[Done]Here is the other machine with problems

Discussion in 'adware, spyware & hijack cleaning' started by nico2002831, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    This is the second one I mentioned in the proir post.
    Again I already ran Spybot and AdAware.
    Please help.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:45:26 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\tsa\tsm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\AIM95\aim.exe
    C:\PROGRA~1\COMMON~1\tsa\ts.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D4FF-ED78A787AD2D} - (no file)
    O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
    O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSTRAF\Cache\SelectedContextSearch.htm
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8326736111
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Here is the other machine with problems

    Hi nico2002831

    Press Ctrl+Alt+Del and 'end task' on any of the follow that are present:

    idctup20.exe
    tsm.exe
    SQInstaller.exe


    Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
    Make sure all browser and all Windows Explorer windows are closed before fixing

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D4FF-ED78A787AD2D} - (no file)
    O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - (no file)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\

    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

    O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe

    O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe

    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSTRAF\Cache\SelectedContextSearch.htm

    NOTE.........even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\Program Files\TV Media <------folder
    C:\WINDOWS\System32\idctup20.exe
    C:\PROGRA~1\COMMON~1\tsa <---folder

    Then reboot and use AdAware as described :
    HERE

    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Re: Here is the other machine with problems

    Hi Thanks for helping out again.
    I followed your instruction and it is better bt still not clean.
    When I run Spybot there are a few items that will not go away even with a startup scan.
    2 items under VX2/f
    and 2 items under Xupiter.orbitexplorer

    Here is the new Hijack this log

    Logfile of HijackThis v1.97.7
    Scan saved at 10:00:02 PM, on 7/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8326736111
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Here is the other machine with problems

    Hi :)


    that's "weird" - I can't find it in the log..... but......

    try this for Xupiter.orbitexplorer:

    http://www.doxdesk.com/parasite/Xupiter.html

    ........

    As Spybot "warning" to: 2 items under VX2/f - that seems to be a "bug" - I had the same "problem" and I IGNORED it for now ! Patrick from spybot knows about it!

    One little "clean-up" - let HJT fix this:

    R3 - Default URLSearchHook is missing

    click "Fix checked" and reboot

    Otherwise your log looks clean to me :) Great Job
    :D
     
  5. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Re: Here is the other machine with problems

    Hi Marianna,
    I followed the instructions on the link you sent and now when I scan with Spybot S&D the Xupiter entry no longer shows up.
    But the VX/2 still shows.
    The entries are as follows
    HKEY_USERS\S1-5-18\Software\MxTarget Registry Key
    HKEY_USERS\DEFAULT\Software MxTarget Registry Key

    You mentioned it was a bug so I guess I will leave it alone.
    Just prior to following the instructions for the Xupiter removal I got a pop up that took up the entire screen and was difficult to close. do you think this was a Xupiter problem which should now be gone?

    Thanks so much for the assistance!!!
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Here is the other machine with problems

    Hi :)

    Could you run HIjackThis again and post a fresh log? thanks :)
     
  7. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Re: Here is the other machine with problems

    Here is the new log, it looks like some stuff came back.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:07:12 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\explorer.exe
    C:\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8326736111
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Here is the other machine with problems

    Hi nico

    Download cwshredder here Close all browser windows and click on the fix/next button.

    Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
    Make sure all browser and all Windows Explorer windows are closed before fixing

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.i--search.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg

    NOTE.........even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:/WINDOWS/sys.reg

    Then reboot and use AdAware as described :
    HERE

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.

    Problem gone?
     
  9. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Re: Here is the other machine with problems

    Hi Marianna,
    This is very wierd!!!
    I follwed your instructions and all looked OK in Hijack this but as soon as I click "Save Log" in Hijack This small IE window with a "w" in it pops up then goes away, then I get an error saying "Windows cannot find 'mms:///'. Make sure you typed the name correctly, and then try again, To search for a file, click the start button, then click search"

    Then out of curiosity I rescan with Hijack this and all of the i-search entries are back!!!!
    I went through the cleaning process again and just for troubleshooting purposes instead of running hijack this, I launched Notepad by itself "because this is what Hijack this Launches when you click save log"
    and it happened again!!!
    It looks like something latched onto notepad or something.
    Any ideaso_O
     
  10. nico2002831

    nico2002831 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Re: Here is the other machine with problems

    Hi Marianna,
    I think I fixed it, I looked at the file size of notepad.exe on the infected machine and it was 20kb but on a clean machine with the same OS it was 65kb so I copied it from the clean machine and replaced the bad one on the infected machine and it seems to be OK now.

    I really appreciate all the help you have provided!!!
     
  11. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Here is the other machine with problems

    HI Nico :)

    SUPER ! Thanks for your feedback !

    Happy Safe computing !
     
Thread Status:
Not open for further replies.