please help me sort out the hijack this results

Discussion in 'adware, spyware & hijack cleaning' started by JimBeam, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. JimBeam

    JimBeam Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    I share a lot of music and sometime last night I must have gotten this dropper thing, not like i know what the hell it is. Its a dropper Sobi something, its hard to read it because the screen is spinning so damn fast...

    Every time the anti-virus stuff scans it either misses it, as in the case of AVG or in NOD32, it just crashes with that spinning screen thing. Help! I'm basicaly at my wit's end!

    this is what I got out of Hijack this:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:58:01 PM, on 6/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\APOINT\APOINT.EXE
    C:\PROGRAM FILES\MAXTOR\ONETOUCH\UTILS\ONETOUCH.EXE
    C:\WINDOWS\MXOALDR.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\MXOSTRAY.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\APOINT\APWHEEL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\PROXOMITRON NAOKO-4\PROXOMITRON.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [SynTPLpr] C:\PROGRA~1\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\PROGRA~1\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AlpsPoint] c:\windows\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR\ONETOUCH\UTILS\ONETOUCH.EXE
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\RunServices: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: Dell Home - {6B3B8BC0-6E5F-11D4-8889-502654C10000} - http://www.dellnet.com (file missing) (HKCU)
    O9 - Extra button: (no name) - {950B1B49-9E0B-4475-A916-8C409D543BC6} - (no file) (HKCU)
    O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/c...23/SLCmpser.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com...ex/HMAtchmt.ocx
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  2. JimBeam

    JimBeam Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Is there anybody out there? Help, please!!!
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    JimBeam,

    Before you start, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis off the desktop and into it's own folder. HijackThis must run from it's own folder as it creates backups in the folder it is ran from, so if you should delete something you needed, you will be able to restore it from the backups.

    Place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    (if you did not set this up this way yourself, then fix it too)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080

    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    (this is optional but recommended to be fixed as it's a resource hog)
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: Dell Home - {6B3B8BC0-6E5F-11D4-8889-502654C10000} - http://www.dellnet.com (file missing) (HKCU)
    O9 - Extra button: (no name) - {950B1B49-9E0B-4475-A916-8C409D543BC6} - (no file) (HKCU)

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


    Download CWShredder.
    Make sure ALL browsers and any open windows are closed before running CWShredder.
    Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

    Clear your IE cache: open IE --> Tools --> Internet Options --> click on "Delete Files" and put a check in the box for "Off line contents", click OK, then click the "History" button, then click "yes" to clear it, then "OK" to close the Internet Options Panel.

    And delete the contents of your Temp folder (but not the Temp folder itself).

    ****

    Download Spybot Search&Destroy, install, and bring it up-to-date by pressing the "OnLine" button, then the "Search for Updates" button.

    1. Put a check inside the items listed for download and install them.
    2. Then click on "Check for Problems". Have Spybot remove all that it lists in RED.
    3. Once Spybot S&D is finished removing the items, close the program and restart your computer.

    Download Ad-Aware6, install, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file.

    Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6.


    Then followup with an on-line scan: Free Services

    I am also seeing 3 antivirus programs, Norton's, NOD32, and AVG6. It is not a good idea to have more than one antivirus running resident. Turn 2 of them off and just have one running resident, and use the other two as backup on-demand scanners. Not only having 3 antivirus programs starting up with windows can create an unstable system, it also drains resources quite quickly, especially on a Win98 computer.

    You mentioned you were having problems with your Windows Media Player. It is possible the player was corrupted by CWS. You can download a new copy of it from here and install it to replace the corrupted WMP.

    Please post a new hijackthis log here in this thread.

    Regards,

    snap
     
  4. JimBeam

    JimBeam Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    Umm, how do I create the folder thing? like in windows explorer?

    --Jim

    Oh yeah, and also, I went and tried an online virus scanner at House Call-Trend Micro, just 10 minutes ago, and it said /i had a "CHM.Psyme.Y" in my temporary internet files.
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jim,

    Yes, just click on Start --> Programs --> Windows Exporer. Then in the top menu of Windows Explorer, click on File --> New --> Folder. Give the folder a name and move Hijackthis.exe into that new folder. Open the new folder and double-click Hijackthis.exe to run it.

    Just saw your added comment there in your post about the CHM.Psyme.Y in the Temp folder. If the on-line scan wasn't able to remove the infected file, then boot your computer into safe mode by tapping your F8 key just before windows begins (or you can follow the instructions here for getting into Safe Mode

    Once in safe mode, empty the entire contents of the Temp folder (do not delete the Temp folder itself though) along with emptying IE's Temporary Internet Files (instructions above), then reboot your computer normally and run Hijackthis and post a new log.


    Regards,

    snap
     
    Last edited: Jul 2, 2004
  6. JimBeam

    JimBeam Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    So after I did all of the above instructions (except for the spybot, see below) I did another hijack, it is below.

    When I ran Spybot S and D it crashed in the middle with the revolving blue screen that said "Trojan Horse Siboco AVG" and then I had to restart.

    Also, when I went to delete the temp files it refused to show me any files in windows explorer.
    So should I do that safe mode thing still?

    --Jim




    Logfile of HijackThis v1.98.0
    Scan saved at 1:21:04 AM, on 7/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\APOINT\APOINT.EXE
    C:\PROGRAM FILES\MAXTOR\ONETOUCH\UTILS\ONETOUCH.EXE
    C:\WINDOWS\MXOALDR.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\MXOSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\WINDOWS\APOINT\APWHEEL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [SynTPLpr] C:\PROGRA~1\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\PROGRA~1\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AlpsPoint] c:\windows\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR\ONETOUCH\UTILS\ONETOUCH.EXE
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi JimBeam,

    At the moment, your log looks clean. I am not seeing any sign of infection there.

    Yes, reboot your computer into safe mode again and clean out the Temp folder and your IE's Temporary Internet Files.

    Make sure you have Hidden Files and Folders Viewable
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab.
    Under the "Hidden files and folders" heading, select Show hidden files and folders.
    UN-check the "Hide protected operating system files (recommended)" option.
    Then click Yes.

    Do another on-line scan and let us know if anything else is detected.

    Also, you can run both AdAware and Spybot Search & Destroy in safe mode too. Turn off your antivirus programs so they do not interfer with the scan.

    Regards,

    snap
     
  8. JimBeam

    JimBeam Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    6
    O.K. When you said the Temp folder did you mean the temporary internet folder or the file in windows called "Temp"?

    (When I ran CWShredder it said I was clean, this was the first time around, right after I fixed the Hijack-this stuff.)

    Anyways, even now, Spybot crashes to the spinning screen about halfway into the scan.

    AVG alternates between saying I'm clean and then two hours later crashing with spinning screen jig.

    That TDS-3 job, took 6 hours last night to scan, even after I disabled AVG, Norton, and NOD32--only to crash to same spinning screen.

    I attempted to follow the Media player link but explorer said it wasn't there, but then again, it started saying a lot of other things weren't there too, that I was pretty sure was, like for example, this forum.

    I've got more, but IU'm at work now, I'll try again when I get home.

    Thanks again for all your help.

    --Jim
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jim,

    Yes, if you have a C:Temp folder and a C:\Windows\Temp folder, then delete the contents of those Temp folders (but not the Temp folder themselves)

    I'm at a bit of a loss as to what could be causing this 'spinning screen' you are getting. Are you getting an error messages just before this happens?
    And what does the message from Internet Explorer say when you can't access a webpage?

    The details of any error messages you are getting when Spybot S&D, NOD, TDS3, etc., start to crash, would probably help alot. ;)

    Regards,

    snap
     
Thread Status:
Not open for further replies.