Old 07-09-2004, 06:24 PM   #1
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
Getting rid of spyware??

I haven't had much protection from this stuff, but since I've started having problems I've bought a new virus checker and gotten several programs such as spybot, ad-aware, etc. to try to get rid of it. Most of it is gone, however, my homepage is still locked as some "home search" web page and I get several pop ups for pop up blockers ironically. I have also found several programs installed on my computer that I cannot remove via the add or remove programs option. They are: Home search assistant, Pgate basic, Search Extender, and Shopping Wizard. How can I get rid of these annoyances? I've been told to try buying registry mechanic? Would this be a good option or something else? or... should I just wipe my pc clean and start over with my new virus checker and spyware programs already in place? Thanks for any info and help.
gabe99 is offline   Reply With Quote
Old 07-09-2004, 06:27 PM   #2
Supergeek in training
 
Gizmo's Avatar
 
Join Date: Apr 2004
Location: UK
Posts: 1,690
Maybe posting a HJT log would be the next step, but we'll wait for the more experienced members to post first.
__________________
Pure geek and proud.

"Success is not final and failure is not fatal. It is the courage to continue that counts." - Winston Churchill
-------------------------------------------------------------------------------------------------
Gizmo is offline   Reply With Quote
Old 07-09-2004, 07:26 PM   #3
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
I'm not quite sure what an HJT log is..... I'm kinda new to this stuff and was referred to this site by a friend.
gabe99 is offline   Reply With Quote
Old 07-09-2004, 08:47 PM   #4
Lest we forget
 
ghost2003's Avatar
 
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
Go to www.spywareinfo.com/~merijn/downloads and get hijackthis, put it in its own folder and run it, then click scan. Then save the log and it will open notepad; copy the contents here. Don't fix anything yet since most of what it shows is harmless and even needed for your system to work.
__________________
redqueen: Antec Sonata, Pentium-D 2.5GHz, MSI G31M3-L, 2GB ram, 320 GB HDD, OpenBSD
hal9000: Lenovo T61, 2GB ram, 120 GB HDD, FreeBSD
ghost2003 is offline   Reply With Quote
Old 07-10-2004, 07:46 AM   #5
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
Here's what it shows:

Logfile of HijackThis v1.98.0
Scan saved at 6:44:59 AM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sysky32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\documents and settings\eric\local settings\temp\NJn7.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\netxn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eieii.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eieii.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eieii.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eieii.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eieii.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eieii.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A490913E-404C-4851-6AFE-B571204BBED4} - C:\WINDOWS\winsc32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NJn7] C:\documents and settings\eric\local settings\temp\NJn7.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [5KE92HR4NQQJ7P] C:\WINDOWS\System32\Awdzm.exe
O4 - HKLM\..\Run: [msmv32.exe] C:\WINDOWS\system32\msmv32.exe
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Eric\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/073784c491d3e2e...p/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
gabe99 is offline   Reply With Quote
Old 07-10-2004, 10:29 AM   #6
Member (11 bit)
 
edrod13's Avatar
 
Join Date: Oct 2000
Location: Yorba Linda, CA
Posts: 1,159
I think someone else had the same problem with spyware that would not remove. The suggestion I believe was to restart in safe mode and then run spybot and ad aware, then finally try the add remove before you restart.

Edrod13
__________________
"Do not worry about your difficulties in Mathematics. I can assure you mine are still greater." - Albert Einstein
edrod13 is offline   Reply With Quote
Old 07-10-2004, 12:24 PM   #7
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
I'll try that.. How do I restart in safe mode though?
gabe99 is offline   Reply With Quote
Old 07-11-2004, 09:55 PM   #8
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
well, I restarted in safe mode and ran spybot and ad-aware. I then went to add/remove, however, home search assistant, search extender and shopping wizard were not available anymore to remove so I thought the problem was fixed. I restarted the computer normally and found the programs back in the menu in the add/remove window and my homepage is still taken over and I get a lot of pop ups slowing things down. What should I try next? or should I just cut my losses and wipe it clean and start all over? Thanks for all suggestions.
gabe99 is offline   Reply With Quote
Old 07-11-2004, 10:15 PM   #9
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
please post a new hijack this log
Lobos is offline   Reply With Quote
Old 07-12-2004, 03:30 PM   #10
Member (10 bit)
 
Join Date: Mar 1999
Location: San Francisco, CA US
Posts: 922
Don't forget to run CWshredder

Shredder catches some things Spybot doesn't.
Harry is offline   Reply With Quote
Old 07-19-2004, 10:14 AM   #11
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
Sorry it took so long to reply to this thread again... I went on vacation and just got back.

Harry: could you please be more specific about what the entire name of the shredder program is that I should try.

Lobos: Here is another fresh Hijack this log

Anyone that can help I truly appreciate... Thanks again

Logfile of HijackThis v1.98.0
Scan saved at 9:11:27 AM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winkk32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\netxn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zryam.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zryam.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zryam.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zryam.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zryam.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zryam.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9D2038E0-DC8C-0EE4-766C-5E89BAD0CB6F} - C:\WINDOWS\ipdt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Eric\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKLM\..\RunOnce: [winfh32.exe] C:\WINDOWS\winfh32.exe
O4 - HKLM\..\RunOnce: [msza.exe] C:\WINDOWS\system32\msza.exe
O4 - HKLM\..\RunOnce: [atllm32.exe] C:\WINDOWS\system32\atllm32.exe
O4 - HKLM\..\RunOnce: [javats.exe] C:\WINDOWS\system32\javats.exe
O4 - HKLM\..\RunOnce: [sdkfx32.exe] C:\WINDOWS\system32\sdkfx32.exe
O4 - HKLM\..\RunOnce: [ipbm32.exe] C:\WINDOWS\ipbm32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
O4 - HKLM\..\RunOnce: [atlzz32.exe] C:\WINDOWS\system32\atlzz32.exe
O4 - HKLM\..\RunOnce: [ipmr.exe] C:\WINDOWS\system32\ipmr.exe
O4 - HKLM\..\RunOnce: [nettm32.exe] C:\WINDOWS\system32\nettm32.exe
O4 - HKLM\..\RunOnce: [javamc.exe] C:\WINDOWS\javamc.exe
O4 - HKLM\..\RunOnce: [ieov.exe] C:\WINDOWS\system32\ieov.exe
O4 - HKLM\..\RunOnce: [netnp.exe] C:\WINDOWS\system32\netnp.exe
O4 - HKLM\..\RunOnce: [sysgf.exe] C:\WINDOWS\system32\sysgf.exe
O4 - HKLM\..\RunOnce: [apiil32.exe] C:\WINDOWS\system32\apiil32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/073784c491d3e2e...p/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
gabe99 is offline   Reply With Quote
Old 07-19-2004, 03:04 PM   #12
Resident Intel Fanboy
 
Redfallon's Avatar
 
Join Date: Mar 2004
Location: Cincinnati
Posts: 1,669
CWshredder is available at Merijn.org also. Make sure all browser windows are closed when you run it.
__________________

...wide is the gate, and broad is the way, that leadeth to destruction, and many there be which go in thereat...
Redfallon is offline   Reply With Quote
Old 07-19-2004, 04:19 PM   #13
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Hi gabe99

You may want to print these instructions out, since everything is going to be done in safe mode, so you don't miss a step.

Download About:Buster from here:

http://www.downloads.subratam.org/AboutBuster.zip

unzip it to your desktop


Download CWShredder by Merijn Bellekom, the creator of Hijack This

unzip it to the desktop

Do Not Run It Yet

download AdAware 6 181

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Do not run Adaware yet.

-------------------------------------------------------------

To enable the viewing of hidden files, follow these steps:

How to see Hidden files and Folders

reboot into safe mode

How to boot into safe mode

* Right-click on My Computer
* Choose Manage
* Double-click on Services and Applications
* Click on Services
* In the righthand column find "Network Security Service", and double-click on it
(in Safe Mode this may already be stopped)
* Choose Stop and then write down the name and path of the file in the "Path to Executable" section
* Set the Startup Type to Disabled
* Click Ok
* Close the Computer Management window
------------------------------------------------------------------------------
Run HijackThis and place a check beside each of the following items. Once done, click the Fix checked button. Some of them may not be there, but fix what is.


R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9D2038E0-DC8C-0EE4-766C-5E89BAD0CB6F} - C:\WINDOWS\ipdt.dll

O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Eric\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKLM\..\RunOnce: [winfh32.exe] C:\WINDOWS\winfh32.exe
O4 - HKLM\..\RunOnce: [msza.exe] C:\WINDOWS\system32\msza.exe
O4 - HKLM\..\RunOnce: [atllm32.exe] C:\WINDOWS\system32\atllm32.exe
O4 - HKLM\..\RunOnce: [javats.exe] C:\WINDOWS\system32\javats.exe
O4 - HKLM\..\RunOnce: [sdkfx32.exe] C:\WINDOWS\system32\sdkfx32.exe
O4 - HKLM\..\RunOnce: [ipbm32.exe] C:\WINDOWS\ipbm32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
O4 - HKLM\..\RunOnce: [atlzz32.exe] C:\WINDOWS\system32\atlzz32.exe
O4 - HKLM\..\RunOnce: [ipmr.exe] C:\WINDOWS\system32\ipmr.exe
O4 - HKLM\..\RunOnce: [nettm32.exe] C:\WINDOWS\system32\nettm32.exe
O4 - HKLM\..\RunOnce: [javamc.exe] C:\WINDOWS\javamc.exe
O4 - HKLM\..\RunOnce: [ieov.exe] C:\WINDOWS\system32\ieov.exe
O4 - HKLM\..\RunOnce: [netnp.exe] C:\WINDOWS\system32\netnp.exe
O4 - HKLM\..\RunOnce: [sysgf.exe] C:\WINDOWS\system32\sysgf.exe
O4 - HKLM\..\RunOnce: [apiil32.exe] C:\WINDOWS\system32\apiil32.exe
O4 - Startup: PowerReg Scheduler.exe



delete these files in windows folder
C:\WINDOWS
atlic.exe
javamc.exe
winfh32.exe
ipbm32.exe


delete these files in System32 folder
C:\WINDOWS\system32\
msza.exe
atllm32.exe
javats.exe
sdkfx32.exe
atlzz32.exe
ipmr.exe
nettm32.exe
ieov.exe
netnp.exe
sysgf.exe
apiil32.exe

-------------------------------------------------------------------------------------
Run AboutBuster.exe, click ok, then start, then OK. Make a copy of the log once it finishes.
Then run aboutbuster.exe again. Make a copy of that log, so you should have two About:Buster logs.
----------------------------------------------------------------------------------------

Cwshredder
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")

-----------------------------------------------------------------------
Run AdAware With the custom settings
Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them

----------------------------------------------------------------
then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
--------------------------------------------------------------------------------------------------------------
empty your recycle bin
reboot to normal

Post a new HijackThis log along with the two reports from About:Buster, and let me know how your computer's running.



Lobos

Last edited by Lobos; 07-19-2004 at 04:23 PM.
Lobos is offline   Reply With Quote
Old 07-19-2004, 11:07 PM   #14
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
Thanks for all your help Lobos. I followed your instructions word for word. Unfortunately, after running AboutBuster twice, I was unable to save the logs. I highlighted the logs and hit copy, but after exiting the program, I was left in a black screen and had no way to paste the logs to save them. For some reason I still can't get my home page back either. I did run hijackthis again and here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 10:00:24 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\msbw32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\netxn.exe
C:\Documents and Settings\Eric\Desktop\Maintenance\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nxrrl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nxrrl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nxrrl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nxrrl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nxrrl.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nxrrl.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {66984619-ADA4-CFD0-E11A-2E0AB9E72156} - C:\WINDOWS\javash32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\RunOnce: [msbw32.exe] C:\WINDOWS\system32\msbw32.exe
O4 - HKLM\..\RunOnce: [nettj32.exe] C:\WINDOWS\nettj32.exe
O4 - HKLM\..\RunOnce: [sdkvz.exe] C:\WINDOWS\system32\sdkvz.exe
O4 - HKLM\..\RunOnce: [mfcbt.exe] C:\WINDOWS\mfcbt.exe
O4 - HKLM\..\RunOnce: [javahn32.exe] C:\WINDOWS\system32\javahn32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {54077EEE-EC55-4C0B-AFD0-9F97CA7EE465} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/073784c491d3e2e...p/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab


Thanks again for all your help... Let me know if there are still some more options, or if I should just reinstall everything fresh. Let me know if I can give any more info that would help. Thanks.
gabe99 is offline   Reply With Quote
Old 07-19-2004, 11:27 PM   #15
Member (10 bit)
 
dave computer's Avatar
 
Join Date: Dec 2001
Location: Marlette, Michigan
Posts: 523
did you ever think of just backing up your files and reformatting? Seems to be easier.
dave computer is offline   Reply With Quote
Old 07-19-2004, 11:44 PM   #16
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
that's pretty much what I'm thinking.... If you look earlier in the thread, I mentioned that I was thinking of that, but wanted to see if someone had another way to solve this problem. I don't want to have to do that if I don't have to because my wife has a bunch of home movies and pictures saved that will be a pain to back up, but I'm afraid that's what I may have to do. Thanks for the advice.
gabe99 is offline   Reply With Quote
Old 07-23-2004, 11:34 AM   #17
Member (4 bit)
 
Join Date: Jul 2004
Posts: 11
Just want to say thanks to Lobos and all others that offered help and suggestions. Eventually I did end up wiping everything off and starting over with a fresh install of Windows XP, but I appreciate all the time everyone put in trying to help me out. Now I have the newest McAfee Virus checker installed along with spybot and ad-aware and hopefully I can prevent a similar problem in the future.
gabe99 is offline   Reply With Quote
Old 07-23-2004, 11:42 AM   #18
PCMech: Saving Lives
 
Join Date: Apr 2004
Location: England, the United Kingdom
Posts: 1,839
Quote:
Originally Posted by gabe99
Now I have the newest McAfee Virus checker installed along with spybot and ad-aware and hopefully I can prevent a similar problem in the future.
You are using some kind of firewall running, otherwise you could find yourself in trouble.
__________________
WhatsThisBoxFor? is offline   Reply With Quote
Old 07-23-2004, 02:07 PM   #19
Member (7 bit)
 
CarlS's Avatar
 
Join Date: Mar 2003
Location: Altamonte Springs, FL
Posts: 108
Gabe99,
Visit the System Security and Privacy forum and review some of the threads regarding antivirus programs. You can do much better than McAfee and for free. Keep your antivirus program updated and keep Adaware and Spybot updated. Watch your surfing habits. There are several websites that address safe surfing habits. Make sure that all current critical updates for XP are installed - extremely important.
__________________
Carl S
CarlS is offline   Reply With Quote
Old 07-23-2004, 02:49 PM   #20
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Let me get the other fix for this, I'll be back.


Unfortunately this variant has morphed. We will see what path to take.

Please download this file to your desktop and extract the file from the zip onto your desktop. Then run the vbs file and post the contents of the notepad

http://www.computercops.biz/modules....wnload&id=2239

It will speed up the process. It's going to give me a list of the active services you are running.

Lobos
Lobos is offline   Reply With Quote
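
The change between the two 7/19/2004 logs in this thread can be checked mechanically. The following is an added example, not code from any poster or from HijackThis itself: it parses two scans, pulls out the `res://` hijacker DLL, the BHO and the Run/RunOnce autoruns, and reports which slots were refilled under new names and which entries from the post #13 fix list are still present. The function names are assumptions of this example, and the sample lines are short excerpts of the logs posted above.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Excerpts of the second and third HijackThis logs posted in this thread.
SCAN_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zryam.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zryam.dll/index.html#96676
O2 - BHO: (no name) - {9D2038E0-DC8C-0EE4-766C-5E89BAD0CB6F} - C:\WINDOWS\ipdt.dll
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [winfh32.exe] C:\WINDOWS\winfh32.exe
O4 - HKLM\..\RunOnce: [msza.exe] C:\WINDOWS\system32\msza.exe
"""
SCAN_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nxrrl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nxrrl.dll/index.html#96676
O2 - BHO: (no name) - {66984619-ADA4-CFD0-E11A-2E0AB9E72156} - C:\WINDOWS\javash32.dll
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\system32\netxn.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [msbw32.exe] C:\WINDOWS\system32\msbw32.exe
O4 - HKLM\..\RunOnce: [nettj32.exe] C:\WINDOWS\nettj32.exe
"""
# Autorun names taken from the fix list in post #13 (subset matching the excerpt).
FIXED_IN_POST_13 = {"netxn.exe", "winfh32.exe", "msza.exe"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RES_URL = re.compile(r"res://(?P<path>[^/]*?\.dll)/", re.IGNORECASE)
O2_BHO = re.compile(r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_REG = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


def parse(log):
    """Return (code, body) per entry line; header and process lines are skipped."""
    lines = (line.strip() for line in log.splitlines())
    return [(m["code"], m["body"]) for m in map(ENTRY.match, lines) if m]


def indicators(log):
    """Collect hijacker DLL names, BHO registrations and registry autoruns."""
    found = {"res_dll": set(), "bho": set(), "autorun": set()}
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = RES_URL.search(body)
            if m:  # start/search page served from inside a local DLL
                found["res_dll"].add(basename(m["path"]).lower())
        elif code == "O2":
            m = O2_BHO.search(body)
            if m:
                found["bho"].add((m["clsid"].upper(), m["path"].lower()))
        elif code == "O4":
            m = O4_REG.match(body)
            if m:  # startup-folder O4 lines have no registry key and are skipped
                found["autorun"].add((m["key"], m["name"].lower(), m["cmd"].lower()))
    return found


def compare(before, after):
    """Set difference per indicator kind between two scans."""
    b, a = indicators(before), indicators(after)
    return {
        kind: {
            "persisted": b[kind] & a[kind],
            "vanished": b[kind] - a[kind],
            "appeared": a[kind] - b[kind],
        }
        for kind in b
    }


def regenerated(delta):
    """Kinds where old values disappeared and different ones took their place."""
    return sorted(k for k, d in delta.items() if d["vanished"] and d["appeared"])


def survivors(delta, fixed_names):
    """Autoruns that were on the fix list but are still registered afterwards."""
    return sorted(
        name for _, name, _ in delta["autorun"]["persisted"] if name in fixed_names
    )


if __name__ == "__main__":
    delta = compare(SCAN_BEFORE, SCAN_AFTER)
    print("refilled under new names:", regenerated(delta))
    print("still present after fix: ", survivors(delta, FIXED_IN_POST_13))
    for kind, d in delta.items():
        print(kind, "appeared:", sorted(d["appeared"]))
```

An entry that survives a fix while everything around it is renamed is the one to look at first, since something still running is rewriting the other values.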