Help with a bad spyware/malware problem [RESOLVED]


  • This topic is locked

#31 gldneye (Member, Topic Starter, 22 posts)
Sorry, I forgot to empty the recycle bin in the safe mode. After I emptied it, this is the latest Panda scan log:

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[cumctl32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[KNDAZEL.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[mvj8l91u1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[uvhisapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[guard.tmp]
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LH\Local Settings\Temp\uninstall.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[IExploreSkins.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[radio.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[toolbar.dll]

I can't find eZula or AdLogix in the registry.

I'll try again tomorrow.
Thanks,
gldneye :tazz:


#32 gldneye (Member, Topic Starter, 22 posts)
Thatman,

here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:56:48 AM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Launchboard\lnchbrd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\LH\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LaunchBoard] C:\Program Files\Launchboard\lnchbrd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1B30282C-970F-4DCC-97D1-1714277525C1} (NMInstall Control) - http://profile.homes....0_HOMESCAN.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


And here is the latest Panda scan log:

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini (I found a keys.something, but was not sure if it was the one to delete)
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/Envolo No disinfected C:\WINDOWS\plgiki.exe (I found one plgiki.something, but was not sure if it was safe to delete that)

Sure looks a lot better than before. Do you think I should hunt down the remaining four?

Thank you,
gldneye
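The two Panda scan reports quoted above use a fixed three-column layout (incident, status, location), and the question of which hits are worth chasing turns mostly on the location: a registry entry, a file on disk, a file in a temp folder, or a member inside an archive such as a fix tool's backup.zip. The following Python is an added example, not code from this forum, from Panda or from any tool named in the thread: it parses that layout and groups the detections by location type so an analyst can see at a glance how many distinct things actually need handling. The sample input is constructed from the lines in the post; the assumptions that other reports may carry a single-word status and that "container[member]" denotes an archive member are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input constructed from the Panda ActiveScan lines quoted in the post above.
SAMPLE_LOG = r"""Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[cumctl32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[KNDAZEL.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[mvj8l91u1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[uvhisapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\LH\Desktop\crap\l2mfix\backup.zip[guard.tmp]
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LH\Local Settings\Temp\uninstall.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[IExploreSkins.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[radio.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\OP\Local Settings\Temp\Toolbar3.cab[toolbar.dll]
"""

# Incident name, status, location. Only "No disinfected" appears in the post; allowing a
# single-word status (e.g. "Disinfected") is an assumption about other reports.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<status>No disinfected|\S+)\s+(?P<location>.+)$")
# Assumption: "container[member]" is how the scanner reports a file inside an archive.
ARCHIVE_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Incident:
    name: str
    status: str
    location: str
    category: str
    container: Optional[str] = None  # only set for archive members
    member: Optional[str] = None


def classify(location: str):
    """Return (category, container, member) for a reported location."""
    if location == "Windows Registry":
        return "registry", None, None
    m = ARCHIVE_RE.match(location)
    if m:
        return "archive member", m.group("container"), m.group("member")
    if TEMP_RE.search(location):
        return "temp file", None, None
    return "file", None, None


def parse_panda_log(text: str) -> list:
    """Parse the report text into Incident records, skipping blanks and the column header."""
    incidents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident "):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised scan line: {line!r}")
        category, container, member = classify(m.group("location"))
        incidents.append(Incident(m.group("name"), m.group("status"),
                                  m.group("location"), category, container, member))
    return incidents


def summarize(incidents) -> dict:
    """Group incident names by location category."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc.category].append(inc.name)
    return dict(groups)


def archive_containers(incidents) -> dict:
    """Map each archive holding detections to its flagged members, so that one container
    (here a fix tool's backup.zip and a cached toolbar .cab) counts as one item to deal with."""
    groups = defaultdict(list)
    for inc in incidents:
        if inc.container:
            groups[inc.container].append(inc.member)
    return dict(groups)


def unresolved(incidents) -> list:
    """Incidents the scanner reported but did not clean."""
    return [inc for inc in incidents if inc.status == "No disinfected"]


if __name__ == "__main__":
    found = parse_panda_log(SAMPLE_LOG)
    for category, names in summarize(found).items():
        print(f"{category}: {len(names)}")
    for container, members in archive_containers(found).items():
        print(f"{container}: {members}")
```

Run against the twelve lines from the first report, the summary shows two registry entries, one plain file, one loose temp file and eight archive members that live in just two containers, which is the shape of the list an analyst wants before deciding what to remove by hand.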

#33 Guest_thatman_* (Guest)
Hi gldneye

C:\Program Files\Norton AntiVirus\navapsvc.exe, I believe that Norton protects deleted files and saves them in its own type of recycle bin, and that is where the files are.

You will have to read the Norton manual to get at this.
Let me know, please; I've just taken a look at your log.

Kc :tazz:

#34 Guest_thatman_* (Guest)
Hi gldneye

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
Quote:
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
    Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    Restrict the actions of potentially dangerous sites in Internet Explorer.
    Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)

#35 gldneye (Member, Topic Starter, 22 posts)
Thatman, :tazz:

thank you so much for your help. I could not have done it by myself, not even close. This is a terrific forum and you all provide great service for us regular users.

Again,
THANKS!!!!

gldneye ;)

#36 Guest_thatman_* (Guest)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.