DaniWeb IT Discussion Community
Mereannjen

May have Virus/Spyware/Aliens? or IE Hijacked

  #1  
Nov 30th, 2004
:eek: I tried posting a new thread on my problem and couldn't on any forum. I was getting really frustrated. Now I can..whoopie!

Ok, here is my problem: I think my IE Browser may have been hijacked. I read a lot of threads about this and have downloaded Hijack This and CWS Shredder. I ran them both and have posted the reports in this email.

My IE is not only running way too slow, but I am consistently getting "Page Cannot Be Displayed" error messages when trying to view webpages.

I have Windows XP Home, IE 6.0, Ad-aware 6.0, AVG Free Edition, No-Ads and Spyware Doctor. I have run them all. I have gotten several alerts under AVG about Trojan Horses SDbot and Rameh. It said it healed them, but when I restart my comp, they come right back. I did have Norton Anti Virus for a while, but every time I started my comp up it gave me a message saying something or someone had been trying to adjust its settings and I needed to restart my comp. It did this every time, yet when I scanned with it, it never found anything, except a Bloodhound. So I removed Norton from my comp. I didn't care for it anyway.

These are the things AVG and Spyware Doctor have "fixed, healed or removed" so far:

Bloodhound.W32.1 (found by Norton and supposedly removed 3 times)
ldoxer.exe ("healed" by AVG)
wuamgrd.exe ("healed" by AVG) but got it 6 times
bling.exe ("healed" by AVG)
ATPartners.dll Trojan Horse downloader Rameh.E in my Windows/System32/dllcache ("healed" by AVG 10 times)

and as of starting my comp up today at 8:40 pm and running Spyware Doctor, AVG and Ad-Aware:

TFTP Trojan Horse IRC/Backdoor/SdBot.48T ("healed" by AVG)
Tracking Cookie Cookie File (doubleclick.net) meredith@doubleclick.net (Spyware Doctor removed)

Also, when I first connect to the internet, my IE starts up pages directing me to web sites that have porn on them. It does this all by itself. I was able to add them all on No-Ads so they won't load now, but they leave these white and blue box looking applications every time. They are called cat, pussy, loud, add and ybsex. I delete these, but they come back every time I connect to the internet. These are the sites that come up:

"http://home.no/sopo/pussy.html"
"http://216.117.190.175/momsex.html"
"http://oddworldz.com/noksha/add.html"


This is driving me nuts. It's been 4 months now. Microsoft won't help me and neither will Gateway (I have a Gateway Laptop).

I have no idea about computers and most of the instructions given in the same type of problem threads made no sense to me. Could you please explain to me how to fix these problems, like I was 10 years old? LOL. I'd appreciate it.

Anyway, here are the reports I got from Hijack This and CWS Shredder:


Logfile of HijackThis v1.98.2
Scan saved at 3:32:14 AM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spoolcsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\syswin32.exe
C:\WINDOWS\System32\winxp2.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101714994263
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...3/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13




CWS Shredder Report

CWShredder v2.0. scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.

System Information:
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\System32
AppData folder: C:\Documents and Settings\Meredith\Application Data
Username: Meredith

Found Hosts file: C:\WINDOWS\System32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (488 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

Since I am having such a problem with getting into any website, including this one, please email me also at either or both email addresses below. That goes for anyone who might be able to help me. You can post replies here too, regarding this problem, just in case I can get in to see them. If you need any more info, please let me know.


You can email me at:

mereannjenatyahoo.com or

mereannjenatHotPOP.com

Thank You So Much,
Meredith Jensen :cheesy:
(mereannjen)
Last edited by crunchie : Dec 1st, 2004 at 5:25 am. Reason: Editing of email address
DaveSW

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #2  
Dec 1st, 2004
You appear to have a lot of nasties in there. I'm talking worms and stuff, not just a browser hijack.
So probably the best place to start is to go to http://www.trendmicro.com/download/dcs.asp and download sysclean, and this page http://www.trendmicro.com/download/pattern.asp for the latest pattern file.
Unzip the pattern file into the same folder as sysclean, then run sysclean. It will take a while but hopefully will remove some of those worms. Make sure it's in a user area with administrator privileges.
Mereannjen

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #3  
Dec 2nd, 2004
It's me again. I did exactly what you said and downloaded Sysclean and the pattern file for it. I followed its instructions to the letter and here are the results it gave me:
Pattern Version: 2.273.00
Release Type: Fix False Negative
Notes: TROJ_FUNWEB.A (moved detection to Spyware pattern as ADW_FUNWEB.C)

November 30, 2004, 12:56:15 (GMT -08:00)

---------------------
New Viruses Detected:
---------------------
There are [25]new viruses detected by the pattern file.
All detail virus names please refer to the list below.

BKDR_BEASTDOR.A
BKDR_BLUEEYE.B
BKDR_GOBOT.Y
HTML_WAMUFRAUD.A
TROJ_ADCLICK.AU
TROJ_BANCOS.EO
TROJ_BANCOS.ZG
TROJ_BANCOS.ZI
TROJ_INSERVI.A
TROJ_LEMIR.DM
TROJ_LEMIR.DR
TROJ_LEMIR.HW
TROJ_LEMIR.JL
TROJ_LEMIR.JN
TROJ_LEMIR.QW
TROJ_MSNFLOOD.B
TROJ_NETSNAKE.B
TROJ_QQSHOU.G
WORM_SDBOT.AES
WORM_SDBOT.CAL
WORM_SPYBOT.JO
WORM_SPYBOT.JP





-------------------
Virus Name Changed:
-------------------
Old Virus Name New Virus Name
-------------- --------------


-------------------------
Virus Signature Modified:
-------------------------

BKDR_AXN.A
BKDR_BANCODOR.K
BKDR_BEASTDR.AA
BKDR_BLASTIT.C
BKDR_SMALL.D
TROJ_ADCLICKER.A
TROJ_BANBRA.Q
TROJ_DELF.AF
TROJ_DELF.AR
TROJ_DELF.C
TROJ_DELF.DK
TROJ_LEMIR.BR
TROJ_LEMIR.CD
TROJ_LEMIR.CJ
WORM_RBOT.ACX



------------------------
Virus Signature Dropped:
------------------------
TROJ_FUNWEB.A


The last part said it cleaned all of them out, but I wasn't so sure so I ran Sysclean again. At the end of it it said 0 viruses. I'm still not so sure. When I restarted my comp and connected to the internet, IE did the same thing it had been doing....connecting to sites all by itself. It also left those blue application boxes behind again. Here is the list of websites:

http://216.117.190.175/momsex.html

http://home.no/sopo/loud.html

http://home.no/sopo/pussy.html


IE is still running slowly. I ran Spyware Doctor, Ad-Aware 6.0, AVG Anti Virus, and Hijack This. Here is the current Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 12:37:33 AM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spoolcsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\syswin32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svcload.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
c:\gmsex.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101714994263
O17 - HKLM\System\CCS\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13


I have no idea what any of this means. I am so frustrated and tired and angry with all of this. What else can I do? Besides throwing this thing into an old well??

Any help will be most appreciated.

Thank You,
Meredith
(mereannjen@yahoo.com)
dlh6213

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #4  
Dec 2nd, 2004
You should probably boot into Safe Mode for this. Scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe

After you've done that, go to C:\WINDOWS and delete:
GWMDMpi.exe

Then go to C:\WINDOWS\System32 and delete:
spoolcsv.exe
winxp2.exe
syswin32.exe
svcload.exe
NOTEPAD.EXE
winupd.exe

On the C drive, find this and delete it as well:
c:\gmsex.exe

Reboot normally, make sure all browser windows are closed, scan with HJT and post a new log.
Links to help you help yourself:

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
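As an added example (not code from this thread or from HijackThis), a small Python triage script that applies to O4 lines the same clues dlh6213 used when picking entries to fix: a bare file name instead of a full path, an "update"-style lure name, use of the Win9x-only RunServices key, and the same image planted in several keys. The sample log lines are constructed from the logs posted above; the weights and threshold are my own assumptions.

```python
"""Triage the O4 (autorun) lines of a HijackThis v1.98 log.

Added example for this thread, not HijackThis code. Each autorun image is
scored on the clues the helpers used when choosing entries to fix: a bare
file name instead of a full path, an "update"-style lure name, use of the
Win9x-only RunServices key, and the same image planted in several keys.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the O4 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Registry autoruns: "O4 - HKLM\..\Run: [name] command"; folder autoruns differ.
REG_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
STARTUP_O4 = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
# Names that imitate Windows Update / Microsoft, as in the logs above.
LURE = re.compile(r"win\s*upd|windows\s*update|microsoft", re.IGNORECASE)
# Weights and the threshold below are assumptions chosen for this example.
WEIGHTS = {
    "bare": 1,         # no directory: resolved through the search path
    "lure": 2,         # update-style name on a bare image
    "runservices": 1,  # key honoured only by Windows 9x/ME, not by XP
    "spread": 1,       # same image planted in three or more autorun keys
}


def image_of(command: str) -> str:
    """Return the executable of an autorun command, without its arguments."""
    command = command.strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def triage(log_text: str) -> dict:
    """Score every autorun image; returns {image_lower: {score, reasons, keys}}."""
    entries = defaultdict(lambda: {"score": 0, "reasons": set(), "keys": []})
    for line in log_text.splitlines():
        m = REG_O4.match(line)
        if m:
            hive, key, name, command = m.groups()
            image = image_of(command)
            rec = entries[image.lower()]
            rec["keys"].append(hive + "\\" + key)
            bare = "\\" not in image
            if bare:
                rec["reasons"].add("bare")
            if bare and LURE.search(name):
                rec["reasons"].add("lure")
            if key.lower().startswith("runservices"):
                rec["reasons"].add("runservices")
            continue
        m = STARTUP_O4.match(line)
        if m:
            entries[image_of(m.group(2)).lower()]["keys"].append("Global Startup")
    for rec in entries.values():
        if len(rec["keys"]) >= 3:
            rec["reasons"].add("spread")
        rec["score"] = sum(WEIGHTS[r] for r in rec["reasons"])
    return dict(entries)


def flagged(log_text: str, threshold: int = 2) -> list:
    """Images scoring at or above the threshold, sorted for stable output."""
    return sorted(img for img, rec in triage(log_text).items()
                  if rec["score"] >= threshold)


if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"])
    for image, rec in ranked:
        print(f"{rec['score']}  {image}  {sorted(rec['reasons'])}  {rec['keys']}")
    print("review:", flagged(SAMPLE_LOG))
```

On the constructed sample the three loaders the thread's helpers removed (spoolcsv.exe, winupd.exe, syswin32.exe) score 3 or more, while the Gateway modem entry GWMDMMSG.exe, which is also a bare name, scores only 1 and stays below the threshold; the score is a review queue, not a verdict.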
hexonflux

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #5  
Dec 2nd, 2004
You can use FireWire, and delete all IExplorer files and registry keys, then download IExplorer over the FireWire connection between the 2 PCs. Or you can reformat. But no one wants that.
*I PREFER WINDOWS 2000*
Mereannjen

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #6  
Dec 2nd, 2004
Ok, here is my latest Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 6:17:02 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\syswin32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB


Things seem to be moving a lot better now, but a lot of webpages I go to load, but at the bottom on the bar it says "Done, but with errors on page." Some of the pictures on these pages don't show up. Their boxes have those little colored boxes in them.

And as I am writing this, Spybot S & D popped up a message saying this:

Spybot S&D

Category System Startup global entry
Change Value Added
Entry Windows Update
New Data slmss.exe

I went ahead and clicked "deny changes" because I didn't know what it was. If I should accept this please let me know.

I am going to run all of my spyware and virus scanning things and see if anything else pops up and I'll post my results in a bit.

Is there anything else I should delete or change? It still doesn't seem quite right.

Thanks for all your help!!

Meredith
(mereannjen@yahoo.com)
DMR

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #7  
Dec 2nd, 2004
You still have virus/trojan/etc. infections. Also- from some reports I've read, the NoAds program you installed seems to be questionable. It appears that it may have some "hidden nasties" of its own; personally, I would uninstall it.

1. Have HijackThis fix the following:

O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com


2. Turn off XP's System Restore function; instructions are here.

3. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Find and delete the following files:

spoolcsv.exe
syswin32.exe

- Delete the entire C:\Program Files\NoAds folder.

- Delete the entire content of your C:\Windows\Temp folder.

Note: If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.
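The judgement DMR applies above (tick the O4 autostarts whose program is a bare filename with an official-sounding name, and the Trusted Zone hosts the user never meant to add) can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis. The sample lines are copied from the logs posted in the thread; the trusted-host allowlist, the scoring weights and the list of "official-sounding" words are assumptions chosen for illustration, so a real run still needs a human to look at the "review" bucket (a bare filename on its own, such as the Gateway modem entry, is a signal, not proof).

```python
"""
Triage of HijackThis O4 (autostart) and O15 (Trusted Zone) lines.
Added example, not from the DaniWeb thread or from HijackThis itself.
Sample lines are copied from the logs in the thread; TRUSTED_OK, DISGUISE
and the scoring weights are assumptions for illustration.
"""
import re

# O4 lines look like:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")

# Hosts the user added to the Trusted Zone on purpose (assumption).
TRUSTED_OK = {"www.daniweb.com", "www.spywareinfo.com", "securityresponse.symantec.com",
              "*.tomcoyote.org", "www.trendmicro.com"}

# Words malware puts in the autostart name to look like a Windows component (assumption).
DISGUISE = ("windows update", "winupdate", "microsoft", "win32s", "usb driver")

# Constructed sample: lines copied from the logs posted in the thread.
SAMPLE = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
"""


def executable(cmd):
    """The program an O4 command line starts: quoted path, unquoted .exe path, or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.I)   # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split()[0]


def parse_o4(line):
    """Dict with hive/key/name/cmd/exe for a registry O4 line, None for anything else."""
    m = O4_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable(entry["cmd"])
    return entry


def o4_score(entry):
    """Suspicion score for one autostart entry plus the reasons behind each point."""
    score, reasons = 0, []
    exe, name = entry["exe"], entry["name"].lower()
    bare = "\\" not in exe and not exe.startswith("%")   # no directory: found via PATH/System32
    if bare:
        score += 1
        reasons.append("bare filename, no install directory")
    if entry["key"].lower() == "runservices":
        score += 1
        reasons.append("RunServices is a Windows 9x key; legitimate XP software does not use it")
    if bare and any(w in name for w in DISGUISE):
        score += 2
        reasons.append("official-sounding name on a path-less executable")
    return score, reasons


def triage(log_text):
    """Return (fix, review): lines to tick in HijackThis, and lines to look at by hand."""
    fix, review = [], []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            score, reasons = o4_score(entry)
            if score >= 2:
                fix.append((line, reasons))
            elif score == 1:
                review.append((line, reasons))
            continue
        m = O15_RE.match(line)
        if m:
            host = m.group("url").split("//", 1)[1].rstrip("/")
            if host not in TRUSTED_OK:
                fix.append((line, ["Trusted Zone host not on the allowlist"]))
    return fix, review


if __name__ == "__main__":
    fix, review = triage(SAMPLE)
    print("Have HijackThis fix the following:")
    for line, reasons in fix:
        print(line, "  #", "; ".join(reasons))
    print("\nLook at by hand:")
    for line, reasons in review:
        print(line, "  #", "; ".join(reasons))
```

Run against the sample, the "fix" list is exactly the seven-minus-NoAds set DMR posted: the three syswin32.exe entries, spoolcsv.exe, and the two Trusted Zone hosts. NoAds scores zero because it has a proper install path; DMR flagged it on reputation, which no log-only rule captures, and that is the part of the job that stays manual.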
Sphyenx

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #8  
Dec 2nd, 2004
lol, be cool like me and test your AV, lol. I unleashed 89 viruses on my network, and I got them all. It was fun too, because people complain about Norton, when Norton and PC-cillin are like the best.
Mereannjen

Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #9  
Dec 3rd, 2004
Ok, I uninstalled No-Ads and deleted everything having to do with it that was left over. I also did everything you suggested.

While trying to post this, I kept getting that dreaded error message, "Page cannot be displayed and temporarily unavailable" crap all over again when I hit reply. I've spent the last 6 hours trying to reply to your last instructions. No pics are showing up on this page at all. No smileys, no font, size or color box...nothing and I have that error on page message too. I hit refresh over 50 times and finally got some of this page to display properly.

When I start my comp up and Windows comes up, I am now getting an error message saying it can't find Spoolsv.exe. I know you had me delete this. Is it something important? Should I have not deleted it?

I am still getting 5 DSO Exploits everytime I run Spyware Doctor. What are these? I delete them, but they come back everytime. Also, it detects an IE Browser Plugin everytime. It says it's a Medium Security risk, but I go ahead and let it delete it. Yet it comes back everytime, too.

I am still getting those yellow triangles with the exclamation in them saying "Error on page" down where the bar says "Opening" and the web sites address. I came in here, and all of the pictures that would normally show, before I had these problems, had the box with the red X in them. I right clicked on them and chose "show picture" and the red X changed to the box with the colored square, circle and triangle thing. Not sure about this. That's never happened until I started having these problems.

Anyway, before I post my current Hijack This log, I wanted to ask some questions:

1) Is the Free Edition AVG Anti Virus a good program to use? I cannot afford to buy an anti virus program, so if you know of a free one that's really good, please let me know.

2) Should I install Windows SP2? I have heard many bad things about it.

3) Are there any other spyware/adware programs I can download for free besides Spybot S&D? I don't really care for this program. Everything I seem to do, I get an alarm from it asking me if I want to allow or deny some change it detected, and since I have no idea what some of these changes are, it was too confusing for me.

Ok, I think that's it for now. Here is the current Hijack This Log:

Logfile of HijackThis v1.98.2
Scan saved at 10:48:33 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB

If I think of anything else, I'll let you know. Thanks for the help so far. My browser is moving a bit quicker for this site, but I haven't checked out any others yet.

If you can think of anything else after analyzing the latest Hijack This Log, let me know. I'm almost game for anything..LOL.

Cheers,
Meredith
(mereannjen@yahoo.com)
DaveSW
Re: May have Virus/Spyware/Aliens? or IE Hijacked

  #10  
Dec 3rd, 2004
um... dmr said to delete spoolcsv.exe, not spoolsv.exe... Look in your recycle bin to see if it's still there. If spoolsv.exe is in your recycle bin then restore it.

DSO exploits can be ignored - it's a bug in spybot. there is a fix you can download but it's not worth it.

1) AVG is good
2) umm... I have it installed, but there isn't really a consensus of opinion on whether to go for it or not. In any case you need to get your spyware cleaned up first. I'm not sure why it's come back this time.
3)Ad-Aware from www.lavasoft.de is good. Normally I use it with Spybot though.

Let's try this:

alt + ctrl + del
end the following processes:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe

Then tick the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe

O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB

Basically we need to remove any instances of the following files:
winupd.exe, winxp2.exe, syswin32.exe, spoolcsv.exe and svcload.exe. So if you see them anywhere else in your log, tick them.

Then finally choose 'fix checked'.

Next reboot into safe mode by repeatedly pressing f8 during startup. It will give you a boot menu, so press safe mode when it appears.

to quote dmr
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

Delete the following:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
C:\WINDOWS\System32\spoolcsv.exe

Go to start -> find -> files or folders and search for all those files again. You may find them in the prefetch folder, so delete them if they occur in there. You may also have to go under the advanced options tag and tell it to search system files etc.

Finally be careful that they are spelt right!
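DaveSW's steps (end the processes, delete the files from System32 and wherever else they turn up, including Prefetch, and spell the names right) can be planned from the log itself, and the spoolsv.exe vs. spoolcsv.exe mix-up earlier in the thread is exactly the kind of slip a script should refuse to make. This is an added example, not code from the thread or from HijackThis. The "Running processes" lines are copied from the log in post #9; the set of protected Windows binaries, the malicious names and the two-edit look-alike threshold are assumptions for illustration.

```python
"""
Clean-up planner for a HijackThis log: processes to end, files to delete
(System32 copy plus the Prefetch trace), and a guard that refuses genuine
Windows binaries and warns on one-letter look-alike names.
Added example, not from the DaniWeb thread or from HijackThis.
PROTECTED, MALICIOUS and the edit-distance threshold are assumptions.
"""
import ntpath

MALICIOUS = {"winupd.exe", "winxp2.exe", "syswin32.exe", "spoolcsv.exe", "svcload.exe"}

# Genuine XP binaries these names imitate; deleting one breaks Windows
# (spoolsv.exe is the print spooler, which is what the "can't find" error was about).
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
             "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}

SYSTEM32 = r"C:\WINDOWS\System32"
PREFETCH = r"C:\WINDOWS\Prefetch"

# Constructed sample: process lines copied from the log in post #9.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
"""


def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            inside = True
            continue
        if inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def edit_distance(a, b):
    """Levenshtein distance; spoolcsv.exe is one edit from spoolsv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name):
    """('protected', name) for a real Windows binary, ('lookalike', nearest) within two edits, else ('ok', None)."""
    n = name.lower()
    if n in PROTECTED:
        return "protected", n
    for p in sorted(PROTECTED):
        if edit_distance(n, p) <= 2:
            return "lookalike", p
    return "ok", None


def plan(log_text, malicious=MALICIOUS):
    """Return (kill, delete, notes): processes to end, paths to delete, and warnings/refusals."""
    kill = [p for p in running_processes(log_text)
            if ntpath.basename(p).lower() in malicious]
    delete, notes = [], []
    for name in sorted(malicious):
        status, near = check_name(name)
        if status == "protected":
            notes.append((name, "refused: genuine Windows binary"))
            continue
        if status == "lookalike":
            notes.append((name, f"one or two edits from {near}; check the spelling before deleting"))
        delete.append(ntpath.join(SYSTEM32, name))
        # XP names Prefetch traces NAME.EXE-<hash>.pf; the hash is unknown, so use a pattern.
        delete.append(ntpath.join(PREFETCH, name.upper() + "-*.pf"))
    return kill, delete, notes


if __name__ == "__main__":
    kill, delete, notes = plan(SAMPLE)
    print("End these processes first:", *kill, sep="\n  ")
    print("Then delete (safe mode):", *delete, sep="\n  ")
    for name, why in notes:
        print("NOTE", name, "-", why)
```

Passing spoolsv.exe in by mistake, as happened in the thread, puts it in the notes as refused instead of on the delete list; spoolcsv.exe is still deleted but carries a warning naming the binary it imitates, which is the check to make before pressing Delete.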
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC