i dare anyone to solve this problem [resolved]


  • This topic is locked

#16
sabesin2001 (Member, Topic Starter, 16 posts)
oh i'm sorry, that was really stupid of me, i was trying to run it in the run dialog, thanks for being patient.

i ran it and tried to run the apropos fix again in safemode, but i get the same error about 'find'. i did the env.txt thing again in case you wanted to see the updated one:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John Williams\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOHN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John Williams
IBMSHARE=C:\IBMSHARE
LOGONSERVER=\\JOHN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.pyo;.pyc;.py;.pyw
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
PYTHONCASEOK=1
PYTHONPATH=C:\IBMTOOLS\utils\support;C:\IBMTOOLS\utils\logger
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
RRU=C:\Program Files\IBM\IBM Rapid Restore Ultra\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TCL_LIBRARY=C:\IBMTOOLS\Python22\tcl\tcl8.4
TEMP=C:\DOCUME~1\JOHNWI~1\LOCALS~1\Temp
TK_LIBRARY=C:\IBMTOOLS\Python22\tcl\tk8.4
TMP=C:\DOCUME~1\JOHNWI~1\LOCALS~1\Temp
USERDOMAIN=JOHN
USERNAME=John Williams
USERPROFILE=C:\Documents and Settings\John Williams
windir=C:\WINDOWS

#17
Swandog46 (Malware Expert, Member, MVP, 1,026 posts)
Strange; it looks the same. I notice you have a number of non-standard (programming) tools installed, such as the Java Runtime Environment and Python (great language by the way!) --- is it possible that your machine is set up to run a script or something at boot that resets the environmental variables to your user-defined (non-standard) settings?

Here's what I want to try: no reboots in between. Please boot into Safe Mode, go to Start -> Run -> cmd (remember to run the Command Prompt again fully!), and again at the command prompt enter:

set path=c:\windows;c:\windows\system32

Then press Enter. Remember to put a space between 'set' and 'path', but no spaces around the equals sign or the semicolons.

Then immediately go back to the desktop and run the RunThis.bat from the AproposFix folder. Post the log if it runs through this time.

If this STILL doesn't work, we'll try something a little more drastic. :tazz:
  • 0
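
The Path problem diagnosed above, as an added example that is not part of the original thread: a Python check that parses a saved `set` dump such as env.txt, reports which Windows system directories are missing from Path, and shows why `find` does not resolve until the `set path=` line is applied. The sample dump reuses lines from the posted env.txt; the file listing and all function names are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the env.txt dump posted in this thread.
SAMPLE_ENV = r"""ComSpec=C:\WINDOWS\system32\cmd.exe
Path=C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD
SystemRoot=C:\WINDOWS
"""

def parse_env_dump(text):
    """Parse `set` output (NAME=value per line) into a dict keyed by upper-case name."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            env[name.strip().upper()] = value.strip()
    return env

def norm(path, env):
    """Expand %VAR% references, then normalise case, slashes and trailing backslashes."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded.strip().strip('"')))

def path_entries(env):
    return [norm(p, env) for p in env.get("PATH", "").split(";") if p.strip()]

def missing_system_dirs(env):
    """Return the system directories that batch tools rely on but Path lacks."""
    root = env.get("SYSTEMROOT", r"C:\WINDOWS")
    required = [root, ntpath.join(root, "system32")]
    present = set(path_entries(env))
    return [d for d in required if norm(d, env) not in present]

def resolves(command, env, files):
    """Would a bare command name be found via Path + PATHEXT?

    `files` is a constructed set of files assumed to exist on disk. The current
    directory, which cmd.exe also searches, is left out of this model.
    """
    exts = [e for e in env.get("PATHEXT", ".COM;.EXE;.BAT;.CMD").split(";") if e]
    have = {ntpath.normcase(f) for f in files}
    return any(ntpath.normcase(ntpath.join(d, command + ext)) in have
               for d in path_entries(env) for ext in exts)
```

Because a `set path=` change applies only to the Command Prompt it was typed into and to programs started from that prompt, a check like this has to be run against the environment of the session that will launch the batch file.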

#18
sabesin2001 (Member, Topic Starter, 16 posts)
SUCCESS!!!!

to answer your first question, i installed java runtime environment because i think a friend advised me to. python i have no idea, and if my computer was set up to run a script or something then i didn't do it on purpose.

but anyway, i did the instructions and nothing, but then i tried running RunThis.bat from the same command prompt as the one i typed
set path=c:\windows;c:\windows\system32 into, and it ran finally! this is the output from it:
Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\John Williams\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoiRtAz8HM8m]
@="1.o.pvZaaZaaba.EBr 3zZaaZpca5v q\\51aRXRSDLgfaCQHUDQRaRgFggidObRXR"
"Device"="\\\\.\\PfcENUM"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\s3g3350p.sys"
"DriverName"="SPBPCI"
"HideUninstallerName"="C:\\Program Files\\Souws nt\\lmodramp.exe"
"HDll"="C:\\WINDOWS\\system32\\ccfcji32.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X9dcc57b-edcc-61d2-373f-84c2330bfad2}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Souws nt\\unlundll.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\mf3adhlp.exe"
"Version"="2.0.128"
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service SPBPCI removed.

Removing hidden folder:

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\s3g3350p.sys succeeded!
Deletion of file C:\WINDOWS\system32\mf3adhlp.exe succeeded!
Deletion of file C:\WINDOWS\system32\ccfcji32.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CoiRtAz8HM8m]
[-HKEY_LOCAL_MACHINE\Software\CoiRtAz8HM8m]

Done!

Finished!

Here is the hijack this log that it told me to post:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:12 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\John Williams\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


Now i am ecstatic that my device manager, "safely add/remove hardware" icon is back, network connections is back, etc, but i guess we should get down to the business of making sure my computer gets totally clean. the last time i had virus problems i think that i wasn't able to completely get rid of them from my cache files, since they kept reappearing even though i used cc cleaner, so i'll do whatever to make sure it gets and stays clean. thank you times a million for the help so far.

#19
Swandog46 (Malware Expert, Member, MVP, 1,026 posts)
So sorry for the wait :)

Looks great! :tazz:

Please delete the following folder:

C:\Program Files\Souws nt

Then reboot, run a full scan with Norton Antivirus, and let me know if it finds anything. Also let me know how it seems to be running. :)

#20
sabesin2001 (Member, Topic Starter, 16 posts)
seems to be running much better. haven't had a single popup since i ran the apropos fix. i deleted that program files folder. norton did not find anything. spyware doctor found 84 things, but all were cache or cookies stuff. i've run cc cleaner before but upon reboot those files always seem to return, so even though i'm not having any problems spyware search programs always seem to find a bunch of files.

#21
Swandog46 (Malware Expert, Member, MVP, 1,026 posts)
Everything looks great --- your HijackThis log is completely clean. :)
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. :tazz:

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Edited by g2i2r4, 27 November 2005 - 04:38 AM.


#22
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Thank you Swandog46 for assisting :tazz:

sabesin2001: Shall I close this topic?

#23
sabesin2001 (Member, Topic Starter, 16 posts)
you're a lifesaver swandog, thank you so much.

i consider this problem solved, you can close the topic g2i2r4, and thanks for the assistance.

#24
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
You're welcome :tazz: