
Annoying pop ups (searc-h.com, 2xx.paypopup.com) [RESOLVED]


This topic is locked.

#1 octobermango (Member, 13 posts)
Hello everyone,

I'm new to posting.

I've been experiencing very annoying pop-ups lately (www.searc-h.com, 2xx.paypopup.com, icannnews.com, etc).

I've got Ad-Aware SE Personal running, as well as SpywareBlaster. I HAD Spybot. I've got the Google Toolbar installed as well. I'm running out of options. Please help.

Should I run a HijackThis log?

sincerely, confused
#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi octobermango and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in, go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.
  a. Click on My Controls at the top right hand corner of the window.
  b. In the left hand column, click "View Topics".
  c. If you click on the title of your post, you will be taken there.
2. Also, while at the My Controls page, check the box to the right of your post and then scroll down. Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis.
  • Click SCAN and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste').

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

#3 octobermango (Topic Starter, Member, 13 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:08:12 PM, on 01/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MGACTRL.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MGA Control Center] Mgactrl.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\SLOAD.exe"
O4 - HKLM\..\Run: [dop] C:\WINDOWS\dop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRAM FILES\ACTIVE DESKTOP CALENDAR\ADC.EXE
O4 - Startup: MGA QuickDesk.lnk = C:\Program Files\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Startup: folder.htt
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: folder.htt
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O15 - Trusted Zone: *.sxload.com
#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive



Please RUN HijackThis.
* Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\SLOAD.exe"
O4 - HKLM\..\Run: [dop] C:\WINDOWS\dop.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O15 - Trusted Zone: *.sxload.com

Now with all the items selected and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to Start To Safe Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Safe Mode:
* Turn the computer on.
* As the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key, following the same steps.)
* Choose Safe mode from the startup menu.
* Press Enter.
* Windows starts in Safe mode.
* Restart your computer when finished troubleshooting.

Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\Kernel32.dll
C:\WINDOWS\SLOAD.exe
C:\WINDOWS\dop.exe
C:\PROGRAM FILES\COMMON FILES\WINTOOLS  <== Folder

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

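The entries Trevuren picked out of the log above follow a few recognisable patterns: IE pages reset to about:blank, a Run key launching a DLL, a file borrowing a core system binary's name outside the system folder, unknown programs in the Windows root, a known adware component, folder.htt in a Startup folder, and a site added to the Trusted Zone. As an added example (not part of the thread and not HijackThis code), the Python script below parses the R0/R1, O4 and O15 lines and applies those patterns to a constructed excerpt of octobermango's first log; the Windows-root location, the allowlist of legitimate root executables and the WinTools marker are assumptions taken only from this thread.

```python
import re

# Assumed layout of the Windows ME system in this thread (C:\WINDOWS).
WINDOWS_ROOT = r"c:\windows"
SYSTEM_DIR = r"c:\windows\system"
# Legitimate Win9x executables that live directly in the Windows root and
# appear in this log (assumption); anything else launched from there is flagged.
ROOT_ALLOWLIST = {"scanregw.exe", "taskmon.exe"}
# Core Windows binary names that malware borrows to blend in.
SYSTEM_BINARY_NAMES = {"svchost.exe", "kernel32.dll"}
# Adware component names identified in this thread (assumption: thread-specific).
KNOWN_ADWARE_MARKERS = ("wintools",)

R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) =\s?(?P<data>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def launch_target(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line):
    """Return a reason string if the HJT line matches an indicator, else None."""
    m = R_RE.match(line)
    if m:
        if m.group("data").strip().lower() == "about:blank":
            return "IE %s reset to about:blank (typical of a hijack)" % m.group("value")
        return None
    m = O4_STARTUP_RE.match(line)
    if m:
        item = m.group("item").split(" = ")[0].strip().lower()
        if item == "folder.htt":
            return "folder.htt in a Startup folder (VBS/Redlof-style infection)"
        return None
    m = O4_RUN_RE.match(line)
    if m:
        target = launch_target(m.group("cmd"))
        path = target.lower()
        directory, _, base = path.rpartition("\\")
        if any(marker in path for marker in KNOWN_ADWARE_MARKERS):
            return "known adware component: %s" % target
        if base.endswith(".dll"):
            return "Run key launches a DLL instead of a program: %s" % target
        if base in SYSTEM_BINARY_NAMES and directory != SYSTEM_DIR:
            return "%s masquerading outside the system directory" % base
        if directory == WINDOWS_ROOT and base not in ROOT_ALLOWLIST:
            return "unknown program launched from the Windows root: %s" % target
        return None
    if line.startswith("O15 - Trusted Zone:"):
        return "site added to the IE Trusted Zone: " + line.split(":", 1)[1].strip()
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line, in log order."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits


# Constructed excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sload] "C:\WINDOWS\SLOAD.exe"
O4 - HKLM\..\Run: [dop] C:\WINDOWS\dop.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: MGA QuickDesk.lnk = C:\Program Files\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O15 - Trusted Zone: *.sxload.com
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (line, reason))
```

On the excerpt the script flags exactly the eleven entries Trevuren asked to be fixed and nothing else; the legitimate lines (ScanRegistry, Rundll32, QuickTime) pass through.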

#5 octobermango (Topic Starter, Member, 13 posts)
Hello,

I have done everything up until 'fix selected', after which I get the message:

Unable to delete the file:
O4 - Startup: folder.htt

The file may be in use. Use a process killer like ProcView to shutdown the program and run HijackThis again to delete the file.

I also got the same message for

O4 - Global Startup: folder.htt

BTW, I had typed something into "Run" earlier today and it created an icon on the desktop. Its extension was folder.htt.

Edited by octobermango, 01 October 2005 - 09:37 PM.

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Don't worry about it. It is just an optional item. Please finish the fix and post your log.

Thanks,

Trevuren

#7 octobermango (Topic Starter, Member, 13 posts)
I'm unable to delete svchost.exe and kernel32.dll, even though they are present. They actually appear in the Close Program dialog box after pressing Ctrl+Alt+Del.

sload.exe, dop.exe and wintools were not present.


Logfile of HijackThis v1.99.1
Scan saved at 12:19:37 AM, on 02/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MGACTRL.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MGA Control Center] Mgactrl.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRAM FILES\ACTIVE DESKTOP CALENDAR\ADC.EXE
O4 - Startup: MGA QuickDesk.lnk = C:\Program Files\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Startup: folder.htt
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: folder.htt
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html

Edited by octobermango, 01 October 2005 - 10:20 PM.

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Whatever you did, you did it PERFECTLY :tazz:

Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
#9 octobermango (Topic Starter, Member, 13 posts)
Thanks, but not exactly perfectly. I'm still getting the pop-ups. Right now, I got the searc-h.com one.

Edited to add: another searc-h.com pop up

Edited by octobermango, 01 October 2005 - 10:33 PM.

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
I beg to differ. You perfectly carried out all the instructions that you received.

1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Move deleted files to Recycle Bin"
        • "Include additional object information"
        • "Include negligible objects information"
        • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them:
        • "Default homepage"
        • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
2. Download a trial version of SpySweeper
  • Install the application
  • Update its definitions
  • Run the program
  • Let it remove everything it wants
  • Finally, when it has finished its work, REBOOT your system.
3. Please let me know about the popups

Regards,

Trevuren

#11 octobermango (Topic Starter, Member, 13 posts)
Hello,

I was able to put a green check on all that you've specified, except for "During removal, unload Explorer and IE if necessary" under Cleaning Engine. I've finished running Ad-Aware. During this time, I got many pop-ups. I am currently running Spy Sweeper. It has found one adware so far: icannnews.

I will let this keep running.

I'd like to thank you for your time and help. It is very much appreciated.

Edited to add: Stupid question, but, will I be able to disconnect from the internet while running spy sweeper?

Edited by octobermango, 01 October 2005 - 11:32 PM.

#12 Trevuren (Old Dog, Retired Staff, 18,699 posts)
After running SpySweeper and Rebooting, I would like you to run the following program:

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Regards,

Trevuren

#13 octobermango (Topic Starter, Member, 13 posts)
Hello,

No pop ups so far!!! :tazz:

This is the virus log information:

File C:\WINDOWS
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\HEADER.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBCFRM.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\FOOTER.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\INDEX.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBFOOT.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBHEAD.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBPOST.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\DISCUSS.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBAFTR.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBSRCH.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\STATUS.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBTOC.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\SEARCH.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\SCHEDULE.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\KNOBAHDR.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDTOC.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDSRCH.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDPOST.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDHEAD.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDFOOT.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDCFRM.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDAHDR.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\REQDAFTR.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\ARCHIVE.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\MEMBERS.HTM infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\images\folder.htt infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\folder.htt infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\Webs\folder.htt infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\1033\folder.htt infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Templates\folder.htt infected by "Virus.VBS.Redlof.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft Office\Stationery\1033\Currency
Traces of "Parite.b" found and cleaned !!!

Edited by octobermango, 02 October 2005 - 10:05 PM.

#14 Trevuren (Old Dog, Retired Staff, 18,699 posts)
  • Please download the 30-day free trial of Kaspersky Anti-Virus.
  • Install the program.
  • Run the definition update module.
  • Scan your whole system and let the program remove anything it wants.
  • When finished, REBOOT your system.
  • Post a fresh log.


Trevuren
#15 octobermango (Topic Starter, Member, 13 posts)
Hello,

I installed the antivirus program. After rebooting, I was not able to run it. My computer froze numerous times. I kept getting error messages such as:

"systray/spysweeper/kavsvc/mprexe/rundll32/etc has caused an error in <unknown>"

I was finally able to uninstall the antivirus program.

I am not experiencing any pop ups.

I'm not sure if this is all, but THANK-YOU very much for all your help!

Edited to add: I opened Windows Media Player and spy sweeper alerted that icannnews would attempt to run on my system. I am doing a sweep now. Will I go back to getting annoying pop ups after spy sweeper free trial has expired???

Edited by octobermango, 03 October 2005 - 05:43 PM.
