Geeks To Go forums
Adware detected


#1 SharonMurray (Member, 34 posts)
Hi,

I'm still trying to clean up my computer after a virus infection. I've run SpybotSD and AdAware, and online scans with Trend Housecall and Panda Active scan, as well as my PC based McAfee. You might think this is overkill, but I've had a lot of problems trying to tidy everything up.

The good news is that now I'm getting clean results from everything except Panda Active scan, which has found the following in my registry, but can't clean them:

Adware:Adware/SAHAgent
No disinfected
C:\WINNT\downloaded program files\setup.inf (NB I can't find this file in the folder named)

Adware:Adware/VirtualBouncer
No disinfected
Windows Registry

I've looked up how to manually clean them, but as far as I can tell, none of the actual files I need to remove are there, and I can't find any reference to 'sah' or 'bouncer' in my registry.

Could Panda be picking up on a couple of left over traces? Is there any way I can locate and remove the entries causing the problem so that Panda produces clean results? Or should I just ignore these results?

I hope someone can help.
Thank you,
Sharon
#2 Guest_thatman_* (Guest)
Hi SharonMurray

Welcome to geekstogo ;)

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Kc :tazz:

#3 SharonMurray (Topic Starter, Member, 34 posts)
Thank you thatman.

Here's the log file:

Logfile of HijackThis v1.99.0
Scan saved at 17:58:53, on 22/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\Program Files\FreeRAM\FreeRAM XP Pro 1.40.exe
C:\Documents and Settings\Sharon Murray\Start Menu\Programs\Startup\TASKMGR.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINNT\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ravenfolk.org.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=c:\commpro\bin\01comm32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: TASKMGR.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v..._img=oppoutcrop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.micro...ate/sdkinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4CFAB2C-356C-46C6-AA29-8F5898CEFCDA}: NameServer = 194.74.65.68 194.72.9.38
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

Thanks again,
Sharon :tazz:
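The log above is the kind of thing a helper reads by hand, item by item. As an added example, not part of the thread and not a feature of HijackThis or Panda, here is a small Python script that parses a HijackThis log and applies a few generic triage heuristics: processes and autostart entries (running processes, F1 win.ini load, O4 Run and Startup items) whose full path lies outside WINNT and Program Files, O23 services whose vendor HijackThis reports as Unknown, O16 ActiveX controls with no description, and the O17 name servers, which in a healthy configuration belong to the ISP. The sample log is a constructed subset of the lines in the post above, with the URLs left truncated as they appear there; the list of "system" directories is an assumption that fits this Windows 2000 machine. The flags are prompts for a manual check, not verdicts: on this log they pick up HijackThis itself under C:\HJT and the McAfee McShield service, both of which the helper in this thread treats as benign.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted above, with URLs left truncated as they appear there.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\Documents and Settings\Sharon Murray\Start Menu\Programs\Startup\TASKMGR.EXE
C:\HJT\HijackThis.exe

F1 - win.ini: load=c:\commpro\bin\01comm32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - Startup: TASKMGR.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v..._img=oppoutcrop
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4CFAB2C-356C-46C6-AA29-8F5898CEFCDA}: NameServer = 194.74.65.68 194.72.9.38
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Where the OS and installed software normally live on this Windows 2000 machine (an assumption of the heuristic).
SYSTEM_DIRS = ("c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")

PATTERNS = {
    "F1": re.compile(r"^F1 - win\.ini: (load|run)=(.*)$"),
    "O4": re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$"),
    "O4s": re.compile(r"^O4 - (Startup|Global Startup): (.*)$"),
    "O16": re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (.*)$", re.IGNORECASE),
    "O17": re.compile(r"^O17 - .*NameServer = (.*)$"),
    "O23": re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$"),
}

@dataclass
class Entry:
    section: str     # "PROC", "F1", "O4", "O16", "O17" or "O23"
    name: str        # file name, Run value name, service name or O16 description
    target: str      # executable path, CAB URL or name-server list
    extra: str = ""  # O23 vendor or O16 CLSID

def exe_from_command(cmd: str) -> str:
    """Program launched by a Run or win.ini command: the quoted path, else the first token ending in .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_log(text: str) -> list[Entry]:
    """Collect the running-process list and the F1/O4/O16/O17/O23 lines; other sections are ignored."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                entries.append(Entry("PROC", line.rsplit("\\", 1)[-1], line))
            else:
                in_procs = False  # a blank line ends the process list
        elif m := PATTERNS["F1"].match(line):
            entries.append(Entry("F1", "win.ini " + m.group(1), exe_from_command(m.group(2))))
        elif m := PATTERNS["O4"].match(line):
            entries.append(Entry("O4", m.group(2), exe_from_command(m.group(3))))
        elif m := PATTERNS["O4s"].match(line):
            entries.append(Entry("O4", m.group(1), m.group(2).split(" = ")[-1]))
        elif m := PATTERNS["O16"].match(line):
            entries.append(Entry("O16", m.group(2) or "", m.group(3), m.group(1)))
        elif m := PATTERNS["O17"].match(line):
            entries.append(Entry("O17", "NameServer", m.group(1)))
        elif m := PATTERNS["O23"].match(line):
            entries.append(Entry("O23", m.group(1), m.group(3), m.group(2)))
    return entries

def outside_system_dirs(path: str) -> bool:
    """True for a full path outside WINNT and Program Files; bare names (resolved via PATH) are not judged."""
    p = path.strip().lower()
    return "\\" in p and not p.startswith(SYSTEM_DIRS)

def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """(section, name, reason) for entries worth a manual look. These are prompts to verify, not verdicts."""
    findings = []
    for e in entries:
        if e.section in ("PROC", "F1", "O4") and outside_system_dirs(e.target):
            findings.append((e.section, e.name, "runs from outside WINNT/Program Files: " + e.target))
        elif e.section == "O23" and e.extra.lower() == "unknown":
            findings.append((e.section, e.name, "service with no recognised vendor: " + e.target))
        elif e.section == "O16" and not e.name:
            findings.append((e.section, e.extra, "ActiveX control with no description: " + e.target))
        elif e.section == "O17":
            findings.append((e.section, e.name, "confirm these resolvers belong to your ISP: " + e.target))
    return findings

if __name__ == "__main__":
    for section, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {name:24} {reason}")
```

Run it against a full log by passing the file contents to parse_log. The path heuristic deliberately ignores bare names such as mobsync.exe or RUNDLL32.EXE, which Windows resolves through PATH; for RUNDLL32 entries the interesting part is the DLL argument, which this script leaves for the reader to inspect.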

#4 Guest_thatman_* (Guest)
Hi SharonMurray :cheers:

CleanUp! - Download it and install it.
Let it clean all your temp folders, c:\Windows\Temp

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Quoting its description:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially dangerous sites in Internet Explorer.
  • Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file, see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Go to http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)

#5 SharonMurray (Topic Starter, Member, 34 posts)
Thank you again thatman. It's good to know my system is clear, although I've been attacked again since then, this time with the Gaobot worm. It was detected and cleaned straight away though, and I've had no problems since, so I think everything is clear again now.

About the advice you have given me:
I downloaded Cleanup but was afraid to run it because it seems as though it's just going to go ahead and delete a lot of stuff that I won't know about. Can I be certain it won't remove something I need?

I haven't downloaded Spyware Blaster yet. Will it conflict with my McAfee Firewall? I have installed Microsoft's Anti-spyware. Will there be any conflict between this and Spywareblaster?

I've got all the latest patches for Windows. I've also got Sun's Java (do I need to remove Microsoft's version?)

That just leaves changing my browser. How do I get hold of the Firefox browser you mention?

Thank you again for all your help. It's reassuring to have someone who knows what they are talking about looking at the processes running on my machine.

Regards,
Sharon

#6 Koretek (Member, 340 posts)
Woo,
that was a lot of questions there Sharon,

Here we go:
"I downloaded Cleanup but was afraid to run it because it seems as though it's just going to go ahead and delete a lot of stuff that I won't know about. Can I be certain it won't remove something I need?"

Yes, it will ONLY dump all the little things you would never get around to, like your Temp files which you don't need, histories of when you last opened a program or a page, and junk like that. RUN THIS: many nasties live in Temp folders and it was a very good suggestion!

"I haven't downloaded Spyware Blaster yet. Will it conflict with my McAfee Firewall?"

"I have installed Microsoft's Anti-spyware. Will there be any conflict between this and Spywareblaster?"

No, I run both on my PC (I use MSN Beta and Spyware Search and Destroy), but I would make a decision whether you want to keep McAfee or MSN Beta; they're not both needed and take up a ton of system resources. If it was my call, no doubt McAfee is a goner! Spyware and the MSN Beta are a perfect complement and run very well together, both catching stuff in real time, and you can set them to display anything before deleting or to go ahead and fix, depending on your paranoia level!

"I've got all the latest patches for Windows. I've also got Sun's Java (do I need to remove Microsoft's version?)"

No, they're not both needed, but you don't have to undo anything.

Ok, last question, the browser............ http://www.mozilla.org/

You must be a rough shopper boy! :tazz:

Edited by Koretek, 28 February 2005 - 06:15 PM.


#7 SharonMurray (Topic Starter, Member, 34 posts)
Thank you Koretek.

I have now installed and run Cleanup. Too soon to tell, but my PC does seem to be more responsive.

I've downloaded and installed Spyware Blaster, and enabled all protection.

I haven't made my mind up about Microsoft's Antispyware and McAfee, but I'll bear your comments in mind.

And I've now installed and am using Firefox browser.

I'm still getting two Adware hits in the registry when I run Panda Activescan. Can you suggest a good and safe Registry Cleaner?

Thanks again,
Sharon :tazz: