
Pop-up problems [RESOLVED]



#1
Redman1

Hi, I have been getting a few pop-ups and warnings about spyware. I would be grateful if anyone could give me some help, cheers.

I have got a couple of programs to help clear it, but not sure if they are working, so I'm going to uninstall and start fresh.

Here is a log:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:08, on 24/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CEVVWTHI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\BCPWFYF.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [cevvwthi] c:\windows\system\cevvwthi.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nbcAP14t4] C:\BCPWFYF.EXE
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\PROGRAM FILES\YOURSITEBAR\YSB.DLL"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\Twain_32\1200USB\WATCH.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co....0/ysb_mp3x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


#2
Trevuren

Hi Redman1 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log. I am sorry that it has taken us so long to get to your log but we have been experiencing technical difficulties the last couple of weeks which have now been resolved.

1. Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
2. Reboot your system

3. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review along with the SpySweeper log.

Regards,

Trevuren


#3
Redman1

Hi, Thanks for helping.

I did the Spy Sweeper twice because the first time I couldn't get a log of it. It said lack of memory. This is the one that worked.

Here it is:

********
13:04: | Start of Session, 10 November 2005 |
13:04: Spy Sweeper started
13:04: Sweep initiated using definitions version 569
13:04: Starting Memory Sweep
13:06: Memory Sweep Complete, Elapsed Time: 00:01:55
13:06: Starting Registry Sweep
13:06: Found Adware: ist software
13:06: HKU\.default\software\ist\ (1 subtraces) (ID = 129052)
13:06: HKLM\software\istsvc\ (43 subtraces) (ID = 129111)
13:06: Found Adware: ist istbar
13:06: HKLM\software\microsoft\windows\currentversion\uninstall\istsvc\ (3 subtraces) (ID = 129183)
13:06: Found Trojan Horse: phisher-sars
13:06: HKU\.default\software\sars\ (1 subtraces) (ID = 136729)
13:06: Found Adware: directrevenue-abetterinternet
13:06: HKU\.default\software\ceres\ (30 subtraces) (ID = 145764)
13:06: HKCR\ceresdll.ceresdllobj.1\ (3 subtraces) (ID = 145774)
13:06: HKCR\ceresdll.ceresdllobj\ (5 subtraces) (ID = 145775)
13:06: HKCR\clsid\{00000049-8f91-4d9c-9573-f016e7626484}\ (11 subtraces) (ID = 145783)
13:06: HKCR\interface\{bb0d5adc-028d-4185-9288-722ddce2c757}\ (8 subtraces) (ID = 145808)
13:06: HKLM\software\classes\ceresdll.ceresdllobj.1\ (3 subtraces) (ID = 145858)
13:06: HKLM\software\classes\ceresdll.ceresdllobj.1\clsid\ (1 subtraces) (ID = 145859)
13:06: HKLM\software\classes\ceresdll.ceresdllobj\ (5 subtraces) (ID = 145860)
13:06: HKLM\software\classes\clsid\{00000049-8f91-4d9c-9573-f016e7626484}\ (11 subtraces) (ID = 145867)
13:06: HKLM\software\classes\interface\{bb0d5adc-028d-4185-9288-722ddce2c757}\ (8 subtraces) (ID = 145885)
13:06: HKLM\software\classes\typelib\{92daf5c1-2135-4e0c-b7a0-259abfcd3904}\ (9 subtraces) (ID = 145902)
13:06: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000049-8f91-4d9c-9573-f016e7626484}\ (ID = 145930)
13:06: HKCR\typelib\{92daf5c1-2135-4e0c-b7a0-259abfcd3904}\ (9 subtraces) (ID = 146148)
13:06: Found Adware: ist yoursitebar
13:06: HKLM\software\microsoft\code store database\distribution units\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (10 subtraces) (ID = 147850)
13:06: Found Adware: surf accuracy
13:06: HKLM\software\sacc\ (10 subtraces) (ID = 203068)
13:06: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
13:06: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
13:06: Found Adware: dluca
13:06: HKU\.DEFAULT\software\program info\ (1 subtraces) (ID = 125223)
13:06: HKU\.DEFAULT\software\ist\ (1 subtraces) (ID = 129108)
13:06: HKU\.DEFAULT\software\sars\ (1 subtraces) (ID = 136733)
13:06: HKU\.DEFAULT\software\ceres\ (30 subtraces) (ID = 145851)
13:06: Found Adware: hotsurprise
13:06: HKU\.DEFAULT\software\mpb\dialers\ (1 subtraces) (ID = 397809)
13:06: Registry Sweep Complete, Elapsed Time:00:00:20
13:06: Starting Cookie Sweep
13:06: Found Spy Cookie: zedo cookie
13:06: paul@zedo[1].txt (ID = 3762)
13:06: Found Spy Cookie: yieldmanager cookie
13:06: [email protected][1].txt (ID = 3751)
13:06: Found Spy Cookie: mx-targeting cookie
13:06: [email protected][2].txt (ID = 3024)
13:06: Found Spy Cookie: cliks cookie
13:06: paul@cliks[1].txt (ID = 2414)
13:06: Found Spy Cookie: servlet cookie
13:06: paul@servlet[2].txt (ID = 3345)
13:06: Found Spy Cookie: offeroptimizer cookie
13:06: paul@offeroptimizer[1].txt (ID = 3087)
13:06: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:06: Starting File Sweep
13:06: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
13:09: Found Adware: winad
13:09: c:\program files\media access (ID = -2147480020)
13:09: Found Adware: whenu savenow
13:09: c:\program files\vvsn (1 subtraces) (ID = -2147480376)
13:10: c:\program files\surfaccuracy (3 subtraces) (ID = -2147478266)
13:10: c:\program files\istsvc (ID = -2147480800)
13:10: c:\program files\yoursitebar (ID = -2147479984)
13:10: Warning: Unhandled Archive Type
13:10: Warning: Invalid Stream
13:11: File Sweep Complete, Elapsed Time: 00:04:53
13:11: Full Sweep has completed. Elapsed time 00:07:11
13:11: Traces Found: 255
13:11: Removal process initiated
13:11: Quarantining All Traces: directrevenue-abetterinternet
13:11: Quarantining All Traces: ist istbar
13:11: Quarantining All Traces: phisher-sars
13:11: Quarantining All Traces: hotsurprise
13:11: Quarantining All Traces: dluca
13:11: Quarantining All Traces: ist software
13:11: Quarantining All Traces: ist yoursitebar
13:11: Quarantining All Traces: surf accuracy
13:11: Quarantining All Traces: whenu savenow
13:11: Quarantining All Traces: winad
13:11: Quarantining All Traces: cliks cookie
13:11: Quarantining All Traces: mx-targeting cookie
13:11: Quarantining All Traces: offeroptimizer cookie
13:11: Quarantining All Traces: servlet cookie
13:11: Quarantining All Traces: yieldmanager cookie
13:11: Quarantining All Traces: zedo cookie
13:11: Removal process completed. Elapsed time 00:00:05
********

Edited by Redman1, 10 November 2005 - 07:29 AM.

  • 0

#4
Redman1

Redman1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
And here is the HiJack log:


Logfile of HijackThis v1.99.1
Scan saved at 13:31:14, on 10/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\Twain_32\1200USB\WATCH.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab




Thanks for your time.
  • 0

#5
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Move deleted files to Recycle Bin"
        • "Include additional object information"
        • "Include negligible objects information"
        • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them:
        • "Default homepage"
        • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.


2. We must disable Spy Sweeper, for it may interfere with our fix.

To disable SpySweeper:
  • Open SpySweeper, click >Options over to the left then >program options >Uncheck "load at windows startup".
  • Over to the left, click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".

3. Please RUN HijackThis.
  • Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O15 - Trusted IP range: 67.19.185.246



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System.

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum and advise me if you are aware of any remaining malware activity on your system.


Regards,

Trevuren

  • 0

#6
Redman1

Redman1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, Cheers again for the help.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:07:40, on 10/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\Twain_32\1200USB\WATCH.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab



Although I haven't been on the computer much since I did what you said, I haven't noticed any pop-ups. I'll have a look around, and remove any documents I don't need and see how it runs whilst I'm doing it.

Are there any programs you recommend to keep the computer clean?
I'll have a look on this site as well, it might have the answer already here.

Thanks again.
  • 0

#7
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please run the following program:
  • Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As": DelDomains.inf to your Desktop
    http://www.mvps.org/.../DelDomains.inf

  • Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
  • Then please restart your computer, and post a new HijackThis log.
Regards,

Trevuren

  • 0

#8
Redman1

Redman1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, did what you said, here's the log:



Logfile of HijackThis v1.99.1
Scan saved at 18:09:28, on 10/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\Twain_32\1200USB\WATCH.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab



I meant to say before that for a while now, when I turn the computer on, during the load up a screen comes up saying the following:

'NAV AUTO-PROTECT Unable to determine the location of the configuration files'

Once I press ENTER it carries on loading up. Just wondered if you knew what it is?


Thanks.

Edited by Redman1, 10 November 2005 - 12:22 PM.

  • 0
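Each fix in this thread is verified by posting a fresh HijackThis log. As an added example (not part of any post, and not HijackThis's own code), the Python sketch below diffs abridged copies of the thread's three logs against the items post #5 asked to fix; the function names and the regular expression for entry lines are assumptions of this example.

```python
import re

# Assumption of this example: an entry line is a section code (R0, O4, O15, ...)
# followed by " - " and free text, as in the logs posted in this thread.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def diff_logs(before, after):
    """Compare two logs and report entries removed, added and kept."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "kept": sorted(a & b),
    }


def unresolved(after, fix_list):
    """Entries that were ticked for fixing but still appear in the follow-up log."""
    return sorted(parse_entries(fix_list) & parse_entries(after))


# Abridged excerpts of the logs posted in this thread (most O4/O8/O9 lines omitted).
LOG_1331 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O15 - Trusted IP range: 67.19.185.246
"""

LOG_1707 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O15 - Trusted IP range: 67.19.185.246
"""

LOG_1809 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""

# The four items post #5 asked to be checked and fixed.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE
O15 - Trusted IP range: 67.19.185.246
"""

if __name__ == "__main__":
    for label, log in (("17:07", LOG_1707), ("18:09", LOG_1809)):
        left = unresolved(log, FIX_LIST)
        print(label, "still present:", left if left else "nothing")
    for section, detail in diff_logs(LOG_1331, LOG_1707)["removed"]:
        print("removed between 13:31 and 17:07:", section, "-", detail)
```

On the thread's data this reports the O15 Trusted IP range entry as still present in the 17:07 log and gone in the 18:09 log, which was taken after DelDomains.inf was installed.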

#9
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

1. Re-hide your System Files and Folders to prevent any future accidents.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading deselect Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

2. Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#10
Redman1

Redman1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, sorry to bother you.

I am just going through the things you have told me to do.

But I can't find 'tool menu' in 'my computer'.

My friend says he has got it on his computer, but it's not there on mine.

I am using Windows 98.
  • 0

#11
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You can disregard that portion of the instructions inasmuch as I never asked you to unhide the files.

Trevuren
  • 0

#12
Redman1

Redman1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok, thanks a lot for your help.

Really appreciate it.
  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
My Pleasure,

Trevuren

  • 0

#14
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





