Piatan
Trusted Malware Techs
Content Count: 187

Everything posted by Piatan

  1. Hi rsxownes
You are probably wondering why you have not received a reply to your request for assistance. It is because of the way the board works. Unfortunately your post had to be moved from one part of the site to another, one forum to another. That looks like your post has received a reply from a helper. Then, you posted again, that looks like two replies, so helpers do not respond when they believe another helper has already responded. Sorry, there's nothing to be done, that's just the way it works.
Your Hijack This log looks to be relatively clean, but I'd like you to run a series of online scanners and a Program or two, to be sure nothing is hiding and not being revealed by Hijack This.
Please use the following links to run one, or more of these online Virus Scanners and let them fix whatever they find. If you are using any of the browsers listed just below, the following online Virus scanning site is compatible.
http://be.trendmicro-europe.com/consumer/h...call_launch.php
If you are using any of these browsers: Microsoft Internet Explorer, Netscape (6+), Mozilla (1+), Firefox (all), Opera (7.5+)
Internet Explorer users can also use the following links. When using Trend Micro, be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself. Bitdefender and let it delete everything it finds.
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note anything that can't be fixed. Reboot when done.
And here are links to two online Trojan Scanners. Let's run one, or both of these too.
http://scan.sygatetech.com/pretrojanscan.html
And here: http://www.windowsecurity.com/trojanscan/
If you are unable to get or use either of the online Trojan Scanners above, go here http://www.trojanhunter.com/ and download and run the free trial of Trojan Hunter.
Then, please download and install Ad-Aware SE and Spybot S&D according to the following instructions. If you already have these programs, please make sure they are the latest version and have been updated today. Then run full system scans as described below.
Install and how to use the NEW Ad-aware SE: http://www.bleepingcomputer.com/forums/ind...showtutorial=48
Reboot after using Ad-Aware SE.
Download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.
Would you please download the Spybot S&D program from here Spybot S&D and install it. Select Search for updates. Then select all available updates that are displayed in the white box. Select a download mirror nearest your location. Then select Download updates. Shut down and restart Spybot. Select the Search and destroy icon and click on Check for Problems. Delete/fix anything that spybot lists in RED. Then, please REBOOT, to allow Spybot to finish working.
Please download CCleaner from here to clean temp files from your computer. Double click on the file to start the installation of the program. Select your language and click OK, then next. Read the license agreement and click I Agree. Click next to use the default install location. Click Install then finish to complete installation. Double click the CCleaner shortcut on the desktop to start the program. Click Run Cleaner to run the program. Caution: It is not recommended to use the 'Issues' tab as it is known to find legitimate items. After it has completed its process, click Exit.
Then in Internet Explorer click Tools>Internet Options>General. Click on Delete Files; make sure you get all offline content as well.
Then please run Hijack This, copy the log and post it here, in this topic. Please use the New Reply feature, so I will be notified. Please do not change anything in the fresh log.
We need to see the entire log, without revisions.
  2. Hello djcheng
Congratulations, your Hijack This log is clean. Good job sticking with it under adverse conditions and I know it wasn't easy for you. So many users do not stay the course.
One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (winXP)
    1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
    2. Reboot.
    3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150 -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
And also see TonyKlein's good advice: So how did I get infected in the first place?
  3. Hi djcheng
Please read this entire post before proceeding.
In Hijackthis, click "Config", then click on "Misc Tools". Once at the new screen, click the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste the full path of the file, C:\windows\system32\qMOOSE.exe into the file name field and press the 'open' button. You'll be notified that the file in question will be deleted on reboot; when asked whether you want to restart your computer, click OK. After a reboot the file should be gone.
Then, run Hijack This again. Have Hijack This fix all of the following by placing a check in the boxes beside each of the following entries. Make sure all browsers and all windows are closed.
O4 - HKLM\..\Run: [qMOOSE.exe] C:\windows\system32\qMOOSE.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/1297f459/enter.cab
Click on Fix Checked and exit HijackThis.
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\windows\system32\qMOOSE.exe (If it is there)
Reboot and run ccleaner. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".
Reboot and post a fresh Hijack This log in this thread, using the New Reply feature, so I will be notified.
  4. Hi djcheng
We both owe a great deal to Bobbi Flekman, who provided the greatest portion of the work done here.
Please print out these instructions so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.
Please run Hijack This again and place check marks next to the following entries. Close all programs and windows, leaving only HijackThis running. Place a check against the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [qMOOSE.exe] C:\windows\system32\qMOOSE.exe
Click on Fix Checked and exit HijackThis.
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\windows\system32\qMOOSE.exe
The following DIRECTORY CONTENTS (But not the directory) need to be deleted while still in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
Two alternatives to the above: Reboot and Download http://www.ccleaner.com/ccdownload.php, install and run it to delete any files from "temp", "tmp" folders. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
As an alternative to the above, please download and use CleanUp, free: http://cleanup.stevengould.org/
Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread, using the New Reply feature, so I will be notified.
  5. Hi djcheng
Well, like I said, this will take at least two posts. As you have found, it may take me a while to get back to you and is unavoidable. Thank you for being patient.
Please read this entire post before proceeding.
HijackThis is current, but running from the Desktop. Please move Hijack This into a folder of its own. Click My Computer, then C:\ In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it. Failure to do so may mean backups, if needed, will not be available.
----------------------------------------------------------------------
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
-----------------------------------------------------------------------
Then, close all programs and windows and with only HijackThis running, place a check against the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
The following are optional fixes: If you do not know what this is, it can be fixed with Hijack This. (ipu.dll can be searched for using Google, to verify)
O2 - BHO: (no name) - {D05FE530-7985-2305-82E7-70A2A8863AC8} - C:\WINDOWS\System32\ipu.dll
Click on Fix Checked and exit HijackThis.
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\WINDOWS\System32\SearchBar.htm
Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread, using the New Reply feature, so I will be notified. Note: do not attempt to "Fix" anything, as we need to see the entire log. Also if you have any Startup items disabled in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.
  6. Hi djcheng
This is the first of at least two parts to this procedure. If you have any problems or questions, please do not hesitate to include them with each post. It would be a good idea to post a Hijack This log, along with the output of the following, with each post.
Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.
CODE
    REM Export the two Run keys that HijackThis reports as O4 entries
    regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    REM Join both exports into one file and remove the originals
    copy HKLMRun.txt + HKCURun.txt = Output.txt
    del /q HKLMRun.txt
    del /q HKCURun.txt
    REM Show the result in Notepad; the file is removed once Notepad is closed
    notepad Output.txt
    del /q Output.txt
Locate Export.bat on your Desktop and double-click on it. This will open Notepad with some text in it. Post that.
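The Output.txt that Export.bat opens is a plain regedit /e export of the two Run keys. The following is an added example, not code from Piatan or from this forum, showing how such an export can be parsed and given a first pass of triage offline. The sample export is constructed here (its value names and paths are the ones quoted in this thread's HijackThis entries, not a real capture), and the flagging heuristics in flag_reasons are the example's own, not rules stated in the thread.

```python
import re

# Constructed sample of the Output.txt that Export.bat opens (regedit /e format).
# The value names and program paths are the ones quoted in this thread's HijackThis
# entries; the file itself is illustrative, not an export from the poster's machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"6kBecnBt"="C:\\WINDOWS\\lhcsvek.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
DEFAULT_RE = re.compile(r'^@=(.*)$')                    # @=data (the key's default value)


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return [(key, value_name, data)] for every value in a regedit /e export.

    String data is unescaped; dword:/hex: data is returned as the raw text.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4')):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = _unescape(m.group(1)), m.group(2)
        else:
            m = DEFAULT_RE.match(line)
            if not m:
                continue        # continuation of a multi-line hex value, or junk
            name, data = '(Default)', m.group(1)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def program_path(command):
    """Pull the executable path out of a Run value's command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r'\.exe', command, re.IGNORECASE)
    return command[:m.end()] if m else command


def flag_reasons(name, command):
    """Crude triage heuristics that belong to this example only (the thread states
    no such rules): a program launched straight from the Windows folder rather
    than a subfolder, a program under a temporary folder, or a random-looking
    value name that mixes digits with upper- and lower-case letters."""
    path = program_path(command).lower()
    parent = path.rsplit('\\', 1)[0] + '\\'
    reasons = []
    if parent.endswith(':\\windows\\'):
        reasons.append('runs directly from the Windows folder')
    if '\\temp\\' in path or '\\temporary internet files\\' in path:
        reasons.append('runs from a temporary folder')
    if (re.fullmatch(r'[A-Za-z0-9]{6,12}', name) and re.search(r'\d', name)
            and re.search(r'[a-z]', name) and re.search(r'[A-Z]', name)):
        reasons.append('random-looking value name')
    return reasons


def triage(text):
    """Map each flagged Run value name to (key, command line, reasons)."""
    flagged = {}
    for key, name, data in parse_reg_export(text):
        reasons = flag_reasons(name, data)
        if reasons:
            flagged[name] = (key, data, reasons)
    return flagged


if __name__ == '__main__':
    for name, (key, data, reasons) in triage(SAMPLE_EXPORT).items():
        print(f'{key}\n  [{name}] {data}\n  -> ' + '; '.join(reasons))
```

On the constructed sample only the lhcsvek.exe value is flagged; the Real Player updater, the ISTsvc entry and ctfmon.exe pass the heuristics, which is the point: a script like this narrows the list for a human, it does not replace the log review the helper asks for.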
  7. Hi djcheng Sorry to have been so long getting back to you. It seems those two entries are a new variant and will require special handling. I have asked someone who has a handle on this variant to help us with it and a solution is in the works. Thank you for being patient.
  8. Hi djcheng
Seems to be persistent, doesn't it. Let's see if this does the trick. Please do the following and if you have any problem following these directions, please advise of the difficulty in your next post.
Please read this entire post before proceeding.
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". During this entire process we will be in Safe Mode. Also, be sure to close all other windows and browsers.
To disable services in Windows XP: Start>Run, type "services.msc" (no quotes) in the Run box. Then look for "ISTsvc" (no quotes) and DISABLE it. Then use ctrl/alt/delete to go to Task Manager and End Process on "ISTsvc". Then go to Add/Remove Programs in your Control Panel and REMOVE "ISTsvc", or it may be listed as "IST".
Then, "DELETE" the following Files/Folders in DARK, still in Safe Mode.
C:\Program Files\ISTsvc
C:\WINDOWS\lhcsvek.exe
Then, while still in Safe Mode run Hijack This and place checks beside:
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
Then, with all other windows and browsers still closed and still in Safe Mode, click on "Fix Checked". Then, Reboot into Normal Mode. Run Hijack This, copy the log and post it here in this string, using the New Reply feature, so I will be notified.
  9. Hi djcheng
Well as I suspected, those entries are going to be a problem. Those two (ISTsvc and lhcsvek.exe) and the O4 entries are interconnected and until they are dealt with the problem will continue. We may struggle a bit until a solution is found, so bear with me please.
Please use the following link and follow the instructions given to download and use the removal tool. Be sure to read the entire page before proceeding. If you have any doubts do not continue.
http://sarc.com/avcenter/venc/data/adware.istbar.html
Then, run Hijack This and post a fresh log here.
  10. Hi djcheng
Please read this entire post before proceeding. Also, please download any programs you will need, at this time, before they are needed. If you have any problems completing any of the suggestions, please advise in your reply.
Please print out these instructions so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.
Please use ctrl/alt/delete to go to Task Manager and highlight the following, then click on END PROCESS.
IESearchToolbar
ISTsvc
Then go to Start>Settings>Control Panel>Add/Remove Programs and Uninstall/Remove the following.
IESearchToolbar
ISTsvc
Please run Hijack This again and place check marks next to the following entries.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
O4 - HKLM\..\Run: [6kBecnBt] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
The following entries are optional, but recommended for removal.
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit.
Close all other windows and browsers, then click on "Fix Checked".
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\Program Files\IESearchToolbar
C:\Program Files\ISTsvc
C:\Program Files\BroadJump (See optional fixes)
C:\WINDOWS\lhcsvek.exe
The following DIRECTORY CONTENTS (But not the directory) need to be deleted while still in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
Two alternatives to the above: Reboot and Download http://www.ccleaner.com/ccdownload.php, install and run it to delete any files from "temp", "tmp" folders. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
As an alternative to the above, please download and use CleanUp, free: http://cleanup.stevengould.org/
Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread, using the New Reply feature, so I will be notified. Note: do not attempt to "Fix" anything, as we need to see the entire log. Also if you have any Startup items disabled in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.
Please note if you are using AVG6. It will no longer be supported after Dec. 2004 and will not be updated. Use the link below to Download the new AVG7. Here is a link for a free AVG ANTI-VIRUS: http://free.grisoft.com/freeweb.php/doc/1/lng/us/tpl/v5
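Across posts 3, 5, 8 and 10 the helper singles out a few kinds of HijackThis line: a missing default URLSearchHook (R3), a BHO with no name (O2), O4 Run entries whose value name is garbage bytes, an O16 ActiveX download from a site the user never chose, and an O23 service whose binary is missing. The following is an added example, not code from Piatan or from this forum, that parses those line types and reports the ones matching those signals. The sample log is constructed from the lines quoted in this thread and is not a complete log from any machine; the section grammar in the regular expressions is the example's own reading of the quoted lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample: these lines are the ones quoted in posts 3, 5, 8 and 10 of this
# thread, gathered into one text; they are not a complete log from any one machine.
SAMPLE_LOG = r'''
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D05FE530-7985-2305-82E7-70A2A8863AC8} - C:\WINDOWS\System32\ipu.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [6kBecnBt] C:\WINDOWS\lhcsvek.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lhcsvek.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/1297f459/enter.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
'''

# Line grammar for the sections this example understands. The O4 name group is greedy
# so that a malformed name containing ']' (as in the ISTsvc entries) is still captured
# whole, with the command line taken after the last "] ".
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>.*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>.*)\) - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<company>.+?) - (?P<path>.+)$')


def has_odd_chars(s):
    """True if the text contains control or non-ASCII characters."""
    return any(ord(c) < 32 or ord(c) > 126 for c in s)


def triage_hjt_log(text):
    """Return [(section, subject, reason)] for lines worth a second look.

    Only the signals the helper points at in this thread are implemented;
    every other line is left alone for the human reviewer.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(' ', 1)[0]
        if section == 'R3' and 'URLSearchHook is missing' in line:
            findings.append(('R3', 'URLSearchHook', 'default search hook has been removed'))
        elif section == 'O2':
            m = O2_RE.match(line)
            if m and m.group('desc') == '(no name)':
                findings.append(('O2', m.group('path'), 'browser helper object with no name'))
        elif section == 'O4':
            m = O4_RE.match(line)
            if m and has_odd_chars(m.group('name')):
                findings.append(('O4', m.group('cmd'), 'malformed value name (non-ASCII bytes)'))
        elif section == 'O16':
            m = O16_RE.match(line)
            if m:
                host = urlparse(m.group('url')).hostname or m.group('url')
                findings.append(('O16', host, 'ActiveX control downloaded from this host'))
        elif section == 'O23':
            m = O23_RE.match(line)
            if m and m.group('path').endswith('(file missing)'):
                findings.append(('O23', m.group('svc'), 'service points at a file that no longer exists'))
    return findings


if __name__ == '__main__':
    for section, subject, reason in triage_hjt_log(SAMPLE_LOG):
        print(f'{section:4} {subject}\n     {reason}')
```

The O4 rule deliberately does not flag "6kBecnBt" or "TkBellExe": the name test here is about the unprintable bytes in the ISTsvc entries, which is why those lines had to be handled in Safe Mode with everything else closed. An O16 finding is reported by host rather than judged, since the same section also lists legitimate ActiveX installs.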
  11. Hi djcheng
For starters, you have a Cool Web Search infection. Please do the following.
Download the stand-alone version of CWShredder 2.12 http://cwshredder.net/bin/CWShredder.exe Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop. Click Fix and then Next, let it fix everything it asks about. Then please Reboot and reconnect to the internet.
Please use the following links to run the two online Virus Scanners and let them fix whatever they find.
Panda http://www.pandasoftware.com/activescan/co...n_principal.htm
Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp
And here are links to two online Trojan Scanners. Run one and let it fix what it finds.
http://scan.sygatetech.com/pretrojanscan.html
Or here: http://www.windowsecurity.com/trojanscan/
Download the new Ad-Aware SE and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150 -reboot after using Ad-Aware SE.
Download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.
Would you please download the Spybot S&D program from here Spybot S&D 1.3 and install it. Select Search for updates. Then select all available updates that are displayed in the white box. Select a download mirror nearest your location. Then select Download updates. Shut down and restart Spybot. Select the Search and destroy icon and click on Check for Problems. Delete/fix anything that spybot lists in RED. Then, please REBOOT, to allow Spybot to finish working.
Then please run Hijack This, copy the log and post it here, in this string, using the New Reply feature, so I will be notified.
  12. This would be a duplicate. The issue has been resolved. Help was given here: http://pcpitstop.ibforums.com/index.php?showtopic=77712
  13. Hello nadnerb
My error. Looks like I tried to update you to Windows XP with those instructions. Isn't quite that easy, is it? You did fine anyway, despite the confusing instructions.
Yes, you can delete any Temporary Internet files.
Outlook Tools by Hotbar
Webtools by Hotbar
Those can both be Uninstalled/Removed from Add/Remove Programs.
Your Hijack This log is clean. Congratulations on a fine job.
This is the New Ad-Aware SE (free) and instructions on configuring for a full scan. Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150 -reboot after using Ad-Aware SE. Also while there get the VX2 plugin. Used weekly Ad-Aware SE will go far to keep your system clean.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
And also see TonyKlein's good advice: So how did I get infected in the first place?
  14. Hello nadnerb
Thank you for the fine, detailed report. It is very odd that WinTools was not found. As you can see, it is not in your current HJT log, so I would suggest that in a few days you run Hijack This on your own and look for any mention of WinTools. If found, go through the same procedure as outlined and do away with it. If you are not comfortable doing that, then feel free to post a fresh HJT log here and I or someone will assist you with the procedure.
Look up KDX in Google (It is safe) and you can determine if you wish to keep it. In addition to finding it in Task Manager, there should also be a listing in Add/Remove Programs, as well as in your HJT log, all which can be Uninstalled/Removed/fixed, if you wish. I'm sure it is a useful Program you downloaded and do not recall.
First, please let's clean up your Hijack This log further below and then you can consider doing those things just below.
About your PC being slow. All the following should be of some help with that. Have a look in Task Manager and see if any Program is running unnecessarily, or is using an excessive amount of system resources. Please do nothing that you are not positive about. If in doubt, ask and someone here will be glad to assist you.
This download just below is said to help with similar problems. http://vil.nai.com/vil/stinger/
Here are a couple of online Virus Scanners. Run both and let them fix anything they find.
Panda http://www.pandasoftware.com/activescan/co...n_principal.htm
Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp
I might also suggest to run CHKDSK. If you are not familiar with it: Double click "My Computer". Right click the desired drive (usually C). Click on Properties> Tools> Error Checking> Check Now. The ChkDsk will ask to run on the next startup. This will take some time, so be sure you have time to spare. This should be done just before doing a Defrag.
Then you could check if your machine thinks it is time to do a Defrag. If a Defrag has not been done in some time, it could take several hours. Start> Programs> Accessories> System Tools> Disk Defragmenter.
And finally, but not before your machine has been running exceptionally well and all problems are WELL past, you could turn off System Restore, then turn it back on and set a new RESTORE POINT. Never set a restore point on a poorly operating system, or on a system that has any Parasites, Viruses, etc.
And now to your Hijack This log. (This and those following are all Huntbar parasite variants and could easily be one source, or even all of your slowness problem) Note: All may not be listed.
Please go into Control Panel, Add/Remove Programs and Uninstall/Remove:
TBPS
Huntbar
WebSearch toolbar
HOTBAR
WEATHERONTRAY
Please run Hijack This again and place check marks next to the following entries. If you are using a blank home page, do not check this R1 entry to be fixed.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~2\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\HOTBAR\BIN\4.5.2.0\WEATHERONTRAY.EXE
Close all other windows and browsers, then click on "Fix Checked".
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\PROGRA~2\TOOLBAR
C:\PROGRAM FILES\HOTBAR
The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread, using the Add/Reply feature, so I will be notified. Note: do not attempt to "Fix" anything, as we need to see the entire log.
There are several recommendations I would like to make, that will help keep you safe on the internet, and others that will help clean your machine on a regular basis. I will do so in a reply to your next post.
  15. Hi nadnerb
Please print out these instructions so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.
Please use ctrl/alt/delete to go into Task Manager. Look for the following and HIGHLIGHT, then END PROCESS. Then exit Task Manager.
WINTOOLS, WTOOLSA, WTOOLSB, or any variant.
SHOPPERREPORTS, SMRTSHPR, Smart Shopper, or any variant.
Then, go into Control Panel, Add/Remove Programs and UNINSTALL/REMOVE these.
WINTOOLS, WTOOLSA, WTOOLSB, or any variant.
SHOPPERREPORTS, SMRTSHPR, Smart Shopper, or any variant.
Then, exit control panel.
Please run Hijack This again and place check marks next to the following entries.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.0.1\SMRTSHPR.DLL
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~2\COMMON~1\WINTOOLS\WTOOLSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23633d25ba9a11...ip/RdxIE601.cab
The following entries are optional, or known resource hogs. If you have noticed an overall slowdown in your computer, consider shutting down some of these. Please read the description following each and check mark for "fixing" (or follow instructions for disabling) according to your needs.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
For TkBellExe: This is unnecessary to run at Startup, but it will need to be turned off in the program as well as fixing it here, or it will simply put itself back here. By the way the Program is Real Player, but only TkBell is what we are concerned with. See the following url for more information on TkBell, to help you make an informed decision. http://www.mikescomputerinfo.com/TkBellExe.htm
Close all other windows and browsers, then click on "Fix Checked".
Please REBOOT into safe mode by tapping on F8 frequently, during Bootup. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
Delete the following File(s)/Folder(s) in DARK while in Safe Mode.
C:\PROGRA~2\COMMON~1\WINTOOLS
C:\PROGRAM FILES\SHOPPERREPORTS
Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread, using the Add/Reply feature, so I will be notified. Note: do not attempt to "Fix" anything, as we need to see the entire log. Also if you have any Startup items disabled in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.
  16. Hello nadnerb This is to let you know I will be having a look at your HJT log and will reply as soon as possible.
  17. Hi JhonnyO
      I'd like you to do a few things, before getting to your Hijack This log. You're using an old version of HijackThis. Download the latest version (1.98.2) from either Site 1 or Site 2. Then, delete the old version.
      Next, here are a couple of online Virus scanners. Run them and let them fix what they find.
      Panda http://www.pandasoftware.com/activescan/com/activescan_principal.htm
      Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp
      Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywareinfo.com/index.php?showtopic=11150 - reboot after using Ad-Aware SE. Also while there get the VX2 plugin.
      Then, please run Hijack This, copy the log and post it here, in this string, using New Reply, so I will be notified.
      Topic hasn't been replied to in a month. If you need it re-opened then PM a Mod or Admin. Thank You, Y kawika
  18. Hi steviec
      Lets get a couple of online Virus scans first. Run both and let them fix anything they find.
      Panda http://www.pandasoftware.com/activescan/co...n_principal.htm
      Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp
      Then, download the following and configure according to the instructions given.
      Scanning in Spybot Search and Destroy:
      1. Download and Install Spybot S&D, accepting the Default Settings
      2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
      3. Close ALL windows except Spybot S&D
      4. Click the button to ‘Search for Updates’ then download and install the Updates.
      5. Next click the button ‘Check for Problems’
      6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window
      7. Make certain there is a check mark beside all of the RED entries ONLY.
      8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
      9. REBOOT to complete the scan and clear memory.
      Scanning With Ad-Aware SE:
      1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
      2. Close ALL windows except Ad-Aware SE
      3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
      4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window
         1) In the ‘General’ window make sure the following are selected in green:
            *Automatically save log-file
            *Automatically quarantine objects prior to removal
            *Safe Mode (always request confirmation)
            Under Definitions:
            *Prompt to update outdated definitions - set the number of days
         2) Click on the ‘Scanning’ button on the left and select in green:
            Under Driver, Folders & Files:
            *Scan Within Archives
            Under Select drives & folders to scan -
            *choose all hard drives
            Under Memory & Registry: all green
            *Scan Active Processes
            *Scan Registry
            *Deep Scan Registry
            *Scan my IE favorites for banned URL’s
            *Scan my Hosts file
         3) Click on the ‘Advanced’ button on the left and select in green:
            Under Shell Integration:
            *Move deleted files to recycle bin
            Under Logfile Detail Level: (all green)
            *include additional object information
            *DESELECT - include negligible objects information
            *include environment information
            Under Alternate Data Streams:
            *Don't log streams smaller than 0 bytes
            *Don't log ADS with the following names: CA_INOCULATEIT
         4) Click the ‘Tweak’ button and select in green:
            Under the ‘Scanning Engine’:
            *Unload recognized processes during scanning
            *Scan registry for all users instead of current user only
            Under the ‘Cleaning Engine’:
            *Let Windows remove files in use at next reboot
            Under the Log Files:
            *Include basic Ad-aware SE settings in logfile
            *Include additional Ad-aware SE settings in logfile
            *Please do not check or make green: Include Module list in logfile
      5. Click on ‘Proceed’ to save the settings.
      6. Click ‘Start’
         *Choose: 'Perform Full System Scan'
         *DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
      7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
      8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
      9. Save the log file when it asks and then click ‘finish’
      10. REBOOT to complete the removal of what Ad-Aware SE found
      Finally after running both Spybot SD and Ad-Aware SE, RESCAN with HijackThis, copy and paste the log into Notepad and POST your logfile in the same thread using ‘Add Reply’. Do not attempt to fix anything in HijackThis yourself!
  19. Already replied to previous post.
  20. Hi scotchjock
      It appears that your Hijack This log is clean, so here are some thoughts about possible solutions to your difficulties.
      Looks like you are using a Proxy server. Though you just moved to Blue Yonder, I would check with them, to see if that might be a contributing factor.
      It has been suggested to check the properties on the following file.
      C:\WINDOWS\system32\crypserv.exe
      To check a file's properties, Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes, version number and often the maker. From this you can often determine if it is good.
      Also, the following could help.
      Please reboot into safe mode - How do I boot into "Safe" mode?
      You may need to show hidden files to delete the following File(s) and Folder(s). How to show all hidden and system files
      In Safe Mode go to C:\Windows\Temp folder. Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.
      Next, go to C:\Documents and Settings\Your username\Local Settings\Temp folder. Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder. Do that for all user identities on your PC.
      Finally, go to Control Panel>Internet Options.
      -On the General tab under: Temporary Internet Files, click: Delete Files and Delete Cookies
      -Place a check by: Delete Offline Content when the prompt appears, and click OK.
      -Next, on the Programs tab, press button for: Reset Web Settings
      Click Apply, then OK.
      Also, empty the Recycle Bin. Then reboot into Normal mode.
      You are using Norton Internet Security and maybe Norton's Firewall. They have something called Privacy Control, and you cannot access certain web pages when Privacy Control is active. Would check to see if Privacy Control is enabled. If it is, need to disable Browser Privacy for all web sites by opening Norton Internet Security or Norton Personal Firewall, double-clicking Privacy Control, clicking Custom Level, and in the Customize Privacy Settings window, uncheck Enable Browser Privacy. Then, click OK.
      Also, In IE, go to Tools> Internet Options>Security tab, select Restricted Sites and see if anything is listed there that could be associated with the problem.
      It has also been suggested that you try the Firefox browser and see if that is of any help. Link to download Firefox. http://www.mozilla.org/products/firefox/
      Good luck.
  21. Hi scotchjock Just wanted you to know that I'm working on a solution to your problem and will post as soon as possible. I have spoken with several of my associates and hope to find the solution.
  22. Hi scotchjock Okay, I'll need you to go into greater detail about the problems you are having, that remain unchanged. Please be as specific as possible.
  23. Hi scotchjock
      Sorry, I was busy elsewhere and didn't see your two short posts. Glad you got it worked out.
      It looks like we have one that is stubbornly hanging on, so let's give it a nudge.
      Please reboot into safe mode - How do I boot into "Safe" mode?
      You may need to show hidden files to delete the following File(s) and Folder(s). How to show all hidden and system files
      Hit ctl/alt/delete and go into task manager. Look for the following. Ascentive and possibly ActivePrivacy. Select them, then END PROCESS on them.
      Then go to Start>Control>Add/Remove Programs and Uninstall Ascentive and if there, ActivePrivacy.
      Delete the following File(s)/Folder(s) while in Safe Mode.
      C:\Program Files\Ascentive
      Please run Hijack This again (still in Safe Mode) and place check marks next to the following entries.
      O4 - HKCU\..\Run: [ActivePrivacy] C:\Program Files\Ascentive\ActivePrivacy\AP.exe -b
      Close all other windows and browsers, then click on "Fix Checked". Then please REBOOT.
      Then please copy a fresh Hijack This log and post it here.
  24. Hello scotchjock
      I'm assuming the reason you ask if you need to reinstall your Microsoft Updates, is because I had you delete some entries in your Hijack This log that were labeled "Microsoft Update Machine". If that is the reason you ask, then don't worry about it. Those were indications of an Internet Worm and have nothing to do with Microsoft Updates. The creators of the Worm hoped we would think that those were Microsoft files.
      Please log into your PC in an Account with Full Administrator Access, not simply a USERS ACCOUNT.
      This time, lets do the entire fix in Safe Mode.
      Please print out these instructions now, so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.
      Please reboot into safe mode - How do I boot into "Safe" mode?
      You may need to show hidden files to delete the following File(s) and Folder(s). How to show all hidden and system files
      Please do not leave Safe Mode until asked to do so.
      Go to Start>Control>Add/Remove Programs. Then, Uninstall/Remove (Ascentive).
      Then, Delete the following File(s)/Folder(s) while in Safe Mode.
      C:\Program Files\Ascentive
      Please run Hijack This again and place check marks next to the following entries. Remain in Safe Mode.
      O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
      O4 - HKCU\..\Run: [ActivePrivacy] C:\Program Files\Ascentive\ActivePrivacy\AP.exe -b
      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d20748d60324...ip/RdxIE601.cab
      Close all other windows and browsers and remaining in Safe Mode, then click on "Fix Checked".
      One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
      To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (winXP)
      1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
      2. Reboot. (This will take you into normal mode and that is all right)
      3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK
      Reboot into normal mode, enable hidden files and post a fresh Hijack This log in this thread.
  25. Hello scotchjock
      I find it is often useful to know what sort of difficulties a user is experiencing in order to best serve their needs. If you have anything in particular that you would like me to know, please tell me in your response.
      I wasn't going to hit you with this in the beginning, but it does now seem necessary, since I found an internet worm in your PC.
      First: Lets stop Services on something. To disable services in Windows XP. Go to Start>Run (then type) "services.msc" (no quotes) into the Run box. Then look for (Microsoft Update Machine) and DISABLE as many entries for it as you find. Then exit services.
      Then go to Add/Remove Programs in your Control Panel and REMOVE (Microsoft Update Machine), as many as are there.
      This is a free trial version of Trojan Hunter. Download it next and let it work. Trial Version of Trojan Hunter. http://www.misec.net/trojanhunter/
      Then, Choose one of these, they are online virus scanners, run one of them and have them fix anything they find.
      Panda http://www.pandasoftware.com/activescan/co...n_principal.htm
      Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp
      And, here's the link to McAfee AVERT Stinger and instructions for use. Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself. Please load and use it now. Please let us know what the results are.
      Please print out these instructions so you can read them while you clean your system. A printout also makes a good check list for Hijack This, to avoid making errors.
      Please note that some of these may not be present, after the scans above.
      Please run Hijack This again and place check marks next to the following entries.
      O4 - HKLM\..\Run: [Microsoft Update Machine] wuid.exe
      O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuid.exe
      O4 - HKCU\..\Run: [Microsoft Update Machine] wuid.exe
      O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d20748d60324...ip/RdxIE601.cab
      The following appear to be randomly named, or unknown files and as such they may be malware. Unless you know these and are comfortable keeping them, have HJT fix them.
      O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\POPUPB~1\IEHelper.dll
      The above seems to be some sort of game, from MarBit Tools, in Poland.
      O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
      Note that if you choose to fix the above O4 with Hijack This, you will first need to go to Control>Add/Remove Programs and Uninstall the Program (Ascentive) and then go to C:\Program Files\Ascentive and delete the Program from there.
      O4 - Startup: Manual.lnk = ?
      O4 - Startup: Faq.lnk = ?
      The following entries are optional, or known resource hogs. If you have noticed an overall slowdown in your computer, consider shutting down some of these. Please read the description following each and check mark for "fixing" (or follow instructions for disabling) according to your needs.
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      For TkBellExe: This is unnecessary to run at Startup, but it will need to be turned off in the program as well as fixing it here, or it will simply put itself back here... By the way the Program is Real Player. See the following url for more information on TkBell, to help you make an informed decision. http://www.mikescomputerinfo.com/TkBellExe.htm
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      Windows Messenger utility. If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"
      Close all other windows and browsers, then click on "Fix Checked". Then please REBOOT.
      Please post a fresh Hijack This log here, in this string, so I will be notified of your post.
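The posts above pick out suspicious HijackThis entries by eye: an autorun named "Microsoft Update Machine" that points at a bare wuid.exe with no path, a URLSearchHook with "(no file)", Startup shortcuts whose target is "?", BHOs under adware directories, and ActiveX controls (O16 DPF) pulled from arbitrary hosts. The triage script below is an added example, not code from the forum or from HijackThis; it encodes those same heuristics as a defender's log checker. The indicator list, the trusted-host allowlist and the sample log (built from lines quoted in the posts) are constructed for this example.

```python
import re
from urllib.parse import urlparse

# A HijackThis line is "<section> - <description>", e.g. "O4 - HKLM\..\Run: [Name] target".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s*-\s*(?P<body>.*)$")
# Directory names the posts above tie to adware or a worm (constructed
# indicator list for this example, not a vendor signature set).
KNOWN_BAD_DIRS = ("WINTOOLS", "SHOPPERREPORTS", "ASCENTIVE", "POPUPB~1")
# Hosts from which a downloaded (O16 DPF) control is expected; assumed allowlist.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

def classify(line):
    """Return the reasons one HijackThis line deserves a look (empty = nothing found)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    up = body.upper()
    reasons = []
    if any(d in up for d in KNOWN_BAD_DIRS):
        reasons.append("path names a known adware/spyware directory")
    if sec == "O4":
        t = re.search(r"\[[^\]]*\]\s*(.*)$", body)  # "[Name] target" autorun shape
        if t:
            target = t.group(1).strip()
            # Installers register full paths; a bare name such as wuid.exe is how
            # the "Microsoft Update Machine" worm in the posts registered itself.
            if "\\" not in target and not target.startswith('"'):
                reasons.append("autorun target has no path, only a bare file name")
        elif body.rstrip().endswith("= ?"):  # "Startup: Manual.lnk = ?"
            reasons.append("Startup shortcut points at an unresolved target")
        if "MICROSOFT UPDATE" in up and "\\WINDOWS\\" not in up:
            reasons.append("name imitates Microsoft Update but target is not a Windows binary")
    if sec == "R3" and "(NO FILE)" in up:
        reasons.append("URLSearchHook whose file is missing (orphaned hook)")
    if sec == "O16":
        url = re.search(r"https?://\S+", body)
        host = (urlparse(url.group(0)).hostname or "") if url else ""
        if host and not host.endswith(TRUSTED_DPF_HOSTS):
            reasons.append(f"downloaded control from untrusted host {host}")
    return reasons

def scan(log_text):
    """Map each flagged log line to its reasons, skipping clean and blank lines."""
    return {ln.strip(): r for ln in log_text.splitlines() if (r := classify(ln))}

# Constructed sample log made of lines quoted in the posts above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.0.1\SMRTSHPR.DLL
O4 - HKLM\..\Run: [Microsoft Update Machine] wuid.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Manual.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27d20748d60324...ip/RdxIE601.cab
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

The heuristics only flag lines for a human to review; the MSMSGS and TkBellExe entries in the sample pass unflagged, matching the posts' view that those are optional rather than malicious.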