Help! Specificclick cookie



#1 KSizemore (New Member, 4 posts)
Thanks in advance for all your help. I have several hijack cookies that I can't seem to get rid of: specificclick.txt, doubleclick.txt and advertising.txt. Can anyone help me with this, please?

Thanks


#2 ricox (Visiting Staff / Visiting Consultant, 331 posts)
Hello and Welcome to Geeks to Go.

I am ricox and I will be assisting you with your malware problem.
Currently I'm studying your log and will be back to you as soon as possible. Thank you for your patience.

#3 ricox (Visiting Staff / Visiting Consultant, 331 posts)
Hi again KSizemore,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

*******
Next

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4 KSizemore (Topic Starter, New Member, 4 posts)
Hello ricox,

I have the files you need; I have attached them here. Thanks for your help.

Deckard's System Scanner v20070611.50
Run by Owner on 2007-07-07 at 07:58:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x000005AA


-- Last 2 Restore Point(s) --
2: 2007-07-07 11:58:41 UTC - RP3 - Deckard's System Scanner Restore Point
1: 2007-07-06 11:57:26 UTC - RP2 - Ken


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:00:42 AM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\SPDEVMONSRV.exe
C:\WINDOWS\system32\SPdevmonx.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\SPPDPSRV.EXE
C:\wamp\apache2\bin\Apache.exe
C:\PROGRA~1\SHARP\AJ5030\SPEMAI~1.EXE
C:\WINDOWS\system32\SPDTMONX.EXE
C:\PROGRA~1\COMMON~1\ANTIWO~1\ga6pcw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiWorm2008\pgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\wamp\wampserver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MKQ5N5WW\dss[1].exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.se1.attbb.net
O2 - BHO: CIEIntegrator Object - {D3B4C621-6024-410B-9F0F-22CBD6981F5E} - C:\Program Files\AntiWorm2008\Addons\popupg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\AntiWorm2008\Addons\aviebho.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SPPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\SPPDPSRV.EXE
O4 - HKLM\..\Run: [SHARP SetupPrinter] RunDLL32 INST32.DLL,RunDll_SetDefaultPrinter AJ5030 PDP
O4 - HKLM\..\Run: [SHARP Email Assistant] C:\PROGRA~1\SHARP\AJ5030\SPEMAI~1.EXE
O4 - HKLM\..\Run: [AJ5030 Print to Desktop] C:\WINDOWS\system32\SPDTMONX.EXE
O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\ANTIWO~1\ga6pcw.exe" -start
O4 - HKLM\..\Run: [AntiWorm2008] C:\Program Files\AntiWorm2008\pgs.exe /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://casinoclassi...sic/FlashAX.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{384D0344-CA40-4033-968D-B893B13E1203}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{4725E11E-47A2-4FF9-AF33-DCE6EF394F04}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{7686F577-0A9D-49C3-898F-70372C9499D5}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F9A99E-5F79-41DC-A804-38BD0C15AD10}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: AJ5030 Device Monitor (SPDevmonSrv) - Unknown owner - C:\WINDOWS\system32\SPDEVMONSRV.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 SPsmfpi - c:\windows\system32\drivers\spsmfpi.sys <Not Verified; ViewAhead Technology, Inc.; SHARP AJ5030>
R2 VECP - c:\windows\system32\drivers\vecp.sys <Not Verified; ViewAhead Technology, Inc.; SHARP AJ5030>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 MOSUMAC (USB-Ethernet Driver) - c:\windows\system32\drivers\mosumac.sys <Not Verified; --; NDIS-WDM Driver for USB-Ethernet Adapter>
S3 nuvaud2 (Pinnacle DVC 80 Audio) - c:\windows\system32\drivers\nuvaud2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 NUVision (Pinnacle DVC 80 Video) - c:\windows\system32\drivers\nuvvid2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SPDevmonSrv (AJ5030 Device Monitor) - c:\windows\system32\spdevmonsrv.exe
R2 wampapache - "c:\wamp\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 wampmysqld - c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

S3 Ftdhute -


-- Files created between 2007-06-07 and 2007-07-07 -----------------------------

2007-07-06 08:04:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-07-06 08:03:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-04 09:12:00 0 d--hs---- C:\GA6P
2007-07-04 08:40:36 8704 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-04 08:29:25 0 d--hs---- C:\UGA6P
2007-07-04 08:29:17 0 d-------- C:\Documents and Settings\Owner\Application Data\AntiWorm2008
2007-07-04 08:29:06 0 d-------- C:\Program Files\Common Files\AntiWorm2008
2007-07-04 08:29:06 0 d-------- C:\Program Files\AntiWorm2008
2007-07-02 10:03:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-06-30 10:29:51 0 d-------- C:\Program Files\eBay
2007-06-30 10:29:51 0 d-------- C:\Documents and Settings\All Users\eBay
2007-06-29 15:04:12 0 d-------- C:\E-bay-pics
2007-06-28 06:22:02 0 d-------- C:\hotpics
2007-06-10 19:30:17 0 d-------- C:\Documents and Settings\Owner\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2007-07-06 12:35:50 0 d-------- C:\Program Files\UltimateBet
2007-07-04 08:26:09 0 d-------- C:\Program Files\Google
2007-07-02 12:26:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-02 12:06:37 0 d-------- C:\Program Files\CyberDefender
2007-06-27 20:38:22 0 d-------- C:\Program Files\Full Tilt Poker
2007-06-21 17:54:43 0 d--h----- C:\Program Files\WindowsUpdate
2007-06-06 18:03:02 1044480 -ra------ C:\WINDOWS\system32\roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9.2>
2007-06-06 18:03:02 49152 -ra------ C:\WINDOWS\system32\inetwh32.dll <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{D3B4C621-6024-410B-9F0F-22CBD6981F5E} C:\Program Files\AntiWorm2008\Addons\popupg.dll
{FAAD2038-C371-473D-86F1-5B11D39C3775} C:\Program Files\AntiWorm2008\Addons\aviebho.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SPPDPSRV"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\SPPDPSRV.EXE"
"SHARP SetupPrinter"="RunDLL32 INST32.DLL,RunDll_SetDefaultPrinter AJ5030 PDP"
"SHARP Email Assistant"="C:\\PROGRA~1\\SHARP\\AJ5030\\SPEMAI~1.EXE"
"AJ5030 Print to Desktop"="C:\\WINDOWS\\system32\\SPDTMONX.EXE"
"ga6pcw"="\"C:\\PROGRA~1\\COMMON~1\\ANTIWO~1\\ga6pcw.exe\" -start"
"AntiWorm2008"="C:\\Program Files\\AntiWorm2008\\pgs.exe /min"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdvfd.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Charter High-Speed Security Suite.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Charter High-Speed Security Suite.lnk"
"backup"="C:\\WINDOWS\\pss\\Charter High-Speed Security Suite.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CHARTE~1\\backweb\\3528733\\Program\\fspex.exe -startup"
"item"="Charter High-Speed Security Suite"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FSM32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Charter High-Speed Security Suite\\Common\\FSM32.EXE\" /splash"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FSSW"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\FSSW.EXE\" /reboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TNBUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Charter High-Speed Security Suite\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQNet"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQ\\ICQNet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ispnews"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\ispnews.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperBasic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSBasic"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSBasic.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 0websearch.com # ***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 alex.fileburst.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***

149 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-07-07 at 08:01:43 ---------


#5 ricox (Visiting Staff / Visiting Consultant, 331 posts)
Hi KSizemore,

I see that you have AntiWorm2008 installed on your computer.
This is a rogue antispyware program; it is known to be bad, but cannot be considered malware. You can find more information about it at:
-> http://research.sunb...threatid=143764
-> http://www.411-spywa...ve-antiworm2008

It is highly recommended to remove it, but the decision belongs to you.

*********************************

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

*********************************

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe
and save it to your desktop.

Do not run it yet !

*********************************

Please disable AVG Anti-Spyware, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.

*********************************

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O17 - HKLM\System\CCS\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{384D0344-CA40-4033-968D-B893B13E1203}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{4725E11E-47A2-4FF9-AF33-DCE6EF394F04}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{7686F577-0A9D-49C3-898F-70372C9499D5}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F9A99E-5F79-41DC-A804-38BD0C15AD10}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20

If you decided to remove AntiWorm2008, please also check this:

O2 - BHO: CIEIntegrator Object - {D3B4C621-6024-410B-9F0F-22CBD6981F5E} - C:\Program Files\AntiWorm2008\Addons\popupg.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\AntiWorm2008\Addons\aviebho.dll
O4 - HKLM\..\Run: [ga6pcw] "C:\PROGRA~1\COMMON~1\ANTIWO~1\ga6pcw.exe" -start
O4 - HKLM\..\Run: [AntiWorm2008] C:\Program Files\AntiWorm2008\pgs.exe /min


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis. Reboot into safe mode.

**
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
**

**
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Windows Safety Alert
AntiWorm2008 <- If you decided to remove it.


Please note any other programs that you don't recognize in that list in your next response.

*********************************

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

*********************************


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\Owner\Application Data\AntiWorm2008 <- If you decided to remove it.
C:\Program Files\Common Files\AntiWorm2008 <- If you decided to remove it.
C:\Program Files\AntiWorm2008 <- If you decided to remove it.
C:\hotpics
C:\GA6P <- Delete only if you don't know it
C:\UGA6P <- Delete only if you don't know it

**

Next,

Run Fixwareout

Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

*********************************

Please include the following information in your next reply:

:: C:\fixwareout\report.txt
:: fresh Deckard's System Scanner (DSS) log

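Added example, not part of the thread and not code from HijackThis, DSS or FixWareout. The security-relevant part of the O17 block ricox has fixed above is that the same two external resolvers are set on every adapter GUID and on the global Tcpip\Parameters key in CurrentControlSet (CCS), ControlSet001 (CS1) and ControlSet003 (CS3), so booting with "Last Known Good Configuration" would not undo the change. The Python below parses O17 lines in the format HijackThis 1.99.1 prints (sample lines taken from the log in post #4, plus one constructed clean interface whose GUID and 192.168.1.1 router are made up), flags any resolver outside a trusted list (the private ranges used here are an assumption; a real check would list the ISP's resolvers), reports which control sets carry each one, and expands the abbreviated keys to the full registry paths to inspect.

```python
"""Flag untrusted DNS resolvers in HijackThis O17 lines and expand the keys to fix.

Added example for this thread; not code from HijackThis, DSS or FixWareout.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: two O17 lines copied from the log in post #4, one
# constructed clean interface (its GUID and the 192.168.1.1 router are made up),
# and two lines from other sections that the parser has to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.net/
O17 - HKLM\System\CCS\Services\Tcpip\..\{124D7439-1D8A-4D9B-ACD1-316E0788F222}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
"""

# Assumption: only resolvers in the private ranges (the home router) are expected.
# In practice put the ISP's resolvers here; anything else gets flagged.
TRUSTED_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# HijackThis abbreviates control sets: CCS = CurrentControlSet, CSn = ControlSet00n.
# Per-interface entries look like Tcpip\..\{GUID}, the global one like Tcpip\Parameters.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]{36})\}|Parameters): NameServer = (?P<ns>.+?)\s*$"
)


@dataclass(frozen=True)
class O17Entry:
    control_set: str            # "CCS", "CS1", "CS3", ...
    interface: Optional[str]    # adapter GUID, or None for the global Parameters key
    nameservers: tuple

    def registry_path(self) -> str:
        """Full HKLM key that the abbreviated HijackThis line refers to."""
        if self.control_set == "CCS":
            cs = "CurrentControlSet"
        else:
            cs = "ControlSet" + self.control_set[2:].zfill(3)
        base = "HKLM\\SYSTEM\\" + cs + "\\Services\\Tcpip\\Parameters"
        if self.interface is None:
            return base
        return base + "\\Interfaces\\{" + self.interface + "}"


def parse_o17(log_text: str) -> list[O17Entry]:
    """Extract every Tcpip NameServer entry; other sections and Domain= lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m is None:
            continue
        # Per-interface keys list resolvers comma-separated, the global key space-separated.
        servers = tuple(s for s in re.split(r"[,\s]+", m["ns"]) if s)
        entries.append(O17Entry(m["cs"], m["guid"], servers))
    return entries


def untrusted_resolvers(entries, trusted_nets=TRUSTED_NETS) -> dict[str, list[O17Entry]]:
    """Map each resolver outside the trusted networks to the entries that set it."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = {}
    for entry in entries:
        for ns in entry.nameservers:
            try:
                trusted = any(ipaddress.ip_address(ns) in net for net in nets)
            except ValueError:          # not an IP literal at all: never trust it
                trusted = False
            if not trusted:
                flagged.setdefault(ns, []).append(entry)
    return flagged


def control_set_spread(flagged) -> dict[str, list[str]]:
    """Control sets carrying each untrusted resolver. A value that also sits in
    ControlSet001/003 survives booting with 'Last Known Good Configuration',
    so every copy has to be fixed, not just CurrentControlSet."""
    return {ns: sorted({e.control_set for e in ents}) for ns, ents in flagged.items()}


def registry_paths(flagged) -> list[str]:
    """Deduplicated registry keys whose NameServer value needs inspecting."""
    return sorted({e.registry_path() for ents in flagged.values() for e in ents})


if __name__ == "__main__":
    bad = untrusted_resolvers(parse_o17(SAMPLE_LOG))
    for ns, sets in control_set_spread(bad).items():
        print(f"untrusted resolver {ns} set in control set(s): {', '.join(sets)}")
    for path in registry_paths(bad):
        print("inspect NameServer under", path)
```

On the sample input this reports both external resolvers as present in CCS and CS1 and lists the two registry keys to open in regedit; the constructed 192.168.1.1 interface is left alone. The allowlist approach is deliberate: instead of hard-coding the two addresses seen in this log, the check flags anything that is not an expected resolver, so a variant that points at different servers is still caught.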

#6 KSizemore (Topic Starter, New Member, 4 posts)
Hello,

I have done what you asked; here is the report.

Thanks
Ken


#7 KSizemore (Topic Starter, New Member, 4 posts)
Hello,
After following the instructions, I have an alarm going off on my computer and it's flashing red. Also, it did this all the way through Safe Mode.

Thanks
Ken

#8 ricox (Visiting Staff / Visiting Consultant, 331 posts)
Hi KSizemore,

"After following the instructions, I have an alarm going off on my computer and it's flashing red. Also, it did this all the way through Safe Mode."

Can you start your computer normally?

*****************

Please post a fresh Deckard's System Scanner (DSS) log