|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-29-2005, 10:26 AM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
ezula, qoolaid, loading website, medload...
I have pop-ups driving me crazy! I've run Adaware, SpyBot, Cleamup!, plus I have Norton Systemworks running, and I still can't stop the pop-ups. Please help? Here is my Hijackthis log.
Logfile of HijackThis v1.99.1 Scan saved at 12:26:02 PM, on 6/29/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\WINDOWS\Explorer.exe C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\OPScan.exe C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/home/health F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.tourguidemike.com O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lvn2095oe.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Thanks in advance for your help! |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-29-2005, 11:04 AM
|
#2 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Hi thefly and welcome to TSF
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". OJ
__________________
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.” Eugene H. Spafford |
|
|
|
|
06-29-2005, 04:54 PM
|
#3 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
Hi Oddjob, and thanks. I subscribed to the thread as you recommended so I will be able to respond quickly. Please bear with me as well since I unplug my cable modem most of the time to avoid having my PC tampered with. I do get on and check email pretty regularly, though.
|
|
|
|
|
06-30-2005, 12:54 AM
|
#4 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Hello again
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. That 015 Trusted Zone entry for tourguidemike.com. We would recommend removal but the instructions below do NOT address this issue. It is assumed that you want this site into your Trusted Zone but, if not, and want this entry removed, let us know and we will give you specific instructions relative to that entry. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results by reading this. Run the scan and fix everything that it finds. Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet. Download nailfix at http://users.pandora.be/bluepatchy/nailfix.zip.Unzip it to the desktop. Do NOT run it yet. Download CleanUp! by going here. Do NOT run it yet. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled. Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears). Once in Safe Mode, please double-click on nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal. Next run a full scan in Ewido. Post the log from the Ewido scan here. Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any): F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lvn2095oe.dll O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) Please remember to close all other windows, including browsers, before clicking “Fix checked”. Delete the following Files indicated in RED if they still exist….. C:\WINDOWS\Nail.exe C:\WINDOWS\system32\lvn2095oe.dll C:\WINDOWS\svcproc.exe Reboot your System in normal mode. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. If you have a fast internet connection (Broadband), run online scans at Panda Activescan and Housecall. Housecall has now been upgraded. Please run ALL the free scans offered at these sites. Make sure they both perform a full system scans and please use the “Autoclean” option when running Housecall. If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details back to this thread. Please post a fresh HijackThis log, so that we can check if your system is clean, AND give us an update on how your system is operating now. OJ Last edited by oddjob; 06-30-2005 at 12:56 AM. |
|
|
|
|
06-30-2005, 01:32 PM
|
#7 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Sorry about that. Here's another link to nailfix. This one should be OK......
http://www.noidea.us/easyfile/index.php?folder=2 There will be more to do after this fix. All the best. OJ |
|
|
|
|
06-30-2005, 02:57 PM
|
#8 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
OK thanks - that seemed to work. I double clikced Nailfix.cmd since there was no BAT file and it did the same thing you described it would with .BAT. I'm in the process of running Housecall now - will post again soon. Thanks for the quick replies!
|
|
|
|
|
06-30-2005, 09:27 PM
|
#9 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
I finally got all the scans done. Here is the Panda Activescan log, which found 15 infections and couldn't fix 5 of them:
Incident Status Location Adware:Adware/eZula No disinfected Windows Registry Adware:Adware/Apropos No disinfected C:\Program Files\Aprps Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe Spyware:Spyware/Media-motor No disinfected Windows Registry Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Owner\Favorites\1111\1111.url Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb Adware:Adware/Apropos No disinfected C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\AlertSWF\contents\Exec.exe Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Owner\Favorites\1111\1111.url Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url Adware:Adware/PopCapLoader No disinfected C:\hjt\backups\backup-20050629-121620-353.inf Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\nMrrhook.dll Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\rOsmontr.dll Here is the Ewido scan log: --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 4:05:39 PM, 6/30/2005 + Report-Checksum: 18DF4AFD + Date of database: 6/30/2005 + Version of scan engine: v3.0 + Duration: 117 min + Scanned Files: 65558 + Speed: 9.31 Files/Second + Infected files: 6 + Removed files: 6 + Files put in quarantine: 6 + Files that could not be opened: 0 + Files that could not be cleaned: 0 + Binder: Yes + Crypter: Yes + Archives: Yes + Scanned items: C:\ + Scan result: C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup C:\Program Files\Common Files\Java\flaclean.exe -> Spyware.Broadcap.b -> Cleaned with backup C:\Program Files\rdso\eetu.exe -> Spyware.PurityScan -> Cleaned with backup C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup C:\WINDOWS\system32\ѕеcurity\msconfig.exe -> Spyware.PurityScan -> Cleaned with backup ::Report End And the HJT log: Logfile of HijackThis v1.99.1 Scan saved at 11:26:24 PM, on 6/30/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/home/health O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.tourguidemike.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\m082lalo1dqc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Thanks again, OJ! |
|
|
|
|
07-01-2005, 07:37 AM
|
#10 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Glad to help out. Log’s looking better. Well done.
Panda Activescan and Housecall are very useful in that they see many things HijackThis can’t see and reveal those items they can’t fix. You should add these two sites to your favourites and scan your system with them frequently. On to the next stage. Again, I suggest you print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Download L2Mfixhere [Alternate download sources if this doesn’t work…..here]. Save the file to your desktop and double click l2mfix.exe. Click the Install button, to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #2, for the fix, by typing 2 and then pressing enter. Please Do NOT run any other files in the l2mfix folder until told to. Make sure you still have the latest version of CleanUp! by going here. Do not run it yet. Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears). Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs IF FOUND (don’t worry if you can’t find them all): Apropos Aprps BetterInet joysticks networks Pacimedia Viewpoint WierdOnTheWeb WinTools Open HijackThis and click on Scan. Check the following entry: O4 - Startup: PowerReg Scheduler V3.exe (this is a “registration reminder” used by many different companies; it may continue to re-appear) Please remember to close all other windows, including browsers, before clicking ”Fix checked”. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\Aprps C:\WINDOWS\hisistheurls.exe C:\Documents and Settings\Owner\Favorites\1111\1111.url C:\Program Files\joystick networks C:\Program Files\WeirdOnTheWeb C:\Documents and Settings\All Users\Application Data\Viewpoint C:\WINDOWS\hisistheurls.exe C:\WINDOWS\system\QBUninstaller.exe C:\WINDOWS\system32\nMrrhook.dll C:\WINDOWS\system32\rOsmontr.dll Reboot your System in normal mode. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Repeat the online scans at Panda Activescan and Housecall. As before, please run ALL the free scans offered at these sites and make sure they both perform a full system scans, using the “Autoclean” option when running Housecall. Please post details of anything the online scans can’t fix, as you did before. Please post a fresh HijackThis log so that we can check if your system is clean. PLEASE ALSO give us an update on how your system is operating now. OJ |
|
|
|
|
07-01-2005, 09:37 AM
|
#11 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
Hello again, OJ -
I'm in the process of running Panda Activescan which takes a while, then I still have to run Housecall. So far, though, I haven't had a single pop-up, so good progress has been made! Thank you again. I will be back in a while after the scans are complete. Panda has already found 6 infected files... |
|
|
|
|
07-01-2005, 12:01 PM
|
#12 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
Hi OJ -
I followed your instructions and here are the scans. Panda Activescan: Incident Status Location Adware:Adware/eZula No disinfected Windows Registry Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[hr6s05j7e.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[iuetcplc.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[mhjava.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[nMrrhook.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[rOsmontr.dll] Adware:Adware/PopCapLoader No disinfected C:\hjt\backups\backup-20050629-121620-353.inf Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-842925246-1563985344-839522115-500\Dc6.exe Housecall came up clean. Latest HJT log: Logfile of HijackThis v1.99.1 Scan saved at 1:57:57 PM, on 7/1/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/home/health O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.tourguidemike.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe I have been online all morning and haven't had a single pop-up. Things seem to be running faster, and I'm not having IE crash during scans. Thank you!! |
|
|
|
|
07-02-2005, 06:08 AM
|
#13 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Hi again
Good work. Your log is clean. As everything seems to be working normally now we need to take steps to get rid of those files found by Panda and clean out your system restore points. You will have to delete those files found by Panda manually. If you can’t find any don't use the windows search feature as it may not find them. L2Mfix backups To fix these………. Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[hr6s05j7e.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[iuetcplc.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[mhjava.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[nMrrhook.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[rOsmontr.dll] Go to this file (in bold) and delete it: C:\Documents and Settings\Owner\Desktop\l2mfix In HijackThis backup To fix this: Adware:Adware/PopCapLoader No disinfected C:\hjt\backups\backup-20050629-121620-353.inf Go to this file (in bold) and delete it: C:\hjt\backups In RECYCLER Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-842925246-1563985344-839522115-500\Dc6.exe The RECYCLER folder is associated to the recycle bin. First, make sure that the recycle bin is empty (do that for each registered user in your computer) by right clicking the desktop icon for the Bin and hit “Empty recycle bin”. There is one directory in the recycler folder for each registered user. Once the recycle bins are empty, the legitimate directories should be empty as well. If you still have a directory with data it is probably adware. You can remove the contents manually by going to the command prompt, navigating to c:\RECYCLER and then using rmdir/s directory_name to delete the directory in question. And finally… As this shows no location in the registry, it will be almost impossible to find, but it's an orphan registry key and will cause you no problems……… Adware:Adware/eZula No disinfected Windows Registry RESET SYSTEM RESTORE Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your System. To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. For good measure please scan once more with Housecall & Panda Activescan, post back the results to this thread and let us know how your system is behaving now. OJ |
|
|
|
|
07-02-2005, 09:21 AM
|
#14 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
Thanks OJ. i still can't get rid of the 2 files from the recycler. Should I attempt it in Safe Mode?
Housecall cleaned an infection but I don't have a log for it (or I don't know where it is). Here is the Panda Activescan: Incident Status Location Adware:Adware/eZula No disinfected Windows Registry Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-842925246-1563985344-839522115-500\Dc6.exe |
|
|
|
|
07-03-2005, 04:17 AM
|
#15 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
HI again
As I said before you needn't worry about his one...... Adware:Adware/eZula No disinfected Windows Registry ....just forget it. As to the other one........... Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-842925246-1563985344-839522115-500\Dc6.exe ........I agree with your suggestion. Go to safe mode and clean out your recycle bin from there. Also make sure you have the latest version of Cleanup! (see my post above; #4) and clean your system again with that. Am I right in saying that your system is now running fine and back to normal? OJ |
|
|
|
|
07-03-2005, 06:05 PM
|
#16 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 35
OS: WinXP
|
Hi OJ -
Sorry for the delay in replying. For some reason I didn't get an email. My system is working great; I do have the current version of cleanup and I will try to delete those files in Safe Mode. Thank you so much for all your help (and anyone else who contributed behind the scenes). You saved me from having to format my hard drive and starting over again. |
|
|
|
|
07-04-2005, 04:23 AM
|
#17 (permalink) |
|
Registered User
Join Date: Jan 2005
Location: London, UK
Posts: 305
OS: WinXP SP2/98/98SE
|
Glad to hear all is well again.
In closing I suggest you have a read of this article to help prevent further infections etc.......... http://www.greyknight17.com/spyware.htm#prevent Happy surfing! OJ |
|
|
|
| Thread Tools | |
|
|
