
CANNOT REMOVE SPYWARE

Comments

20 comments

  • Support

    Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload the following files so I can examine them and distribute them to Adaware and other AntiMalware companies.

    Just press New Topic, start a new post with a short message. Then press Attach, then press the Browse button, and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it; when all the files are listed in the window, press the *Post* button to upload the files.

     

    Name the topic: For CalamityJane from craig at LS. I will get an email notice from there when you have posted.

     

    Submit all Files in these two folders:

     

    C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun (submit all files in this folder)

     

    C:\DOCUMENTS AND SETTINGS\Adele\APPLICATION DATA\AXISFO... (submit all files in this folder; the folder name is longer than those first letters and contains spaces, for example: Axis Fo... If there are not any files in that folder, that is ok - don't worry about it.)

     

    Note: You DO NOT need to register to upload suspicious files for examination or to use any other part of this site.

     

    You will not see the files that have been uploaded, as they only show to the authorised users who can download them.
  • Support

    Hi craig,

     

    I also need a HijackThis log. Here are the instructions on how to do that:

    Instructions on creating a HijackThis Log

    http://www.lavasoftsupport.com/index.php?showtopic=216

  • Customer


    Thanks, here is my HijackThis log:

    Logfile of HijackThis v1.99.1

    Scan saved at 19:54:55, on 28/05/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\WINDOWS\system32\RunDll32.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\AOL 9.0\aoltray.exe

    c:\program files\common files\aol\1135861362\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\blueyonder IST\bin\mpbtn.exe

    C:\Program Files\AOL 9.0\waol.exe

    C:\Program Files\AOL 9.0\shellmon.exe

    C:\Program Files\Common Files\AOL\aoltpspd.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    C:\WINDOWS\hh.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\DOCUME~1\Craig\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {24C5F4B4-07EC-83E8-9667-E125F7A8DA7B} - C:\DOCUME~1\Adele\APPLIC~1\AXISFO~1\SeekBone.exe (file missing)

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [ClockNounDupeMags] C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun\HOPE SITE.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135374014359

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A08088C-26EA-4DD1-BC0F-F6D94C9A83DA}: NameServer = 205.188.146.145

    O17 - HKLM\System\CS1\Services\Tcpip\..\{5A08088C-26EA-4DD1-BC0F-F6D94C9A83DA}: NameServer = 205.188.146.145

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O18 - Filter: text/html - (no CLSID) - (no file)

    O18 - Filter: text/plain - (no CLSID) - (no file)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

  • Support

    Yep, you have a LOP infection. Most likely from installing Bear Share. The Bear Share free version comes with a "sponsor" - the sponsor is LOP, ugh.

     

    Using p2p programs is a good way to find new infections. But if you must use one, at least get one that doesn't come with spyware/adware parasites on the install. A good list to consult is posted here:

     

    Clean and Infected File Sharing Programs

    http://www.spywareinfoforum.info/articles/p2p/

     

    And you'll have to be very careful with files downloaded using p2p networks; usually more than half of the files you find there are infested with all sorts of malware.

     

    Hold on while I write up the fix steps. I'll be right back in a few.

  • Support

    Hi Craig,

     

    You uploaded the wrong folder contents. I didn't ask for Limewire... but the files from these two folders (named in bold), if you still have them:

     

    C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun (submit all files in this folder)

     

    C:\DOCUMENTS AND SETTINGS\Adele\APPLICATION DATA\AXISFO... (submit all files in this folder; the folder name is longer than those first letters and contains spaces, for example: Axis Fo... If there are not any files in that folder, that is ok - don't worry about it.)
  • Support

    Once you have uploaded the files, come back here and follow these steps to remove the LOP infection.

     

    1. Print out or save to Notepad these instructions, as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instructions).

     

     

    2. Reboot into Safe Mode

    How to start the computer in Safe mode

    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

     

     

    3. Once in Safe mode, open HijackThis and choose *scan only*. When it finishes, place a checkmark next to these entries, then press the *fix checked* button:

     

    O2 - BHO: (no name) - {24C5F4B4-07EC-83E8-9667-E125F7A8DA7B} - C:\DOCUME~1\Adele\APPLIC~1\AXISFO~1\SeekBone.exe (file missing)

     

    O4 - HKLM\..\Run: [ClockNounDupeMags] C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun\HOPE SITE.exe

     

    O18 - Filter: text/html - (no CLSID) - (no file)

     

    O18 - Filter: text/plain - (no CLSID) - (no file)

     

    4. Stay in safe mode and delete these two folders:

     

    C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun

     

    C:\DOCUMENTS AND SETTINGS\Adele\APPLICATION DATA\AXISFO...

     

    5. Reboot back into normal mode. Scan once more with HijackThis and post a fresh log please.

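The checks CalamityJane applied by eye to pick the four entries in step 3 can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis: it parses constructed sample lines in the HijackThis v1.99 log format (modelled on the entries posted above), flags a BHO with no name, an autostart that runs from a profile data folder, and O18 MIME filters with no CLSID, and records each O4 entry's scope (HKLM is machine-wide, HKCU applies to the logged-in user only).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 log format. The lines are modelled on the
# logs above (the four LOP-related entries plus some benign neighbours); the
# "Running processes" header is left out because only the O-lines are triaged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24C5F4B4-07EC-83E8-9667-E125F7A8DA7B} - C:\DOCUME~1\Adele\APPLIC~1\AXISFO~1\SeekBone.exe (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ClockNounDupeMags] C:\Documents and Settings\All Users\Application Data\Wayliteclocknoun\HOPE SITE.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


@dataclass
class Entry:
    section: str                 # HijackThis section tag, e.g. "O2", "O4", "O18"
    body: str                    # everything after "Oxx - "
    scope: str = ""              # O4 only: "HKLM" (all users), "HKCU" (this user), "Global Startup"
    reasons: list = field(default_factory=list)


LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Profile data folders in long and 8.3 short form. Legitimate autostart programs
# live under Program Files or the Windows directory; the Wayliteclocknoun folder
# the helper attributed to LOP sat under All Users\Application Data.
DATA_DIR_RE = re.compile(r"\\(?:Application Data|APPLIC~1)\\", re.IGNORECASE)


def parse_log(text):
    """Turn the R/O lines of a HijackThis log into Entry objects; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        scope = ""
        if section == "O4":
            for prefix in ("HKLM", "HKCU", "Global Startup"):
                if body.startswith(prefix):
                    scope = prefix
        entries.append(Entry(section, body, scope))
    return entries


def triage(entry):
    """Apply the three checks behind the helper's fix list; fills entry.reasons in place."""
    r = entry.reasons
    if entry.section == "O2" and "(no name)" in entry.body:
        r.append("BHO with no name")
    if entry.section == "O4" and DATA_DIR_RE.search(entry.body):
        r.append("autostart runs from a profile data folder")
    if entry.section == "O18" and entry.body.startswith("Filter:") and "(no CLSID)" in entry.body:
        r.append("MIME filter with no CLSID and no file (hijack residue)")
    # An orphaned target is only noted once an entry is already suspect: benign
    # leftovers (msnim, WRNotifier above) also report "(file missing)".
    if r and "(file missing)" in entry.body:
        r.append("target file already gone, entry is a leftover")
    return entry


def flagged(text):
    """Return the suspicious entries of a log, in log order."""
    return [e for e in map(triage, parse_log(text)) if e.reasons]


def autostart_scope_counts(text):
    """Count O4 entries per scope. HKCU entries belong to the logged-in user only,
    which is why a log taken in another account can list different autostarts."""
    counts = {}
    for e in parse_log(text):
        if e.section == "O4":
            counts[e.scope] = counts.get(e.scope, 0) + 1
    return counts


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section} - {e.body}\n    -> {'; '.join(e.reasons)}")
    print("O4 entries by scope:", autostart_scope_counts(SAMPLE_LOG))
```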
  • Customer


    Hi, Calamity Jane, I cannot find these files or folders anywhere on my computer. If they are to do with BearShare, I uninstalled that weeks ago, and the only file sharing program I have now is LimeWire. Would deleting everything to do with LimeWire help get rid of my infection?
  • Support

    Ah, ok! Those may have just been leftovers we're seeing in the registry then. Proceed with the fix I posted above using HijackThis and, after doing that, reboot. Scan again and post a fresh HijackThis log, please.
  • Customer

    Here are the results of my new scan, many thanks:

    Logfile of HijackThis v1.99.1

    Scan saved at 22:29:45, on 06/06/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\WINDOWS\system32\RunDll32.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

    c:\program files\common files\aol\1135861362\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\blueyonder IST\bin\mpbtn.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    C:\WINDOWS\hh.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Craig\My Documents\hijackthis main one\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

    O4 - Global Startup: BlueSoleil.lnk = ?

    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135374014359

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

  • Support

    Looks good.

     

    If you uninstalled BearShare, you can use HijackThis to *fix checked* on this entry:

    O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

     

    Is everything looking ok now on your end?

  • Support

    Hi craig,

     

    Can you post a fresh HijackThis log please?

  • Customer


    Hi Calamity Jane, I am sorry to say that things are not looking good at my end, as I still keep getting these advertising pop-up things coming up. PLEASE HELP...
  • Support

    Nothing really showing in the HijackThis log.

     

    Download Silent Runners here (follow the instructions on that page):

    http://www.silentrunners.org/sr_scriptuse.html

     

    If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.

    Wait until there is an All Done message!! Then open and post the log next to it.
  • Customer


    Here is my latest HijackThis post:

    Logfile of HijackThis v1.99.1

    Scan saved at 21:49:42, on 07/06/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\WINDOWS\system32\RunDll32.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    c:\program files\common files\aol\1135861362\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    C:\WINDOWS\hh.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\AOL 9.0\waol.exe

    C:\Program Files\AOL 9.0\shellmon.exe

    C:\Program Files\Common Files\AOL\aoltpspd.exe

    C:\Documents and Settings\Craig\My Documents\hijackthis main one\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

    O4 - Global Startup: BlueSoleil.lnk = ?

    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135374014359

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A08088C-26EA-4DD1-BC0F-F6D94C9A83DA}: NameServer = 205.188.146.145

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

  • Customer


    Thanks, but before I do this, I have just noticed that when I am on my user name settings, i.e. Craig, I do not seem to be getting any pop-ups, but as soon as I switched over to my wife's settings, i.e. Adele, they started popping up again. Now then, one difference in our desktops is that my wife on hers has 2 folders, one from BearShare and one from LimeWire, of music my son has downloaded. In these folders there are purely the songs he has downloaded, but could this be the cause of my problems, and would just deleting them maybe solve them? Would another HijackThis log in my wife's name show you anything different?
  • Support

    Would another HijackThis log in my wife's name show you anything different?

    Yes, it may. Please log into your wife's account, scan, and post a HijackThis log from it.

     

    The malware files are likely NOT in the Bearshare or Limewire folders. Installing either of these programs can give you a separate install of spyware. The HijackThis log will show me this.

  • Customer

    Sorry about all this, Calamity Jane, but many thanks anyhow; here is the log in my wife's name.

     

    Logfile of HijackThis v1.99.1

    Scan saved at 18:46:26, on 08/06/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\WINDOWS\system32\RunDll32.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    c:\progra~1\intern~1\iexplore.exe

    c:\program files\common files\aol\1135861362\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe

    C:\Program Files\blueyonder IST\bin\mpbtn.exe

    C:\Program Files\AOL 9.0\waol.exe

    C:\Program Files\AOL 9.0\shellmon.exe

    C:\Program Files\Common Files\AOL\aoltpspd.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    C:\WINDOWS\hh.exe

    C:\Documents and Settings\Craig\My Documents\hijackthis main one\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [listrdr] C:\DOCUME~1\Adele\APPLIC~1\PLANIN~1\Boremfcd.exe

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

    O4 - Global Startup: BlueSoleil.lnk = ?

    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135374014359

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A08088C-26EA-4DD1-BC0F-F6D94C9A83DA}: NameServer = 205.188.146.145

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    0
  • Support

    And I see it!

     

    Copy these instructions to have handy as we need to do this step with all browsers and any open windows closed, with ONLY HijackThis open.

     

    Make sure your PC is configured to show hidden files

    How to Show Hidden Files

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

     

     

    Click Start.

     

    Open My Computer.

     

    Select the Tools menu and click Folder Options.

     

    Select the View Tab.

     

    Under the Hidden files and folders heading select Show hidden files and folders.

     

    Uncheck the Hide protected operating system files (recommended) option.

     

    Click Yes to confirm.

     

    Click OK.

     

    .....................

    Now, scan with HijackThis and when it finishes, checkmark this entry in the list:

     

    O4 - HKCU\..\Run: [listrdr] C:\DOCUME~1\Adele\APPLIC~1\PLANIN~1\Boremfcd.exe

     

    Delete this folder:

    C:\DOCUMENTS AND SETTINGS\Adele\APPLICATION DATA\PLANIN... (folder starts with those letters and will be longer and may contain spaces, for example: Plan In...)

     

    If you are unable to delete the folder because it is in use, reboot into SAFE MODE to delete it.

     

    Then, reboot back to normal mode (or just plain reboot if you didn't have to go into safe mode to delete).

     

    And scan once more with HijackThis to make a log and post the fresh log back here please.

    0
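    The fix above turns on one detail of the log: the only HKCU Run entry that points into a user's Application Data folder (a short-name path under DOCUME~1\...\APPLIC~1) is the one being removed, while every legitimate autostart lives under WINDOWS or Program Files. The scanner below is an added example, not part of this thread or of HijackThis, that automates that triage for O4 lines: it parses the O4 format, pulls the executable path out of each command line, and classifies the path by where it lives. The trusted-directory prefixes and the "user-profile" heuristic are assumptions made for this example; the sample log is a constructed excerpt built from O4 lines in the logs posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: O4 lines taken from the logs in this thread,
# plus one non-O4 header line so the scanner has something to skip.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [listrdr] C:\DOCUME~1\Adele\APPLIC~1\PLANIN~1\Boremfcd.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: BlueSoleil.lnk = ?
"""

# Registry autostart lines:  O4 - HKLM\..\Run: [value name] command line
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Startup-folder shortcuts:  O4 - Startup: name.lnk = target
O4_LNK_RE = re.compile(r'^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First executable in a command line, quoted or not; arguments after it are ignored.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd))"?(?:\s|$)', re.IGNORECASE)

# Assumption for this example: on a Windows XP box, autostart binaries are
# expected under these roots. Short (8.3) names are included because
# HijackThis prints them as stored in the registry.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    line: str        # the original log line
    where: str       # registry key or startup folder the entry came from
    name: str        # value name or shortcut name
    path: Optional[str]  # executable path, if one could be extracted
    verdict: str     # expected | user-profile | other | no-path


def classify_path(path: str) -> str:
    """Heuristic location check: where does the autostart binary live?"""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "expected"
    # Per-user or All Users profile directories are writable by the logged-in
    # user and are where the PLANIN~1 / Wayliteclocknoun folders in this thread sat.
    if "\\docume~1\\" in p or "\\documents and settings\\" in p:
        return "user-profile"
    return "other"


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 line into an Entry; return None for anything else."""
    m = O4_RUN_RE.match(line)
    if m:
        where = m["hive"] + "\\..\\" + m["key"]
        name, cmd = m["name"], m["cmd"]
    else:
        m = O4_LNK_RE.match(line)
        if not m:
            return None
        where, name, cmd = m["kind"], m["name"], m["cmd"]
    exe = EXE_RE.match(cmd)
    path = exe["path"] if exe else None
    verdict = classify_path(path) if path else "no-path"
    return Entry(line, where, name, path, verdict)


def scan_log(log_text: str) -> List[Entry]:
    """Return every O4 entry found in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        entry = parse_o4(raw.strip())
        if entry:
            entries.append(entry)
    return entries


def find_suspicious(log_text: str) -> List[Entry]:
    """O4 entries whose binary lives outside the expected system directories."""
    return [e for e in scan_log(log_text) if e.verdict in ("user-profile", "other")]


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(f"{e.verdict:13} {e.where:16} [{e.name}] {e.path or '-'}")
    print("flagged:", [e.name for e in find_suspicious(SAMPLE_LOG)])
```

    Run against the sample, only the `listrdr` entry is flagged (`user-profile`), `Cmaudio` and the `BlueSoleil.lnk = ?` shortcut come back as `no-path` because no executable path is present in the command, and everything else is `expected`. A location check like this is a triage aid rather than a verdict: a legitimate program can install into Application Data, and a malicious one can drop into Program Files, so the flagged entries are the ones to look up or submit, as the support reply does here, not ones to delete unseen.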
  • Customer

    And I see it!

     

    Copy these instructions to have handy as we need to do this step with all browsers and any open windows closed, with ONLY HijackThis open.

     

    Make sure your PC is configured to show hidden files

    How to Show Hidden Files

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Click Start.

     

    Open My Computer.

     

    Select the Tools menu and click Folder Options.

     

    Select the View Tab.

     

    Under the Hidden files and folders heading select Show hidden files and folders.

     

    Uncheck the Hide protected operating system files (recommended) option.

     

    Click Yes to confirm.

     

    Click OK.

     

    .....................

    Now, scan with HijackThis and when it finishes, checkmark this entry in the list:

     

    O4 - HKCU\..\Run: [listrdr] C:\DOCUME~1\Adele\APPLIC~1\PLANIN~1\Boremfcd.exe

     

    Delete this folder:

    C:\DOCUMENTS AND SETTINGS\Adele\APPLICATION DATA\PLANIN... (folder starts with those letters and will be longer and may contain spaces, for example: Plan In...)

     

    If you are unable to delete the folder because it is in use, reboot into SAFE MODE to delete it.

     

    Then, reboot back to normal mode (or just plain reboot if you didn't have to go into safe mode to delete).

     

    And scan once more with HijackThis to make a log and post the fresh log back here please.


     

    Hi, calamity jane, below is my latest log. Also, do I need to undo the show hidden files and folders setting and re-check the hide protected operating system files option? Also, would it make sense to empty my recycle bin, where the planin folder has been sent?

    Logfile of HijackThis v1.99.1

    Scan saved at 21:07:22, on 08/06/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    C:\WINDOWS\system32\RunDll32.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\blueyonder IST\bin\mpbtn.exe

    c:\program files\common files\aol\1135861362\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

    C:\Program Files\Common Files\AOL\1135861362\ee\AOLServiceHost.exe

    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

    C:\WINDOWS\hh.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Craig\My Documents\hijackthis main one\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135861362\ee\AOLHostManager.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

    O4 - Global Startup: BlueSoleil.lnk = ?

    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135374014359

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    0
  • Support

    Hi, calamity jane, below is my latest log.
    Looks good. Are the popups gone?

     

    Also, do I need to undo the show hidden files and folders setting and re-check the hide protected operating system files option? Also, would it make sense to empty my recycle bin, where the planin folder has been sent?

    Yes, and yes.

    0
