8 Posts

July 6th, 2006 13:00

System Alert: Spyware Detected - Triangle in Systray

I have a small yellow triangle (with an exclamation mark in it) in my system tray, and the occasional 'balloon' box pointing from it that says "System has detected 4 active spyware applications that may cause your computer to crash and restart, slow it to a crawl and even shut down entirely. Click the icon to get rid of unwanted spyware." Of course, clicking the icon takes me to an offer for virus software.

I also receive a standard (explorer-type) pop-up window from time-to-time. Seems to be two rotating ads, one for Adult Friendfinder, and the other for a casino (kinda forget).

I'm using Windows 2000 with all service packs and updates.

I did an HJT scan, and here it is - can anyone tell me how to remove the problem? Thank you very much:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:35 AM, on 7/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
C:\Program Files\MS Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\AOL\1148167682\ee\aolsoftware.exe
c:\program files\common files\aol\1148167682\ee\aim6.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-huns-yellow-pages.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [mfc30] C:\WINDOWS\system32\mfc30.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Cleanup.lnk = C:\Program Files\Ontrack\Internet Cleanup\onictask.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {D6C9B760-1165-11D4-8A65-000102421EDA} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wma: c:\Program Files\Windows Media Player\NPDSPLAY.DLL
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www11.brinkster.com/waytobehehe/cam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1559f7691cc2855d4222/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148130177829
O16 - DPF: {73020B72-CDD6-4F80-8098-1B2ECD9CA4CA} (HearMe VoiceCREATOR) - http://vp.hearme.com/products/vp/embedded/plugins/evp.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200332912
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interwoven1.webex.com/client/v_mywebex-localized/event/ieatgpc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4358/mcfscan.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: icservice - ONTRACK Data International, Inc. - C:\Program Files\Ontrack\Internet Cleanup\icserv.exe
O23 - Service: Visual IP InSight Client (VerizonDSL) (InverseLaunchIPI_BAIS) - Visual Networks - C:\Program Files\VerizonDSL\IPInsight\LaunchIPI.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

10.4K Posts

July 6th, 2006 17:00

Dave292

Please go here

And Download SmitFraudFix by S!ri


Extract all the archive content to your desktop
• Search:
  o Double-click smitfraudfix.cmd
  o Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
  Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread


Do Not run option 2 until instructed to do so



bamajim

Training at Malware Removal University

8 Posts

July 6th, 2006 23:00

No offense - but what was that first scan for? Your instructions are also suspect: "archive to the desktop"? What are you talking about? Can you clarify this?? Shouldn't there be a simple removal tool for this thing - it seems to be common. Anyone else who can weigh in?

4 Apprentice

20.5K Posts

July 7th, 2006 01:00

Hi, Dave292,
Please print these instructions so you can refer to them easily.

"archive to the desktop" means to extract SmitfraudFix from the zipped folder and save it to your desktop.
"Shouldn't there be a simple removal tool for this thing..."
Are you referring to the worm, the Trojan, your adult content dialer, or the CWS variants on your computer?
Unfortunately, none are simple infections, so there is not a simple removal tool.

Let us know how you would like to proceed.

Regards,
Bugbatter

8 Posts

July 7th, 2006 12:00

Sorry for the suspicion - just seemed strange to unzip directly to the desktop (but it creates a folder there, which is good). Here's the rapport.txt log, thanks for your help:

SmitFraudFix v2.68b

Scan done at 9:50:36.32, Fri 07/07/2006
Run from C:\Documents and Settings\strain\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\migicons.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\strain\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\strain\FAVORI~1

C:\DOCUME~1\strain\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Security Toolbar\ FOUND !
C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="C:\WINDOWS\system32\guxxa.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="C:\WINDOWS\system32\guxxa.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
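
Added example, not part of the original thread and not code from HijackThis or SmitFraudFix: one way to cross-reference the two logs above, matching each path that rapport.txt marks "FOUND !" (including its `?` wildcards) against the paths in the HijackThis log. The sample strings are constructed from a few lines of the posted logs, and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample input: a few lines copied from the two logs posted in this thread.
RAPPORT = r"""
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\Program Files\Security Toolbar\ FOUND !
C:\Program Files\SpyQuake2.com\ FOUND !
"""

HJT = r"""
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

FOUND_RE = re.compile(r"^\s*(.+?)\s+FOUND !\s*$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*")  # first drive-letter path on a line
NOTE_RE = re.compile(r"\s*\((file missing|no file)\)\s*$")  # HijackThis annotations


def found_patterns(rapport_text):
    """Paths SmitFraudFix marked 'FOUND !'; file names may contain '?' wildcards."""
    matches = map(FOUND_RE.match, rapport_text.splitlines())
    return [m.group(1) for m in matches if m]


def _matches(path, pattern):
    """Case-insensitive match; a pattern ending in a backslash is a directory."""
    path, pattern = path.lower(), pattern.lower()
    if pattern.endswith("\\"):
        return path.startswith(pattern)       # anything beneath the directory
    return fnmatch.fnmatchcase(path, pattern)  # '?' matches exactly one character


def correlate(rapport_text, hjt_text):
    """Return (finding, HijackThis line) pairs where the line references a finding.

    Limitation: command-line arguments after a path are not stripped, so an
    entry with arguments only matches directory findings.
    """
    patterns = found_patterns(rapport_text)
    hits = []
    for line in hjt_text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = NOTE_RE.sub("", m.group(0)).strip()
        for pattern in patterns:
            if _matches(path, pattern):
                hits.append((pattern, line.strip()))
                break
    return hits


def unreferenced(rapport_text, hjt_text):
    """Findings that no HijackThis line points at (not visible in that log)."""
    seen = {pattern for pattern, _ in correlate(rapport_text, hjt_text)}
    return [p for p in found_patterns(rapport_text) if p not in seen]


if __name__ == "__main__":
    for pattern, line in correlate(RAPPORT, HJT):
        print(f"{pattern}\n    <- {line}")
    print("Not referenced in HijackThis log:", unreferenced(RAPPORT, HJT))
```

Findings returned by `unreferenced` are on disk but have no running process or autostart entry in the HijackThis sample, which is why both logs are requested before cleaning.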

4 Apprentice

20.5K Posts

July 7th, 2006 17:00

Unzipping to the desktop is common with some tools so that the user can find them easily and delete them easily after they are no longer needed.

We'll start with this, but depending on what infections remain, you may need to download additional tools and do additional procedures after we review your next logs.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

If you have not done so already, Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'
  3. Right click on ewido in the system tray and uncheck "Start with Windows".
    Go to Start > Run and type: services.msc
  4. Press "OK".
  5. In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  6. When you find the guard service, double-click on it.
  7. In the Properties Window > General Tab that opens, click the "Stop" button.
  8. From the drop-down menu next to "Startup Type", click on "Manual".
  9. Now click "Apply", then "OK" and close the Services window.

  10. For Windows 2000 instructions for Services see here: http://www.techspot.com/tweaks/win2k_services/

  11. Once the setup is complete you will need to run ewido and update the definition files.
  12. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the Ewido Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    • Close ewido anti-spyware. Do Not run a scan just yet.

Reboot your computer in Safe Mode.

* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete Files under Temporary Internet Files.
* In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
* On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
* Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
* Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders.

Launch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:

If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode.

Please post:

1. c:\rapport.txt
2. Ewido report
3. A new HijackThis log

8 Posts

July 7th, 2006 23:00

Hi: I downloaded Ewido. When I launched it to set it up, it immediately reported a trojan: I believe it was indicated as Trojan.small. Naturally I told it to remove it - that pesky yellow triangle was immediately removed from my system tray. I've rebooted, and I have no more random porn and casino pop-ups. I believe I'm done. I may follow the rest of your instructions later, but I think I'm clear. I wanted to thank you so much for helping me rid myself of this intrusion.

8 Posts

July 8th, 2006 00:00

Well, I've got more work to do. My IE still has its home page hijacked, and it can't be reset. The home page is a "spyware/anti-virus" software offer. Also, I'm unable to access or clear cookies, cache, history, etc. The Tools, Options are pretty much disabled. I'll go through the instructions and get back to you - but I'm using Mozilla, and my systray is clear - so no popups, or balloons.

4 Apprentice

20.5K Posts

July 8th, 2006 00:00

No, you are not finished. This will take a few days. I mentioned that you have several infections. Please follow the instructions exactly as I posted. Skipping steps and going online in between can cause us to start all over again as the infections reinstall. I have not even gotten to the other tools that you will have to download.
This is not something that can be hurried, and it needs to be done in a certain sequence.

8 Posts

July 11th, 2006 20:00

I followed all the steps and that seems to have done the trick - I can't thank you enough. I have 2 of the 3 logs to post - can you tell me where to find the 'hijack this' log, and then I'll post them all at once. By the way, has anyone here heard of the book I.T. Wars (it's on Amazon.com)? Phenomenal chapter on security that touches on this stuff - it addresses IT/business vulnerabilities from the cultural aspect - people here at work have several copies. I'll post the logs shortly. Thanks again.

4 Apprentice

20.5K Posts

July 12th, 2006 01:00

Hi, Dave,
I've heard of the book, but I have not read it yet.
You can find the HijackThis log by doing a new Scan and Save Log. I look forward to your reply.

8 Posts

July 13th, 2006 14:00

I sent this guy an e-mail this morning - I'll let you know if I hear back.

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

8 Posts

July 13th, 2006 14:00

I meant to post this link:

http://www.amazon.com/gp/product/1419627635/103-9116809-5111800?n=283155