AdAware & Spyblaster settings


#1
kateofdorset
Have been working my way through your What to do B4 Posting Hijack etc and can't thank you enough for the removal of Shopping Wizard Search Extender etc ~ after an invasion of malware, I've been running repeated AdAware and Spybot checks for days trying to keep them at bay.
Now running a Panda check to take out the last of them and want to do everything I can to keep the [bleep]s out, but have a couple of queries.
1. re the setup instructions for AdAware ~ I downloaded a new version from your site but in the Scanning Engine options, the instruction to 'ignore spanned files when scanning CAB archives' was ticked and greyed out.
2. Ditto under Cleaning Engine, I couldn't tick 'During removal, unload explorer and IE if necessary' ~ it was deselected and greyed out.
Does this sound right??
3. I also downloaded Spyware Blaster from your site and was unsure what to do when it said that it blocked the normal IE security checks ~ should I override this or not?
4. I note that Panda says it does not disinfect Spyware ~ should I have chosen Trend instead? I have a feeling the version I have of Spybot may be infected as I've had scan errors several times in last couple of days. If I download a fresh one from your site, will it ask me to uninstall current one ~ don't want to start any conflicts.
5. And finally, as Norton 2003 proved useless at detecting any viruses when I was crawling with them, I've disabled it and am using AVG. Should I uninstall Norton altogether ~ I have a subscription till next December but I'm happy to let it go if it keeps me bug free.

Hope I won't need to paste a Hijack log if my army of detectors works ~ but I'll let you know. Many thanks for your excellent advice.
#2
Koretek
Usually when something is greyed out it is because those settings are only an option with the paid tool so don't worry about them at all. Cab files are not a problem at this time anyway, we will know much more later.

With regard to spyware blaster let the IE security checks be enabled.

Panda is fine, it is for Trojans alone and has nothing to do with Spyware basically so again no worries there and Trend is fine but again it would basically be the same thing. That's why we tell you to use Spyware Blaster. (I would rather you use Spyware Search and Destroy like I do but I'm sure it's just as good, it's the same company.)

Finally, my girlfriend had the same problem as did I. I kind of felt like wow, I paid for this, but if it stinx..... it stinx right? Now we know why they gave it to us in the start I guess, it was prob the cheapest thing they could find! : ) I got rid of mine and I would rather see you with Panda for sure.

Now lastly..... It won't hurt to post a log with HijackThis and just let us have a look, it's why we're here and why we get the big bucks! (we are all volunteers) I would feel a lot better if we made sure you were clean myself, if you like I have a link to HijackThis in my signature, get the latest edition 1.99 and leave us a log if you like, it can show many things that other scans may not and it's why it's what we always use to start with. Many thanx for the kind words though, have a great day! (or nite depending upon where you live!)

#3
kateofdorset
Thanks Koretek. Hijackthis logs at end of this but first let me tell you about my morning so far (are you sitting comfortably?)

1. Last night's Panda scan had to be aborted ~ after detecting a Sites About Scissor link in my Favourites and infection in the registry, it then spent HOURS (like 2) going through something like EuroArt files (poss. online Microsoft clipart??). When I stopped Scan it said it couldn't delete those particular infections! I got rid of the Scissor link, but didn't know how to get into Registry, so went to bed.
2. This morning I booted up but ignored very persistent Dial Up box (couldn't close it ~ opened multiple copies), but stayed offline and let AVG do a full scan, which was OK
3. Ran AdAware ~ found Bluestreak cookie. Deleted and rebooted.
4. Ran CWShredder ~ OK
5. Ran Spyblaster ~ no trojans but reported a 'change in registry' ~ had a look and found MDM.EXE was back ~ deleted (is it possible to save Spyblaster report?)
6. Ran Spybot ~ error during check ( ISearch and then something in German)
7. Ran Spybot again ~ OK (no Zdemons which is what it usually finds)
8. Ran AdAware again ~ OK
9. Tried to go online ~ no connection.
10. Ran HiJack (More of my morning follows after report). Deleted Hosts: www.dscresearch.com . Also deleted Panda Activescan. Wondered again about BHO ~ no name~ programs~Spybot1 but left it. d*** ~ thought Spybot saved all logs ~ now can only access latest which is at the end of this~ mouse keeps freezing ~ notepad box doesn't want to close -something is trying to stop me sending this so will stop searching for earlier log and let it go.)

11. Still couldn't go online (Speedtouch broadband)
Dial-up box wouldn't close. Ctrl Alt Del ~ 'Explorer' gone in running background programmes box. Had to Ctrl Alt Del again to shutdown and restart.
10. After reboot, ran HiJack immediately ~ report encl. New stuff I noted is 'R1 -Proxy override internet settings' + 014 IERESET-INF START PG. Left well alone
11. Explorer running in background OK again. Connected online no probs.
12. Ran Spyblaster again before writing this ~ only a 'Change in registry' again ~ only thing I could see is the Microsoft Run Once.
13. Ran AdAware again after I was online ~ still OK. (But I note that I have to click 'Move files to Recycle Bin' option each time as it deselects itself.)

And here I am!! Don't feel safe yet ~ AdAware had consistently found 2 to 4 nasties every day (sometimes several times a day) for a week. So to get it down to just one this morning feels good ~ but I still feel there's something going on in the background that I haven't nailed. Any advice would be SO welcome. You guys are brilliant! To uninstall Norton do I just go to Add/Remove??
This is latest Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 13:11:53, on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BELKINUD TOOLS2.33\BELKINUD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PLoader] c:\program files\belkinud tools2.33\belkinud.exe sys_auto_run C:\PROGRAM FILES\BELKINUD TOOLS2.33
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab


Will send follow-up more recent Hi Jack scan since mouse problems after I've got this away successfully. Thanks

#4
kateofdorset
(Have a feeling I should have started a new file for all this ~ sorry.)

Following on from last entry, I've made a careful comparison of the HiJack Log at 13.11 and the one I made at 14.20 (after mouse problems) and these are the differences between them:
On the 14.20 scan,
1. the R1 HKCU Internet settings\Proxy Override+;,local. has GONE.
2. There is a new Running Process ~ C:\WINDOWS\SYSTEM\SPOOL32.EXE
3. TWO of these are now running (exactly the same):
04 -HKCU\..\RunServices:[SpybotSD Teatimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe



Any ideas what is going on? Should I redownload a fresh Spybot from your site? (Copy I'm using was downloaded from net a week ago)
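
The side-by-side comparison described in post #4 can be automated. The script below is an added example, not code from the thread or from HijackThis: it parses two HijackThis logs and reports processes and entries that appeared, disappeared or are listed twice. Both sample logs are constructed (`BEFORE` is a few lines copied from the 13:11 log above, `AFTER` applies the three differences the post lists), and the function names are hypothetical.

```python
import re
from collections import Counter

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse_hjt(text):
    """Split a HijackThis log into (running processes, coded entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line.upper())  # Win9x paths are case-insensitive
    return processes, entries

def diff_hjt(before, after):
    """Report what appeared, disappeared or is listed twice between two logs."""
    procs1, entries1 = parse_hjt(before)
    procs2, entries2 = parse_hjt(after)
    count1, count2 = Counter(entries1), Counter(entries2)
    return {
        "new_processes": sorted(set(procs2) - set(procs1)),
        "gone_processes": sorted(set(procs1) - set(procs2)),
        "added_entries": sorted((count2 - count1).elements()),
        "removed_entries": sorted((count1 - count2).elements()),
        "duplicated_entries": sorted(e for e, n in count2.items() if n > 1),
    }

# Constructed sample: a few lines copied from the 13:11 log in the thread.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""
# Constructed sample (not the real 14:20 log): BEFORE with post #4's changes.
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    for kind, items in diff_hjt(BEFORE, AFTER).items():
        print(kind, items)
```

Entries are compared as exact strings, so a path that changes only in case or 8.3 short-name form shows up as one removal plus one addition.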