Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

fade2black3424

21 Posts

3635

April 30th, 2004 00:00

Please help! I can't get into Task Manager or Registry Editor

I recently got a virus from a friends profile on AIM. This virus will not let me get into task manager or registry editor. I was browsing through the boards and noticed that many people had this same problem, but I dont understand what was going on. Virus Scanner (Norton 2003) is completly updated, and i tried running it in safe mode as well as normal, but it doesn't find the infected files. How can I fix my computer?

 

Texruss

2 Intern

 • 

3.4K Posts

April 30th, 2004 00:00

We need you to download and install an analysis and repair tool called Hijackthis.

Go here and download the file: http://tomcoyote.com/hjt

Please unzip Hijackthis.zip into a new folder you create in the root level of the C: drive. Name this folder C:\HJT for best and safest results. (don't put in a temp folder, or the desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm


Run Hijackthis, click on the 'scan' button and then 'save log' button. Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt


Stay in this thread for continuity. Reply to this message.


HTH (Hope that Helps)

Texruss

fade2black3424

21 Posts

April 30th, 2004 01:00

Here is my log file of HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 10:02:24 PM, on 4/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\BCMSMMSG.exe
C:\WINNT\Twain_32\R9000\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\SVEHOST.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\WhistleSoftware\WselServices\WhistleHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HotKey] C:\WINNT\Twain_32\R9000\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [MSVersion] C:\WINNT\system32\internetfeatures.exe
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [Windows Svehost Services] SVEHOST.EXE
O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Windows Svehost Services] SVEHOST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Texruss

2 Intern

 • 

3.4K Posts

April 30th, 2004 02:00

Lots of stuff...including the kitchen sink. *;-) But I'm a good plumber for this dirty stuff.
>;->

Good folder location for Hijackthis.exe! I salute you as 8 out of 10 posters never get that right. *;-)

OK...the fix...you have Agobot trojan as the worst baddie and a raft of adware popup critters (popnav being one).

Open Hijackthis and scan. Place a check by these:

C:\WINNT\system32\SVEHOST.EXE
Comments: the baddie Agobot worm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
Comments: Secondthought adware (popnav)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
Comments: we'll trim these and see if CWS is lurking. Report back if you have any webpages redirected to Zestyfind.com.


R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\WhistleSoftware\WselServices\WhistleHelper.dll
Comments: WhistleSoftware crud

O4 - HKLM\..\Run: [MSVersion] C:\WINNT\system32\internetfeatures.exe
Comments: IEFeatures downloader


O4 - HKLM\..\Run: [Windows Svehost Services] SVEHOST.EXE
Comments: Agobot again
O4 - HKLM\..\Run: [rreg] C:\Program Files\Common Files\System\rreg.exe
Comments: random-named Trojan...if you're good with Windows zip it and send it to me before you delete it in Safe Mode below...look in my profile for my email address...

O4 - HKCU\..\RunOnce: [Windows Svehost Services] SVEHOST.EXE
Comments: Agobot likes to play three times...

O9 - Extra button: Whistle (HKLM)
Comments: Whistler makes a bad button

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab

Comments: SpywareBlaster does not peg this as bad, but if if it isn't our friend above then I'm Whistler's mother.  Removing ActiveX 016s is always safe as you will get them again if you visit that link...good or bad...unless you have protection like we can advise...in final clean message).

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

Comments: last dirty one of the bunch...IEPlugin...time to flush now...

With no other windows open click fix checked button in HJT.

Now...more plumber work to clean the real bad files...HJT sees where they are and deletes their activity in the Registry:

Reboot to SAFE mode
How to start the computer in Safe mode


Show hidden files.

Show hidden files and folders

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files and/or folders:

C:\WINNT\system32\SVEHOST.EXE   file   (bye-bye Agobot!)
C:\Program Files\WhistleSoftware      folder   (whistle this one sayonara)
C:\WINNT\system32\internetfeatures.exe   file   (what a name...seeya!)
C:\Program Files\Common Files\System\rreg.exe  file   (reg yes...rreg...NO!)

and to complete our search and destroy mission...not seen in our log...just for good measure...these are secondThought popnav folders..may be there...maybe not:
Purge them all without prejudice...if present the red devil folders must die....

C:\Program Files\ClearSearch     
C:\ProgramFiles\Media
C:\ProgramFiles\STC
C:\ProgramFiles\Common Files\Slmss

OK...now reboot in normal mode...run Disk Cleanup (type cleanmgr at Start Run button).  Scan all hard drives, select all categories at end of scan and remove.

Run around the block a bit in your browser...then a fresh Hijackthis log here with comments on the search in Safe Mode....were any of the last folders found is of particular interest to me.

Thanks,

Texruss

P.S. After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System restore which can't be cleaned by your antivirus programs.

fade2black3424

21 Posts

April 30th, 2004 14:00

OK now either I am just not seeing it, but when I run HijackThis I can't find some of the things you are telling me to check. I am in school right now so I can't show you exactly what I see, but a lot of things that are on the log file aren't there when I scan. Also, I have Windows 2000 and not XP so is there another way to flush the restore points or just leave that alone. Thanks for all your help.

Texruss

2 Intern

 • 

3.4K Posts

April 30th, 2004 18:00

>Also, I have Windows 2000 and not XP so is there another way to flush the restore points or just leave that alone.

Sorry...canned message (macro) and I usually have XP posters and missed your OS in the header...I'll blame it on too much Kenyan coffee last night. *;-)

XP and Millennium have Restore feature, W2K does not.

As for not seeing some things...take your time and don't rush...work through the instructions and follow them where you find the entries. Post a new log when you finish first cleanup run.

All the best,

Texruss

 

fade2black3424

21 Posts

April 30th, 2004 19:00

OK  whatever you told me is working, because I can get into task manager again, but I'm not sure if everything is gone. Here is a new log file:

Logfile of HijackThis v1.97.7
Scan saved at 4:07:34 PM, on 4/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\BCMSMMSG.exe
C:\WINNT\Twain_32\R9000\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\cleanmgr.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HotKey] C:\WINNT\Twain_32\R9000\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [Windows Svehost Services] SVEHOST.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Texruss

2 Intern

 • 

3.4K Posts

April 30th, 2004 22:00

 

 

O4 - HKLM\..\Run: [Windows Svehost Services] SVEHOST.EXE

See the link. Spybot worm.

Try checking and removing in HJT. Reboot in Safe Mode and delete file svehost.exe in C:\Winnt\system32 folder

Reboot in normal mode and run disk cleaner  (type cleanmgr  at Start/Run) Scan and remove all files in all categories.

Post a new HJT log.

Texruss

fade2black3424

21 Posts

April 30th, 2004 23:00

Thanks for all your help, I really appreciate it.

fade2black3424

21 Posts

April 30th, 2004 23:00

I just ran HJT and I checked the box you told me, then fixed it. When I restarted my computer in Safe Mode svehost.exe was not there, which I'm guessing is because I deleted it the first time. I am now currently trying to run the disk scan, but it gets about 4 bars done and says "Scanning: Compressing Old Files." It has been running for the past thirty minutes and it just stays there. Should I just wait or do something else. Here is a new log just in case:

Logfile of HijackThis v1.97.7
Scan saved at 8:25:47 PM, on 4/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\BCMSMMSG.exe
C:\WINNT\Twain_32\R9000\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\System32\cleanmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HotKey] C:\WINNT\Twain_32\R9000\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Texruss

2 Intern

 • 

3.4K Posts

April 30th, 2004 23:00

Scandisk as well as defrag can be affected by conflicts with programs in memory (usually not hostile). Best bet...run both programs in Safe Mode.

Your log looks like a clean one. Let me know of any special issues or strange behavior as a very few hostile programs (new CWS hijackers mainly) hid from the log scan.

How to stay clean:

1. The main cleanup programs...they are reactive...not proactive:

Spybot Search&dDestroy, Ad-aware Run weekly - or after a heavy internet session.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr
I check all the selected items to be deleted here.

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

5. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

6. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

7. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.wilderssecurity.com


Good luck and safe computing!

Texruss

Texruss

2 Intern

 • 

3.4K Posts

May 1st, 2004 00:00

Good one Jim...I misread his post 'disk scan' and didn't associate it with Disk Cleanup....it always pays to check MS KB!

All the best,

Texruss

jwatt

4.4K Posts

May 1st, 2004 00:00

I am now currently trying to run the disk scan, but it gets about 4 bars done and says "Scanning: Compressing Old Files." It has been running for the past thirty minutes and it just stays there. Should I just wait or do something else

I'd do something else!  You've encountered a bug! Here's  Microsoft's article about it, including a registry fix to get rid of the problem.

(edit) Denny Denham has provided a fix for this in the form of a small ".reg" file. You can download the fix from  Denny's Web site.

Jim

Message Edited by jimw on 04-30-2004 06:19 PM

Was this post helpful?

View All

No Events found!

Top