got most of it, but some is still causing popups.


16 replies to this topic

#1 Novadistortion

Posted 23 June 2004 - 01:09 PM

Today I went to one website (Warcraft III site) which hit me with several popups.

I have never had an infection this bad. Spybot S & D and adaware combined found almost 150 problems.

I had a new taskbar, several programs installed, my favorites list altered, CWS, and a bunch of other garbage.

I caught it fairly early and got the worst of it. Spybot said I was clean at one point while adaware found 86 more infections.

I wonder if spybot itself somehow got compromised by this particular infection. Just to be sure, I uninstalled and reinstalled it.

HJT, Adaware, and Spybot S & D are all updated. I have read through the FAQ as well.

Anyway, here is my logfile: (Edit: Fought with the spyware a bit more, I think I got rid of some more of it, so I updated the log.)

Logfile of HijackThis v1.97.7
Scan saved at 2:23:41 PM, on 6/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\dqikjczm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\INVERW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Riedl\Desktop\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [INVERW] C:\WINDOWS\System32\INVERW.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A20ABB2-6398-4E49-8886-BB44C04626A0}: NameServer = 192.168.203.102 192.168.203.101




I realize that I have neglected some security updates, and that is undoubtedly to blame for some of this. I plan to get them all downloaded after I get everything back to normal again.

Thanks in advance.

(UPDATE: I thought I had it beat, but last night when I was about to disconnect, a ton of popups kept coming up. After they finally quit, I added the site it kept trying to bring me to into my restricted sites category. It hasn't happened again, but at least I know it isn't fixed. Adaware and Spybot aren't finding anything new except a few minor tracking cookies.)

Edited by Novadistortion, 24 June 2004 - 10:28 AM.

"To argue with a man who has renounced his reason is like giving medicine to the dead." -- Thomas Paine

Your computer, your castle... but don't forget to put in a moat:

How Did I Get Infected In The First Place
HijackThis
CWShredder
Spybot Search & Destroy
Ad-Aware
SpywareBlaster
IE-SPYAD'S
How To Set Up Ad-Aware/Spybot S&D
HouseCall Online Virus Scan
 

#2 DIGIWIBBS

Posted 23 June 2004 - 06:39 PM

Hey I think I'm having the same problem, can't fix it though.

#3 Novadistortion

Posted 25 June 2004 - 05:12 PM

Been a few days. I read the thing on bumping as well as the announcements so... I figure it is time.

Here is a new log file:

Logfile of HijackThis v1.97.7
Scan saved at 5:09:49 PM, on 6/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\WINDOWS\System32\dqikjczm.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\SVCRT20M.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Riedl\Desktop\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [SVCRT20M] C:\WINDOWS\System32\SVCRT20M.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A20ABB2-6398-4E49-8886-BB44C04626A0}: NameServer = 192.168.203.102 192.168.203.101


Just to sum up my latest problems:

So far I have had:

Occasional single popups.
Computer slowdown (minor)
Applications crashing (possibly unrelated)

Huge masses of popups (tossed the site on the restricted list, hasn't happened since.)

Right when I started my computer it tried to connect me to some site that I have never been to before. I just hit cancel and it hasn't happened again.

Obviously everything is not fixed yet.

I ran a series of new scans including a virus scan. Nothing of note except a few tracking cookies.

#4 Novadistortion

Posted 29 June 2004 - 05:37 PM

Well, I have read through the stickied threads, and I really don't know if that is indeed what I was being plagued with. I updated adaware, altered the settings, and restarted in safe mode. That found about 10 things which it hadn't found before.

New Log:

Logfile of HijackThis v1.97.7
Scan saved at 5:28:56 PM, on 6/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\SORCL32M.exe
C:\Documents and Settings\Matt Riedl\Desktop\HJT\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SORCL32M] C:\WINDOWS\System32\SORCL32M.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A20ABB2-6398-4E49-8886-BB44C04626A0}: NameServer = 192.168.203.102 192.168.203.101



I have been reading through the tutorial for using Hijack This myself, but I am not sure exactly what I am doing, so I am loath to just start deleting things.

Some of those random letter .exe files make me nervous though. I think I have gotten rid of the worst of it, but I would really appreciate it if someone who knows what they are doing could look it over for me to see what I missed.

I have placed all the popups that it has tried to hit me with at startup or while I am using the internet into the restricted list. I think that is helping, but it is tough to say.

Also, I have added the site it tries to connect me to occasionally when I start up. (It doesn't do it every time for some reason.)

I am tempted to put up a firewall. Is that going to help at all?

#5 VashonDude

Posted 30 June 2004 - 01:03 PM

I'm looking over your log right now to see what needs to be removed.

Both XP and IE are not up to date. At some point you'll need to download critical updates.

You mentioned you altered settings. What settings did you alter?

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#6 VashonDude

Posted 30 June 2004 - 11:59 PM

Go back into HijackThis and, with all browser windows closed, remove the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [SORCL32M] C:\WINDOWS\System32\SORCL32M.exe

Next, change settings to show hidden files (click here to see how to do this).

Then reboot into safe mode by choosing Restart from the shutdown menu, then repeatedly hitting F8 while rebooting until you hit a menu. Choose Safe Mode from that menu.

Once there, delete the following files:

C:\WINDOWS\System32\dqikjczm.exe
C:\WINDOWS\System32\SORCL32M.exe

Reboot and post a new log.

-- LB

#7 Novadistortion

Posted 01 July 2004 - 02:58 PM

Did everything you mentioned. I ran into a few bumps though that I figure I should mention.

1. SORCL32M.exe was not there. In its place I found something named estoreR.exe. It was in the same spot and everything, and I know it is not something that was there a day ago. I figured it had been renamed or something so I deleted it instead of the SORCL32 thing.

(Also, when I look back across the old logs I posted, it seems to have done the same before: INVERW.exe, LEXBCES.EXE. I think they were all the same thing renaming itself if I am not mistaken. Please correct me if I am wrong here though.)

2. The dqikjczm.exe thing didn't read as just dqikjczm.exe. It had a bunch of other things in its listing, but it was all that appeared on the search so I deleted it.


Here is my new log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:03:06 PM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Riedl\Desktop\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A20ABB2-6398-4E49-8886-BB44C04626A0}: NameServer = 192.168.203.102 192.168.203.101

(Edit: updated it again. First one was different than after I posted this message originally.)


Also, you asked previously about the altered settings for Adaware. I refer to the changes mentioned in this thread:

http://www.spywarein...?showtopic=8847

As for the critical updates, I plan to update after I get everything squared away with these problems.

Thanks for the help once again.

Edited by Novadistortion, 01 July 2004 - 03:30 PM.

#8 Baris

Posted 01 July 2004 - 03:10 PM

Close all windows, then check the following items and click on Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab


#9 Novadistortion

Posted 01 July 2004 - 03:18 PM

Funny... VashonDude found no problem with what you just mentioned.

You will have to forgive me if I am wrong with my guess here, but it seems most likely to me that you are trying to cause me problems.

I notice you don't have a "helper" in your group thing and you only have 3 posts.


This tells me that I am better off not trusting you at this time and waiting until I am told otherwise.

Sorry if I have misjudged you of course.

Edited by Novadistortion, 01 July 2004 - 04:41 PM.

#10 VashonDude

Posted 01 July 2004 - 04:21 PM

Baris, Please see The various helper groups here. Do join the team if you want to post help, we'd love to have you with us. :)

None of the items Baris mentioned should be deleted.... they're all legit.

I'll get back to you once I've analysed the latest log.

-- LB

#11 Novadistortion

Posted 01 July 2004 - 04:33 PM

I was/still am unsure if Baris had any malicious intent with his advice. I hope he was just trying to help.

I did a search and notice he gave out advice elsewhere as well. I mentioned it in this thread as well just in case.

http://www.spywarein...showtopic=11669

Figured you would want to be aware.

(Edit: I notice there is a new version of Hijack This out. I looked at the thread, and it looks like it is having errors when people use it. Apparently there is work being done to fix that. Should I download it now, or after it is patched?)

(Edit again: I know for certain that I used to have a VX2 infection (adaware found a bunch of them.) Is that what it was? This is not necessary or anything, but I am curious if you know exactly what it is.)

Edited by Novadistortion, 01 July 2004 - 04:57 PM.

#12 VashonDude

Posted 01 July 2004 - 11:32 PM

LEXBCES.EXE is part of the printer software/driver.

Go ahead and download the new version of HijackThis and post a new log.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.
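
An added example, not part of any post in this thread: a Python script that parses HijackThis logs and compares the O4 Run entries and running processes across scans, which is the comparison the posts above make by eye. The log excerpts are abridged from the logs posted in this thread; the function names and the "seen in one scan only, image directly in System32" rule are assumptions for illustration and give a triage signal, not a verdict.

```python
import re
from collections import defaultdict

# Abridged from the four HijackThis logs posted in this thread
# (most lines for known software are omitted to keep the sample short).
LOGS = {
    "6/23/2004": r"""
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\dqikjczm.exe
C:\WINDOWS\System32\INVERW.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [INVERW] C:\WINDOWS\System32\INVERW.exe
""",
    "6/25/2004": r"""
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\dqikjczm.exe
C:\WINDOWS\System32\SVCRT20M.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [SVCRT20M] C:\WINDOWS\System32\SVCRT20M.exe
""",
    "6/29/2004": r"""
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\SORCL32M.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mpcqvl] C:\WINDOWS\System32\dqikjczm.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SORCL32M] C:\WINDOWS\System32\SORCL32M.exe
""",
    "7/1/2004": r"""
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
""",
}

# Matches lines such as: O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.+)$")


def image_of(command):
    """Return the lower-cased executable path from a Run command (quotes/args dropped)."""
    m = re.match(r'"?(.+?\.exe)', command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def parse_log(text):
    """Return (running process paths, {(hive, value name): command}) for one log."""
    processes, autoruns = set(), {}
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.add(line.lower())
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            autoruns[(hive, name)] = command
    return processes, autoruns


def autorun_history(logs):
    """Map (hive, value name, image) -> list of scans in which that entry appears."""
    seen = defaultdict(list)
    for label, text in logs.items():
        _, autoruns = parse_log(text)
        for (hive, name), command in autoruns.items():
            seen[(hive, name, image_of(command))].append(label)
    return seen


def one_scan_system32(logs):
    """Run entries seen in exactly one scan whose image sits directly in System32."""
    hits = []
    for (hive, name, image), labels in autorun_history(logs).items():
        folder, _, exe = image.rpartition("\\")
        if len(labels) == 1 and folder == r"c:\windows\system32":
            hits.append((labels[0], name, exe))
    return sorted(hits)


def processes_in_every_scan(logs):
    """Processes present in all scans: stable software, not a name that rotates."""
    return set.intersection(*(parse_log(text)[0] for text in logs.values()))


if __name__ == "__main__":
    for scan, name, exe in one_scan_system32(LOGS):
        print(f"{scan}: Run value [{name}] -> {exe} appears in this scan only")
    print("In every scan:", sorted(processes_in_every_scan(LOGS)))
```

On these excerpts the rule singles out INVERW, SVCRT20M and SORCL32M, one per scan, while LEXBCES.EXE is present in every scan and the mpcqvl entry persists until it is removed. An entry that shows up only in the newest scan is flagged the same way, so each hit still needs a manual check.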

#13 Novadistortion

Posted 02 July 2004 - 08:59 AM

Heh, I guess that would explain why it is still there. How about the other one? Do you think it was renaming itself?

Here is my new log file:

Logfile of HijackThis v1.98.0
Scan saved at 8:56:01 AM, on 7/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Riedl\Desktop\HJT\hijackthis.98\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\MICROR~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\MICROR~1\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A20ABB2-6398-4E49-8886-BB44C04626A0}: NameServer = 192.168.203.102 192.168.203.101

(edit: edited out previous edit after I answered my own question.)

Edited by Novadistortion, 02 July 2004 - 01:55 PM.

#14 VashonDude

Posted 02 July 2004 - 03:06 PM

It was something called WinPup that was causing those weird filenames.

Your log looks clean :)

I recommend downloading the following programs:

SpywareBlaster

IE-Spyad

MVPS Hosts

This will prevent much of the bad stuff from getting on your computer.

For IE-Spyad and MVPS Hosts, check either at their respective web sites or the Software Update forum here for update announcements.

Change your cookie settings as follows:
  • From the Tools menu in IE 6, choose Internet Options.
  • Click on the Privacy tab and click on the Advanced button.
  • In the box that pops up, check both the Override automatic cookie handling and Always allow session cookies boxes. Set First party cookies to "Allow" and Third party cookies to "Block".

Next, go to the Security tab & click the Custom Level button.

The following ActiveX section settings should be changed as follows:
  • Download signed ActiveX controls: Prompt
  • Download unsigned ActiveX controls: Prompt
  • Initialize and script ActiveX controls not marked as safe: Disable

In the Microsoft VM section, set Java Permissions to "High Safety"

In the Miscellaneous section, set Installations of desktop items to "Prompt"

Click on the Advanced tab and uncheck both Install on demand items. Click Apply, then OK

-- LB
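
An added example, not part of the thread and not HijackThis's own code: a small Python parser for the log layout posted above, which compares an earlier and a later scan the way a helper does by eye before calling a log clean. The function names are hypothetical and the two sample logs are constructed excerpts that reuse lines from the logs in this thread.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # coded line: "O4 - HKLM\..\Run: [x] path"

def parse_hjt(text):
    """Split a HijackThis log into version, running processes and coded entries."""
    log = {"version": None, "processes": [], "entries": []}
    in_procs = False
    for line in map(str.strip, text.splitlines()):
        if m := ENTRY.match(line):
            log["entries"].append((m.group(1), m.group(2)))
        elif line.startswith("Logfile of HijackThis v"):
            log["version"] = line.rsplit("v", 1)[1]
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            log["processes"].append(line)
        else:
            in_procs = False        # a blank line or other header ends the process list
    return log

def _delta(old, new):
    """Items only in old / only in new; Windows paths compare case-insensitively."""
    a = {str(x).lower(): x for x in old}
    b = {str(x).lower(): x for x in new}
    return [a[k] for k in sorted(a.keys() - b.keys())], [b[k] for k in sorted(b.keys() - a.keys())]

def diff_logs(before, after):
    """Per section, (gone, new) between two scans of the same machine."""
    return {k: _delta(before[k], after[k]) for k in ("processes", "entries")}

# Constructed excerpts based on the two logs in this thread (EXPLORER case changed on purpose).
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dqikjczm.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
"""
AFTER = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRA~1\AIM\aim.exe

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""
```

Calling `diff_logs(parse_hjt(BEFORE), parse_hjt(AFTER))` reports the randomly named executable as gone and the AIM process and autostart entry as new, while the unchanged printer driver process and the re-cased Explorer path produce no noise.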

#15 Novadistortion

Posted 02 July 2004 - 09:32 PM

Many thanks!

I downloaded all of those programs you mentioned shortly after I signed up for the training.

Fixed my settings as you mentioned as well.

(edit: Completely problem free now. :) )

Edited by Novadistortion, 02 July 2004 - 09:40 PM.

#16 VashonDude

Posted 02 July 2004 - 10:59 PM

I'm glad I could be of assistance.

-- LB

#17 dave38

Posted 16 October 2004 - 04:30 AM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!