CoolWWW/ about blank removal


  • This topic is locked
18 replies to this topic

#1 RawnNiven

  • Full Member
  • 23 posts

Posted 13 July 2004 - 11:21 AM

...and I noticed that there were many other people with the same problem on this site. [I've posted this topic once, but through a link from Hotmail, and it didn't seem to post, so I apologise if it appears twice.]

I've read the "FAQ before you do anything else" section, but I'm not sure how to create a StartupList log. Here, as instructed, is the HijackThis log though:

Logfile of HijackThis v1.97.7
Scan saved at 16:52:31, on 13/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matthew Sleaford\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {AAAC8935-B864-499F-A7FC-B2347EC60931} - C:\WINDOWS\madopew.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [default_page_url] http://www.microsoft...er=6&ar=msnhome
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7876.3624884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Could someone please help me to remove this awful spyware. (Who writes such malicious code in the first place??!?)

Thanks in advance

Matthew

Edited by RawnNiven, 13 July 2004 - 11:23 AM.


#2 Guest_splintercell990_*

  • Guests

Posted 13 July 2004 - 12:18 PM

Hello RawnNiven,

Can you please download the latest version of HijackThis from here, and save it to a permanent folder, and post the logfile in this thread?

Once you are done, copy the contents of the bold text below to Notepad. Name the file Appinit.bat, and make sure that you save as type: "All Files". Finally, save it on the Desktop:

rem Save the Windows key (the one that holds the AppInit_DLLs value) to a hive file next to this batch file
Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
rem The saved hive is a binary file; the .txt rename only makes it easier to attach, it will not look like plain text
ren windows1.hiv windows.txt


Double-click on Appinit.bat. This will create a file on the desktop named windows.txt. Please post windows.txt in your next reply along with a fresh HijackThis logfile...

Good Luck :)

Edited by splintercell990, 13 July 2004 - 07:01 PM.


#3 RawnNiven


Posted 14 July 2004 - 03:44 AM

Hi splintercell990, Thanks for helping.

Here's my Logfile list;

Logfile of HijackThis v1.98.0
Scan saved at 09:35:30, on 14/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {AAAC8935-B864-499F-A7FC-B2347EC60931} - C:\WINDOWS\madopew.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [default_page_url] http://www.microsoft...er=6&ar=msnhome
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {CBB18B10-1F41-415D-B2D7-620DFF7A97A2} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {CBB18B10-1F41-415D-B2D7-620DFF7A97A2} - C:\WINDOWS\madopew.dll

I can't seem to attach the windows.txt file, so I've copied it in below. Is this what you wanted?

regf       Pugf

[there was a load of space here, Matthew]

hbin  nk, p<?g   x 0  _ 0  Windowsqsk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk    fAppInit_DLLs?G  vk     UDeviceNotSelectedTimeout1 5  (W9 0  ! vk  '   zGDIProcessHandleQuota"vk     Spooler2y e s     0 `  vk    =pswapdiskvk     RTransmissionRetryTimeout  0 `    vk  '   M USERProcessHandleQuota

Look forward to hearing from you,

Matthew

#4 Guest_splintercell990_*


Posted 14 July 2004 - 09:38 AM

Hmm... this is strange... did you copy the entire Windows.txt logfile? If you did not, please make sure you do, because even if there is a space, I need to know :)

#5 RawnNiven


Posted 15 July 2004 - 03:29 AM

No worries, sorry, it does say that in the 'before anything else' section... hehehe.

Here's the whole thing;

regf       Pugf hbin  nk, p<?g   x 0  _ 0  Windowsqsk x x        
     !
   !      #
   #  ?    
     ?   
    ?    
        vk    fAppInit_DLLs?G  vk     UDeviceNotSelectedTimeout1 5  (W9 0  ! vk  '   zGDIProcessHandleQuota"vk     Spooler2y e s     0 `  vk    =pswapdiskvk     RTransmissionRetryTimeout  0 `    vk  '   M USERProcessHandleQuota

I've posted the space too, but it appears to have removed it itself??!?

Thanks again.

Matthew

Edited by RawnNiven, 15 July 2004 - 05:07 AM.


#6 Guest_splintercell990_*


Posted 15 July 2004 - 09:41 AM

Hello RawnNiven

Please download CWShredder:
http://www.spywarein.../CWShredder.exe. Now, with all other windows closed, double-click it and hit the Fix button to fix all found problems, then reboot.

Next, download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
3. Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
4. Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
8. Save the log file when it asks and then click Finish.
9. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next).
10. Reboot your computer.

Then Turn off System Restore. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and check "Turn off System Restore". Finally, click Apply, and then click OK. Now, to finish resetting the system restore point, we need to turn ON System Restore once again. To do this, right-click My Computer and click Properties. Next, click the System Restore tab and UN-Check "Turn off System Restore". Finally, click Apply, and then click OK.

Next, run a full scan here and let it clean, making sure you reboot when it is done.

Post a fresh HijackThis logfile in this thread once you are done :)

#7 RawnNiven


Posted 20 July 2004 - 04:27 AM

Sorry splintercell990 that I took so long to reply. My internet went down on Fri and I've only just got it back up and running. I've followed your instructions [my God, that Housecall took a long time :-) ], and here's my new HijackThis log. BTW, the home page still gets hijacked; it happened before I came to this site:

Logfile of HijackThis v1.98.0
Scan saved at 10:24:54, on 20/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15829DFF-D22E-49DF-A23F-FE0DA1EAC16C} - C:\WINDOWS\madopew.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [default_page_url] http://www.microsoft...er=6&ar=msnhome
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll

Thanks,

Matthew

#8 Guest_splintercell990_*


Posted 20 July 2004 - 07:07 PM

Hello RawnNiven,

Download and run RegLite and open this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Double-click and identify the file listed in AppInit_DLLs.
*Note:
If there is no AppInit value, or no file listed, skip this step.
(*See below)

Create a new folder for backups somewhere (e.g. My Documents\Backups).
Highlight the Windows key marked in purple, use RegLite's File menu > Export, and save in the following formats:
Name them as:
1.) Winkey.reg (selected by default) (Save as type: regedit4 .reg type)
2.) Winkey.hiv (in Save as type, scroll to select regedt32/WinAPI *.hiv *.dat files)

When both files/backups are successfully saved, rename the Windows key to Windows1, clear the data in the AppInit value, rename it back to the original, and restart.
Preferably in Safe Mode, find and delete the file.

--When done:
1.) Navigate to the backups location and double-click on the winkey.reg file.
Answer yes to the prompt.
2.) Run RegLite and open the same Windows key:
While it is selected/marked in purple, use RegLite's File menu > Import.
Browse to and select the "winkey.hiv" you saved.
Hit 'Open', merge, and 'OK' it.
Repeat the cleanup steps outlined before in the AppInit value (clearing the data).
=====================================================
*If the file name itself is unknown after following the steps above, inspect the properties of all DLLs in System32 that are 56k (57,344 bytes) and modified in the last 5 months.

*Most AVs would recognise the file anyway, when it isn't active.
Primarily, AVG Free Anti-Virus.

*If the file is found but can't be deleted:
Create a dummy folder (e.g. C:\junk) and move it there first.
1.) Right-click on it: Properties > Advanced > Security > Permissions, and take ownership, giving yourself 'Full control'.
2.) Right-click the 'container' (junk) folder itself and hit Properties.
- Go to the Security tab and click the Advanced button.
- Check the box to reset permissions on all child objects.
Hit Apply, then OK.

Good Luck :)

Edited by splintercell990, 20 July 2004 - 07:11 PM.


#9 RawnNiven


Posted 21 July 2004 - 04:33 AM

Hi there,

I did all the steps up until the:

=====================================================

I don't know if you wanted another log, but here it is in case. The page is still there; it came up again when I went onto the net to get here after following the instructions below.

I completely deleted the AppInit because there was nothing in the Value part. When I re-imported, there was again nothing in the Value part for me to delete, so I left it.

Logfile of HijackThis v1.98.0
Scan saved at 10:28:35, on 21/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15829DFF-D22E-49DF-A23F-FE0DA1EAC16C} - C:\WINDOWS\madopew.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [default_page_url] http://www.microsoft...er=6&ar=msnhome
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll

Thanks splintercell990

Till tomorrow :)

#10 Guest_splintercell990_*
  • Guests

Posted 21 July 2004 - 10:03 AM

Okay, with all other browsers closed, please fix the following items in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {15829DFF-D22E-49DF-A23F-FE0DA1EAC16C} - C:\WINDOWS\madopew.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O4 - HKCU\..\Run: [default_page_url] http://www.microsoft...er=6&ar=msnhome
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O18 - Filter: text/html - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll
O18 - Filter: text/plain - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll


Reboot, and post a fresh HijackThis logfile in this thread once you are done :)

Edited by splintercell990, 21 July 2004 - 10:05 AM.
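
The fix list above follows a handful of recognisable patterns: IE search and start-page values pointing at the hijacker's domains or marked "(obfuscated)", about:blank residue, a ProxyOverride that exempts those domains, a BHO registered with no name and dropped straight into C:\WINDOWS, Run keys that launch a URL rather than a program, a context-menu item backed by a local .htm file, and MIME filters hooked on text/html and text/plain. The following Python script is an added example, not part of this thread or of HijackThis, that encodes those rules as a small triage pass over log lines. The WATCHLIST domains are the ones that appear in the logs posted here, and SAMPLE_LOG is a constructed subset of the entries from this thread mixed with clean entries from the same log.

```python
"""Triage a HijackThis log with the hijack patterns from the fix list above.

Added example; the regexes cover only the R0/R1, O2, O4, O8 and O18 line
formats seen in this thread.
"""
import re
from urllib.parse import urlparse

# Hijacker domains taken from the logs posted in this thread (assumption: in
# practice you would maintain your own list).
WATCHLIST = {"4-v.net", "ie-search.com", "hot-searches.com", "lender-search.com"}

# One regex per HijackThis section this script understands.
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
O8_LINE = re.compile(r"^O8 - Extra context menu item: (.+?) - (.*)$")
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

# Constructed sample: a subset of the entries from this thread plus clean ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15829DFF-D22E-49DF-A23F-FE0DA1EAC16C} - C:\WINDOWS\madopew.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [customizesearch] http://ie.search.msn...st/srchcust.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O18 - Filter: text/html - {D10879DF-07AA-4187-A894-6C090D32BDF7} - C:\WINDOWS\madopew.dll
"""


def host_of(url):
    """Lowercase hostname of a URL, or '' when it has none (e.g. about:blank)."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def on_watchlist(host):
    """True when host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def triage_line(line):
    """Return a short reason when the entry matches a hijack pattern, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        _kind, _hive, _path, value, data = m.groups()
        value, data = value.strip(), data.strip()
        if value == "ProxyOverride":
            hosts = [h.strip("*; ").lower() for h in data.split(";")]
            if any(on_watchlist(h) for h in hosts):
                return "ProxyOverride bypasses the proxy for a watchlisted domain"
            return None
        if data.endswith("(obfuscated)"):
            return "IE search/start value is an obfuscated URL"
        if data.lower() == "about:blank":
            return "about:blank hijack residue in IE settings"
        if on_watchlist(host_of(data)):
            return "IE search/start value points at a watchlisted host"
        return None
    m = O2_LINE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if name == "(no name)":
            return "BHO registered without a name"
        # A DLL sitting directly in the Windows directory (not a subfolder).
        if re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.dll", path, re.IGNORECASE):
            return "BHO DLL dropped directly in the Windows directory"
        return None
    m = O4_LINE.match(line)
    if m and re.match(r"https?://", m.group(3), re.IGNORECASE):
        return "Run key launches a URL instead of a program"
    m = O8_LINE.match(line)
    if m and re.fullmatch(r"[A-Za-z]:\\.*\.html?", m.group(2), re.IGNORECASE):
        return "context menu item runs a local HTML file"
    m = O18_LINE.match(line)
    if m and m.group(1).lower() in ("text/html", "text/plain"):
        return "MIME filter hooked on text/html or text/plain"
    return None


def triage(log_text):
    """Return [(entry, reason)] for every suspicious line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Run against SAMPLE_LOG it reports eight of the thirteen entries and leaves the Adobe, Norton, QuickTime, Excel and google.com lines alone. The rules are deliberately narrow: a Run key that launches a URL or a text/html MIME filter is almost never legitimate, whereas a DLL in C:\WINDOWS only earns a second look, which is why the script reports a reason rather than deleting anything.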


#11 RawnNiven
    Member
  • Full Member
  • 23 posts

Posted 22 July 2004 - 03:42 AM

Hiya, how on Earth do you know all of this? It's absolutely amazing!?!? Where did you learn it all, or rather, where did you begin learning it all? I'd love to know more...

Anyway, here's the log;

Logfile of HijackThis v1.98.0
Scan saved at 09:37:28, on 22/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Vision\System\xvl.exe
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

The fantastic thing is, none of the pop-ups arrived when I started up the computer after doing that. However, I now have some malicious script, as detected by Norton AntiVirus.

I don't know if it's related, but it's the file 'C:\WINDOWS\odbc.hta' and it says the activity is 'GetSpecialFolder'?

Thanks splintercell990

Till tomorrow...

#12 Guest_splintercell990_*
  • Guests

Posted 22 July 2004 - 02:10 PM

This infection still does not want to go, huh :hmmm:

Let's do this... with all other browsers closed, please fix the following items in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


Now for the rest of your problem:

I don't know if it's related, but it's the file 'C:\WINDOWS\odbc.hta' and it says the activity is 'GetSpecialFolder'?


I think this article is what you are talking about (if it is not, please see below)... it says to download, install and run HTAstop, which can be found here. Please make sure you save it to the desktop...

Note: If that article is NOT what you are talking about, then you can tell Norton to ignore the script, as ODBC is a legit Microsoft process.

Once you do all of this, reboot and post a fresh HijackThis logfile in this thread :)

Edited by splintercell990, 22 July 2004 - 02:16 PM.


#13 RawnNiven
    Member
  • Full Member
  • 23 posts

Posted 23 July 2004 - 03:58 AM

Here you go splintercell990;

Which part lets you know there's still an infection? Is it the about:blank part?

Logfile of HijackThis v1.98.0
Scan saved at 10:07:19, on 23/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

That link you gave me... I'm not sure if those are the symptoms, as the script is always stopped by Norton. So nothing actually ever happens, but because that link says the script opens doors to all sorts of hellish trojans etc., I'm loath to find out by allowing it. So I've downloaded it anyway and have it running, hidden on my desktop so I don't even know it's there. ;)

Till Monday, take care.

Matthew.

Edited by RawnNiven, 23 July 2004 - 04:08 AM.


#14 Guest_splintercell990_*
  • Guests

Posted 23 July 2004 - 10:24 AM

Hello RawnNiven,

Download this .reg file to the Desktop. Double-click on it and answer Yes. It will restore all the default Search settings for IE.

Next, run HijackThis and with all other browsers closed, please fix the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-v.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-v.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html


Immediately after, run the latest version of CWShredder from here, and with all other windows closed, hit "Fix Problems" and let it fix all variants.

Finally, run an online virus scan from BitDefender and let it fix all of the problems it finds. If there are some items it can't fix, please post them here...

Reboot, and post a fresh HJT logfile in this thread once you are done :)

Edited by splintercell990, 23 July 2004 - 10:30 AM.


#15 RawnNiven
    Member
  • Full Member
  • 23 posts

Posted 27 July 2004 - 08:22 AM

Hi there, it seems that yesterday I couldn't get onto Spywareinfo, but today it's okay, so here, as requested, is the BitDefender info;

C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\backups\backup-20040722-093133-753.dll infected: Trojan.StartPage.IS
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\backups\backup-20040722-093133-753.dll deleted
C:\Documents and Settings\Matthew Sleaford\Local Settings\Temp\cln1.tmp infected: Trojan.Downloader.Dyfuca.BW
C:\Documents and Settings\Matthew Sleaford\Local Settings\Temp\cln1.tmp deleted
C:\Program Files\Norton AntiVirus\Quarantine\02457C4C.tmp=>(Quarantine)=>[Subject: Mail Delivery (failure info@treehousep][Date: Mon, 12 Jul 2004 17:13:23 +1000]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Norton AntiVirus\Quarantine\02457C4C.tmp=>(Quarantine)=>[Subject: Mail Delivery (failure info@treehousep][Date: Mon, 12 Jul 2004 17:13:23 +1000]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\2D3859D7.tmp=>(Quarantine)=>[Subject: Mail Delivery (failure info@treehousep][Date: Fri, 16 Jul 2004 15:43:09 +1000]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
C:\Program Files\Norton AntiVirus\Quarantine\2D3859D7.tmp=>(Quarantine)=>[Subject: Mail Delivery (failure info@treehousep][Date: Fri, 16 Jul 2004 15:43:09 +1000]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\3A692676.tmp=>(Quarantine) infected: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\3A692676.tmp deleted
C:\Program Files\Norton AntiVirus\Quarantine\3AAE182A.tmp=>(Quarantine) infected: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\3AAE182A.tmp deleted
C:\Program Files\Norton AntiVirus\Quarantine\3F743EFD.tmp=>(Quarantine) infected: Win32.Netsky.AA@mm
C:\Program Files\Norton AntiVirus\Quarantine\3F743EFD.tmp deleted
C:\Program Files\Windows Media Player\wmplayer.exe.tmp=>(Upx) infected: Trojan.Dialer.CE
C:\Program Files\Windows Media Player\wmplayer.exe.tmp deleted
C:\WINDOWS\madopew.dll infected: Trojan.StartPage.IS
C:\WINDOWS\madopew.dll deleted
C:\WINDOWS\odbc.hta=>(VBSCRIPT 1) infected: VBS.Trojan.StartPage.I
C:\WINDOWS\odbc.hta deleted
C:\WINDOWS\podnl1.exe=>(Upx) infected: Trojan.Dialer.CE
C:\WINDOWS\podnl1.exe deleted
C:\WINDOWS\system32\notepad.exe.bak infected: Trojan.Downloader.Small.JC
C:\WINDOWS\system32\notepad.exe.bak deleted
C:\WINDOWS\system32\tksrv98.exe=>(Upx) infected: Application.XPlugin.A
C:\WINDOWS\system32\tksrv98.exe deleted
C:\WINDOWS\wsem217.dll infected: Trojan.Downloader.Dyfuca.CN
C:\WINDOWS\wsem217.dll deleted

Followed neatly by the HJT log;

Logfile of HijackThis v1.98.0
Scan saved at 14:14:26, on 27/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\PROGRA~1\Vision\System\xvl.exe
C:\Documents and Settings\Matthew Sleaford\My Documents\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [Monitor_Helper] C:\WINDOWS\System32\monitor.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\NUTC\bin\ncoeenv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: usa_connect.lnk = C:\usa\nt\bin\usa_connect.exe
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab

On the same lines, what in your opinion is the best preventative solution from the list of software on this site? I quite like the sound of GhostSurf Pro... is it a better one, or are any of the others preferable?

Cheers

Matthew.

#16 Guest_splintercell990_*
  • Guests

Posted 28 July 2004 - 09:27 AM

Excellent :) Your logfile is clean :cool:

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Thanks for using SWI forums :wave:

Edited by splintercell990, 28 July 2004 - 09:27 AM.
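
The HOSTS-file tip above works because the resolver consults the file before DNS, takes the first matching entry, and ignores case and comments, so a name mapped to 127.0.0.1 (or 0.0.0.0, which newer block lists use) never leaves the machine. The following Python is an added example, not the MVPS file or anything from this thread, that parses a constructed HOSTS excerpt with those same rules and answers whether a given name is sinkholed. The hostnames in SAMPLE_HOSTS are placeholders under example.net/example.org, not real ad domains.

```python
"""Check what a block-list style HOSTS file does to a name lookup (added example)."""
import ipaddress

# Constructed excerpt in the MVPS style; the ad/tracker names are placeholders.
SAMPLE_HOSTS = """
# block-list excerpt (constructed for this example)
127.0.0.1 localhost
127.0.0.1 ads.example.net          # classic loopback sinkhole
0.0.0.0   tracker.example.org  banner.example.org   # newer lists use 0.0.0.0
10.0.0.5  tracker.example.org     # later duplicate: ignored, first entry wins
this is not a hosts line and must be skipped
"""


def parse_hosts(text):
    """Map each hostname (lowercased) to its address; first entry wins, like the resolver."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, skip it
        for name in parts[1:]:
            table.setdefault(name.lower(), str(addr))
    return table


def lookup(table, hostname):
    """Address the HOSTS file would return for hostname, or None (fall through to DNS)."""
    return table.get(hostname.lower())


def is_sinkholed(table, hostname):
    """True when the file pins hostname to loopback or 0.0.0.0, i.e. the site is unreachable."""
    addr = lookup(table, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ADS.example.net", "tracker.example.org", "www.example.com"):
        print(name, "->", lookup(hosts, name), "sinkholed" if is_sinkholed(hosts, name) else "goes to DNS")
```

The first-match rule is the caveat worth knowing: an entry added at the bottom of a long block list never takes effect if the same name already appears higher up, which is why the duplicate tracker.example.org line above still resolves to 0.0.0.0.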


#17 RawnNiven
    Member
  • Full Member
  • 23 posts

Posted 29 July 2004 - 03:11 AM

Thank you Splintercell990.

I now have Spywareblaster, Ad Aware, Spy Sweeper, Pop Up Stopper free edition and Norton Anti Virus running... that ought to do it :)

Thanks so much for your help.

Matthew

Edited by RawnNiven, 29 July 2004 - 03:12 AM.


#18 Guest_splintercell990_*
  • Guests

Posted 29 July 2004 - 02:43 PM

No problem :D

#19 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 29 July 2004 - 05:22 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE




