problems with iexplore and svchost [Resolved]


#16
bgdkmetzger2003
Member, Topic Starter
:tazz: ilago, I appreciate all of the help you've given me, but I sort of feel like I'm doing the same things over and over. But I am willing to do what I have to to fix it. I admit that there does not seem to be anything very wrong with my computer. It's not acting up to the degree where I can't do things. I would still like to get to the bottom of these small problems.

I have some new info that might help you. I've discovered Startnow Navigation Helper in my programs and I cannot uninstall it (fatal error during installation). I read online that this could be something bad.

I am behind a college firewall at SDSU.

A while ago AVG picked up something but I could not delete or quarantine it because it said it was embedded. I forget the name. I haven't heard anything else about it though. That might be something.

Microsoft Antispyware always picks up a possible browser hijack (Internet Explorer search page) all the time, and I keep removing it.

I always seem to be fixing the same problems in HijackThis and they keep coming back. (minisearch, so does Spyware Doctor, and McAfee, which I don't know how to get rid of)

I still get the Alertview.exe error.

I still have a bunch of minisearches and I just fixed them!

Logfile of HijackThis v1.99.1
Scan saved at 12:23:38 AM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\antivirus stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [] curious
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

#17
ilago
Visiting Staff
Hi bgdkmetzger2003

The removal of malicious software can be very frustrating. In the end it is usually successful.

"A while ago AVG picked up something but I could not delete or quarantine it because it said it was embedded. I forget the name. I haven't heard anything else about it though. That might be something."

Are you able to check AVG logs to see if it has recorded any of the information? You might need to search a little for them. They may be stored in the AVG folder. There are symptoms of viral activity as well as malware.

StartNow Navigation Helper is something new and there are removal methods available. I would like to get some further advice before we attempt any further fixing.

I'll post back as soon as I have some more information.

#18
bgdkmetzger2003
Member, Topic Starter
I went back to that scan in AVG that picked up the infected files. I copied the scan and put it in WordPad. I cut and pasted this part that said what was infected. Hope this helps.

"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\loaderadv621[1].jar:\Counter.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\loaderadv621[1].jar:\Parser.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\loaderadv621[1].jar","Virus identified Java/ByteVerify","Infected, Archive"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\SLUV01Y7\loaderadv620[1].jar:\Counter.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\SLUV01Y7\loaderadv620[1].jar:\Parser.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\SLUV01Y7\loaderadv620[1].jar","Virus identified Java/ByteVerify","Infected, Archive"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\TCC3L9C1\msjld[1].jar:\GetAccess.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\TCC3L9C1\msjld[1].jar:\InsecureClassLoader.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\TCC3L9C1\msjld[1].jar:\Installer.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\TCC3L9C1\msjld[1].jar","Virus identified Java/ByteVerify","Infected, Archive"

#19
ilago
Visiting Staff
Hi bgdkmetzger2003

I think a couple of things are interfering with our fixing, and possibly with the attempts to completely remove McAfee. Can you disable the Microsoft Antispyware real-time protection by right clicking on the icon and clicking on Security Agents Status (Enabled) and click on Disable Real-time Protection? To re-enable it later, you follow the same steps but click on Enable Real-time Protection.

We also need to disable the Cleaner's real time monitors - tcmonitor and tcactive. The procedure should be similar. Right click on the tray icons and select to Disable or Shutdown.

While we are working on this log both of these need to be disabled. If they start up again when you reboot - please make sure you disable them again.

Download CWShredder from here http://www.geekstogo...tion=show&id=17 and save it to your desktop. We'll use it later.

Open HijackThis again and check these items. Disconnect from the internet and close all open windows and click on fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O4 - HKCU\..\Run: [] curious
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)


Reboot into Safe Mode and double click on CWShredder. Click on Fix. It will let you know when it is finished and whether it found any CWS related items. Please let me know when you post your next log.

Clean out temporary files: Start | Run | type cleanmgr | OK
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
Reboot into normal mode. Do a new HijackThis log and post it. Let me know what problems you still may have.

#20
bgdkmetzger2003
Member, Topic Starter
What if I kill the process "Alertview.exe"??? Will that get rid of the alertview.exe error??

#21
ilago
Visiting Staff
Hi there

Getting rid of the alertview message won't remove the infection you have. You could do that last fix in Safe Mode if you are having trouble with it. In Safe Mode only a minimal part of the operating system is loaded so there should be nothing loaded that could interfere with the fix.

Let us know if you are still having problems.

#22
bgdkmetzger2003
Member, Topic Starter
I guess the problem is, whether I'm in Safe Mode or not, those same things come up in HijackThis every time. So we just have to figure out how to get rid of them. I'm also worried that since I can't click on Dell alerts without getting an alert.exe error, I won't be able to update my computer.

#23
ilago
Visiting Staff
Hi again

It certainly wouldn't hurt to kill the process and go on with the fix.

Dell Support is additional proprietary software. It may be that the Dell software installed has become damaged or corrupt. This may have been caused by the spyware infection but not necessarily. The spyware infection that you have certainly won't be helping.

According to Dell Support here: http://service.dell....2 16456,00.html
Dell Support software can be downloaded from their site. You could uninstall and reinstall later if you wish. It isn't essential for the operation of your computer but some users find it helpful.

I will give you some help on making sure Windows is up to date after the infection is removed if you are concerned about keeping up to date. It's not a good idea to install additional software while removing spyware infections unless it belongs to the removal procedures.

#24
bgdkmetzger2003
Member, Topic Starter
Do you think that I can go to the "delete NT service" in the misc tools section of HijackThis to get rid of the things that keep popping up in the scan? Actually I've already tried to get rid of the McAfee file missing things but I keep typing in the name wrong or something. How can I get rid of the missing files through delete NT service....can it be done that way?? Also I believe I have the "Startnow Navigation Helper" spyware bug. How do I get rid of this??? :tazz:

#25
ilago
Visiting Staff
Hi there

Could you do a new HijackThis log so we can check it? If you have something new we might need to change some of what we were trying to do.

#26
bgdkmetzger2003
Member, Topic Starter
My guess is the minisearch stuff is because I have the Startnow Navigation Helper virus. I looked it up. How do I get rid of that? Also, how do I get rid of the McAfee files that are missing?? Do you have anything new on the alertview.exe error thing??

Logfile of HijackThis v1.99.1
Scan saved at 8:49:32 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\antivirus stuff\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [] curious
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

#27
ilago
Visiting Staff
Hi bgdkmetzger2003

For the moment we'll just ignore the Dell alert. It's a Dell Support Program and can be fixed later if it's still giving alerts. It's not relevant to what we are trying to do. When the spyware is removed we'll sort out the Dell alert and updating Windows.

If you didn't already do this please download CWShredder from here http://www.geekstogo...tion=show&id=17 and save it to your desktop.

Print out these instructions so you have them in front of you when you aren't able to access the internet. We are going to do this fix in Safe Mode so that only minimal software is running and the software that is interfering with the removal can't load up.

Boot into Safe Mode-----very important----- by tapping F8 continuously as soon as the computer beeps as it starts up. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking. You'll know you're in Safe Mode - it's really ugly, the icons are huge and the colors are terrible. Safe Mode is written in each corner of the screen. This may help if you don't feel confident about Safe Mode. How to get into safe mode: http://service1.syma...001052409420406

Now you're in Safe Mode. Open HijackThis again and click on Do System Scan Only. When the scan is finished put a check mark into the boxes beside these items. Close all open windows and click on fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O4 - HKCU\..\Run: [] curious
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)


Still in Safe Mode. Find CWShredder on your desktop where you downloaded it before. Double-click on it to open it. Click on Fix. It will let you know when it is finished and whether it found any CWS related items. When the first CWShredder run is completed run it again and select to fix again.

Open Windows Explorer and navigate to this folder: c:\program files\McAfee.com

Delete the folder. Most of the files have already been removed when you uninstalled the program. We'll see if this additional step removes those entries.

Reboot into normal mode. Do a new HijackThis log and post it. Let me know what problems you still may have with the Dell support alert.

I normally give people the prevention information at the end but I'm going to give some now to give you a little extra help in trying not to get re-infected.

Download and install SpywareBlaster; it will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The download is well down the page and the page is worth reading for more information about spyware infections. This program opens in a command window. You will need to use the numbers to select what is to be installed. It acts by preventing Internet Explorer getting to some web sites that are known to be nasty.
https://netfiles.uiu...ww/resource.htm

Lastly, if your log is clean when you post it, you need to visit Windows Update to ensure you have all the patches your system needs.

Sorry I took a little while to get back to you - I had major computer problems :tazz:

Edited by ilago, 23 March 2005 - 06:04 AM.

  • 0
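
As an added example (not part of the thread, and not code from HijackThis or Geeks to Go): the entries selected for fixing in posts #19 and #27 fall into three patterns, namely R0/R1 Internet Explorer settings pointing at an unexpected host, an O4 autorun with an empty value name, and O23 services whose binary is marked "(file missing)". The Python below flags those patterns in a HijackThis log and reports which findings come back in a later scan. The names `triage`, `recurring` and `TRUSTED_HOSTS` are assumptions made for this example, and `SCAN_2` is a constructed, hypothetical second scan.

```python
import re
from urllib.parse import urlparse

# Constructed samples in the format of the logs posted in this thread.
# SCAN_2 is hypothetical: the orphaned service is gone, the rest is back.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [] curious
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKCU\..\Run: [] curious
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
# Assumption: hosts the analyst accepts as legitimate for this machine.
TRUSTED_HOSTS = {"dellnet.com", "microsoft.com"}

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RUN_KEY = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] ?(.*)$")
SERVICE = re.compile(r"Service: .*?\(([^()]+)\) - ")


def is_trusted(host, trusted_hosts):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage(log_text, trusted_hosts):
    """Return (section, reason, subject) tuples for suspicious log entries."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header line, running-process path, or blank line
        section, body = m.groups()
        if section in ("R0", "R1"):
            key, sep, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname if sep else None
            # Values that are not URLs yield no hostname and are ignored here.
            if host and not is_trusted(host.lower(), trusted_hosts):
                findings.append((section, f"IE setting points at {host.lower()}", key))
        elif section == "O4":
            run = RUN_KEY.match(body)
            if run and run.group(2) == "":
                subject = f"{run.group(1)}: {run.group(3)}"
                findings.append((section, "autorun with empty value name", subject))
        elif section == "O23" and body.endswith("(file missing)"):
            svc = SERVICE.match(body)
            name = svc.group(1) if svc else body
            findings.append((section, "service binary missing on disk", name))
    return findings


def recurring(before, after, trusted_hosts):
    """Findings in the later scan that were already present in the earlier one."""
    seen = set(triage(before, trusted_hosts))
    return [f for f in triage(after, trusted_hosts) if f in seen]


if __name__ == "__main__":
    for finding in triage(SCAN_1, TRUSTED_HOSTS):
        print("flagged:  ", finding)
    for finding in recurring(SCAN_1, SCAN_2, TRUSTED_HOSTS):
        print("came back:", finding)
```

Findings that reappear in a scan taken after "Fix checked" indicate that something is still rewriting those settings, which is the situation described in posts #16 and #22.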

#28
bgdkmetzger2003
Member, Topic Starter
:tazz: I think I found the problem!! I found some files that keep replicating themselves. One file is called desktop.ini, and the other one, which I'm sure is the problem, is index.dat. There are 4 of these files in my cookies and internet folders. I cannot remove them no matter what I do. They keep making more of themselves and I keep deleting them. I've traced them back to four files. Two of them are 16kb and two are 32kb. Now how do I remove them? It says that they are being used by another program (the virus?).

#29
ilago
Visiting Staff
Hi there

They are normal Windows files and it's not uncommon to have more than one of either of them. You could have several index.dat files in your temporary internet files folder for example - they store data. Windows regards index.dat as a system file so it won't let you delete it. Desktop.ini is a configuration file and usually used to save settings. For example it could be used to store customized folder settings. I don't think you need to worry about them at the moment.

You need to do the things I posted so you can remove the main problems.

Let me know if you need help to do anything that I've listed.

#30
UnnaturalInamorata
New Member
Hey there,
I was having the same problems, multiple instances of iexplore.exe in my task manager showing up, and NO iexplore windows open. I would open them, close them, but, the iexplore instance would stay alive. Eventually, system functions would slow down, and fail, for having too much of my memory dedicated to these ghost iexplore.exe's running.

On a whim, I uninstalled an older version of the Google taskbar search, and reinstalled, rebooting in between, and my problems were solved!

By any chance, are you running Google software on your system? If so, that may be your problem too.

jon

Please let me know if this helps!
email address removed

Edited by ilago, 04 April 2005 - 06:31 AM.
