Spyware / Virus Removal: Problems here...
#1
Ok well I'm kind of new to this, and I'm really not that good with computers so anyway...
My computer seems to have a lot of problems. My background has been replaced by some sort of ad telling me that I have no spyware protection, there are lots of pop-ups, and many other things... anyway, I really don't know what's going on. So here are my logs.

Logfile of HijackThis v1.99.1
Scan saved at 15:33:40, on 2005-04-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rnai.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\eMule\emule.exe
C:\DOCUME~1\Olivier\LOCALS~1\Temp\tmp58.tmp
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\shop1004.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\System32\wisvccz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Olivier\LOCALS~1\Temp\Rar$EX00.625\HijackThis.exe
C:\program files\internet explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Advanced Message Server] rundll32.exe ams491.dat,Execute
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuvf32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Olivier\LOCALS~1\Temp\shop1004.exe run
O4 - HKLM\..\Run: [1EVnn9e] C:\WINDOWS\exbocthe.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dosd] C:\WINDOWS\System32\rnai.exe
O4 - HKCU\..\Run: [Ysykt] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab
O16 - DPF: {1F01C8C9-C6D3-5AC7-53DF-048E16451A2A} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {2BA7DF23-C31A-3F24-520C-3EEB36728E80} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {32E2DEDC-4925-7395-17C7-540131C39AC5} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {466610E2-93B2-4094-C1B9-6756481BBF1F} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {5161D29F-FFF7-6AF8-3EAE-3CBA611CD498} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab

Hope you can help me, thanks in advance....
#2
Hi sula
Let's start by first having you rescan once again with hijack. Insert a check next to each of the following, then close all other browser windows and click "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Advanced Message Server] rundll32.exe ams491.dat,Execute
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuvf32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Olivier\LOCALS~1\Temp\shop1004.exe run
O4 - HKLM\..\Run: [1EVnn9e] C:\WINDOWS\exbocthe.exe
O4 - HKCU\..\Run: [Dosd] C:\WINDOWS\System32\rnai.exe
O4 - HKCU\..\Run: [Ysykt] C:\WINDOWS\System32\m?iexec.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62...bridge-c18.cab
O16 - DPF: {1F01C8C9-C6D3-5AC7-53DF-048E16451A2A} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {2BA7DF23-C31A-3F24-520C-3EEB36728E80} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {32E2DEDC-4925-7395-17C7-540131C39AC5} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {466610E2-93B2-4094-C1B9-6756481BBF1F} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {5161D29F-FFF7-6AF8-3EAE-3CBA611CD498} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab

Now download this program: http://www.spyware911.net/downloads/KillBox.exe
Open it and in the space provided paste this line:
C:\WINDOWS\System32\wisvccz.exe
Then tick the "delete on reboot" option, then click the red X. When it asks to reboot, select not to reboot at this time. Now do the same for these lines as well:
C:\windows\system32\eliteuvf32.exe
C:\WINDOWS\System32\canada.exe -N
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\exbocthe.exe
C:\WINDOWS\System32\rnai.exe
C:\WINDOWS\System32\m?iexec.exe
C:\WINDOWS\EliteSideBar
C:\WINDOWS\system32\init32m.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\shop1004.exe
C:\WINDOWS\System32\wisvccz.exe

Now do this please. Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder. Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply, then OK. Empty the Recycle Bin.

Then this: go to Start > Run, type msconfig and press Enter. When msconfig opens, click the Launch System Restore button. On the next page, click the System Restore Settings link on the left. Check the box labeled "Turn off System Restore on all drives". Reboot. Go back in and turn System Restore back on. A new restore point will be created.

Now reboot, rescan with hijackthis again and post a fresh log for me please.
#3
Hi, well first thanks for posting a reply so quickly.. really appreciated...
Now, I did as you told me, except for the end part.. with the msconfig thing.. since my Windows XP is in French.. (yeah, I speak French...) I just couldn't translate everything... anyway here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 21:28:10, on 2005-04-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\m?iexec.exe
C:\Documents and Settings\Olivier\Application Data\rnai.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Olivier\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitchforkmedia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {C3EB1953-D4E3-8D19-CB7A-D8C86A8B2E90} - C:\WINDOWS\System32\pabu.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Dosd] C:\Documents and Settings\Olivier\Application Data\rnai.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O16 - DPF: {1EF4D8BD-9AE1-5236-FA26-62F94F5EFF27} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {32E2DEDC-4925-7395-17C7-540131C39AC5} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope I did everything right, so what's next? Thanks again.
#4
Rescan once again now and insert a check next to these, then close all other open browser windows and click "fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {C3EB1953-D4E3-8D19-CB7A-D8C86A8B2E90} - C:\WINDOWS\System32\pabu.dll
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKCU\..\Run: [Dosd] C:\Documents and Settings\Olivier\Application Data\rnai.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O16 - DPF: {1EF4D8BD-9AE1-5236-FA26-62F94F5EFF27} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {32E2DEDC-4925-7395-17C7-540131C39AC5} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Once again do the KillBox process the same as you did earlier with these files:
C:\WINDOWS\System32\wisvccz.exe
C:\Documents and Settings\Olivier\Application Data\rnai.exe
C:\WINDOWS\System32\pabu.dll
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\about.htm

Then when completed: get the latest version of Ad-Aware. You can download the free version here: http://www.lavasoftusa.com/support/download/ or here (alternate download location): http://www.majorgeeks.com/download506.html
You need to be logged on as Administrator through the installation. For ease in installation and operation, view the tutorial here: http://www.spyware911.net/forum/index.php?...page&pg=adaware
Just download it to your desktop and then, to install, click on the file you just downloaded (aawsepersonal.exe). You will be guided through the installation. It is recommended to use the default setting of "Protect anyone who uses this computer".

On the main screen of Ad-Aware please look for the *check for updates now* link, just above the start button in the bottom right corner, or you can click on the Webupdate button that looks like a globe icon at the top. Press *connect* to let it check for any recent updates. If any are found, please let it download and install them.

Now, configure your settings. Click the gear icon at the top. These are the recommended settings:
AAW SE settings
General button - Safety: check (green) all three.
Advanced button - Logfile Detail Level: all options under this should be checked (green).
Tweak button - check (green) the following under Log Files:
Include basic Ad-Aware settings in logfile
Include additional Ad-Aware settings in logfile
Please do not check (green): Include Module list in logfile

On your first scan, use the Full Scan (Perform full system scan) mode. Let Ad-Aware remove any *bad* objects found. Reboot your PC and scan again. Repeat this process until no more bad items are found. It may take several scans to clean everything, depending on the type of infections found.

Download the TDS-3 trojan scanner from http://tds.diamondcs.com.au/index.php?page=download
Then you will need to manually update it, so follow the instructions given here: http://tds.diamondcs.com.au/index.php?page=update
Now open the program, wait until it has finished its mini test, then click System Testing / Full Scan. If anything is found, right-click and select delete for each item when the scan completes. Then reboot, rescan with hijack and post a fresh hijack log.
#5
Hi, well thanks again for all your advice.. don't know if everything is ok, but my computer seems to be running fine now...
Logfile of HijackThis v1.99.1
Scan saved at 07:46:08, on 2005-04-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\Olivier\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pitchforkmedia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is there anything else I have to do? Thanks again...
#6
I now need you to check out this:
Click Start / Run and type regedit, then click OK. Follow this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If the key winupdate is present, right-click and delete it. Do the same for these paths as well:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

Then rescan with hijack, insert a check next to these, then click fix checked:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe

Reboot, rescan and let's see one more fresh log.
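The helper's replies above pick the same kinds of HijackThis entries out of each log by hand: the modified system.ini Shell=, Run values pointing into Temp or Application Data, the winupdate...[1].exe Startup items, O16 DPF objects fetched as an .exe from a bare IP, the Hosts override and the unknown-owner O23 services. The script below is an added example (not from this thread or from HijackThis) that parses a log and applies those checks as rules; the rule names are mine and SAMPLE_LOG is a constructed subset of entries quoted in the thread.

```python
"""Triage pass over HijackThis-style log entries (added example, not from the thread)."""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<item>.+)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)(?P<path>\S*)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a subset of the entries quoted in this thread, with
# headers and one process-list line kept to show that they are skipped.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Olivier\LOCALS~1\Temp\shop1004.exe run
O4 - HKCU\..\Run: [Ysykt] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [rbcqgpr] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [qidkenp] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [lxqqhkt] c:\windows\ayqswnt.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {1F01C8C9-C6D3-5AC7-53DF-048E16451A2A} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_entries(log_text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def exe_name(cmd):
    """Lower-case basename of the program in a Run value, quotes and arguments dropped."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (rule, detail) pairs for the entries a reviewer should look at first."""
    findings = []
    run_targets = Counter()  # executable -> number of Run values launching it
    for sec, body in parse_entries(log_text):
        line = f"{sec} - {body}"
        if sec == "F2" and "Shell=" in body:
            # Anything appended after Explorer.exe is loaded at every logon.
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("shell_modified", line))
        elif sec == "O1":
            parts = body.split()
            if len(parts) > 1 and parts[1] != "127.0.0.1":
                findings.append(("hosts_override", line))
        elif sec == "O4":
            sm = STARTUP_RE.match(body)
            if sm:
                # "name[1].exe" is how IE names files saved from its cache.
                if re.search(r"\[\d+\]\.exe$", sm.group("item"), re.I):
                    findings.append(("startup_cached_download", line))
                continue
            m = O4_RE.match(body)
            if not m:
                continue
            cmd = m.group("cmd")
            if "\\temp\\" in cmd.lower() or "\\application data\\" in cmd.lower():
                findings.append(("run_from_user_writable_dir", line))
            name = exe_name(cmd)
            if "?" in name:  # unprintable character in the file name
                findings.append(("run_name_unprintable", line))
            run_targets[name] += 1
        elif sec == "O16":
            um = URL_RE.search(body)
            if um and (IPV4_RE.match(um.group("host")) or um.group("path").lower().endswith(".exe")):
                findings.append(("dpf_raw_ip_or_exe", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(("service_unknown_owner", line))
    # Many randomly named Run values for one executable is the pattern seen in
    # the later logs of this thread (ayqswnt.exe, vejuouo.exe).
    for name, count in run_targets.items():
        if count >= 3:
            findings.append(("shared_run_target", f"{name} is launched by {count} Run values"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

The rules are hints for a human, not verdicts: the HouseCall and ZoneAlarm entries in the sample pass, while every entry the helper asked to remove is flagged.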
#7
Hi, OK, well I've checked where you told me... no sign of winupdate... so I did the rest... here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 21:29:30, on 2005-04-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\mocih.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\System32\ufaticom.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Olivier\Menu Démarrer\Programmes\Démarrage\winupdate03430305[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Olivier\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [labjyji] c:\windows\xmdwvgd.exe
O4 - HKCU\..\Run: [eydqnxw] c:\windows\xmdwvgd.exe
O4 - HKCU\..\Run: [rbcqgpr] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [qidkenp] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [lxqqhkt] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [qyiygej] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [viggfwp] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [yircvyf] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [umloyqw] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [jdrjtks] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [grmfvmh] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [kxmrqrt] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [fdxhwqw] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [ekfiwra] c:\windows\peqygva.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O16 - DPF: {08BF6530-81D5-32FF-D4A6-33AC59A50AA4} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {63AFB621-C329-083B-14AF-79670A3CC662} - http://69.50.182.94/1/rdgCA1882.exe
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe

winupdate is still here... don't know what the problem is... hope you can still help me... and again, thanks for all your advice..
#8
Click here http://www.mwti.net/antivirus/mwav.asp to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
#9
Help... more problems here... everything started running badly again... And I can't even use Spyware Doctor or Ad-Aware anymore.. they don't seem to work... here's a fresher log:

Logfile of HijackThis v1.99.1
Scan saved at 22:44:05, on 2005-04-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mocih.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\System32\ufaticom.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Olivier\Menu Démarrer\Programmes\Démarrage\winupdate03430305[1].exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Olivier\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [labjyji] c:\windows\xmdwvgd.exe
O4 - HKCU\..\Run: [eydqnxw] c:\windows\xmdwvgd.exe
O4 - HKCU\..\Run: [rbcqgpr] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [qidkenp] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [lxqqhkt] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [qyiygej] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [viggfwp] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [yircvyf] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [umloyqw] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [jdrjtks] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [grmfvmh] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [kxmrqrt] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [fdxhwqw] c:\windows\ayqswnt.exe
O4 - HKCU\..\Run: [ekfiwra] c:\windows\peqygva.exe
O4 - HKCU\..\Run: [ybscoyt] c:\windows\vejuouo.exe
O4 - HKCU\..\Run: [tqghire] c:\windows\vejuouo.exe
O4 - HKCU\..\Run: [fhpoumf] c:\windows\vejuouo.exe
O4 - HKCU\..\Run: [lrqrcyj] c:\windows\vejuouo.exe
O4 - HKCU\..\Run: [dgrklwd] c:\windows\vejuouo.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: winupdate03430305[1].exe
O4 - Startup: winupdate07872521[1].exe
O4 - Startup: winupdate52561670[1].exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7A237B81-9A42-404D-89E5-76AA84F49C01} - (no file) (HKCU)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {08BF6530-81D5-32FF-D4A6-33AC59A50AA4} - http://69.50.182.94/1/rdgCA1882.exe
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\System32\mocih.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe

Hope you can help me, thanks...
#10
Click here http://www.mwti.net/antivirus/mwav.asp to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.