|
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
A web page keeps popping up without me loading it. I wonder if anyone can help. Having read other posts I've downloaded HijackThis and the log is as follows:
Logfile of HijackThis v1.97.2
Scan saved at 17:37:16, on 19/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\WVO_CTRL.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Outlook Express\msimn.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by etelecom
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - (no file)
R3 - URLSearchHook: SrchHook Class - {2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - C:\WINDOWS\System32\SRHOOK.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem212.dll
O2 - BHO: Comodo TTB BHO - {D80E1356-AC78-4218-961C-A7689B4CB7FE} - C:\WINDOWS\System32\TTBBHO.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Comodo_WebVisibleObject] C:\WINDOWS\System32\WVO_CTRL.EXE
O4 - HKLM\..\Run: [DAupdate] C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UpdateMedia] C:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\MGI PhotoSuite III\Temp\MGI00000.html
O9 - Extra button: TTB Pane (HKLM)
O9 - Extra button: FastNet99 (HKLM)
O9 - Extra 'Tools' menuitem: &FastNet99 (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Win32 Classes -
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://62.129.133.7/mt/dialers/nl/UK/exe/99935000.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.4019675926
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C95B2D3-06F2-4DFB-ACC2-408A6CCBAE78}: NameServer = 195.92.195.95 195.92.195.94
Is there anything there that shouldn't be there? Thanks in advance.
|
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
The phrase OUCH!!! springs to mind.
Restart HijackThis and put a check mark next to the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by etelecom
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - (no file)
R3 - URLSearchHook: SrchHook Class - {2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - C:\WINDOWS\System32\SRHOOK.dll
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem212.dll
O2 - BHO: Comodo TTB BHO - {D80E1356-AC78-4218-961C-A7689B4CB7FE} - C:\WINDOWS\System32\TTBBHO.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O4 - HKLM\..\Run: [Comodo_WebVisibleObject] C:\WINDOWS\System32\WVO_CTRL.EXE
O4 - HKLM\..\Run: [DAupdate] C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
O4 - HKLM\..\Run: [UpdateMedia] C:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: TTB Pane (HKLM)
O9 - Extra button: FastNet99 (HKLM)
O9 - Extra 'Tools' menuitem: &FastNet99 (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Win32 Classes -
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://62.129.133.7/mt/dialers/nl/UK/exe/99935000.cab
Click Fix Checked
Go to Start | Control Panel | Add/Remove Programs
Highlight New.net
Click Remove
Restart your computer
Go to C:\Program Files
Delete the following folders:
Date Manager
PrecisionTime
MediaUpdate
MediaLoads Enhanced
Open the C:\Windows folder
Find and delete the following:
nem214.dll
wsem212.dll
Now go to the C:\WINDOWS\System32 folder and open it
Find the following and delete them:
SRHOOK.dll
TTBBHO.DLL
WVO_CTRL.EXE
Restart your computer and post a new HijackThis log
Of all the Things I've lost, I miss my mind the most
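Added here as an example, not code from the thread or from HijackThis itself: a small Python parser for the log format posted above that applies a few of the checks putasolutions made by hand (O10 LSP entries, an R3 hook with no file behind it, an unnamed O2 BHO loaded straight from the Windows root, and O16 ActiveX downloads from a bare IP address). The sample lines are copied from the first log in the thread; the rules and their names are my own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis log posted in the thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - _{2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\\WINDOWS\\wsem212.dll
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://62.129.133.7/mt/dialers/nl/UK/exe/99935000.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Every HijackThis entry starts with its section code (R0-R3, O1-O17) followed by " - ".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A download URL whose host is a bare IPv4 literal rather than a hostname.
BARE_IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})[/:]", re.IGNORECASE)
# A file sitting directly in the Windows directory root, not in a subfolder such as system32.
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Flag entries using a few of the rules the thread's helper applied by hand (assumed heuristics)."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O10":
            # LSP entries: HijackThis cannot back them up, which is why the thread falls back to LSPFix.
            findings.append(Finding(section, line, "Winsock LSP hijack"))
        elif section == "R3" and body.endswith("(no file)"):
            findings.append(Finding(section, line, "URLSearchHook pointing at a missing file"))
        elif section == "O2" and "(no name)" in body:
            path = body.rsplit(" - ", 1)[-1]
            if WINDOWS_ROOT_RE.match(path):
                findings.append(Finding(section, line, "unnamed BHO loaded from the Windows root"))
        elif section == "O16":
            ip = BARE_IP_URL_RE.search(body)
            if ip:
                findings.append(Finding(section, line, f"ActiveX package fetched from bare IP {ip.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The Adobe BHO, the NeroCheck run entry and the Flash download pass untouched, matching what putasolutions left unticked.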
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Sorry for the delay in replying but I have been away from my PC for the weekend. When I restarted HijackThis, 3 of the entries in the previous log were no longer there:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{2C2C1BED-5B1C-4bf2-BC2A-86BF224B01AB} - (no file)
and O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
So I proceeded without them and clicked Fix Checked. I then went to Add/Remove but couldn't find New.net, nor could a Search find it. When I came to deleting the folders in Program Files, I couldn't find PrecisionTime in the Windows folder, but a Search revealed 2 backup-2003092 files which referred to PrecisionTime, although it said the path to them was invalid.
Here is the latest log:
Logfile of HijackThis v1.97.2
Scan saved at 12:33:12, on 23/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\MGI PhotoSuite III\Temp\MGI00000.html
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Win32 Classes -
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://62.129.133.7/mt/dialers/nl/UK/exe/99935000.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.4019675926
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C95B2D3-06F2-4DFB-ACC2-408A6CCBAE78}: NameServer = 195.92.195.95 195.92.195.94
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
These still need to be removed by HijackThis:
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Win32 Classes -
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://62.129.133.7/mt/dialers/nl/UK/exe/99935000.cab
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
Click Fix Checked, restart computer
Of all the Things I've lost, I miss my mind the most
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Tried 3 times but none of the outstanding items will delete. When I press Fix Checked then Yes I receive the following message:
Backup of LSP hijackers is not possible because of technical limitations. (IOW, I don't know how). Since only two programs hijack the LSP (New.net and WebEnhancer) and both, this should not pose a problem. Should you wish to restore either for testing purposes or complete insanity, you need to reinstall the program.
What now?
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Bricat, got your email but the post doesn't show on the thread??? When I click on the link in the email the message "The post you are looking for could not be found." displays on the WU page. I've not touched my Cookies settings. I have managed to get rid of the O16 entries but the five O10 entries refuse to be deleted!
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
Ok try this,
Go to this page, download and run lspfix
See if those still exist in HJT afterwards
Of all the Things I've lost, I miss my mind the most
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28203
Loc: belfast
|
|
I didn't send you an email!!
I know what it was, it was an email notification of the post which I deleted (I was about 1 minute behind puta's post), as usual. LOL
Computers are like Old Testament gods; lots of rules and no mercy.
Edited by bricat on 23/09/2003 15:38 (server time).
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Puta, downloaded and ran LSPfix, which said it had dealt with errors, restarted, ran HJT again but all 5 O10 entries are still there. Did it again (LSPfix, restart, HJT) and they're still there.
Bricat, your deleted email still came through via OE but was obviously deleted from this thread.
Both, hi guys, this is Arandora operating for my son-in-law-to-be under his WU forum name on his PC, while he gets on with other stuff. (His PC is in his hotel (Arandora Star) in Blackpool and he keeps getting interrupted by guests and prospective customers - how unthinking of them!) Back home now to rejoin you on my PC and see what awaits me there.
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
Have a read through this page
Of all the Things I've lost, I miss my mind the most
|
Arandora
regular
Reg'd: Wed
Posts: 2408
Loc: Fylde Coast
|
|
Right. I'll get back on to it when I return to Hotel tomorrow. PS Puta Got and replied to your PM
The thirst for knowledge is sometimes sweeter than a pint of Stella!
|
greysts
regular
Reg'd: Thu
Posts: 17690
Loc: Colchester
|
|
Every time I click on that link, AdWatch jumps in to say it's detected a pop-up and blocks the page. Any ideas before I suspend Adwatch?
|
arney
regular
Reg'd: Mon
Posts: 990
Loc: Ireland/NYC
|
|
Press Ctrl and click on the link? Hope that helps.
I haven't lost my marbles, I just give them away
|
greysts
regular
Reg'd: Thu
Posts: 17690
Loc: Colchester
|
|
Hi Arney
Yeah, I can do that but it will suspend AdWatch for that link and I don't want to do that until I know a bit more about the page. I'm pretty sure Puta wouldn't have posted it if there was anything dodgy about it, but this is the very first link I have ever used which AdWatch stopped. I changed my AdWatch settings the other day so I'm going back to look at that before I go any further.
Found it. I must have told AdWatch to block popups when I was playing with the settings. I've unticked that one and the link now works. I've still got the Google pop up blocker switched on and that seems quite happy.
Edited by greysts on 24/09/2003 11:27 (server time).
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
It may be that there is a pop up involved as it is a direct link to the New.net site, allegedly to a removal tool.
Of all the Things I've lost, I miss my mind the most
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Yeah, Arandora here! New.net is no more, it is a deceased site! Having installed Spybot, when I first ran it, the only entry it wouldn't immunise was, yes, you've guessed it, New.net. However, it said it may do after closing down and restarting, which I did and it did. Thanks for all your help. May need to get back to you as Woofit1 has now got the W32 Spybot worm on his laptop. He is reluctant to try and fix it himself because of the cautionary warnings by NAV 2002 Pro, which identified the problem. He is going to go back to PC World, his supplier, to see if they can help before he tries himself. Know any quick/safe fixes?
Oh, sorry, here's the latest (pristine, I hope) Spybot log:
Logfile of HijackThis v1.97.2
Scan saved at 12:35:39, on 24/09/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\MGI PhotoSuite III\Temp\MGI00000.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.4019675926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Edited by woofit1 on 24/09/2003 13:10 (server time).
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
Glad that is solved
No point in taking it back to PC World, as they will just format the hard drive and start again.
Make sure that he turns off System restore, before restarting anti virus scanning
Of all the Things I've lost, I miss my mind the most
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Sacked off going to PC World & done the Norton scan & found the W32 Spybot Worm virus & quarantined it, as it can't be repaired or, it seems, can't (as Norton Anti-Virus suggests) be deleted either. As for "DELETING THE VALUE FROM THE REGISTRY", as far as I can see there are no zero byte files in my startup folder & having never had to remove a virus before, Norton's instructions are making me twitch in a nervous "what if I remove a legitimate tftp file" type way. Please, if there's any "let's say for example step by step advice" you could offer me to back up Norton's instructions..
|
putasolutions
regular
Reg'd: Tue
Posts: 12087
Loc: Infinity and beyond
|
|
You will need to turn off system restore temporarily before doing a full scan
Of all the Things I've lost, I miss my mind the most
|
woofit1
regular
Reg'd: Thu
Posts: 52
Loc: Blackpool UK
|
|
Hey there. Disabled System Restore. What's this removal tool from the Avg. Agrisoft site Lol mentions? Is it better, more straightforward than Norton's advice?
|