Resolved HJT Threads (resolved spyware and popup issues)
#1
Registered User | Join Date: Aug 2006 | Posts: 10 | OS: 2000
Maxifiles and LinkOptimiser and Tclock.exe - Sluggish system
Hello, because I wrote so much, I have added ====='s to try to make it easier to read, sorry about that.

================================================
When I first got infected with the virus and what I did about it
================================================
I first got this virus while surfing the net; it installed itself while I was browsing. I only noticed it when my mouse changed to an hourglass when I wasn't intentionally loading anything. I had minimal anti-virus protection at the time (only avast antivirus) and the virus infected my computer pretty badly. Originally the virus opened up a new window or two and went to various websites, which I would quickly have to click stop on the search bar so it wouldn't load the page (annoying). When it did load the page, it downloaded 'Tclock.exe', which changed my computer clock to 24 hour format and also added another quicklaunch toolbar at the bottom of my desktop. I got fed up so I searched some forums for ways to fix it and downloaded a few programs:
- Spyware Doctor
- SuperantiSpyware
- Xoft Spy
- Spysweeper
I installed them all, updated them, and ran the scanners in safe mode (took a good few hours). They found and removed quite a few things; one of them said it found a worm and removed it. Also, I think it was Spyware Doctor that blocked the various websites that would open in their own window, so now the Tclock.exe hasn't been back since.
[EDIT:] All these free trial programs are past their 30 day trial period - they will scan but won't remove what they find unless I register. [:EDIT]
I also did a manual search on my computer for all .exe and .dll files that were created on that day and deleted most of the suspicious ones I could find. But when I went to test it on the internet, my mouse pointer changed to an hourglass again and it downloaded the virus again (though the websites opening in their own windows had stopped). I couldn't be stuffed trying again so I gave up. I have had these problems/viruses for a couple of months now; because I hadn't used the computer much I wasn't so annoyed by it. But now I have been using the computer more often, it has really started to annoy me.

======================================================
What symptoms my computer has
======================================================
If I go to a search page (mainly google) and look up anything for a reasonable amount of time (a few links have been clicked), every now and then I get a pop up that has my search or a link I clicked quoted in it that says "Click here to search for <your search here> in our archives" or something similar - which is obviously not a smart idea.
- After I ran a Spyware Doctor scan it says it found: 10 entries for Maxifiles, which is described as "Description: Maxifiles adds a toolbar onto your task manager and creates pop-up advertisements." and 4 LinkOptimizer entries, which it describes as "Description: LinkOptimizer is an adware that registers itself as a Browser Helper Object and generates pop-up advertisements when Internet Explorer is open. It also hijacks the URL Search Hook on Internet Explorer." Both are rated in the High risk category.
Very rarely, Explorer also opens a file (from the system32 folder, I think it is) in a new window which goes onto the internet to a web page.
Also I have noticed my computer has been a lot more sluggish than usual, e.g. when I click a link or do a search or load a program, it takes a few seconds to do so, rather than doing it when I click. It seems like it has to process through a program or something before it does it and that particular program is using up my RAM or something.
I get this message when I close an internet explorer window that has been open for a while: [screenshot] Although, after I read the "Read this before you post a HJT log" topic, I had to upgrade my internet explorer to 6.0 (which I thought I already had...) and I haven't seen the error message again yet.
Also my computer has a lot of difficulty shutting down - it takes so long that I have to leave the room and grab a drink or something and when I come back, sometimes it still hasn't shut down.
Thanks for reading, abbaz0r

=====================================================
My HJT log
=====================================================
Logfile of HijackThis v1.99.1
Scan saved at 4:04:48 PM, on 9/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142250229828
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Last edited by abbaz0r; 09-01-2006 at 01:53 AM. Reason: Added extra information about the anti virus/spyware programs I downloaded
#2
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi abbaz0r and welcome to TSF.
You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please ensure that you follow the instructions in the order I have them listed. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Downloads
Download this file - combofix.exe to your desktop – don't run it yet!
Download Ewido Anti-Malware. This is a 30 day trial.
If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating, EXIT Ewido.

Please download FixWareout or use this alternate location. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
Please remember to close all other windows, including browsers, then click Fix checked. The tool will produce a logfile at C:\fixwareoutreport.txt. At the end of the fix, you may need to restart your computer again.

Run combofix
NOTE: combofix must be run in Normal Mode
Double click combofix.exe & follow the prompts.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply.

Reboot
Reboot your system in Safe Mode.

Run Ewido
Run Ewido with its updated definitions (...it's important that all windows must be closed)
NOTE: Ewido scan may require an hour.

Reboot
Reboot your system in Normal Mode.

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan. Click on the "Free To Use ActiveScan" located on the top right hand corner.
1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it*
2. Enter your e-mail address, country, and state & click Scan Now
* The download of the 8 MB Panda's ActiveX control will take place
* Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Logs required
C:\fixwareoutreport.txt
c:\combofix.txt
Ewido Log
Panda Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security :: PC running a bit slow? :: Donate :: Photographers Corner
#3
Registered User | Join Date: Aug 2006 | Posts: 10 | OS: 2000
Thanks for the fast response. I had a go and got to the:
"Please download FixWareout or use this alternate location. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch."
part, but my HijackThis didn't start. I have to go to bed now anyway. Will it be okay if I try this exact same procedure again after I get home from work tomorrow, and is it okay if I run HijackThis myself if it doesn't do it automatically? Thanks
#4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi there
Never had that happen before, but, yes, start HJT if it doesn't start automatically. Have a good sleep!
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security :: PC running a bit slow? :: Donate :: Photographers Corner
#5
Registered User | Join Date: Aug 2006 | Posts: 10 | OS: 2000
Hey, I didn't have too good a sleep, but thanks anyway.
Okay, I started from the beginning of your instructions again and manually ran HijackThis (after it failed to automatically load again) and got the log file. I managed to get all the way down to the bit where I was supposed to launch Ewido while in safe mode. I got into Safe Mode but when I tried to run Ewido, my computer's busy light came on indicating it was doing something, then it flashed a few times, then it was just doing the ordinary idling flashing and Ewido didn't load. After about a 5 minute wait, I got this message: [screenshot] I managed to open that ewido.err file in notepad and got this from the top of it (there is a whole bunch of other text as well that I could post if you need me to):

//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00426DD6 01:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
Module Date: 06/17/2006 00:39:05
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172
Exception Date: 09/03/2006 21:57:44

However, with the bad news is also some good news: I have noticed the shutting down speed of my computer has improved a lot and, to my surprise, so has the start up speed. Okay, I will post the reports I managed to get so far, and I have also posted the report from Fixwareout when I tried it yesterday just in case it says something in there that it doesn't say now because it has been fixed or whatever. Once again I have used ------'s to signify the end of each report to try to make it easier to follow. Thank you

------------------------------------------------------------------------------------------
Fixwareout report from yesterday
------------------------------------------------------------------------------------------
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of C:\WINNT\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

---------------------------------------------------------------------------------------------
Today's Log for fixwareout
---------------------------------------------------------------------------------------------
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of C:\WINNT\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

------------------------------------------------------------------------------------------------
HJT LOG
------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:32:23 PM, on 9/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142250229828
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

----------------------------------------------------------------------------------------------------------------
Combo Fix Report
----------------------------------------------------------------------------------------------------------------
luke - Sun 09/03/2006 21:39:19.53
ComboFix 06.09.02BT - Running from: C:\Documents and Settings\luke\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Abbaz0R\Application Data\NetMon
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Common Files\{A0239B87-0727-1033-0923-040304040001}

((((((((((((((((((((((((((((((( Files Created from 2006-08-03 to 2006-09-03 ))))))))))))))))))))))))))))))))))
2006-09-01 14:48 465,176 --a------ C:\WINNT\system32\wuapi.dll
2006-09-01 14:48 41,240 --a------ C:\WINNT\system32\wups.dll
2006-09-01 14:48 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2006-09-01 14:48 18,200 --a------ C:\WINNT\system32\wups2.dll
2006-09-01 14:48 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2006-09-01 14:48 127,256 --a------ C:\WINNT\system32\wucltui.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-03 21:40 -------- d-a------ C:\Program Files\Common Files
2006-09-03 21:22 -------- d-------- C:\Documents and Settings\luke\Application Data\Skype
2006-09-03 20:26 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-01 15:03 -------- d-a------ C:\Program Files\Internet Explorer
2006-09-01 14:55 -------- d-a------ C:\Program Files\Outlook Express
2006-09-01 14:55 -------- d-a------ C:\Program Files\Common Files\System
2006-09-01 14:55 -------- d-a------ C:\Program Files\Common Files\Services
2006-09-01 14:55 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-08-31 15:15 -------- d-------- C:\Program Files\Thugs at Bay
2006-08-29 22:56 -------- d-------- C:\Documents and Settings\luke\Application Data\LimeWire
2006-08-29 22:53 -------- d-a------ C:\Program Files\Spyware Doctor
2006-08-10 19:44 -------- d-------- C:\Program Files\XoftSpy
2006-08-09 17:07 -------- d-------- C:\Documents and Settings\luke\Application Data\AdobeUM
2006-08-09 17:06 -------- d-------- C:\Program Files\Adobe
2006-08-03 22:31 -------- d-------- C:\Documents and Settings\luke\Application Data\Leadertech
2006-08-03 22:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-03 22:28 -------- d-------- C:\Program Files\Atari
2006-07-28 20:00 503808 --a------ C:\WINNT\system32\Ralph - Bree.scr
2006-07-28 20:00 503808 --a------ C:\WINNT\system32\Ralph - Anna.scr
2006-07-28 20:00 12288 --a------ C:\WINNT\system32\impborl.dll
2006-07-25 10:43 -------- d-------- C:\Program Files\Webroot
2006-07-25 10:43 -------- d-------- C:\Documents and Settings\luke\Application Data\Webroot
2006-07-25 10:41 -------- d-------- C:\Program Files\CCleaner
2006-07-25 10:39 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-07-25 10:39 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-25 10:39 -------- d-------- C:\Documents and Settings\luke\Application Data\SUPERAntiSpyware.com
2006-07-24 21:54 -------- d-------- C:\Program Files\Security Task Manager
2006-07-22 23:33 51072 --a------ C:\WINNT\system32\drivers\ikhlayer.sys
2006-07-22 23:33 30592 --a------ C:\WINNT\system32\drivers\ikhfile.sys
2006-07-22 23:16 -------- d-------- C:\Program Files\RegistryFix
2006-07-22 16:13 503808 --a------ C:\WINNT\system32\RALPH - Krystal -.scr
2006-07-22 10:27 -------- d-------- C:\Program Files\Common Files\zwok
2006-07-17 22:17 -------- d-------- C:\Documents and Settings\luke\Application Data\PC Tools
2006-07-16 23:49 -------- d-------- C:\Program Files\abcMover
2006-07-16 19:05 29 --a------ C:\WINNT\system32\WINCNMDBO.DLL
2006-07-13 00:03 -------- d-------- C:\Program Files\mIRC
2006-07-09 00:11 -------- d-------- C:\Documents and Settings\luke\Application Data\teamspeak2
2006-06-04 01:53 356352 --a------ C:\WINNT\eSellerateEngine.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"XoftSpy"="C:\\Program Files\\XoftSpy\\XoftSpy.exe -s"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"Mn@iboddPubswLfov"=dword:00000000
"Mn@mlrf"=dword:00000000
"MnOndNeg"=dword:00000000
"MnQtm"=dword:00000000
"NoActiveDesktop"=dword:00000001
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoClose"=dword:00000000
"NoLogOff"=dword:00000000
"NoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Ghp`amfUbrhLds"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20060903-213515-704 O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
backup-20060903-213515-529 O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
backup-20060903-213515-309 O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
backup-20060903-213515-143 O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 69.50.176.198,195.225.176.153

Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\XoftSpy.job

Completion time: Sun 2006-09-03 21:41:48.75
ComboFix.txt
----------------------------------------------------------------------------------------------------------------
#6
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi again

Did you manage the Panda scan? If so I need the log. If not please do it at the end of these instructions.

The problems with Ewido might be a bad download or install. Go to Start > Control Panel > Add or Remove Programs and uninstall Ewido. You may need to reboot. Then follow these instructions, which include downloading and installing Ewido again.

Downloads

Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Download Ewido Anti-Malware. This is a 30 day trial.
If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating, EXIT Ewido.

Reboot

Reboot your system in Safe Mode.

HijackThis Entries

Open HijackThis and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any):
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
Please remember to close all other windows, including browsers, then click Fix checked.

Run CleanUp!

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:
Click OK, press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Ewido

Run Ewido with its updated definitions (...it's important that all windows must be closed)
NOTE: Ewido scan may require an hour.

Reboot

Reboot your system in Normal Mode.

Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan
Click on the "Free To Use ActiveScan" located on the top right hand corner.
1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it*
2. Enter your e-mail address, country, and state & click Scan Now
* The download of the 8 MB Panda ActiveX control will take place
* Begin the scan by selecting My Computer
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Logs required

Ewido Log
Panda Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
PC Safety & Security :: PC running a bit slow? :: Donate :: Photographers Corner
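The entries Glaswegian asks to have fixed above (O17 NameServer overrides pointing at outside resolvers, an O2 BHO whose DLL is already gone) are exactly the patterns a small triage script can pick out of a HijackThis log. The following Python is an added example, not code from this thread or from the HijackThis project. Its sample input is constructed: a few lines copied from the logs quoted in this thread plus one O17 line pointing at a private-network address (192.168.1.1) as a benign control. It flags O17 entries whose resolvers are neither on a caller-supplied trusted list nor local/private, O2 entries marked "(file missing)", and lists O20 Winlogon Notify entries for manual review. The trusted_resolvers parameter is an assumption; in practice it would hold the ISP's or organisation's DNS addresses.

```python
"""Triage a HijackThis log for DNS-hijack and orphaned-BHO patterns.

Added example; not part of the thread or of HijackThis itself.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: lines copied from the HijackThis logs quoted in the
# thread, plus one private-network O17 line added as a benign control.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264F762-C10F-44F6-BA10-5EEF24210274}: NameServer = 192.168.1.1
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def is_expected_resolver(addr: str, trusted: Set[str]) -> bool:
    """A resolver is expected if explicitly trusted (the ISP's DNS, an
    assumption supplied by the caller) or if it lives on the local network
    (a home router or corporate DNS server)."""
    if addr in trusted:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(log_text: str, trusted_resolvers: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one finding per suspicious or review-worthy HijackThis line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            # Any resolver that is neither trusted nor local is a hijack sign.
            bad = [s for s in m["servers"].split(",")
                   if not is_expected_resolver(s, trusted_resolvers)]
            if bad:
                findings.append({"kind": "dns-hijack", "key": m["key"],
                                 "servers": ",".join(bad)})
            continue
        m = O2_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            # A BHO registration whose DLL is gone: leftover of a removed infection.
            findings.append({"kind": "orphan-bho", "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs load at logon; list them so a human can vet the path.
            findings.append({"kind": "review-winlogon-notify", "name": m["name"],
                             "path": m["path"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A public resolver is not malicious in itself (an ISP's DNS is public), which is why the trusted set is a parameter rather than hard-coded; with the two addresses from this thread added to it, the O17 finding disappears and only the orphaned BHO and the Winlogon Notify review item remain.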
#7
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,477
OS: N/A
This is in addition to Glaswegian's instructions. Do this before commencing the others.

Download Gromozon rootkit removal tool & save it to Desktop: http://info.prevx.com/download.asp?grab=GROMOZONREMTOOL
Double-click to run it & follow the prompts.
If an infection is found, it shall reboot your machine & produce a log at C:\armada_log
Post that log & continue with the rest of the instructions
__________________
Question - what have you done for the community today?
#8
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Hey Glaswegian, no sorry I didn't run the Panda scan because your instructions said to do them in order so I didn't want to mix up the order.

Here is the armada log:

=======================================================
Armada.exe loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\C:\WINNT\lpt9.tat
\\?\C:\WINNT\lpt9.tat
Resetting file permissions...
Clearing attributes...
Removing file...
Rootkit removed!
Cleaning up...
Removing temp files...
Scanning: C:\WINNT
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\4.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\8.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINNT\hvhih1.dll
Removed!
Scanning: C:\Program Files\Common Files
Trojan.Gromozon Removed!
=======================================================

I noticed you said:
Quote:

I also thought I should mention that Ewido wouldn't let me click the resident shield to set it as "inactive" as it just says "not available in free version" and the icon for it on the desktop toolbar is the "inactive" one.
Screenshot:
Also Ewido wouldn't let me change the update interval from 60 minutes.
Screenshot: http://img129.imageshack.us/img129/9...oupdatett4.jpg
I thought I'd mention those two things I noticed because I didn't have that problem with Ewido yesterday (other than it not launching in safe mode). Okay I will reboot to safe mode now and see how Ewido goes.
#9
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi

That's because you've installed it once and are installing it a second time. Just ignore the shield and time interval. It's more important that you actually manage to scan - if necessary scan in Normal Mode. The good news is that, thanks to sUBs, you've managed to remove a hidden rootkit - excellent!!!
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
#10
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Okay I had the same problem with Ewido as yesterday, it wouldn't launch in safe mode and came up with the same error message.

Okay I done the online Active scan Panda thing anyway so here's the log:

Incident / Status / Location
Spyware:Cookie/Advnt  Not disinfected  C:\Documents and Settings\Abbaz0R\Cookies\abbaz0r@www.advnt01[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@ad.sensismediasmart.com[1].txt
Spyware:Cookie/YieldManager  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@adultfriendfinder[2].txt
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@atdmt[2].txt
Spyware:Cookie/BurstNet  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@burstnet[1].txt
Spyware:Cookie/Casalemedia  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@casalemedia[2].txt
Spyware:Cookie/Clickbank  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@clickbank[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@com[1].txt
Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@doubleclick[1].txt
Spyware:Cookie/DriveCleaner  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@drivecleaner[2].txt
Spyware:Cookie/Toplist  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@toplist[1].txt
Spyware:Cookie/DriveCleaner  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@www.drivecleaner[2].txt
Spyware:Cookie/Xiti  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@xiti[1].txt
Spyware:Cookie/Yadro  Not disinfected  C:\Documents and Settings\luke\Cookies\luke@yadro[1].txt
Adware:Adware/PurityScan  Not disinfected  C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\abc_mover_keygen.exe
Adware:Adware/PurityScan  Not disinfected  C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\video_edit_magic_4.1_keygen.exe
Virus:Trj/Agent.CJA  Disinfected  C:\Program Files\Common Files\Microsoft Shared\MSEnv\envupd.exe
Spyware:Cookie/2o7  Not disinfected  C:\WINNT\Cookies\luke@112.2o7[2].txt
Spyware:Cookie/YieldManager  Not disinfected  C:\WINNT\Cookies\luke@ad.yieldmanager[2].txt
Spyware:Cookie/BurstNet  Not disinfected  C:\WINNT\Cookies\luke@burstnet[1].txt
Spyware:Cookie/Mediaplex  Not disinfected  C:\WINNT\Cookies\luke@mediaplex[1].txt
Spyware:Cookie/Serving-sys  Not disinfected  C:\WINNT\Cookies\luke@serving-sys[2].txt
Spyware:Cookie/SexList  Not disinfected  C:\WINNT\Cookies\luke@sexlist[2].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\WINNT\Cookies\luke@tribalfusion[2].txt

Last edited by abbaz0r; 09-04-2006 at 06:54 AM. Reason: Bolded the Trojan it found in the report
#11
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000

Quote:
#12
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Hey,

I finished the full system scan on Ewido in normal mode and got the report. Don't worry about the "C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\New Folder\videoeditmagic.rar/videoeditmagic.exe -> Dropper.Delf.yb : Error during cleaning." I just went and deleted that whole folder anyway. Also just done a quick HJT scan too so I'll post that underneath, okay I gotta go to sleep now.

Thanks, here's the report and HJT log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:55:51 PM 9/4/2006

+ Scan result:

C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\New Folder\videoeditmagic.exe -> Dropper.Delf.yb : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\New Folder\videoeditmagic.rar/videoeditmagic.exe -> Dropper.Delf.yb : Error during cleaning.
C:\Documents and Settings\Abbaz0R\Local Settings\Temporary Internet Files\Content.IE5\3JMUNEAC\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Abbaz0R\Local Settings\Temporary Internet Files\Content.IE5\3JMUNEAC\send_ocx_sof[3].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Abbaz0R\Local Settings\Temporary Internet Files\Content.IE5\AUVIU1RL\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@e-2dj6wfk4qpdzsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@e-2dj6wjl4gmd5eap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@e-2dj6wjnyspd5sep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Abbaz0R\Cookies\abbaz0r@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Cookies\luke@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINNT\Cookies\luke@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\abc_mover_keygen.exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\Documents and Settings\luke\Desktop\Folders\Multimedia and games\video edit magic\video_edit_magic_4.1_keygen.exe -> Trojan.Agent.vg : Cleaned with backup (quarantined).

::Report end

----------------------------------------------------
HJT log
----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:02:09 AM, on 9/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142250229828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Last edited by abbaz0r; 09-04-2006 at 08:06 AM. Reason: Added HJT log
#13
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi again

Good work. If you don’t know if you have a 64bit version then you probably don’t. You can use IE to download this script and then run it to check.

Clear your IE cookies. Start > Settings > Control Panel > Internet Options > General tab > under Temporary files, click on Delete Cookies.

Download IE-Spyad - Extract the contents to a new folder. IE-SPYAD will place thousands of bad websites in the Restricted Zone of Internet Explorer. From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download MVPS Hosts file - From within Host.zip, double click on MVPS.bat & allow it to run. This will replace your current Hosts file with one that will block known adware and spy websites.

Download SpywareBlaster. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. SpywareBlaster can help prevent spyware installing in the first place.

Reboot

Reboot your system in Safe Mode.

HijackThis Entries

Open HijackThis and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any):
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3529B3DE-56B1-3A9A-D72E-3A0FF0BE5E75} - C:\WINNT\hvhih1.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
Please remember to close all other windows, including browsers, then click Fix checked.

File Deletions

Delete the following file indicated in RED if it still exists.
C:\Program Files\Common Files\Microsoft Shared\MSEnv\envupd.exe

Reboot

Reboot your system in Normal Mode.

Online Scan

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner
Next click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
Now under select a target to scan: Select My Computer
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
#14
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Okay I had a shot at your instructions there and I managed to do it all successfully, except that I think there was a problem with the "MVPS Hosts file" because after I double clicked the "MVPS.bat" file I didn't see any prompts or anything, all I saw was a portion of the window I had open had black in the corner and then it went away.

After that I had a problem rebooting my computer to get into safe mode, it took a while and eventually started shutting down after I clicked the shut down button 2 or 3 times... then it closed everything and all I could see was my desktop wallpaper and it wouldn't shut down after waiting for about 5 minutes so I had to hit the reset button. After I rebooted back into normal mode to do the Kaspersky online scan, I hit the Internet Explorer quick launch button on my desktop and nothing happened, so I clicked it again. Then it kind of froze up and I ctrl + alt + deleted to check out the CPU usage. The task manager took a while to show up but it did, and then afterwards when both of the Internet Explorer windows opened, the task manager said my CPU was at 100% usage, then I went to the Kaspersky website and then it went back down to normal. Would that be because of the "MVPS.bat" maybe not working properly the first time and then loading itself when I launched Internet Explorer? Anyway, here's the Kaspersky report and a fresh HJT log.

Thanks

==============================================
Kaspersky Report
==============================================

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 05, 2006 9:50:15 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/09/2006
Kaspersky Anti-Virus database records: 220953
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48473
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped
C:\Documents and Settings\luke\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\luke\Desktop\Folders\programs\mirc617.exe/data0001.bin  Infected: not-a-virus:Client-IRC.Win32.mIRC.617  skipped
C:\Documents and Settings\luke\Desktop\Folders\programs\mirc617.exe  mIRC: infected - 1  skipped
C:\Documents and Settings\luke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\luke\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\luke\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\luke\Local Settings\History\History.IE5\MSHist012006090520060906\index.dat  Object is locked  skipped
C:\Documents and Settings\luke\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\luke\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\luke\ntuser.dat.LOG  Object is locked  skipped
C:\Program Files\mIRC\mirc.exe  Infected: not-a-virus:Client-IRC.Win32.mIRC.617  skipped
C:\WINNT\Debug\ipsecpa.log  Object is locked  skipped
C:\WINNT\Debug\oakley.log  Object is locked  skipped
C:\WINNT\Debug\PASSWD.LOG  Object is locked  skipped
C:\WINNT\SchedLgU.Txt  Object is locked  skipped
C:\WINNT\security\logs\scepol.log  Object is locked  skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped
C:\WINNT\system32\config\AppEvent.Evt  Object is locked  skipped
C:\WINNT\system32\config\default  Object is locked  skipped
C:\WINNT\system32\config\default.LOG  Object is locked  skipped
C:\WINNT\system32\config\SAM  Object is locked  skipped
C:\WINNT\system32\config\SAM.LOG  Object is locked  skipped
C:\WINNT\system32\config\SecEvent.Evt  Object is locked  skipped
C:\WINNT\system32\config\SECURITY  Object is locked  skipped
C:\WINNT\system32\config\SECURITY.LOG  Object is locked  skipped
C:\WINNT\system32\config\software  Object is locked  skipped
C:\WINNT\system32\config\software.LOG  Object is locked  skipped
C:\WINNT\system32\config\SysEvent.Evt  Object is locked  skipped
C:\WINNT\system32\config\system  Object is locked  skipped
C:\WINNT\system32\config\SYSTEM.ALT  Object is locked  skipped
C:\WINNT\system32\drivers\dtscsi.sys  Object is locked  skipped
C:\WINNT\system32\drivers\sptd.sys  Object is locked  skipped
C:\WINNT\system32\drivers\sptd0029.sys  Object is locked  skipped
C:\WINNT\system32\Perflib_Perfdata_4b0.dat  Object is locked  skipped
C:\WINNT\WindowsUpdate.log  Object is locked  skipped

Scan process completed.

==============================================
HJT LOG
==============================================

Logfile of HijackThis v1.99.1
Scan saved at 9:52:55 PM, on 9/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142250229828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
==============================================
#15
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi again

It could have been the combination of the Hosts file and IE-SPYAD. We can check if the Hosts file is installed. Open Windows Explorer and navigate to C:\Windows\System32\drivers\etc and look for the file called Hosts – it should be about 330k in size. Right click and choose ‘Open’ then choose Notepad as the programme to use. If it’s the MVP Hosts file it should look like this at the top:

# This MVPS HOSTS file is a free download from:
#
# http://www.mvps.org/winhelp2002/

Let me know if this is what you see. Your cpu usage will jump when doing an online scan – that’s normal. Use your PC as normal and post back with any problems – I don’t see anything else related to malware.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
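Glaswegian's check above (open the Hosts file, look for the MVPS header, note the size) can be scripted, and while reading the file it is worth checking one more thing: a blocking hosts file should only ever map names to 0.0.0.0 or 127.0.0.1, so any entry that sends a hostname to a remote address is the opposite of what it is meant to do and a common sign of tampering. The following Python is an added example, not code from the thread or from the MVPS project. It parses hosts-file text, confirms the MVPS header line quoted above, counts blocking entries, and lists redirect entries. The sample file is constructed; its redirect line reuses the rogue resolver address seen in this thread's O17 entries purely as a sample value.

```python
"""Inspect a Windows hosts file: MVPS header, blocking entries, redirects.

Added example; not part of the thread or of the MVPS hosts project.
"""
import ipaddress
from typing import Dict, List, Tuple

# Header line quoted in the thread for the MVPS hosts file.
MVPS_HEADER = "# This MVPS HOSTS file is a free download from:"
# Addresses a blocking hosts file is allowed to point names at.
BLOCKING_ADDRESSES = {"0.0.0.0", "127.0.0.1"}

# Constructed sample: MVPS-style header, the stock localhost line, two
# blocking entries, and one redirect that should be flagged. The redirect
# address is the rogue resolver from this thread, reused only as a sample.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:
#
# http://www.mvps.org/winhelp2002/
#
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.burstnet.com  # trailing comment after an entry
69.50.176.198 update.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def inspect_hosts(text: str) -> Dict[str, object]:
    """Summarise a hosts file the way the thread's manual check does, plus
    a redirect scan."""
    entries = parse_hosts(text)
    blocking = 0
    redirects: List[Tuple[str, str]] = []
    for addr, names in entries:
        if addr in BLOCKING_ADDRESSES:
            # "127.0.0.1 localhost" is the stock entry, not a block rule.
            blocking += sum(1 for n in names if n.lower() != "localhost")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        # A name mapped to a non-local address is a redirect, not a block.
        if not (ip.is_loopback or ip.is_private):
            redirects.extend((addr, n) for n in names)
    return {
        "mvps_header": text.lstrip().startswith(MVPS_HEADER),
        "size_bytes": len(text.encode("utf-8")),
        "entry_count": len(entries),
        "blocking_entries": blocking,
        "redirects": redirects,
    }


if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real file; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for key, value in inspect_hosts(text).items():
        print(f"{key}: {value}")
```

On the machine in this thread the real file lives under the Windows directory in system32\drivers\etc (C:\WINNT on Windows 2000); pass that path as the first argument and compare size_bytes with the figure Glaswegian quotes.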
#16 (permalink) |
|
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Hey,
I see a 'HOSTS' file and a 'HOSTS.MVP' file (though after I opened the HOSTS.MVP file in Notepad the .MVP extension was no longer visible until you click on it, then it says it in the file description, and it changed to a Notepad icon).

The 'HOSTS' one is 492kb in size and at the top it says:

# This MVPS HOSTS file is a free download from:
#
# http://www.mvps.org/winhelp2002/
#

and the 'HOSTS.MVP' file is 718 bytes and says this at the top:

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

Okay, when I started up the computer today and clicked the quicklaunch for Internet Explorer, I had the same problem as yesterday where it didn't do anything for a while but my mouse pointer changed to an hour glass. I did the Ctrl + Alt + Delete again and it said 80% CPU usage, then it went back to normal once the Internet Explorer pages had launched. Could this possibly be because of the new anti-spyware programs I have downloaded? Do you think I should uninstall the old ones (over their 30 day trial and don't let me fix anything they detect on a scan) to free up memory usage?

Also, I haven't had any of those pop ups or webpage redirecting problems I had at the start of this post so far, it's looking good.

Thank you very much
#17 (permalink) |
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Hi again
Yes, get rid of anything that has expired. I’ll provide some programmes that will do the same job and will not expire.

There’s nothing in your log to indicate any problems – if you’re still having the same issue, you might want to try our XP Forum.

The first file, 492K, is your new Hosts file.

OK, your log is clean. Any more problems? If not we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

Reset Hidden/System Files
To reset your hidden and system files:

System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

To turn on System Restore, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point.

IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Windows Update to get the KB912919 patch if you have not already done so.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.

Spyware Guard to catch and block spyware before it can execute.

Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.

IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer:
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall

Anti Virus Software
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
PC Safety & Security - What Do I Need?
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!
Please respond to this thread one more time so we can mark this thread as resolved.
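Two posts in this thread turn on the HOSTS file: the check in post #15 (open the file, confirm it starts with the MVPS header) and the explanation in post #17 that the MVPS file works by pointing known ad sites at 127.0.0.1. The script below is an added example for this thread, not code from the forum or from MVPS, that automates that check and extends it to the failure mode a helper is really looking for: a HOSTS file that has been hijacked, either by pointing a public name at a real address (silent redirect) or by blackholing a site the machine needs to reach (update and scanner sites). The "must stay reachable" watch list is constructed from the update/scanner hosts that appear in the O16 lines of the log earlier in this thread; the sample HOSTS content is constructed for the example; and treating 0.0.0.0 as a blackhole alongside 127.0.0.1 is my assumption, since the thread only mentions 127.0.0.1.

```python
"""Audit a Windows HOSTS file: MVPS header, blackholed names, hijack signs.

Added example for this thread; not code from the forum or from MVPS.  The
watch list and the sample file below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MVPS_HEADER = "# This MVPS HOSTS file is a free download from:"

# Addresses that make a name unreachable rather than redirecting it.  The
# thread's MVPS file uses 127.0.0.1; 0.0.0.0 is an assumption for newer lists.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a legitimate block list has no reason to touch.  Constructed from
# the O16 entries in the thread's HijackThis log; extend for your own setup.
MUST_STAY_REACHABLE = {
    "update.microsoft.com",
    "www.kaspersky.com",
    "acs.pandasoftware.com",
}


@dataclass
class HostsAudit:
    mvps_header: bool
    localhost_line: bool
    blocked: int                                   # names sent to a blackhole
    redirects: List[Tuple[int, str, str]] = field(default_factory=list)
    blocked_critical: List[Tuple[int, str]] = field(default_factory=list)
    malformed: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.redirects or self.blocked_critical)


def parse_hosts(text: str):
    """Yield (lineno, address, names) per entry; comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if entry:
            addr, *names = entry.split()
            yield lineno, addr, names


def audit_hosts(text: str) -> HostsAudit:
    """Classify every entry; the header check mirrors the manual one in the thread."""
    head = text.splitlines()[:5]
    result = HostsAudit(
        mvps_header=any(line.strip() == MVPS_HEADER for line in head),
        localhost_line=False,
        blocked=0,
    )
    for lineno, addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            result.malformed.append((lineno, addr))
            continue
        if not names:
            result.malformed.append((lineno, addr))
            continue
        for name in (n.lower() for n in names):
            if addr in BLACKHOLE:
                if name == "localhost":
                    result.localhost_line = True
                elif name in MUST_STAY_REACHABLE:
                    result.blocked_critical.append((lineno, name))
                else:
                    result.blocked += 1
            else:
                # A real address for a public name is the classic hijack.
                result.redirects.append((lineno, name, addr))
    return result


# Constructed sample: MVPS-style header plus three lines no block list
# would legitimately contain (a blocked update site, a redirect, junk).
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:
#
# http://www.mvps.org/winhelp2002/
#
127.0.0.1  localhost
127.0.0.1  ads.example                # typical block-list entry
127.0.0.1  banners.example            # typical block-list entry
127.0.0.1  update.microsoft.com       # blocks Windows Update: not MVPS
10.0.0.5   www.bank.example           # sends a real site to another host
bogus      stray.example
"""

if __name__ == "__main__":
    audit = audit_hosts(SAMPLE_HOSTS)
    print(f"MVPS header: {audit.mvps_header}; localhost line: {audit.localhost_line}")
    print(f"{audit.blocked} names blackholed; suspicious: {audit.suspicious}")
    for lineno, name, addr in audit.redirects:
        print(f"line {lineno}: {name} -> {addr} (redirect, investigate)")
    for lineno, name in audit.blocked_critical:
        print(f"line {lineno}: {name} blackholed (update/scanner site, investigate)")
    for lineno, addr in audit.malformed:
        print(f"line {lineno}: unparsable address {addr!r}")
```

On a real machine, read C:\WINNT\System32\drivers\etc\hosts (or the Windows equivalent) into `audit_hosts()`; a genuine MVPS file reports the header, a localhost line and thousands of blackholed names with nothing under redirects or blocked_critical. Either of those two lists being non-empty is the thing to chase, not the file size.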
#18 (permalink) |
Registered User
Join Date: Aug 2006
Posts: 10
OS: 2000
Hey, thanks for that, I'll give them a shot :). I just removed one of my old antivirus programs and now I haven't got that freezing problem when I launch Internet Explorer at all.
So, yeah, I think I'm all done on this one. I was thinking of just giving up near the end, but managed to hang in there. Thank you for easing the stress caused by all the malware/spyware/adware. Again, thank you very much for all of your help and thanks for your time, I really appreciate it.