[Trevuren]

1. You may find something usefull HERE

2. Open HJT, Go to Config>>Miscellaneous Tools>>Open Uninstall Manager

3. Check to see if those 2 programs can be found in among those programs.


Trevuren

[Advertisements]

Trevuren,

Thank you for the link, I will try something including reinstall IE.

Yes, both Offer Optimizer and Shopping Wizard are in HJT>>Config>>Miscellaneous Tools>>Open Uninstall Manager

[paper]

Trevuren,

Thank you for the link, I will try something including reinstall IE.

Yes, both Offer Optimizer and Shopping Wizard are in HJT>>Config>>Miscellaneous Tools>>Open Uninstall Manager

[Trevuren]

1. Open HJT, Go to Config>>Miscellaneous Tools>>Open Uninstall Manager

2. Select "Shopping Wizard" from the list

3. Click on the "Delete this entry" button

4. Then do the same with "Offer Optimizer"

5. REBOOT your machine

6. Tell me if the programs are gone From your Add/Remove Programs List.


Trevuren

[paper]

Trevuren,

Yes, both Shopping Wizard and Offer Optimizer dissapear from 'Add or Remove Programs' window.

I then tried to install kaspersky and remove IE and all failed....you know what happend....now I cannot open WindowsXP in either normal or safe mode! It said
The procedure entry point AssocIsDangerous could not be located in the dynamic link library SHLWAPI.dll.

[Trevuren]

Long Shot:

Boot into the Recovery Console by following these steps:

• Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
  
• Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen press R to start the Recovery Console.
  
• Enter the number of the Windows installation you want to access from the Recovery Console.
  
• When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.

Trevuren

[paper]

Trevuren,

I went to BIOS, found
1st Boot Device [ATAPI CDROM]
Then, Exc to start window, I can hear the CD running and can see the 'Windows XP' (now the window yet) then the same error message.

[paper]

Trevuren,

Sorry too many mistakes in the last post.

I went to BIOS, found
1st Boot Device [ATAPI CDROM]
Then, Esc to start window, I can hear the CD running and can see the 'Windows XP' (not the window yet) then the same error message.

[Trevuren]

1. It appears that the problem occurred through an incomplete or faulty attempt to remove IE or upgrade. The Microsoft article can be found HERE

2. There is a published fix for which I cannot vouch, published HERE

3. But to even attempt this, you must be able to enter through the Recovery Console.

4. This is really a technical problem which is way beyong my level of knowledge in this field as it does not have anything to do with malware.

5. As mentioned, I cannot vouch for the fix above.

I will keep on looking



Trevuren

[paper]

Hi Trevuren,

I found Windows XP Boot disks and managed to open the window.
As for the malware problem, I guess it has been solved by your help, thanks a lot!!

BTW, I also answered a few questions in VB and Excel in this website but no response for my answers until now.....strange.....

[Trevuren]

Please send a fresh HJT lof for review before we do the cleanup procedures.

Trevuren

[paper]

Logfile of HijackThis v1.99.1
Scan saved at 12:11:15 AM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Lin\Tool\Avast4\aswUpdSv.exe
C:\Lin\Tool\Avast4\ashServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Lin\Tool\Avast4\ashMaiSv.exe
C:\Lin\Tool\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Lin\Tool\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lin\Tool\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Lin\Tool\PDF\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [avast!] C:\Lin\Tool\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...509/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Lin\Tool\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Lin\Tool\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Lin\Tool\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Lin\Tool\Avast4\ashWebSv.exe" /service (file missing)

[Trevuren]

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1.Remove check mark from "Turn Off System Restore"
2.Click on "Apply"

2. Cleanup the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


3. Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

[paper]

Trevuren,

Thank you again, I will do those things now.

[Trevuren]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.