spybot problem

Discussion in 'adware, spyware & hijack cleaning' started by littleidiot, May 28, 2004.

Thread Status:
Not open for further replies.
  1. littleidiot

    littleidiot Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    I install Spybot but it doesn't run. Maybe something is blocking it. I opened an email with a pf file and then both Outlook Express and Spybot don't run. Now I reinstall Spybot but it doesn't run either. What can I do?
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi there,

    Please follow the instructions over here: https://www.wilderssecurity.com/showthread.php?t=15913

    Then create a folder on your C: drive and unzip HijackThis into it. Do not put HijackThis in the Temp folders or on your Desktop as backups there will be easily lost. Once HijackThis is in its own folder, double-click the HijackThis.exe file to open the program, then click the "Scan" button. Once the scan is finished, the Scan button will change into a "Save Log" button. Save the log and open it in Notepad, then copy and paste ALL the contents of the log here in a reply post.

    Please do NOT fix anything in HijackThis until advised by an Expert. Most of what it lists will be harmless and even essential to your computer's operation.

    Regards,

    snap
     
  3. littleidiot

    littleidiot Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    hijack this done (what must i do now?)

    After an email with a pf file my Outlook Express and Spybot don't work. I run adware and HijackThis. This is the log. What must I do now? Thnx




    Logfile of HijackThis v1.97.7
    Scan saved at 3:34:09 πμ, on 29/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\FlashGet\JetCar.exe
    C:\Documents and Settings\motokouzi\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/el/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37663.435462963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E9F9F50-587B-4BBA-94F9-0CE469B53545}: NameServer = 195.170.0.2 195.170.2.1
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi littleidiot,

    Before you begin, please create a new, permanent folder on your C: drive and move HijackThis.exe out of the temp folder and into the new folder.
    HijackThis creates backups in the folder it is run from, and running it from a temp folder will result in lost backups.

    Once you have moved HijackThis into its own folder, scan with it again and place a check beside the following items. Make sure you close ALL browsers and any open windows (except HijackThis) then click the *Fix checked* button.

    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

    Boot your computer into safe mode by tapping the F8 key just before Windows begins to load.

    Then find and delete the following listed in bold:
    C:\Program Files\MyWay <--entire folder
    C:\WINDOWS\System32\winupd.exe <--file

    Reboot your computer normally, then post a new hijackthis log here in this thread, to be checked.

    Regards,

    snap
     
  5. littleidiot

    littleidiot Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    I found 3 files with winupd.exe: 1) winupd.exeopen, 2) winupd.exeopenopen, 3) winupd.exeopenopenopen, but I deleted only the first.
    Now? o_O

    here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:36:34 πμ, on 29/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hi\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/el/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37663.435462963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
    Last edited: May 29, 2004
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi littleidiot,

    Good job. Just a leftover:
    Check the following item in HijackThis and click Fix checked:

    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe

    Please read How did this happen and can I prevent it?

    Regards,

    Pieter
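
Added example, not part of the original thread: the leftover check done by eye above (comparing the earlier fix list against the follow-up log) can be scripted. The function names and the trimmed log subset are assumptions made for this illustration; the entry lines are copied from the posts above.

```python
import re

# Entry lines look like "O4 - HKCU\..\Run: [name] path": a section code
# (R0, R1, O2, O16, ...) then " - ". Header and process lines do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

def parse_entries(text):
    """Return (section, detail) tuples for every entry line in a log or fix list."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def _key(entry):
    # Compare case-insensitively with whitespace collapsed: forum copy/paste
    # can change spacing, and Windows paths are case-insensitive.
    section, detail = entry
    return section, " ".join(detail.split()).lower()

def leftovers(fix_list, followup_log):
    """Entries from the fix list that still appear in the follow-up log."""
    present = {_key(e) for e in parse_entries(followup_log)}
    return [e for e in parse_entries(fix_list) if _key(e) in present]

# The items the helper asked to fix, as posted in the thread.
FIX_LIST = r"""
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
"""

# A subset of the follow-up log from the thread, trimmed to keep this short.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\System32\winupd.exe
"""

if __name__ == "__main__":
    for section, detail in leftovers(FIX_LIST, FOLLOWUP_LOG):
        print(f"still present: {section} - {detail}")
```

A registry entry that survives a fix usually means the value was rewritten after removal or the fix was not applied, so a non-empty result is the cue to re-check that item.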
     
  7. littleidiot

    littleidiot Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Thnx, I've done it, but what about my Outlook and Spybot? They still don't work. And I think that my PC is working slowly. I think.. I'm waiting for news, thnx!
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  9. littleidiot

    littleidiot Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Hi, I'm here again. Message on my screen: "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability Windows must restore the original versions of these files. Insert your Win XP CD-ROM now." Then I put in the Win XP CD-ROM and it tells me that all is working excellently. But after a few minutes the message is on again. Help..
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi littleidiot,

    You can force the replacement.

    Click Start > Run > type or copy & paste sfc /scannow (if you type, there is a space between sfc and /scannow)
    In this case make sure the Windows CD is inserted before you click OK.

    Regards,

    Pieter
     