Stem

Help !!!

8 posts in this topic

Basically, the automove.exe file appeared on a system at work a couple of days ago and won't go away.

Now, frustratingly, Ad Aware comes up clean, AntiVirus comes up clean, I've removed the file from MSConfig, the registry and physically removed it from the System32 folder. I've also cleared System Restore and yet the file keeps coming back after a few minutes.

It's not harming anything, just putting an annoying popup on the screen every few minutes.

Help me please.

Edited by Stem


Hi,

Download "Hijack This!"

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Click: "Save Log" (generates: "hijackthis.log")

Copy and paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.

Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis cannot "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.


Logfile of HijackThis v1.97.7
Scan saved at 13:16:02, on 17/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\workshop\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn_5.2.0.8.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Hmm, spy sweeper seemed to get rid of it but it just came back again.

Ah well.


And by the way, not sure if it matters or not, the popups are coming from 680180.net and are for ringtones.

Edited by Stem


Hi,

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", OK the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files", OK the prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows except for HijackThis. Place a check in each of the following:

Then click "Fix checked".

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

Then reboot; on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

Open Windows Explorer, locate and delete the following:

C:\WINDOWS\System32\SWin32.dll <--this file

C:\WINDOWS\System32\automove.exe <--this file

C:\WINDOWS\System32\ADStartUP.exe <--this file

C:\WINDOWS\System32\AdUpdater.exe <--this file

C:\WINDOWS\System32\adupdmanager.xml <--this file

C:\WINDOWS\System32\data.xml <--this file

C:\WINDOWS\System32\IEEnhancer.dll <--this file

After the above, reboot, rescan with HijackThis and post a fresh log ...

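The cross-check that the reply above does by hand, as an added example (not part of the original thread and not HijackThis code): it parses HijackThis entry lines and compares the files they load against the reply's deletion list. The regular expressions, function names and dictionary keys are assumptions for illustration; the log lines and file paths are copied from this thread.

```python
import re

# Constructed sample: a subset of the entry lines from the log posted in this thread.
LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# Files the reply lists for deletion in Safe Mode.
SYSTEM32 = "C:\\WINDOWS\\System32\\"
REMOVAL_LIST = [SYSTEM32 + name for name in (
    "SWin32.dll", "automove.exe", "ADStartUP.exe", "AdUpdater.exe",
    "adupdmanager.xml", "data.xml", "IEEnhancer.dll")]

# Assumed patterns for this example: "<section code> - <body>", a CLSID, a file path.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll|ocx|xml)', re.I)

def parse_log(text):
    """Turn HijackThis entry lines into dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        clsid = CLSID.search(m["body"])
        path = WIN_PATH.search(m["body"])
        entries.append({"code": m["code"],
                        "clsid": clsid.group(0) if clsid else None,
                        "path": path.group(0) if path else None})
    return entries

def cross_check(entries, removal_list):
    """Return (hits, unseen): entries that load a listed file, and listed files
    that no entry references (Windows paths compare case-insensitively)."""
    wanted = {p.lower(): p for p in removal_list}
    hits = [e for e in entries if e["path"] and e["path"].lower() in wanted]
    seen = {e["path"].lower() for e in hits}
    return hits, [p for key, p in wanted.items() if key not in seen]

if __name__ == "__main__":
    hits, unseen = cross_check(parse_log(LOG), REMOVAL_LIST)
    for e in hits:
        print("referenced by", e["code"], e["clsid"] or "", e["path"])
    for p in unseen:
        print("not referenced by any entry, check on disk:", p)
```

Only two of the seven listed files are loaded by an entry in the posted log; the other five never appear in it, so their presence can only be confirmed by looking in the folder itself.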

Hi,

I've had the same problem, I posted my log about a week ago. The solutions provided by WinHelp are useful, yet temporary: the pop-ups keep coming back. To me, the 680180.net pop-up caused IE5.5 to crash, so I HAD to find a definitive solution. I think I found one: try downloading SpywareGuard and SpywareBlaster.

http://www.javacoolsoftware.com/spywareguard.html

I've been running these programs for four days now, and my computer still seems clean and the pop-ups gone, whereas with the manual removal the automove.exe file (and the other stuff) always came back. Another useful spyware removal tool is BPS Spyware Remover, which provides an in-depth scan of your computer (it takes a bit longer than other programs, but it always detects more than programs like Ad-Aware and Spybot).

The origin of all these problems lies in Curacao, check this link:

http://antivirus.about.com/library/weekly/aa071403a.htm

If anyone succeeds in hacking their server I would gladly buy him a beer :p

Hope this helps you!

Greetz,

Blasherke


blasherke,

If you go back to the post I was helping you with ... you never finished up or followed the posted instructions.

"Another useful spyware removal tool is BPS"

That product is banned here, matter of fact SpyBot targets that for removal!


As a matter of fact, I think I did! I posted my last log June 15 8.48 am. I updated my system, as far as possible because for a particular reason I'm unable to update to IE6, the installation always fails.

Concerning BPS, I didn't understand completely: do you mean BPS is spyware itself???

greetz,

Blasherke
