Spybot Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptd.net/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab


End of KRC HijackThis Analyzer Log.
====================================================================
Old 01-21-2005, 10:31 AM   #12
CTSNKY
TSF Team Emeritus, Security Team
Join Date: Aug 2004
Posts: 10,829
OS: Every Windows OS known to man

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

__________________
GO BIG BLUE!!
Old 01-21-2005, 10:32 AM   #13
SikEnCide
Registered Member
Join Date: Jan 2005
Posts: 8
OS: n

Ah, no problems, and as of now and last night everything seems to be running smoother and faster. Thanks. Now I need to train my parents on how to use all of this stuff.

Copyright 2001 - 2014, Tech Support Forum