IE hijacked by Search Engine


This topic is locked
24 replies to this topic

#1 subatpd

Posted 16 May 2004 - 10:05 AM

An unwanted search engine (www.bestsearchs.com) has been implanted on my system and I cannot remove it. I have downloaded HijackThis and the following is the log from it. I would really appreciate someone's help here that could advise what I can do. Please be gentle, I am no expert.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\WEBTRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 7.5\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 7.5\WebTrap.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [tkonnect] C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
O4 - HKLM\..\RunOnce: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: IC 3.0 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O12 - Plugin for .eid: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPRT32.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .p: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinterne...ild/preload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7990.4042708333
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

#2 Orumph

Posted 16 May 2004 - 10:32 AM

have HJT fix the following...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

Just for good measure, once you do that, get CWShredder from my sig and run it too. Then reboot and post a new log.
HiJackThis , CWshredder , IE-SpyAD , SpywareBlaster
HTAstop and other useful items
Trend HouseCall
Also check out GRC.com for some security measures you should take.
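
Added example (not code from the thread, from HijackThis or from CWShredder): a Python triage that applies the rules behind Orumph's fix list to the log lines from the first post. It flags the R0/R1 entries pointing at the reported domain, the autorun that starts an executable from the ActiveX cache folder, and the O16 entries whose CODEBASE is an ms-its:mhtml chain; the last of these is decoded into the local .mht that is meant to be missing, the remote CHM, and the executable inside it. The sample lines are copied from the log above with the forum's "..." truncation left as printed; the hijacker domain set, the regular expressions and the reason strings are the example's own.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread, not HijackThis's or CWShredder's own code.
It applies three rules to the log lines posted above:
  1. R0/R1 lines whose URL points at the reported hijacker domain;
  2. O4 autoruns that launch an executable from the ActiveX cache folder
     (C:\\WINDOWS\\DOWNLOADED PROGRAM FILES);
  3. O16 DPF entries whose CODEBASE is an ms-its:mhtml:file://...!...chm::/x.exe
     chain, i.e. a CHM dropper rather than a downloadable ActiveX control.
The sample lines are copied from the first log in the thread; the '...'
inside URLs is the forum's truncation and is left exactly as printed.
"""
import re
from typing import Dict, List, Optional

# Domain the original poster identified (plus the misspelt variant in the log).
HIJACK_DOMAINS = {"bestsearchs.com", "besstsearchs.com"}

R_LINE = re.compile(r"^(R[01]) - (HK(?:LM|CU))\\(.+?),(\S.*?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
MS_ITS = re.compile(r"^ms-its:mhtml:file://([^!]+)!(.+?)::/(.+)$", re.IGNORECASE)


def hostname(url: str) -> str:
    """Host part of an http(s) URL, lower-cased, without a leading 'www.'."""
    m = re.match(r"https?://([^/\s]+)", url, re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    return host[4:] if host.startswith("www.") else host


def decode_ms_its_codebase(codebase: str) -> Optional[Dict[str, str]]:
    """Split 'ms-its:mhtml:file://LOCAL.mht!REMOTE.chm::/PAYLOAD' into parts.

    Unpatched IE of the time fell back to the location after '!' when the
    local .mht did not exist (hence the deliberately absent c:\\nosuch.mht),
    fetched the CHM from the attacker's server and ran the named file inside
    it with Local Machine zone privileges (fixed by MS04-013, April 2004).
    """
    m = MS_ITS.match(codebase)
    if not m:
        return None
    return {"local_mht": m.group(1), "remote_chm": m.group(2), "payload": m.group(3)}


def triage(log_lines: List[str]) -> List[Dict[str, str]]:
    """One finding per suspicious line, with the reason it was flagged."""
    findings: List[Dict[str, str]] = []
    for raw in log_lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            host = hostname(m.group(5))
            if host in HIJACK_DOMAINS:
                findings.append({"line": line,
                                 "reason": f"IE '{m.group(4)}' under {m.group(2)} points at hijacker domain {host}"})
            continue
        m = O4_LINE.match(line)
        if m:
            if "downloaded program files" in m.group(4).lower():
                findings.append({"line": line,
                                 "reason": f"{m.group(2)} autorun [{m.group(3)}] starts an executable from the ActiveX cache folder"})
            continue
        m = O16_LINE.match(line)
        if m:
            parts = decode_ms_its_codebase(m.group(3))
            if parts:
                findings.append({"line": line,
                                 "reason": f"CHM dropper: fetches {parts['remote_chm']} and runs {parts['payload']}"})
    return findings


# Sample input: a subset of the first log above (copied from the thread).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab",
    r"O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe",
    r"O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FIX  {f['line']}\n     {f['reason']}")
```

Run it on a full log by reading the file into a list of lines; the three regular expressions only cover the R0/R1, O4 and O16 classes, so every other line passes through untouched and still needs a human eye.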

#3 subatpd

Posted 16 May 2004 - 10:41 AM

Many thanks for the very prompt response! I have tried as you suggested - checked all the items you have listed, ran the programme and guess what - they are STILL there the next time I scan!! No idea why this is happening - any idea?

#4 Orumph

Posted 16 May 2004 - 10:49 AM

Did you run the CWshredder and reboot the system also?

I was afraid that they would still be there. But I need you to run the CWshredder and reboot then post a new log.
Even though this may not help at all, I want to be sure.

Your problem could be kinda rough getting cleaned up.

Edited by Orumph, 16 May 2004 - 10:56 AM.


#5 subatpd

Posted 16 May 2004 - 11:16 AM

Tried as you suggested and ran CWS and did a reboot - new log attached. Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 17:11:35, on 16/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\WEBTRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 7.5\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 7.5\WebTrap.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [tkonnect] C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunOnce: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: IC 3.0 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O12 - Plugin for .eid: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPRT32.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .p: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinterne...ild/preload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7990.4042708333
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

#6 Orumph

Posted 16 May 2004 - 11:23 AM

Do you know what this is?

O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE

Search for the following files and delete them if you find them. Let me know if you can or not.

file.exe
load.exe
x.exe

#7 subatpd

Posted 16 May 2004 - 11:32 AM

Not sure - but it may be a small file I downloaded earlier from this site to let me try to discuss the topic on the SWI chat forum. Did not use it though.

I will start looking for the files you mention. Thanks

#8 subatpd

Posted 16 May 2004 - 11:34 AM

None of these files are on my C drive.

file.exe
load.exe
x.exe

#9 Orumph

Posted 16 May 2004 - 11:36 AM

You should not have to download any files to post to this forum. You may want to delete that file also. It is downloaded from the net, so if you need it again, by going to the site that needs it, it will be downloaded again. I would delete it for the time being. It's not common to find a legit file called 2.exe.

#10 Orumph

Posted 16 May 2004 - 11:38 AM

Have you tried going into Add/Remove Programs to see if there are any entries for "search" or anything out of the ordinary?

Also, from HJT / Config / Misc Tools, generate a StartupList and post it.

#11 subatpd

Posted 16 May 2004 - 11:49 AM

I had a look in Add/Remove - nothing strange in there. Using HJT I attempted to remove that line - it is still there, even though I have checked it and tried the fix.

I have attached the startup list:

StartupList report, 16/05/04, 17:42:28
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\WEBTRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
PMXInit = C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
pop3trap.exe = "C:\Program Files\Trend PC-cillin 7.5\pop3trap.exe"
WebTrap.exe = "C:\Program Files\Trend PC-cillin 7.5\WebTrap.exe"
LoadQM = loadqm.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
applc = C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

PMXInit = C:\WINDOWS\SYSTEM\pmxinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

H/PC Connection Agent = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
tkonnect = C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 16/5/2004, 17:1:10)

[Rename]
NUL=C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\TRENDP~1.5\PCSCAN.EXE C:\ C:\WINDOWS\COMMAND\ /NS /WIN95
mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,c:\windows\COMMAND\keyboard.sys
PATH C:\BITWARE\
SET MSINPUT=C:\MSINPUT
SET FX_GLIDE_NO_SPLASH=1
PATH=C:\LOCALCAI\BIN;%PATH%
PATH=C:\LOCALCAI\VDI;%PATH%
SET CLASSPATH=C:\Program Files\HEAT\navbar;%CLASSPATH%

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
PopupFilter Class - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL - {1F2E844B-8211-46ff-8262-772F03295CF4}
(no name) - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL - {1f0c8547-2639-4c91-b8aa-c7eca24c3163}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
{F4F0B20B-A6E7-11D8-BBBA-444553540000}_Default.job
{F4F0B20C-A6E7-11D8-BBBA-444553540000}_Default.job
{F4F0B20D-A6E7-11D8-BBBA-444553540000}_Default.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macrom...abs/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[preload control]
InProcServer32 = C:\WINDOWS\SYSTEM\preload.ocx
CODEBASE = http://www.btinterne...ild/preload.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...7990.4042708333

[{10003000-1000-0000-1000-000000000000}]
CODEBASE = ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe

[SassCln Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SASSCLN.DLL
CODEBASE = http://www.microsoft...ols/SassCln.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://housecall.tre...all/Xscan53.cab

[{11111111-1111-1111-1111-111111111157}]
CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe

[{11111111-1111-1111-1111-111111111123}]
CODEBASE = ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #7: C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\adlsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,273 bytes
Report generated in 0.130 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#12 Orumph

Posted 16 May 2004 - 11:50 AM

OK, go to this folder and delete the following if you see them

C:\WINDOWS\Downloaded Program Files

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

If you don't see them, tell me exactly what is in that folder.

{edit}
Look for this file there also and delete it if you can.
C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE

You may have to end the task from Task Manager first.

Edited by Orumph, 16 May 2004 - 11:51 AM.


#13 subatpd

Posted 16 May 2004 - 11:57 AM

Done that and they are removed - I did get a prompt telling me that it did not have enough information to remove them completely and to refer to the Add/Remove programmes. The following are also in this folder:

House call control
preload control
SassCln Object
Shockwave Activ
Shockwave Flash
Update Class

#14 Orumph

Posted 16 May 2004 - 12:03 PM

OK, run HJT and fix the following if you see them, then reboot and post a new log

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com

O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgin....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ruworld.c....chm::/file.exe

I don't know if this will be resolved after this or not. I really don't want to have to hack the registry. But it may be needed. We'll see though.

Edited by Orumph, 16 May 2004 - 12:04 PM.


#15 subatpd

Posted 16 May 2004 - 12:10 PM

Did as you suggested - guess what!!! No change! I was unable to check the 3 O16 lines - they are no longer present.

Logfile of HijackThis v1.97.7
Scan saved at 18:05:18, on 16/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 7.5\WEBTRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE
C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\ONICTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\IC3HLPR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 7.5\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 7.5\WebTrap.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [tkonnect] C:\PROGRAM FILES\TISCALI\TKONNECT\TKONNECT.EXE updatemode
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunOnce: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: IC 3.0 (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O12 - Plugin for .eid: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPRT32.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .p: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.btinterne...ild/preload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7990.4042708333
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab

#16 Orumph

Orumph

    Member

  • Full Member
  • 20 posts

Posted 16 May 2004 - 12:57 PM

Go into TaskMan

CTRL-ALT-DELETE and end the 2.exe process. Then go to C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE and delete the file.

Then fix the following with HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestsearchs.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestsearchs.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com

O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE

We may have to do some registry hacking
HiJackThis , CWshredder , IE-SpyAD , SpywareBlaster
HTAstop and other useful items
Trend HouseCall
Also check out GRC.com for some security measures you should take.
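The triage Orumph does by eye above (find the R0/R1 entries pointing at the hijack domain, find the O4 Run entry that launches 2.EXE out of Downloaded Program Files, leave the unknown LSP alone until it is identified) can be done over a saved HijackThis log offline. The script below is an added example and is not Orumph's procedure, nor part of HijackThis; the trusted-host list, the suspicious-folder list and the sample log lines are assumptions constructed for the example, modelled on the entries quoted in this thread rather than copied from the full log.

```python
"""Offline triage of a HijackThis log, in the spirit of the manual review in
this thread. Hypothetical example code, not part of HijackThis or this forum."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the user never set a custom home page, so any IE page entry that
# does not point at one of these stock hosts deserves a look.
TRUSTED_PAGE_HOSTS = {"www.msn.com", "www.microsoft.com", "home.microsoft.com"}
# Domain identified in the thread as the hijacker.
KNOWN_HIJACK_DOMAINS = {"bestsearchs.com"}
# Nothing legitimate auto-starts from these Windows 9x folders (matched case-insensitively).
SUSPICIOUS_START_DIRS = ("\\downloaded program files\\", "\\temp\\")

R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<value>\S+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HJT section prefix, e.g. "R0", "O4", "O10"
    severity: str  # "hijack" (fix with HJT) or "review" (identify before fixing)
    reason: str
    line: str


def host_of(url: str) -> str:
    """Lower-case host of a URL, or "" if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT log line; None means nothing to flag."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        host = host_of(m["value"])
        if any(is_under(host, d) for d in KNOWN_HIJACK_DOMAINS):
            return Finding(m[1], "hijack", f"IE page set to known hijack domain {host}", line)
        if host and host not in TRUSTED_PAGE_HOSTS:
            # Catches look-alike spellings such as the 'Local Page' entry in the log.
            return Finding(m[1], "review", f"IE page set to untrusted host {host}", line)
        return None
    m = O4_LINE.match(line)
    if m:
        cmd = m["cmd"].lower()
        for folder in SUSPICIOUS_START_DIRS:
            if folder in cmd:
                where = folder.strip("\\")
                return Finding("O4", "hijack", f"auto-start entry [{m['name']}] runs from {where}", line)
        return None
    if line.startswith("O10 - Unknown file in Winsock LSP"):
        return Finding("O10", "review", "unrecognised Winsock LSP; confirm the owning product before fixing", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample, modelled on the entries quoted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestsearchs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestsearchs.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.besstsearchs.com
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [applc] C:\WINDOWS\DOWNLOADED PROGRAM FILES\2.EXE
O10 - Unknown file in Winsock LSP: c:\program files\aladdin systems\internet cleanup\adlsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.severity:<7} {f.reason}\n      {f.line}")
```

Two design points. The R0/R1 check is an allowlist, not just a blocklist: the "Local Page" entry in the log names besstsearchs.com, a different spelling from the domain everyone is looking for, and a blocklist alone would miss it. The O10 entry is deliberately only marked for review: the DLL sits under the Aladdin Internet Cleanup folder, which matches ONICTASK.EXE in the running-process list, and removing an LSP that belongs to an installed product breaks networking rather than fixing anything.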

#17 Orumph

Orumph

    Member

  • Full Member
  • 20 posts

Posted 16 May 2004 - 01:33 PM

OK, I figured out what the problem is. This is what you need to do. The thing I was most dreading.

{Borrowed from Daemon}
Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Also, click here and download 'Find-All.zip'. Unzip and run the 'findall.bat' file inside. It'll run for a while and generate a file called output.txt - save it and paste the contents of 'output.txt' in your next reply.

This one is fairly easy to get rid of, once you know the procedure.

#18 subatpd

subatpd

    Member

  • Full Member
  • 13 posts

Posted 16 May 2004 - 01:36 PM

Many Thanks friend. I will give it a go.

#19 subatpd

subatpd

    Member

  • Full Member
  • 13 posts

Posted 16 May 2004 - 01:42 PM

One more thing - I am running Win 98! Before I go through this procedure, does this matter?

#20 Orumph

Orumph

    Member

  • Full Member
  • 20 posts

Posted 16 May 2004 - 01:43 PM

Yes
Stop

Sorry, I didn't notice before. I'm also at work, fixing PCs, so I may have gotten a bit off track.

Edited by Orumph, 16 May 2004 - 01:44 PM.


#21 Orumph

Orumph

    Member

  • Full Member
  • 20 posts

Posted 16 May 2004 - 01:54 PM

Have you installed Ad-Aware or SpyBot S&D? If not, do the following.

{also borrowed from Daemon because I'm too lazy to type all this out}
Click here to download Full Install Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.

#22 subatpd

subatpd

    Member

  • Full Member
  • 13 posts

Posted 16 May 2004 - 01:57 PM

FIXED!!! I did what you said in your previous post and went into Task Manager, then deleted the 2.exe in HJT and guess what - it's gone!!!! Great news - many, many thanks for your excellent help.

#23 Orumph

Orumph

    Member

  • Full Member
  • 20 posts

Posted 16 May 2004 - 02:05 PM

Cool, I thought killing that 2.exe file would do it. I'm glad we didn't have to go the long hard road on that one.

You should get IE-SpyAD and Spyware Blaster.
Trust me when I say, "It's worth it".

#24 subatpd

subatpd

    Member

  • Full Member
  • 13 posts

Posted 16 May 2004 - 02:08 PM

I see they are on your signature. Thanks for the advice - will do and have a great day.

#25 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 04 October 2004 - 01:53 AM

Due to the time passed without a response in this thread - I am closing it.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
