OIN [RESOLVED]


This topic is locked

#1 Moj7711 (Member, 17 posts)
Hello,

I still have OIN in Add/Remove Programs, although I have not experienced pop-ups. Yet my connection is slow. I followed your guidelines and the software picked up some files, but OIN is still there. I read some other thread about it and followed the instructions up to the "safe mode" step. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:33:29 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ww.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107579985056
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Thank you for the future help.

#2 Guest_thatman_* (Guest)
Hi Moj7711

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click here for how to set it up and use it. Please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log and post the log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Let the system reboot as normal.

Please download, install and run this disk cleanup utility called CleanUp! version 4.0: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc

#3 Moj7711 (Topic Starter, 17 posts)
Thank you for your help thatman, here is the info you requested:

Panda report (I think it found something)


Incident Status Location

Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
HijackThis report

Logfile of HijackThis v1.99.1
Scan saved at 10:04:50 PM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ww.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107579985056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Hope this will help. thank you in advance!

#4 Guest_thatman_* (Guest)
Hi Moj7711

Please read through the instructions before you start (you may want to print this out).

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to these following items:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Click on Fix Checked when finished and exit HijackThis.

Run Killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the Full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
C:\WINDOWS\system32\Shex.exe

Let the system reboot as normal.


Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc

#5 Moj7711 (Topic Starter, 17 posts)
Thank you, thatman.

Panda log:


Incident Status Location

Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:56 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ww.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107579985056
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
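The helper in this thread reads each new HijackThis log by eye and picks out what changed since the last one (the KernelFaultCheck O4 entry fixed after post #4, the Panda ActiveScan O16 control that appeared once the online scan was run). The script below is an added example written for this page, not HijackThis itself and not a tool anyone in the thread used: it parses the log format the posts show, diffs two scans section by section, and runs three triage heuristics of my own (an O4 entry that launches a bare image name, an O23 service with no vendor name, any O16 downloaded ActiveX control still registered). The two log excerpts are trimmed from the logs in posts #1 and #5; the findings are prompts to verify by hand, not verdicts.

```python
"""Parse and diff HijackThis v1.99 logs, then run a few triage checks.

Added example for this page, not HijackThis itself nor a tool the thread used.
The two excerpts are trimmed from the logs in posts #1 and #5.
"""
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the first log (post #1).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Excerpt of the last full log (post #5), after the post #4 fix.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Return {'processes': {...}, 'O4': {...}, 'O16': {...}, ...} for one log."""
    log: Dict[str, Set[str]] = {"processes": set()}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log["processes"].add(line.lower())   # Windows paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.setdefault(m.group("sec"), set()).add(m.group("body"))
    return log


def diff_hjt(before: Dict[str, Set[str]], after: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per section that changed: (entries added, entries removed)."""
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for sec in sorted(set(before) | set(after)):
        a, b = before.get(sec, set()), after.get(sec, set())
        if a != b:
            changes[sec] = (b - a, a - b)
    return changes


def triage(log: Dict[str, Set[str]]) -> List[str]:
    """Heuristic review of one log: findings to verify by hand, not verdicts."""
    findings: List[str] = []
    for entry in sorted(log.get("O4", ())):
        m = O4_RE.match(entry)
        if not m:
            continue                  # Global Startup shortcuts carry no [name]
        cmd = m.group("cmd").strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe and not exe.startswith("%"):
            # A bare image name is resolved through the search path at logon, so a
            # same-named file placed earlier on that path would run instead.
            findings.append(f"O4 [{m.group('name')}] runs unqualified {exe!r}; confirm where it lives")
    for entry in sorted(log.get("O23", ())):
        if " - Unknown owner - " in entry:   # no vendor name in the file's version info
            findings.append(f"O23 service with no vendor name: {entry}")
    for entry in sorted(log.get("O16", ())):
        findings.append(f"O16 downloaded ActiveX control still registered: {entry.split(' - ', 1)[0]}")
    return findings
```

Calling `diff_hjt(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER))` shows the KernelFaultCheck entry gone from O4, the ActiveScan control added to O16, and the process list shifted (iexplore.exe and wuauclt.exe no longer running, CTsvcCDA.exe and msmsgs.exe present), which is exactly the delta the helper confirmed by eye before declaring the system clean. `triage` on the later log flags `dxdllreg.exe` as an unqualified O4 command, the "ATI Smart" service for its missing vendor name, and both O16 controls; all three entries are benign here, which is the point: the checks narrow what to look at, the verdict is still yours.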

#6 Guest_thatman_* (Guest)
Hi Moj7711

Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
This is a safe program. I wish Panda would fix this fault.

Your system is CLEAN

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn off System Restore
Disabling or enabling Windows XP System Restore
Windows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here

It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
http://www.mozilla.o...oducts/firefox/

2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice Day.

Kc

#7 Moj7711 (Topic Starter, 17 posts)
Thank you. I've done all you suggested. I know the system is clean now because it is running a lot faster. However, I still see "OIN" in the Add/Remove Programs list. Is it OK if I leave it there? Is there a way to remove it from the list without using their link? Thank you.

#8 Guest_thatman_* (Guest)
Hi Moj7711

Download the following program: http://www.tune-up.c...ownload/tu2004/
TuneUp Utilities 2004 optimizes the performance of your computer, solves problems and helps you to customize your system to suit your needs.

This is a 30-day free trial, full working version.
Run the program; it will remove all the bad links on your system.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc

#9 Moj7711 (Topic Starter, 17 posts)
OK! The OIN is gone. I eliminated it using TuneUp.

Panda scan:

Incident Status Location

Adware:adware/mediatickets No disinfected Windows Registry
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

I see it found something from Spybot. I do not know if it has anything to do with it, but my Spybot has not been able to update the last two times I tried.

Thank you.

#10 Guest_thatman_* (Guest)
Hi Moj7711

I really don't know why Panda are detecting this file as bad: dummy.cd_clint.dll
C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
I have this file in my Spybot - Search & Destroy: dummy.cd_clint.dll
The dummy.cd_clint.dll is safe.

Ad-Aware back in 2001-2002 detected CD_CLINT.DLL <-- it is the original file from Kazaa and is bad.

This file dummy.cd_clint.dll was used to replace the bad CD_CLINT.DLL file.

This dummy.cd_clint.dll was used to replace the bad CD_CLINT.DLL file in Kazaa; it stopped the Kazaa program from spying on the user.

Mediatickets removal:
Open the Downloaded Program Files folder (which you will find inside the Windows folder). Right-click and remove the entry named ‘MediaTicketsInstaller Control’ (MT, CC variants), ‘{16556DE0-D692-494C-A8E7-7FAD0E2931D9}’ (GC variant) or ’ShellInstaller Control’ (BuddyLinks variant).

Post back let me know if you found Mediatickets

Kc

#11 Moj7711 (Topic Starter, 17 posts)
thatman,

This is what I found in C:\WINDOWS\Downloaded Program Files

ActiveScan Installer Class
Creative Software AutoUpdate
Creative Software AutoUpdate Support Package
DirectAnimation Java Classes
FilePlante Download Control Class
iCC Class
Java runtime Environment 1.5.0
Java runtime Environment 1.5.0
Java runtime Environment 1.5.0
Microsoft Office Template and Media Control
Microsoft XML Parser for Java
PCPitstop utility
PopCapLoader Object
Shockwave ActiveX Control
Shockwave Flash Object
WUWebControl Class

P.S. I have been using Firefox since last Sunday.

#12 Guest_thatman_* (Guest)
Hi Moj7711

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2]
[-HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1]
[-HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}]
[-HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}]

Save the file as "delete.reg". Double-click on it and choose Yes to merge it. You may delete the file afterwards.

Double-click the file and confirm you want to merge it with the registry. Make sure you do this step first before going any further.

Reboot as normal

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc
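A `[-key]` line in a .reg file deletes that key and every subkey beneath it, with no confirmation beyond the single "merge?" prompt, so it is worth reading such a file line by line before double-clicking it. Two things a reviewer would check in the post above: every HKLM deletion really sits under `SOFTWARE\Classes` (a dropped backslash turns `Classes\X` into a different, probably non-existent key, which is harmless but means the intended key stays behind), and every GUID being removed can be tied to the control in question. Only the CLSID `{DF780F87-...}` appears in the HijackThis O16 line; the Interface and TypeLib GUIDs have to be confirmed against the control's own registration (for instance the `TypeLib` subkey under `HKCR\CLSID\{clsid}`) before you trust them. Note also that HKEY_CLASSES_ROOT is a merged view of `HKLM\SOFTWARE\Classes` and `HKCU\Software\Classes`, so the HKCR lines in the file duplicate the HKLM ones. The script below is an added example written for this page, not Regedit and not a tool the thread used; its sample is a constructed copy of the post #12 file in which the separator after `SOFTWARE\Classes` has been dropped on two lines, the kind of slip the path check is meant to catch.

```python
"""Dry-run review of a REGEDIT4 file before it is merged.

Added example for this page (not Regedit, not a tool the thread used). It lists
the key operations a .reg file performs and flags the ones a reviewer should
look at twice. REG_TEXT is a constructed copy of the post #12 file with the
separator after SOFTWARE\Classes dropped on two lines.
"""
import re
from typing import List, NamedTuple, Set

HIVES = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# CLSID taken from the O16 line in the thread's HijackThis logs: the only GUID
# the log itself lets us tie to the PopCapLoader control.
O16_CLSID = "{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}"

REG_TEXT = r"""REGEDIT4
[-HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2]
[-HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1]
[-HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}]
[-HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ClassesPopCapLoader.PopCapLoaderCtrl2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ClassesPopCapLoader.PopCapLoaderCtrl2.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}]
"""


class KeyOp(NamedTuple):
    delete: bool   # "[-key]" deletes the key and everything under it
    hive: str
    path: str      # remainder after the hive; "" would mean the whole hive


def parse_reg(text: str) -> List[KeyOp]:
    """Extract the key operations; value lines belong to the key they follow."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    ops: List[KeyOp] = []
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            delete = key.startswith("-")
            hive, _, rest = key.lstrip("-").partition("\\")
            ops.append(KeyOp(delete, hive, rest))
    return ops


def review_reg(text: str, known_guids: Set[str]) -> List[str]:
    """Warnings for a reviewer; an empty list means nothing looked odd."""
    known = {g.upper() for g in known_guids}
    warnings: List[str] = []
    for op in parse_reg(text):
        label = f"[{'-' if op.delete else ''}{op.hive}\\{op.path}]"
        if op.hive.upper() not in HIVES:
            warnings.append(f"{label}: unknown hive")
            continue
        if op.delete and not op.path:
            warnings.append(f"{label}: would delete an entire hive")
            continue
        parts = op.path.upper().split("\\")
        # COM/ActiveX unregistration under HKLM belongs below SOFTWARE\Classes;
        # anything else (here: the missing separator) deserves a second look.
        if op.delete and op.hive.upper() == "HKEY_LOCAL_MACHINE" and parts[:2] != ["SOFTWARE", "CLASSES"]:
            warnings.append(f"{label}: HKLM deletion outside SOFTWARE\\Classes")
        for guid in GUID_RE.findall(op.path):
            if guid.upper() not in known:
                warnings.append(f"{label}: {guid} is not a GUID the log ties to this control")
    return warnings
```

`review_reg(REG_TEXT, {O16_CLSID})` returns seven warnings: the two `ClassesPopCapLoader...` lines are flagged as HKLM deletions outside `SOFTWARE\Classes`, and the five Interface/TypeLib lines are flagged because their GUIDs cannot be confirmed from the HijackThis log alone. The CLSID lines pass. Whether the Interface and TypeLib GUIDs are right is a question for the control's registration on the affected machine, which is where a reviewer would look next before merging.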

#13 Moj7711 (Topic Starter, 17 posts)
Hi thatman,


Incident Status Location

Adware:adware/mediatickets No disinfected Windows Registry

Thanks.

P.S. I just turned on the computer and got a message at the startup window saying that one or more files of the registry had to be recovered using an alternate file and the recovery was successful.

Edited by Moj7711, 01 September 2005 - 06:31 PM.


#14 Guest_thatman_* (Guest)
Hi Moj7711

Please run the following online spyware scan; this needs to be done with Internet Explorer.
Save the spyware log when done. You will then see an option to run a Panda virus scan; click on the virus scan and, when that too has completed, post both logs,
along with a new HijackThis log.

http://www.pandasoft..._principal.htm#

Thank You

Kc

#15 Moj7711 (Topic Starter, 17 posts)
Hey thatman,

Sorry, I've been away from home lately.

This is the log you requested:

Incident Status Location

Spyware:spyware/bargainbuddy Reported Windows Registry
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/FastClick Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/CentrPort Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.centrport.net/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/bravenetA Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/MediaTickets Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/FastClick Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/CentrPort Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.centrport.net/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/bravenetA Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/MediaTickets Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.kinghost.com/]

I didn't run Spybot or Ad-Aware previously like I always do.
Spybot eliminated the following: advertising.com, Avenue A Inc, DoubleClick, FastClick, and Mediaplex. Sixteen entries in total.
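The scan output above is long mostly because the same Firefox cookies.txt entries are reported several times and because two Windows profiles (Jose and Jessica) are involved. The script below is an added example written for this page, not code from the thread or from Panda ActiveScan: it parses lines of the form "Spyware:Cookie/<Tracker> Reported <path>\cookies.txt[<domain>]", drops exact repeats, and counts tracker hits per Windows user so a helper can see at a glance what is actually left to clean. The sample log is a constructed subset copied from the lines posted above plus one non-cookie line to show that unrelated lines are skipped; the function names are my own.

```python
import re
from collections import defaultdict

# One Panda ActiveScan cookie finding, as posted in the thread:
#   Spyware:Cookie/<Tracker> Reported <path to cookies.txt>[<cookie domain>]
LINE_RE = re.compile(
    r"^Spyware:Cookie/(?P<tracker>.+?)\s+Reported\s+"
    r"(?P<path>.+?cookies\.txt)\[(?P<domain>[^\]]+)\]\s*$"
)

# Windows XP profile root: C:\Documents and Settings\<user>\...
USER_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)\\")

# Constructed sample: a subset of the posted log, with two repeats and one
# unrelated line (the last one is made up to exercise the skip path).
SAMPLE_LOG = r"""
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\87p4xw1a.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Jose\Application Data\Mozilla\Firefox\Profiles\3fov3l56.default\cookies.txt[.casalemedia.com/]
Constructed non-cookie line that the parser must ignore
""".strip()


def parse_line(line):
    """Parse one scan line; return a dict or None if it is not a cookie finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    um = USER_RE.match(path)
    return {
        "tracker": m.group("tracker"),
        "user": um.group("user") if um else None,
        "path": path,
        "domain": m.group("domain").strip("/"),  # ".belnk.com/" -> ".belnk.com"
    }


def triage(lines):
    """Return (unique findings, {user: {tracker: count}}, number of repeats).

    A finding is identified by (cookies.txt path, cookie domain); the same
    pair reported again is counted as a repeat, not as a new cookie.
    """
    seen = set()
    unique = []
    per_user = defaultdict(lambda: defaultdict(int))
    repeats = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["path"], rec["domain"])
        if key in seen:
            repeats += 1
            continue
        seen.add(key)
        unique.append(rec)
        per_user[rec["user"]][rec["tracker"]] += 1
    return unique, {u: dict(t) for u, t in per_user.items()}, repeats


def domains_by_user(lines):
    """Map each Windows user to the sorted set of tracking domains still present."""
    unique, _, _ = triage(lines)
    out = defaultdict(set)
    for rec in unique:
        out[rec["user"]].add(rec["domain"])
    return {u: sorted(d) for u, d in out.items()}


if __name__ == "__main__":
    unique, per_user, repeats = triage(SAMPLE_LOG.splitlines())
    print(f"{len(unique)} distinct cookie findings, {repeats} repeated lines")
    for user, trackers in per_user.items():
        print(f"  {user}: {trackers}")
    for user, domains in domains_by_user(SAMPLE_LOG.splitlines()).items():
        print(f"  {user} domains: {', '.join(domains)}")
```

Run it against the full log by replacing SAMPLE_LOG with the pasted text (or feeding `open(path).read().splitlines()` to `triage`). Because the key is the cookies.txt path plus the domain, a tracker that sets cookies on several hosts (Belnk on .belnk.com, .ath.belnk.com and .dist.belnk.com above) still shows as separate entries, which is what you want when deciding whether a cookie clean-up actually removed them.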