>C:\program files\autoupdate\autoupdate.exe let me delete but the libexpat.dll was still left in the folder?
Did you delete the entire autoupdate folder as I asked?
>and the C:\progra~1\gridok`1\acid the.dll was not there all I found was gridokaycity folder. I left it there for now. This might be a silly question but what is the difference between C:\program files and C:\progra~1 if any?
Don't see any web references to that program or folder. The Progra~1 is just a DOS reference to Program Files. DOS sees only 8 characters and truncates last two characters to ~1. Delete gridokaycity folder.
I followed your instructions to a tee. I did not find the poll rule blue.exe before as I did not see the moveme something part of it but this time I did and I removed it as well as the autoupdate and the gridokaycity.
Here is my new log but I see that the mysearchnow thing is still showing up...........why is this thing so hard to get rid of?
Anyways, thanks again.
Logfile of HijackThis v1.97.7 Scan saved at 12:06:27 PM, on 25/04/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Tough nut indeed. I'm offline for a few hours, but have emailed Chris to see your case if he has some free time. I have some ideas, but for now family life supersedes the Forum. *;-)
Hi I see you still have a CWS infection and I also see 'Stop Sign'. You I assume used that as an online Anti-Virus test. Unfortunately what they don't tell you is that Stop Sign, although it does a free AV scan, then installs ad/spy programs on your machine. Please NEVER use them again. On my website you will see a list of free online AV scanners, any one will do it for free without installing junk on your machine while doing it. It may have been Stop Sign that has been infecting you with this junk.
=============================
CWShredder has had another new version out in just the last 24 hours. So please use the update feature from your current copy - the version should go to v1.57.0.
Then run it in safe mode, (F8 at boot time) and use the FIX button to clean your machine. Please post the CWShredder log for me to check.
====================================
Also fix this in hijackthis, with all other windows closed.
Then Reboot and post a fresh log for me to check.
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
File > > C:\PROGRA~1\MOVEME~1\poll rule blue.exe
(Or even the folder if not in use for legit programs) File > > C:\WINDOWS\Fonts\Backup\LOADER.exe
(Or even the folder if not in use for legit programs)
After the scan with the shredder the hijackthis was missing the R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html, but all the rest were there.
Do I still keep my hidden and operating system files to show or put it back to default?
Here is my new log
Logfile of HijackThis v1.97.7 Scan saved at 9:25:45 PM, on 25/04/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I tried to sent the shredder report but it keeps telling me that The tag: is not allowed. Please go to Scratch Pad and refer to the post titled "Allowed HTML Tags" for a list of support elements. The tag:
contains attributes which are not allowed. Please go to Scratch Pad and refer to the post titled "Allowed HTML Tags" for a list of support elements.
Sorry but I am not sure what I am doing wrong. :-(
Chris is asleep in England, so I'll put some comments here and he can give the all clear tomorrow...looks good to me, but I struggled on yours earlier so I'll defer.
>Wow, I had no clue about the stop sign thing.
Can't believe I missed that eAcceleration CLSID myself...I've fought it before.
After the scan with the shredder the hijackthis was missing the R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html, but all the rest were there.
If you mean the other R1 lines those are good entries.
Do I still keep my hidden and operating system files to show or put it back to default?
Your choice...the default setting is for most users...I use the option to see everything. A lot depends on how many novice users will be on your machine as they may delete key files in Windows Explorer.
Sorry to be a pain in the u know what but I still have a few questions.
1. Every time I go to use the disk cleaner it freezes on me and will not do anything but even after I ex out of it, it is still running when I go to check in the task manager and uses 100% cpu. Would you know how I go about fixing that?
2. You know how when u un-install a program most of them leave a bunch of folders etc behind? Is there a program that would scan my system and find all these unnecessary folders/files so I can then delete them without worrying about it?
3. In my IE settings in the activex controls and plug ins I changed it all to either prompt or disable which now gives me pop up windows in some of the websites asking whether I want to allow software such as activex controls and plug-ins to run? do I click on yes or no?
4. From time to time my system will get verrry verrry slow, when I go in the task manager it shows 100% cpu usage but no program showing using that much of it. Could it be something in the background and how would I find out?
Once again, I can not thank you and Chris enough for all the help.
>Sorry to be a pain in the u know what but I still have a few questions.
You're not a pain...the only dumb question is the one not asked.
>1. Every time I go to use the disk cleaner it freezes on me and will not do anything but even after I ex out of it, it is still running when I go to check in the task manager and uses 100% cpu. Would you know how I go about fixing that?
Some process is eating up CPU resources...msconfig is the tool invented by MS engineers to 'diagnose' technical problems in Windows. Note..I said 'diagnose'. Unfortunately, most people including tech phone support think it is the Holy Grail for 'fixing' problems. As my friend Ed Bott and I always used to say...that is a bad policy. You use msconfig to find problems, then solve them in the Registry or by uninstalling programs.
For now until you find out what is causing the problem (by process of elimination in msconfig...check a couple of items, reboot in selective startup...problem still there? Try some more...etc..) you may find running Disk Cleaner in safe mode is a good policy. Same thing for defrag if it has problems.
> You know how when u un-install a program most of them leave a bunch of folders etc behind? Is there a program that would scan my system and find all these unnecessary folders/files so I can then delete them without worrying about it?
You are not the first to ask that...my brother and late dad begged me to get a cleaner program years ago so I bought the most popular one and let my brother use it (definitely wouldn't let my dad try it). He proceeded to delete winword.exe and asked me to email it to him. Hmmm....mighty big file for those days on 14.4 modems. So my answer is...no...I don't think any program is smart enough yet to do that job well. Symantec's Cleansweep is not bad if you start out with it before anything else is installed, but it can lead you to make mistakes, and especially if it is installed later.
Best rule of thumb...get a drive image program and make a clean image of your drive as soon as you install Windows and get the basics loaded...patches, AV, Office, etc.. Burn it to a DVDR or CDRs and store it. I use Ghost, but other good programs exist. Back up all personal data as you go. If disaster strikes bring back the basic install in 20 minutes or less.
> In my IE settings in the activex controls and plug ins I changed it all to either prompt or disable which now gives me pop up windows in some of the websites asking whether I want to allow software such as activex controls and plug-ins to run? do I click on yes or no?
It depends...is it a reputable site? I personally prefer a firewall like NIS 2004 or the free Zone Alarm and using the tools recommended in this Forum for protecting against ActiveX hijackers. Just look for Chris and his all clear messages or mine.
>4. From time to time my system will get verrry verrry slow, when I go in the task manager it shows 100% cpu usage but no program showing using that much of it. Could it be something in the background and how would I find out?
Msconfig helps.
>Once again, I can not thank you and Chris enough for all the help.
You are very welcome...there is nothing more frustrating than computer problems..especially caused by greedy online miscreants.
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, the first sets kill bits to stop known bad activeX controls installing, the second acts like your AV to stop browser hijacks and installing of known baddies.
Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has an optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
Texruss
3.4K Posts
April 24th, 2004 01:00
You have a CoolWebsearch infection for certain.
Get CW Shredder to repair your CoolWebSearch infestations:
http://www.spywareinfo.com/~merijn/files/cwshredder.zip version 1.56.3
Follow the directions for running the program at the next link.
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47
At bleepingcomputer.com start reading at the section that says:
You can download this program here: CWShredder
(Note...we have noticed recently some CWS variants are harder to remove unless the shredder is run in Safe Mode...hit F8 while booting to enter Safe Mode and run the shredder.)
After cleaning with the shredder in Safe Mode do this:
Download and run these two programs (Spybot S&D and Adaware). Use Spybot first. Follow the directions completely at:
http://www.cjwd.demon.co.uk/spybot-adaware.html
Reboot if asked by either program and let it complete any cleanup. Then reboot a final time after running both and run Windows Disk Cleanup: Start/Run/ type: cleanmgr
I check all the categories to be deleted here.
Next we need you to download and install an analysis and repair tool called Hijackthis.
Go here and download the file: http://tomcoyote.com/hjt
Please unzip Hijackthis.zip into a new folder you create in the root level of the C: drive. Name this folder C:\HJT for best and safest results. (don't put in a temp folder, or the desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)
See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm
Run Hijackthis, click on the 'scan' button and then 'save log' button. Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Post back with a new log as a reply to this message (stay in this message posting thread for continuity). Most of your infections will be addressed with these tools, but you must follow the directions exactly to make final manual cleanup easier.
HTH (Hope that Helps)
Texruss
kasia
8 Posts
April 24th, 2004 02:00
Hi Texruss and thank you for your quick reply.
Here is my log.
Logfile of HijackThis v1.97.7
Scan saved at 11:01:17 PM, on 23/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\nt32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOVEME~1\poll rule blue.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\windows\redirect7.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\windows\redirect7.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\REAL\My Documents\AnalogX\POW\pow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\hjt\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Acid The.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {F50CE767-AE72-45EB-AECD-E8786C240373} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: ReadmeMessThis - {05646329-E726-03A9-FD28-CF1776E371F9} - C:\PROGRA~1\GRIDOK~1\Acid The.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nt32] nt32.exe
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 5.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5095601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5161D6-E7C6-4AE3-B5EE-173E4BC115C1}: NameServer = 216.211.26.14 206.47.150.225
Texruss
3.4K Posts
April 24th, 2004 03:00
Still have an entry for Coolwebsearch...probably should run CWshredder again.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
Your choice...run CWshredder once more in Safe Mode and select fix. It may still miss it, but probably will get it the second time. Or take a chance and fix it below.
Back in normal mode. Hit Shift-Control-Esc keys simultaneously and in Processes tab look for and stop these if they are running:
redirect7.exe
nt32.exe
autoupdate.exe
poll rule blue.exe
easywww.exe
Run Hijackthis and scan. Check the following items:
C:\WINDOWS\System32\nt32.exe
C:\PROGRA~1\MOVEME~1\poll rule blue.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\windows\redirect7.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\windows\redirect7.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
Comments: (your Huntbar persecutor)
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - (no file)
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Acid The.dll (Comments...if you know this file and folder as safe leave it...otherwise check for deletion.)
O3 - Toolbar: (no name) - {F50CE767-AE72-45EB-AECD-E8786C240373} - (no file)
O3 - Toolbar: ReadmeMessThis - {05646329-E726-03A9-FD28-CF1776E371F9} - C:\PROGRA~1\GRIDOK~1\Acid The.dll (same as above comments)
O4 - HKLM\..\Run: [nt32] nt32.exe
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
Click on the button 'fix checked'. Exit Hijackthis.
If you feel capable of sending attachments I would like to see two of the suspect files. Email me at the link in my Dell profile and send the following files listed below designated by EMAIL in front of their entry (before you delete them in Safe Mode). I can accept them as .exe files, but make sure you get my email address correct. *;-) Edit: Actually I used to be able to get .exe files, but upon testing it after posting this reply it appears my email postmaster strips out .exe files and makes you beg the help desk to retrieve them. *;-( So if you can zip the files I can receive them. If that's too much trouble then just forget it. Or you could copy them to a floppy and snail mail them to me. They aren't dangerous to zip, copy or send in email...if they were the Trojan writers would all be toast. Double left clicking and executing the files is what runs a process. These Trojans are pretty wimpy compared to a full-blown virus like Magistr or Sircam.
Reboot in Safe Mode (hit F8 on restarting)
Use Windows Explorer in Safe Mode to delete these files or folders.
EMAIL: C:\WINDOWS\System32\nt32.exe delete nt32.exe
EMAIL: C:\PROGRA~1\MOVEME~1\poll rule blue.exe delete Moveme folder (it will be named longer as it appears DOS-truncated...look for poll rule blue.exe file to make sure you have correct folder)
C:\Program Files\AutoUpdate\AutoUpdate.exe delete folder AutoUpdate
C:\windows\redirect7.exe delete file
C:\PROGRA~1\GRIDOK~1\Acid The.dll Delete Gridok~something folder if you checked above
Reboot in Normal Windows mode and run Disk cleaner (type cleanmgr at Start/Run and click OK).
Scan all hard drives and when it finishes check all boxes for removal.
Run your browser around the block and see if you can change home page and maintain it.
Repost a new Hijackthis log. Stay in this thread.
Texruss
Message Edited by Texruss on 04-23-2004 11:52 PM
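As an added example (not code from this thread or from HijackThis itself), the Python below parses the R0/R1/R3/O2/O3/O4/O16 line formats seen in the log above and applies the same checks Texruss and Chris made by hand: search/start-page values pointing at untrusted hosts, CLSIDs registered with "(no file)" behind them, Run entries that are bare filenames or sit in odd places such as the Fonts folder, and ActiveX downloads from the hosts named in this thread. The trusted/bad host lists and the sample log lines are constructed for the example from entries quoted on this page; "review" findings are heuristics for a human to judge, not automatic deletions.

```python
"""Triage a HijackThis v1.97-style log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed lists taken from hosts that appear in this thread.
TRUSTED_HOSTS = {"www.dellnet.com", "dellnet.com"}          # the user's real home page
BAD_HOSTS = {"mysearchnow.com", "www.stop-sign.com", "ak.imgfarm.com"}  # named as hijack/adware sources

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
R_RE = re.compile(r"^(R[01]) - (.+?)\s*=\s*(.*)$")                    # IE start/search page values
HOOK_RE = re.compile(r"^(R3|O2|O3) - (?:URLSearchHook|BHO|Toolbar): (.+?) - (" + CLSID + r") - (.*)$")
O4_RE = re.compile(r"^(O4) - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # Run-key autostarts
O16_RE = re.compile(r"^(O16) - DPF: (" + CLSID + r")(?: \([^)]*\))? - (\S+)$")  # downloaded ActiveX


@dataclass(frozen=True)
class Finding:
    section: str
    verdict: str   # "fix" = matches what the helpers told the poster to remove; "review" = look closer
    reason: str
    line: str


def host_of(value: str) -> str:
    """Hostname of an http(s) value, or '' for about:blank / empty values."""
    if not value.startswith("http"):
        return ""
    return urlparse(value).hostname or ""


def command_exe(cmd: str) -> str:
    """First token of a Run-key command, honouring quotes around long paths."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_line(line: str):
    line = line.strip()
    m = R_RE.match(line)
    if m:
        sec, key, value = m.groups()
        host = host_of(value)
        if host and host not in TRUSTED_HOSTS:
            verdict = "fix" if host in BAD_HOSTS else "review"
            return Finding(sec, verdict, f"IE {key.rsplit(',', 1)[-1]} points at {host}", line)
        return None
    m = HOOK_RE.match(line)
    if m:
        sec, name, clsid, path = m.groups()
        if path == "(no file)":   # registration left behind with nothing on disk
            return Finding(sec, "fix", f"orphaned CLSID {clsid}: registered but file missing", line)
        if name == "(no name)":   # legit BHOs/toolbars normally carry a name
            return Finding(sec, "review", f"unnamed {sec} entry loading {path}", line)
        return None
    m = O4_RE.match(line)
    if m:
        sec, hive, label, cmd = m.groups()
        exe = command_exe(cmd)
        low = exe.lower()
        if "\\" not in exe:   # bare name is resolved through the search path at logon
            return Finding(sec, "review", f"[{label}] runs bare filename '{exe}'", line)
        if "\\fonts\\" in low:
            return Finding(sec, "review", f"[{label}] runs an executable under the Fonts folder", line)
        if low.startswith("c:\\windows\\") and "\\" not in low[len("c:\\windows\\"):]:
            return Finding(sec, "review", f"[{label}] runs an executable dropped in the Windows root", line)
        return None
    m = O16_RE.match(line)
    if m:
        sec, clsid, url = m.groups()
        host = host_of(url)
        if host in BAD_HOSTS:
            return Finding(sec, "fix", f"ActiveX control {clsid} downloaded from {host}", line)
    return None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings) -> dict:
    return {v: sum(1 for f in findings if f.verdict == v) for v in ("fix", "review")}


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Acid The.dll
O3 - Toolbar: (no name) - {F50CE767-AE72-45EB-AECD-E8786C240373} - (no file)
O4 - HKLM\..\Run: [nt32] nt32.exe
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section:3} {f.reason}")
    print(summarize(triage_log(SAMPLE_LOG)))
```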
kasia
8 Posts
April 24th, 2004 20:00
Hi Texruss,
Thanks again for all your help.
I did everything you told me to. Everything was there except for when I scanned with HijackThis, none of the C:\ files were there but all the rest was. When I went in safe mode to delete the files in windows explorer I could not find C:\windows\redirect7.exe, the C:\program files\autoupdate\autoupdate.exe let me delete but the libexpat.dll was still left in the folder? and the C:\progra~1\gridok`1\acid the.dll was not there all I found was gridokaycity folder. I left it there for now. This might be a silly question but what is the difference between C:\program files and C:\progra~1 if any?
I did run into a little bit of trouble when trying to do the disk cleaner. It completely froze at 3 green boxes (the process line) and would not move at all. After xing out of it, it was still running when I checked in the task manager and taking up all my cpu usage (100%). I don't know what happened????
Anyways, here is my new log.
Logfile of HijackThis v1.97.7
Scan saved at 5:29:02 PM, on 24/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\hjt\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 5.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5095601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5161D6-E7C6-4AE3-B5EE-173E4BC115C1}: NameServer = 216.211.26.14 206.47.150.225
Message Edited by kasia on 04-24-2004 05:30 PM
Texruss
April 24th, 2004 23:00
>C:\program files\autoupdate\autoupdate.exe let me delete but the libexpat.dll was still left in the folder?
Did you delete the entire autoupdate folder as I asked?
>and the C:\progra~1\gridok~1\acid the.dll was not there; all I found was a gridokaycity folder. I left it there for now. This might be a silly question, but what is the difference between C:\program files and C:\progra~1, if any?
Don't see any web references to that program or folder. The Progra~1 is just a DOS reference to Program Files. DOS sees only 8 characters and truncates last two characters to ~1. Delete gridokaycity folder.
In Hijackthis, scan, and check:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
Comments (remnants of CWS infection)
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
Click on Fix checked.
Reboot in Safe Mode and delete the folder for poll rule blue.exe. It will be under C:\Program Files\Moveme something. Did you find it before?
Post back with a new log.
Texruss
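Texruss's answer above is the practical one. As an added example, not from the thread, the Python below models how Windows derives those 8.3 short names, so you can see why Program Files, Norton SystemWorks and Gridokaycity show up in the logs as PROGRA~1, NORTON~1 and GRIDOK~1, why a name that already fits 8.3 (AiO, Bin, hpoevm07.exe) is left alone, and why the same parent directory can hold NORTON~2 or NORTON~4 depending on the order the folders were created. The folder name "Moveme Something" is a placeholder, since the thread only ever sees it truncated; the numbering of collisions is a simplified model of what Windows does.

```python
"""Simulate how Windows derives 8.3 short names such as PROGRA~1 from long names.

Added example, not from the thread. Simplified model of the FAT/NTFS
short-name generator: spaces and dots are dropped from the stem, characters
illegal in 8.3 names become '_', the stem is cut to its first six characters
plus '~N', and the extension is cut to three characters. Real Windows numbers
collisions in creation order and switches to a hashed form after a few
collisions; this model only does the in-order numbering (assumption).
"""
from collections import defaultdict

# Punctuation that is legal in an 8.3 name (letters and digits are always legal).
_SFN_PUNCT = set("$%'-_@~`!(){}^#&")


def _split_ext(name: str):
    """Return (stem, extension) split on the last dot; leading dots are ignored."""
    name = name.lstrip(".")
    if "." in name:
        stem, ext = name.rsplit(".", 1)
        return stem, ext
    return name, ""


def _clean(part: str) -> str:
    """Upper-case, drop spaces and dots, replace other illegal characters with '_'."""
    out = []
    for ch in part:
        if ch in " .":
            continue
        if (ch.isascii() and ch.isalnum()) or ch in _SFN_PUNCT:
            out.append(ch.upper())
        else:
            out.append("_")
    return "".join(out)


class ShortNameTable:
    """Per-directory short-name assignment, numbering collisions in call order."""

    def __init__(self) -> None:
        self._by_long = {}              # (parent short path, long name) -> short name
        self._used = defaultdict(set)   # parent short path -> short names already taken

    def short_component(self, parent: str, long: str) -> str:
        key = (parent.lower(), long.lower())
        if key in self._by_long:
            return self._by_long[key]
        stem, ext = _split_ext(long)
        cstem, cext = _clean(stem), _clean(ext)[:3]
        # A name that survives cleaning unchanged and fits 8+3 is its own short name.
        fits = (cstem == stem.upper() and cext == ext.upper()
                and 0 < len(cstem) <= 8 and len(cext) <= 3)
        if fits:
            short = long
        else:
            tail = f".{cext}" if cext else ""
            n = 1
            while f"{cstem[:6]}~{n}{tail}".lower() in self._used[key[0]]:
                n += 1               # PROGRA~1 taken by another long name -> PROGRA~2
            short = f"{cstem[:6]}~{n}{tail}"
        self._by_long[key] = short
        self._used[key[0]].add(short.lower())
        return short

    def short_path(self, path: str) -> str:
        """Convert a full long path such as C:\\Program Files\\X to its 8.3 form."""
        drive, _, rest = path.partition("\\")
        parent = drive.upper()
        parts = [parent]
        for comp in rest.split("\\"):
            if comp:
                short = self.short_component(parent, comp)
                parts.append(short)
                parent = parent + "\\" + short
        return "\\".join(parts)


if __name__ == "__main__":
    table = ShortNameTable()
    for p in (r"C:\Program Files\Moveme Something\poll rule blue.exe",
              r"C:\Program Files\Norton SystemWorks\Norton Ghost",
              r"C:\Program Files\Norton SystemWorks\Norton Antivirus",
              r"C:\Program Files\Gridokaycity"):
        print(f"{p}  ->  {table.short_path(p)}")
```

Because the table numbers collisions in the order it sees them, feed it the paths in the order the folders were created if you want NORTON~2 and NORTON~4 to land where the real machine put them; the point of the example is that both spellings name one and the same folder, so deleting C:\Program Files\Gridokaycity removes whatever HijackThis reported under C:\PROGRA~1\GRIDOK~1.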
kasia
April 25th, 2004 15:00
Hi Texruss and thank you for your patience.:-)
I followed your instructions to a tee. I did not find the poll rule blue.exe before, as I did not see the "Moveme something" part of it, but this time I did and I removed it, as well as the autoupdate and the gridokaycity.
Here is my new log, but I see that the mysearchnow thing is still showing up... why is this thing so hard to get rid of?
Anyways, thanks again.
Logfile of HijackThis v1.97.7
Scan saved at 12:06:27 PM, on 25/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: ReadmeMessThis - {05646329-E726-03A9-FD28-CF1776E371F9} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 5.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5095601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5161D6-E7C6-4AE3-B5EE-173E4BC115C1}: NameServer = 216.211.26.14 206.47.150.225
Texruss
April 25th, 2004 15:00
Tough nut indeed. I'm offline for a few hours, but have emailed Chris to see your case if he has some free time. I have some ideas, but for now family life supersedes the Forum. *;-)
Hang in there,
Texruss
ChrisRLG
April 25th, 2004 19:00
=============================
CWShredder has had another new version out in just the last 24 hours. So please use the update feature from your current copy - the version should go to v1.57.0.
Then run it in Safe Mode (F8 at boot time) and use the FIX button to clean your machine. Please post the CWShredder log for me to check.
====================================
Also fix this in hijackthis, with all other windows closed.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O3 - Toolbar: ReadmeMessThis - {05646329-E726-03A9-FD28-CF1776E371F9} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
Then Reboot and post a fresh log for me to check.
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files : http://www.xtra.co.nz/help/0,,4155-1916458,00.html
File > > C:\PROGRA~1\MOVEME~1\poll rule blue.exe (Or even the folder if not in use for legit programs)
File > > C:\WINDOWS\Fonts\Backup\LOADER.exe (Or even the folder if not in use for legit programs)
And reboot post another hijackthis log please.
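The entries Chris lists are the recurring patterns in this thread: search and start-page keys pointing at about:blank, an empty value or a host nobody chose; BHO and toolbar registrations whose DLL is gone; Run keys launching from Fonts\Backup or from an 8.3-only path; and an ActiveX download (O16) from a vendor the user never asked for. As an added example, not part of the thread and not HijackThis's own logic, the Python below screens a log for those patterns. The sample input is a subset of lines copied from the logs posted above; the trusted-host lists are assumptions for this particular machine, and every hit is a review item, not a verdict.

```python
"""Triage a HijackThis 1.97 log for the entry patterns discussed in this thread.

Added example, not part of the thread. Heuristic screen only: each flagged
line still needs the judgement the helpers apply above. The trusted-host
lists are assumptions for this machine (dellnet.com is the OEM home page
seen in the log; the ActiveX list is only the vendors seen there).
"""
import re
from urllib.parse import urlsplit

TRUSTED_PAGE_HOSTS = ("dellnet.com",)                            # assumption
TRUSTED_DPF_HOSTS = ("macromedia.com", "microsoft.com", "msn.com")  # assumption
# Directories where a Run-key executable is out of place (lower-case substrings).
ODD_RUN_DIRS = ("\\fonts\\", "\\temp\\", "\\recycler\\")
_ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
_RUN_PREFIX = re.compile(r"^.*?\[[^\]]*\]\s*")   # strips 'HKLM\..\Run: [Name] '
_SHORT_DIR = re.compile(r"~\d+\\")              # an 8.3 directory inside a path


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _trusted(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(log_text: str):
    """Return (severity, section, line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind.startswith("R"):
            # HijackThis lists R0/R1 keys only when they differ from IE's default.
            # A trusted home page is fine; about:blank, an empty value or an
            # unknown search URL in these keys is the CoolWebSearch pattern.
            _, _, value = body.partition("=")
            value = value.strip()
            ok = value.lower().startswith("http") and _trusted(_host(value), TRUSTED_PAGE_HOSTS)
            if not ok:
                findings.append(("suspicious", kind, line))
        elif kind in ("O2", "O3"):
            # A BHO/toolbar whose DLL is gone is a leftover registration that
            # still wants fixing; an unnamed BHO is worth identifying.
            if "(file missing)" in body:
                findings.append(("suspicious", kind, line))
            elif body.startswith("BHO: (no name)"):
                findings.append(("review", kind, line))
        elif kind == "O4":
            cmd = _RUN_PREFIX.sub("", body)
            # Fonts\Backup and an 8.3-only path are the two tells in this log.
            if any(d in cmd.lower() for d in ODD_RUN_DIRS) or _SHORT_DIR.search(cmd):
                findings.append(("suspicious", kind, line))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if not _trusted(_host(url), TRUSTED_DPF_HOSTS):
                findings.append(("review", kind, line))
        elif kind == "O17":
            # DNS servers cannot be judged offline; compare them with the ISP's.
            findings.append(("review", kind, line))
    return findings


def suspicious_lines(log_text: str):
    return [line for sev, _, line in triage(log_text) if sev == "suspicious"]


def review_lines(log_text: str):
    return [line for sev, _, line in triage(log_text) if sev == "review"]


# Constructed input: a subset of the lines from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CCA97416-6D10-824B-5E77-91BEB976A599} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O3 - Toolbar: ReadmeMessThis - {05646329-E726-03A9-FD28-CF1776E371F9} - C:\PROGRA~1\GRIDOK~1\Idle Coal.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Fonts\Backup\LOADER.exe
O4 - HKLM\..\Run: [UpBook] C:\PROGRA~1\MOVEME~1\poll rule blue.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD5161D6-E7C6-4AE3-B5EE-173E4BC115C1}: NameServer = 216.211.26.14 206.47.150.225
"""

if __name__ == "__main__":
    for sev, kind, line in triage(SAMPLE_LOG):
        print(f"{sev:10} {kind:4} {line}")
```

Run against the sample it flags exactly the seven lines Chris told kasia to fix plus the O16 stop-sign control and the O17 name servers as review items, and leaves the Dell start page, the Norton BHO and the Flash control alone. The 8.3-path rule is the loosest of the set: a legitimate installer occasionally writes a short path into a Run key, so treat that hit as "look up the folder", not "delete".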
kasia
April 26th, 2004 00:00
Hi Chris.
Wow, I had no clue about the stop sign thing.
After the scan with the shredder, the HijackThis log was missing the R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html line, but all the rest were there.
Do I still keep my hidden and operating system files to show or put it back to default?
Here is my new log
Logfile of HijackThis v1.97.7
Scan saved at 9:25:45 PM, on 25/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger Plus! 2\MsgPlus1.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\hjt\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 5.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.5095601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
kasia
April 26th, 2004 00:00
Hey Chris,
I tried to send the shredder report, but it keeps telling me that The tag: is not allowed. Please go to Scratch Pad and refer to the post titled "Allowed HTML Tags" for a list of support elements. The tag:
contains attributes which are not allowed. Please go to Scratch Pad and refer to the post titled "Allowed HTML Tags" for a list of support elements.
Sorry but I am not sure what I am doing wrong. :-(
Texruss
April 26th, 2004 01:00
>I tried to sent the shredder report
If you wish click on my name to the left and send it in regular email to my email address. I will forward to Chris.
Texruss
Texruss
April 26th, 2004 01:00
Chris is asleep in England, so I'll put some comments here and he can give the all clear tomorrow... looks good to me, but I struggled on yours earlier so I'll defer.
>Wow, I had no clue about the stop sign thing.
Can't believe I missed that eAcceleration CLSID myself...I've fought it before.
>After the scan with the shredder the hijackthis was missing the R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html, but all the rest were there.
If you mean the other R1 lines those are good entries.
>Do I still keep my hidden and operating system files to show or put it back to default?
Your choice...the default setting is for most users...I use the option to see everything. A lot depends on how many novice users will be on your machine as they may delete key files in Windows Explorer.
All the best,
Texruss
kasia
April 26th, 2004 02:00
Hey Tex.
I sent the report to you for Chris. Thanks.
Sorry to be a pain in the u know what but I still have a few questions.
1. Every time I go to use the disk cleaner it freezes on me and will not do anything, but even after I X out of it, it is still running when I go to check in the Task Manager and uses 100% CPU. Would you know how I go about fixing that?
2. You know how when you uninstall a program most of them leave a bunch of folders etc. behind? Is there a program that would scan my system and find all these unnecessary folders/files so I can then delete them without worrying about it?
3. In my IE settings in the ActiveX controls and plug-ins I changed it all to either prompt or disable, which now gives me pop-up windows on some of the websites asking whether I want to allow software such as ActiveX controls and plug-ins to run. Do I click on yes or no?
4. From time to time my system will get very, very slow; when I go into the Task Manager it shows 100% CPU usage but no program showing using that much of it. Could it be something in the background, and how would I find out?
Once again, I can not thank you and Chris enough for all the help.
Kasia
Texruss
April 26th, 2004 03:00
>I sent the report to you for Chris. Thanks.
And already forwarded to Chris.
>Sorry to be a pain in the u know what but I still have a few questions.
You're not a pain...the only dumb question is the one not asked.
>1. Every time I go to use the disk cleaner it freezes on me and will not do anything, but even after I X out of it, it is still running when I go to check in the Task Manager and uses 100% CPU. Would you know how I go about fixing that?
Some process is eating up CPU resources... msconfig is the tool invented by MS engineers to 'diagnose' technical problems in Windows. Note... I said 'diagnose'. Unfortunately, most people, including tech phone support, think it is the Holy Grail for 'fixing' problems. As my friend Ed Bott and I always used to say... that is a bad policy. You use msconfig to find problems, then solve them in the Registry or by uninstalling programs.
For now until you find out what is causing the problem (by process of elimination in msconfig...check a couple of items, reboot in selective startup...problem still there? Try some more...etc..) you may find running Disk Cleaner in safe mode is a good policy. Same thing for defrag if it has problems.
> You know how when you uninstall a program most of them leave a bunch of folders etc. behind? Is there a program that would scan my system and find all these unnecessary folders/files so I can then delete them without worrying about it?
You are not the first to ask that...my brother and late dad begged me to get a cleaner program years ago so I bought the most popular one and let my brother use it (definitely wouldn't let my dad try it). He proceeded to delete winword.exe and asked me to email it to him. Hmmm....mighty big file for those days on 14.4 modems. So my answer is...no...I don't think any program is smart enough yet to do that job well. Symantec's Cleansweep is not bad if you start out with it before anything else is installed, but it can lead you to make mistakes, and especially if it is installed later.
Best rule of thumb... get a drive image program and make a clean image of your drive as soon as you install Windows and get the basics loaded... patches, AV, Office, etc. Burn it to a DVDR or CDRs and store it. I use Ghost, but other good programs exist. Back up all personal data as you go. If disaster strikes, bring back the basic install in 20 minutes or less.
> In my IE settings in the ActiveX controls and plug-ins I changed it all to either prompt or disable, which now gives me pop-up windows on some of the websites asking whether I want to allow software such as ActiveX controls and plug-ins to run. Do I click on yes or no?
It depends...is it a reputable site? I personally prefer a firewall like NIS 2004 or the free Zone Alarm and using the tools recommended in this Forum for protecting against ActiveX hijackers. Just look for Chris and his all clear messages or mine.
> 4. From time to time my system will get verrry verrry slow; when I go in the Task Manager it shows 100% CPU usage but no program showing using that much of it. Could it be something in the background and how would I find out?
Msconfig helps.
> Once again, I cannot thank you and Chris enough for all the help.
You are very welcome...there is nothing more frustrating than computer problems...especially caused by greedy online miscreants.
All the best,
Texruss
ChrisRLG
3.9K Posts
0
April 26th, 2004 19:00
Have looked at your CWShredder scan and that looks OK. Your hijackthis log looks clean too.
Do you have any other problems now?
================================
This is my normal post for when you are clear - which you now seem to be - please advise of any problems :-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-
Spybot S&D, Ad-aware: run weekly, or after a heavy internet session.
SpywareBlaster & SpywareGuard: the first sets kill bits to stop known bad ActiveX controls installing, the second acts like your AV to stop browser hijacks and installing of known baddies.
Also IE-SPYAD (link on my site), which puts 4000 bad sites in your Restricted (banned) sites list to stop you accidentally getting sent to a bad site; it has an optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking people's HijackThis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
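A read-only way to verify the two IE hardening mechanisms ChrisRLG describes (kill bits set by SpywareBlaster, Restricted sites added by IE-SPYAD) is to read them straight from the registry. The script below is an added example, not code from the thread or from either tool; it assumes the standard Internet Explorer registry locations for ActiveX Compatibility and the ZoneMap, and that the Restricted sites zone has id 4.

```powershell
# Added example (not from the forum thread): audit IE kill bits and Restricted sites.
# Kill bit: DWORD "Compatibility Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Restricted sites: ZoneMap\Domains\<domain>[\<subdomain>] with a scheme value ("*", "http", "https") = 4
# Both paths are the standard IE locations (assumption: default, non-policy install). Read-only.

$killBitPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$zoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-KillBittedClsid {
    # Returns one object per CLSID whose Compatibility Flags include the kill bit (0x400).
    Get-ChildItem -Path $killBitPath -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band 0x400) -ne 0)) {
            [PSCustomObject]@{ CLSID = $_.PSChildName; Flags = ('0x{0:X}' -f $flags) }
        }
    }
}

function Get-RestrictedSite {
    # Returns hostnames placed in the Restricted sites zone (zone id 4).
    # A subdomain is stored as a key nested under its domain key, so the
    # relative path "example.com\www" must be reversed to read "www.example.com".
    Get-ChildItem -Path $zoneMapPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        foreach ($scheme in @('*', 'http', 'https')) {
            if ($props.$scheme -eq 4) {
                $relative = $_.PSPath.Substring($_.PSPath.IndexOf('Domains\') + 8)
                $parts = $relative -split '\\'
                [array]::Reverse($parts)
                [PSCustomObject]@{ Host = ($parts -join '.'); Scheme = $scheme }
            }
        }
    }
}

$killBits   = @(Get-KillBittedClsid)
$restricted = @(Get-RestrictedSite)

"Kill-bitted ActiveX controls: $($killBits.Count)"
$killBits | Sort-Object CLSID | Format-Table -AutoSize
"Hosts in the Restricted sites zone: $($restricted.Count)"
$restricted | Sort-Object Host | Select-Object -First 20 | Format-Table -AutoSize
```

After running SpywareBlaster or IE-SPYAD, re-run the script and compare the counts; a count of zero after a protection has supposedly been applied means the tool did not write to the expected location.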
