DaniWeb IT Discussion Community - Inundated with urgent repair messages after reformating

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)

- Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)

- - Inundated with urgent repair messages after reformating (http://www.daniweb.com/forums/thread29852.html)

dcc	Aug 5th, 2005 3:09 am

Inundated with urgent repair messages after reformating

Hi all...I had to reformat my computer last week and have just about everything back on line as it should be, but I'm being inundated by pop-up messages telling me that it's urgent that I use their product to repair everything from the registry to my hard drive. If you're niave enough to download their test and use it, it will install a problem that you will then have to purchase their product to "fix", what a scam! I have AVG, Zone Alarm, Spybot search and destroy, and adaware, but I still get these pop-up "urgent" messages, how do I stop these things, they are making me cazy!

crunchie

Aug 5th, 2005 6:56 am

Re: Inundated with urgent repair messages after reformating

Try this; Download and use shootthemessenger to disable Windows messenger.

==

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

dlh6213

Aug 5th, 2005 6:57 am

Re: Inundated with urgent repair messages after reformating

For future reference, have a look at this thread:
http://www.daniweb.com/techtalkforum...stmas+crackers

For now, please follow the recommendations and instructions in the links below, and then post a HijackThis log in this thread so we can see what's going on.

dlh6213

Aug 5th, 2005 6:58 am

Re: Inundated with urgent repair messages after reformating

Crunchie! What are you doing here? I just checked and you were looking at a different thread!

crunchie

Aug 5th, 2005 6:59 am

Re: Inundated with urgent repair messages after reformating

Gotta be quick :mrgreen:

dcc	Aug 5th, 2005 10:49 am

Re: Inundated with urgent repair messages after reformating

Hey guys...it sounds like both of you suspect an intruder! I will do as you have suggested, but tell me this...what made both of you suspect a virus or another "nastie"? Thanks, dcc

dcc	Aug 5th, 2005 11:05 am

Re: Inundated with urgent repair messages after reformating

OK guys...here it is,

Logfile of HijackThis v1.99.1
Scan saved at 6:59:54 AM, on 8/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\PeoplePC\ISP6100\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6100\Browser\PPShared.exe
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\Program Files\PeoplePC\ISP6100\Browser\Bartshel.exe
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6100\BIN\PPCOLink.exe -STATION
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60...ad/ppcwebi.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9969DEE-9C86-470C-A9A5-C40A7D9B6E7E}: NameServer = 66.81.0.251 66.81.0.252
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

dlh6213

Aug 5th, 2005 11:33 am

Re: Inundated with urgent repair messages after reformating

'Nasties' are almost always what causes popups. But in your case, at least some of them are courtesy of your ISP...

Check this link for some info on Bartshel.exe --
http://www.pcpitstop.com/spycheck/SW...n=bartshel.exe

There are a couple of things you can fix with HijackThis, but first, right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Now, scan with HJT and have it fix the following entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close any open windows, other then HijackThis, and hit Fix checked.

Go to C:\WINNT\web and delete related.htm

Empty your Recycle bin.

I also suggest dowloading and updating Ewido --
http://www.download.com/Ewido-Securi...ml?tag=lst-0-1 -- but don't scan with it yet.

Reboot into Safe Mode first, and then scan with Ewido, allowing it to fix whatever it finds. Please post the log in your next reply.

Reboot normally, close any open browser windows, scan with HJT, and post a new log along with the Ewido log.

All times are GMT -4. The time now is 1:32 pm.

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC