The duplicate files that I was referring to in the log:
(6) C:\WINDOWS\system32\svchost.exe
(2) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (which is a version that is old and had been upgraded to more recent versions, now AOL 9.0)
(2) C:\WINDOWS\system32\cidaemon.exe
I've done all of the above and here's the new log. The system still seems a bit slow, but a little more manageable.
Logfile of HijackThis v1.99.0
I completed the scan and for some reason, when I went to get back on the internet, an error popped up that said that a firewall may be blocking my internet from working properly. Then it cannot find the server on any internet site.
I tried to take the log to my work to copy and paste, but it won't paste. There were several viruses on there, but since I am at work and the internet isn't working, I'm at a loss as to what to do.
When I get home later tonight, I'm going to try it again, but any suggestions as to what happened to the internet/ firewall?
Midnight Star
4.8K Posts
0
February 13th, 2005 22:00
Let's start with this...
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
Go to Add/Remove programs and remove(uninstall) the following, if present:
Quick Search Toolbar
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u QuickSearchBar3_30.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in its current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "Backups" folder, for HiJackThis, if present.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_30.dll
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_30.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\Program Files\QuickSearch
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Post back a new log, and let me know how everything goes.
-
Mike.
DawnHNC
14 Posts
0
February 14th, 2005 01:00
Thanks, Mike!!! I really appreciate the advice.
Quick question . . . .
I'm doing the Housecall Scan and in the website's instructions, it says that when a virus is found to either clean or delete if it cannot be cleaned.
Here's the file that has popped up:
Midnight Star
4.8K Posts
0
February 14th, 2005 01:00
Dawn,
You don't want to duplicate multiple processes unless you know for sure they're bad - like viruses and trojans. Windows will often start multiple copies of the same program, especially svchost. Which program(s) were you referring to?
This file probably relates to SmileyCentral or one of their other products. If you don't use them, then remove this file; otherwise leave it alone.
C:\Program Files\FunWebProducts\Install\1.bin\F3EZSETP.DLL
DawnHNC
14 Posts
0
February 14th, 2005 01:00
DawnHNC
14 Posts
0
February 14th, 2005 02:00
Scan saved at 11:26:00 PM, on 2/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\DOCUME~1\DAWNM~1.KEE\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\system32\cidaemon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.freeze.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.freeze.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces/aces-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.5.28/superbingo/superbingo-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.1.0.39/flinger/flinger-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.1.0.39/holdem/holdem-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} (AOL YGP Screensaver) - http://pak01.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.9.0.1.2.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/323/webolr/OCX/FlashAX.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
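An added example, not part of the original posts and not HijackThis's own code: a small Python triage pass over a log in this layout. It counts repeated process images (normal for svchost, as noted in the thread) and flags entries HijackThis marks "(file missing)". The sample lines are excerpted from the logs above; the hint names and the assumption that core images live only in C:\WINDOWS\system32 are this example's own.

```python
import re
from collections import Counter

# Sample lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Scan saved at 11:26:00 PM, on 2/13/2005
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\DAWNM~1.KEE\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")    # e.g. "O2 - BHO: ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)   # bare image path line
# Assumption: these core images belong only in C:\WINDOWS\system32 (the layout in this log).
CORE = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

def parse_hjt(text):
    """Split a HijackThis log into a process Counter and (code, body) entries."""
    procs, entries = Counter(), []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROC_RE.match(line):
            procs[line.lower()] += 1   # Windows paths are case-insensitive
    return procs, entries

def triage(text):
    """Return review hints; a hint is a reason to look closer, not a verdict."""
    procs, entries = parse_hjt(text)
    hints = []
    for path, n in sorted(procs.items()):
        name = path.rsplit("\\", 1)[-1]
        if name in CORE and path != SYSTEM32 + name:
            hints.append(("core-name-outside-system32", path))
        elif "\\temp\\" in path:
            hints.append(("runs-from-temp", path))
        elif n > 1:   # informational only: several copies are often legitimate
            hints.append(("multiple-instances", f"{path} x{n}"))
    for code, body in entries:
        if body.endswith("(file missing)"):
            hints.append(("orphaned-entry", f"{code} {body.split(' - ')[0]}"))
    return hints

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```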
Midnight Star
4.8K Posts
0
February 14th, 2005 15:00
Dawn,
That log is looking much better - good work! Now, let's move onto the next scan, then after that, we'll see if we can help troubleshoot your system's performance.
Download mwav.exe from MicroWorld, then:
1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Mike.
DawnHNC
14 Posts
0
February 15th, 2005 12:00
Midnight Star
4.8K Posts
0
February 15th, 2005 12:00
That one's got me stumped; not sure why it would do that. I seem to see a lot of users posting back with a 'broken' internet connection due to Norton's firewall - it usually happens just after a LiveUpdate. If that's the case, you might try using system restore and going back to a point, just prior to the update, and see if that resolves the problem.
-
You might try rebooting your system (if it's still up and running), and trying again. If you're still having problems, try entering:
netsh winsock reset catalog
from a command prompt and see if that gets you back up and running.
-
Also try disabling your firewall, temporarily, and see if everything goes back to normal.
Let me know how it goes.
Mike.