• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Reggie

Cant get rid of the last 3-7 files.

5 posts in this topic

Hello all, I have sucessfully removed all of the spy/malware on 1 machine which was actually stopping the guys internet access (over 300 found!) but on the 2nd PC there was around the same amount of problems, but the lad had net access still. Got adaware and spybot to remove almost all of the problems, except betweem 3-7 files will not allow themselves to be removed, can some kind soul take a look at the log for me?

 

Logfile of HijackThis v1.97.7

Scan saved at 22:41:44, on 17/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\USB Storage RW\shwicon.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Exif Launcher\QuickDCF.exe

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

C:\WINDOWS\System32\rundll32.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Owner.SINA\Desktop\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lycos.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb7.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb7.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: Money Viewer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hi,

except betweem 3-7 files will not allow themselves to be removed

What 3-7 files? ... where?

 

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

C:\WINDOWS\rundll32.exe <--this file

Note: do not delete C:\WINDOWS\System32\rundll32.exe

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe

 

Restart normally and then ...

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above post a fresh log ...

Share this post


Link to post
Share on other sites

Yeah, I should have written them down, but I'm doing this from distance, and asking the user to do this would be more than a nightmare. I thought grabbing the log file from Hijack this would help me sort this out. So, I'll have to go back there at some point and get the filenames from spybot.

 

Thanks for the quick reply :)

Share this post


Link to post
Share on other sites

Hi,

Ok, no problem ...

 

Just forward the above instructions, then have them run SpyBot and see if the same files still show up, if so they can forward you the results.

 

Just a thought ...

Share this post


Link to post
Share on other sites

Yeah, I'd thought of that, but thinking about it some more, it's probably safer to save the instructions onto my thumbdrive and go and do it myself in the week when I am in their area again. One of their PCs hadn't been on the internet for 3 months because of mal/spyware and they hadn't made any effort to fix it so I'm guessing its down to being technically lacking as far as PCs are concerned.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0