adware spyware

Discussion in 'adware, spyware & hijack cleaning' started by rascal_brat_1, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. rascal_brat_1

    rascal_brat_1 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    3
    I had adware and spyware problems and I bought the NOADWARE application to get rid of these problems, but I feel there is still some on my computer. When I go into msconfig I still see files that are related to adware, such as ezula and ARUpdate. I have also scanned my computer with other free applications and they found more problems. How can I make sure I get rid of all of it?
    I would appreciate any help you can give me.
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi rascal_brat_1

    Please follow ALL the instructions, and each step in this link, carefully:
    HOW TO? Read here about how to post your log!!

    Once you have downloaded HijackThis, create a permanent folder for it on your C: (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

    Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log and copy and paste the entire contents of the log here in this thread in your next reply.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. rascal_brat_1

    rascal_brat_1 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    3
    I downloaded HijackThis and scanned and saved the log, but now it tries to open in Adobe Photoshop and then says it cannot open because it does not recognize the file ext.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi rascal_brat_1,

    Find the hijackthis.log file and rename the extension to .txt so it looks like this: hijackthis.txt, then try to open it in Notepad.
     
  5. rascal_brat_1

    rascal_brat_1 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    3
    Here is log and thanks for the help.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:27:24 AM, on 7/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\CANON\MULTIPASS4\MONITR32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\THOFFICE\THOFFICE.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\MPS.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [monitr32] C:\PROGRAM FILES\CANON\MULTIPASS4\MONITR32.EXE I
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [help] "C:\windows\system\helper.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [THOffice] C:\Program Files\THOffice\THOffice.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37880.5013657407
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GINCARDS Class) - http://66.98.132.156/g_bin_eng/cards_2_0_0_36.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GINPOKER Class) - http://66.98.132.156/g_bin/poker_2_0_0_25.cab
    O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GINSLOTS70 Class) - http://66.98.132.156/g_bin/slots70_2_0_0_16.cab
    O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
    O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi rascal_brat_1,

    Before you begin, please create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis into its own folder. HijackThis must run from its own folder (not the Desktop or Temp folders) as it creates backups in the folder it is run from, so if you should delete something accidentally, then you'll have those backups to restore from.

    Then, in HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)


    These ones are optional to fix but recommended:

    (this is not needed. See here: http://www.windowsstartup.com/wso/detail.php?id=4062)
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

    (this is a resource hog and not needed in startup)
    O4 - Startup: Microsoft Office.lnk = D:\Program Files\Office\OSA9.EXE

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    (include these if you do not recognize them or want to keep them)
    O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GINCARDS Class) - http://66.98.132.156/g_bin_eng/cards_2_0_0_36.cab
    O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GINPOKER Class) - http://66.98.132.156/g_bin/poker_2_0_0_25.cab
    O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GINSLOTS70 Class) - http://66.98.132.156/g_bin/slots70_2_0_0_16.cab

    -----

    (I have no idea what these are for. Do you recognize them? If not, can you locate the files and right-click on them, choose Properties, and see if there is anything under the tabs to help identify what programs they are for)
    O4 - HKLM\..\Run: [THOffice] C:\Program Files\THOffice\THOffice.exe
    O4 - HKLM\..\Run: [help] "C:\windows\system\helper.exe "


    If you have not done so already, download one (or both) of these spyware removal programs:

    Ad-Aware6 build 6.181, install it, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Follow these instructions for setting up Ad-Aware for a full scan: How To Perform a "Full Scan" with Ad-Aware6. Do a full system scan and reboot when the scan is finished.

    Spybot Search&Destroy v1.3, install it, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    Post back a new hijackthis log in your next reply.

    Regards,

    snap
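The triage snapdragin does by hand above (an R0 entry with an empty value, an O3 toolbar registered with "(no file)", an O4 autostart nobody recognises, and O16 ActiveX downloads pulled from a bare IP address) can be written down as a small log checker. The script below is an added example and is not part of this thread or of HijackThis itself; it parses the "Oxx - ..." line format of a v1.97 log and applies those four heuristics. The sample lines are copied from the log posted earlier in the thread, and the KNOWN_AUTOSTART allow-list is a constructed, hypothetical list for this example (a real one is local policy), so an unrecognised name means "go look at the file", not "malware".

```python
import re
from dataclasses import dataclass, field

# Sample input: a handful of entries copied from the HijackThis v1.97.7 log
# posted earlier in this thread. Not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [help] "C:\windows\system\helper.exe "
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GINPOKER Class) - http://66.98.132.156/g_bin/poker_2_0_0_25.cab
"""

# Hypothetical allow-list of autostart names, constructed for this example from
# the entries snapdragin left alone in the thread. Treat it as local policy.
KNOWN_AUTOSTART = {
    "systemtray", "loadqm", "scanregistry", "taskmonitor", "loadpowerprofile",
    "ctfmon.exe", "monitr32", "schedulingagent", "mdm7",
}

# "R0 - <body>" / "O16 - <body>": section code, space-dash-space, rest of line.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 body: "<hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A download URL whose host is a dotted-quad IP instead of a hostname.
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass
class Entry:
    kind: str                 # section code, e.g. "O3"
    body: str                 # everything after "O3 - "
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Keep only lines that look like HijackThis entries; skip headers/processes."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def classify(entry: Entry) -> list:
    """Apply the same four checks a human reviewer applied in this thread."""
    flags = []
    if entry.kind in ("R0", "R1"):
        _, sep, value = entry.body.partition("=")
        if sep and not value.strip():
            flags.append("empty IE setting (cosmetic; safe to fix)")
    elif entry.kind == "O3" and entry.body.endswith("(no file)"):
        flags.append("toolbar CLSID registered with no backing file (orphan)")
    elif entry.kind == "O4":
        m = O4_RE.match(entry.body)
        if m and m.group("name").lower() not in KNOWN_AUTOSTART:
            flags.append(f"unrecognised autostart [{m.group('name')}]: "
                         "check the file's Properties before fixing")
    elif entry.kind == "O16" and RAW_IP_URL_RE.search(entry.body):
        flags.append("ActiveX (DPF) fetched from a bare IP address, not a hostname")
    return flags


def review_log(text: str) -> list:
    """Return only the entries that earned at least one flag, in log order."""
    flagged = []
    for e in parse_log(text):
        e.flags = classify(e)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(f"{e.kind} - {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample it reports exactly the four entries snapdragin singled out and stays quiet on the Google toolbar, the SystemTray autostart and the Macromedia download. The point of the allow-list design is that the checker never decides for you: it narrows a 150-line log to the handful of entries worth opening Properties on, which is the step the thread asks the poster to do.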
     