Dr Watson Poblem - PLEASE HELP! [resolved]



#16 Guest_thatman_* (Guest)
Hi pcnumpty

Welcome to geekstogo!

Please read through the instructions before you start (you may want to print this out). The following items are malware and must be fixed.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
Click on Fix Checked when finished and exit HijackThis.


C:\Documents and Settings\laurence\Favorites\Sites about\Broadband comparison.url<--Delete this file

Post back a fresh HijackThis log and we will take another look.
And the scan.log from panda

Kc :tazz:
  • 0


#17 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

Completed the action as per your last post..........I also noticed that in the following file:

C:\Documents and Settings\laurence\Favorites\Sites about\

there were lots of similar files to the one I have just deleted, therefore I have deleted them all. (I deleted them whilst the active scan was running, therefore I think the scan report shows on one of the files I have since deleted....)

Attached as requested is a new HJT log and an updated active scan report:

Look forward to your next reply

Cheers

pcnumpty
:tazz:

Logfile of HijackThis v1.99.1
Scan saved at 14:24:35, on 20/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\tesconet\Tesconet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5A1C567-D857-4652-B24D-DA75EAB7F5ED}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Incident Status Location

Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\laurence\Favorites\Sites about\Credit counseling.url
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry

  • 0

#18 Guest_thatman_* (Guest)
Hi pcnumpty :)

I will leave this topic open for a few days just post back if you need any help.

What's that big grin for :)

This is one item you need to search your registry for; it's a dead link.
HomeSearchAsisstant

Download the ccleaner
I use this program and it is set up like this: all boxes are checked. Then choose Auto start.
Now run the ccleaner

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn off system restore
Disabling or enabling Windows XP System Restore

Defrag your hard drive, turn system restore back on and create a new restore point.

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

After doing all these, your system will be thoroughly protected from future threats. ;)

Kc ;)
  • 0

#19 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

Nearly there now.........just a few more daft questions.......

1) How do I search the registry and delete the 'HomeSearchAssistant'??

2) What does the following mean I have to actually do?? - Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

3) How do I 'defrag my hard drive and create a new restore point'??

Back to sulking again!!

:tazz:

Cheers

pcnumpty
  • 0

#20 Guest_thatman_* (Guest)
Hi pcnumpty

Use the following tutorial links

“Hidden files and folders” http://www.bleepingc...tutorial62.html


Reboot the computer into “ Safe Mode” http://www.bleepingc...tutorial61.html

Demystifying the Windows Registry

http://www.bleepingc...tion-tut55.html

http://www.bleepingc...uide-tut56.html

http://www.bleepingc...ures-tut58.html


Kc :tazz:
  • 0

#21 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

Thanks for the last post.......very helpful.....

However, I'm having a lot of difficulty locating the adware/homesearchassistant file that is still infected on my PC......

The active scan says it is in the 'Windows Registry'.......I cannot find a file with a name I recognise as the adware one........do you have any idea what it may be called????........or do i need to run one of the adware/malware removal scans??

I have attached an updated active scan report and a new HJT log for your info......

Many thanks

pcnumpty
:tazz:

Incident Status Location

Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry


Logfile of HijackThis v1.99.1
Scan saved at 19:41:07, on 22/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\tesconet\Tesconet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5A1C567-D857-4652-B24D-DA75EAB7F5ED}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


  • 0

#22 Guest_thatman_* (Guest)
Hi pcnumpty

Lets try this tool

Lexun RegScrubXP 3.25

Kc :tazz:
  • 0

#23 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

Thanks for the latest post......

I have downloaded and run RegScrubXP (173 problems were found - all fixed and deleted) but unfortunately it has not got rid of the problem with the HomeSearchAssistant......when I run an Active Scan it is still found......

When I used RegScrubXP the facility 'User Determines Problem' did identify a large amount of entries but not knowing what was what I did not fix any of them.......maybe the problem is lurking in there??

Not sure what else can be done!!

Cheers

pcnumpty

:tazz:
  • 0

#24 Guest_thatman_* (Guest)
Hi pcnumpty

Try this link just found it:

http://www.trendmicr...ADW_SEARCHAID.M

Please post back when you are done, then we will see what is next to remove, if any.

Kc :tazz:
  • 0

#25 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

I managed to download the file but I was unable to open it and run it as it said 'it was unable to recognise which program had created it'..........

I tried to find it via the internet but it was still unrecognised.....

Thanks

pcnumpty

:tazz:
  • 0

#26 Guest_thatman_* (Guest)
Hi pcnumpty

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
Still in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall
Still in the left panel, right-click on the following key(s) and choose Delete:
HSA <--Delete this
SW <--Delete this
SE <--Delete this

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Classes>CLSID
Still in the left panel, right-click on the following key(s) and choose Delete:
{5B7E41D7-7D84-4D18-F028-D4A3986027B8} <--Delete this

Still in the left panel, double-click the following:
HKEY_CLASSES_ROOT>CLSID
Still in the left panel, right-click on the following key(s) and choose Delete:
{5B7E41D7-7D84-4D18-F028-D4A3986027B8} <--Delete this

Still in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>URLSearchHooks
Still in the left panel, right-click on the following key(s) and choose Delete:
{5B7E41D7-7D84-4D18-F028-D4A3986027B8} <--Delete this

Still in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Explorer>Browser Helper Objects
Still in the left panel, right-click on the following key(s) and choose Delete:
{5B7E41D7-7D84-4D18-F028-D4A3986027B8} <--Delete this

Close Registry Editor.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
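As an added example (not from this thread or from HijackThis itself), a small Python script that parses HijackThis logs like the two pcnumpty posted in #17 and #21, reports which processes and O-entries appeared or vanished between the two scans, and checks whether a CLSID such as the one thatman asks to delete in #26 is referenced anywhere in a log. The two log strings are constructed excerpts of the posted logs, cut to a few lines.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
# Constructed excerpts of the two HijackThis logs posted in this thread
# (20/03/2005 and 22/03/2005), cut to a few lines so this runs offline.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [...]"

def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into (process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:                       # blank line ends the process list
            in_procs = False
        elif line.startswith("Running processes:"):
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif in_procs:                     # Windows paths compare case-insensitively
            processes.append(line.lower())
    return processes, entries

def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What appeared or vanished between two scans; processes are counted, so an extra svchost.exe shows up."""
    old_p, old_e = parse_hjt(before)
    new_p, new_e = parse_hjt(after)
    pc_old, pc_new = Counter(old_p), Counter(new_p)
    fmt = lambda e: f"{e[0]} - {e[1]}"
    return {
        "processes_added": sorted((pc_new - pc_old).elements()),
        "processes_removed": sorted((pc_old - pc_new).elements()),
        "entries_added": sorted(map(fmt, set(new_e) - set(old_e))),
        "entries_removed": sorted(map(fmt, set(old_e) - set(new_e))),
    }

def find_clsid(text: str, clsid: str) -> List[str]:
    """Entries naming a CLSID, e.g. the BHO/URLSearchHook GUID from post #26."""
    want = clsid.lower()
    return [f"{s} - {b}" for s, b in parse_hjt(text)[1] if want in b.lower()]
```

On the posted logs this reports the SpyKiller run entry as removed, one extra svchost.exe as added, and no entry at all for the {5B7E41D7-...} CLSID, which matches pcnumpty's finding that the named keys were not present.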

#27 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

Thanks for the last post......

I did what you asked but again none of the entries you quoted were to be found in the registry........

Cheers

pcnumpty
:tazz:
  • 0

#28 Guest_thatman_* (Guest)
Hi pcnumpty

The new Panda malware is a beta version; we may have some imperfections with it, but believe it will improve.

Are you having any problems?

Kc :tazz:
  • 0

#29 pcnumpty (Topic Starter, Member, 23 posts)
Hi thatman

I think I'll call it a day with this issue........having followed your expert advice over the last week or so, my PC has gotten rid of the Dr Watson problem and is also running much faster having dumped much of the crap that was clogging it up........

Finally, I'd like to thank you for your time, effort and much patience during my time on this forum........without people like you many of us PC numpties would have no idea what to do.....

thanks again

not so - pcnumpty!!

:tazz:
  • 0

#30 Guest_thatman_* (Guest)
Hi pcnumpty

Have a nice day

Kc :tazz:
  • 0





