Topic: Zumlif's merged topic

Offline zumlif

  • Newbie
  • *
  • Posts: 21
Zumlif's merged topic
« on: October 05, 2006, 02:34:03 PM »
I have 2 unwanted icons in my lower L.H. toolbar. A yellow flashing triangle with an exclamation mark and a blue circle with a white question mark which alternates with a red circle with a diagonal red line. Also I keep getting a box with "System Alert...... click this balloon to download official security software". I use AVG antivirus, Spyware Catcher and ewido antispyware. I have run scans with all of these, I have used Add and Remove programs to get rid of VirusBurst but these 2 icons and their associated System Alert boxes persist. If I activate the red circle I think it loads VirusBurst again. The yellow triangle box says "System Alert: Trojan_Spy.Win32@mx". My scans showed several bits of spyware and Trojans and dealt with them. Any help gratefully received. On switching on today the red circle seems to have disappeared probably temporarily. I have run Hijackthis and have the log available. I now have "Security Alert:Networm-i.Virus@fp"
Celeron 2.4, 20g and 40g hdd, 512 ram, Nvidia graphics, XP Pro + SP2, broadband with router.

Offline zumlif

  • Newbie
  • *
  • Posts: 21
Re: Zumlif's merged topic
« Reply #1 on: October 05, 2006, 05:48:40 PM »
I have followed instructions and below is the result of running Smitfraudfix. I use AVG but it didn't trap my infection.

SmitFraudFix v2.105

Scan done at 18:32:40.76, 05/10/2006
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Phil


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Phil\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Phil\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\iMediaCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"="horologium"

[HKEY_CLASSES_ROOT\CLSID\{7be183d2-a42d-4915-bf60-ec86fbf002cf}\InProcServer32]
@="blank"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7be183d2-a42d-4915-bf60-ec86fbf002cf}\InProcServer32]
@="blank"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="interceptor.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Offline SpyDie

  • The Spyware Cooker
  • Administrator
  • Hero Member
  • *****
  • Posts: 2045
    • The LandzDown Forum
Re: Zumlif's merged topic
« Reply #2 on: October 05, 2006, 08:44:48 PM »
Hi & welcome to the LandzDown forum.

Could you have a go at this please?

First, please follow the instructions below.  You may want to print or save these instructions to text where you can access them in safe mode.

A. Please download the following:
  • Please download HijackThis© from:  http://www.thespykiller.co.uk/files/HJTsetup.exe .
    • At the download prompt, choose "Save".
    • Navigate to the saved file and double-click the installer, HJTsetup.exe.
    • HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
    • When the installation is complete, exit HijackThis.
  • Download CCleaner from this direct link:  http://www.ccleaner.com/downloadbin.asp?f=2
  • Download AVG Anti-Spyware from HERE.  Save the file to your desktop so you can locate it.
    • Double-click the AVG Anti-Spyware icon on the desktop to launch the set up program.
    • The installation will require a restart of the computer.

B. Launch AVG Anti-Spyware to update to the latest definition files.
  • On the main screen select the "Update" icon
  • Click "Start Update".  The update will start and a progress bar will show the updates being installed.
  • If you have problems with the updater, you can use this link to manually update AVG Anti-Spyware --   manual updates

C. AVG Anti-Spyware settings
  • Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • In the Settings screen click "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • DE-Select "Only if threats were found"
  • Close AVG Anti-Spyware

D. Instructions for using CCleaner:
  • Close all open programs, including Internet Explorer, Firefox and any instances of Windows Explorer.
  • Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • To protect logon cookies that you wish to retain, under Options > Cookies.  Select and using the arrow move those cookies to the "Cookies to keep" column.
  • Then select the following items
    • In the Windows Tab:
      • Clean all entries in the "Internet Explorer" section.
      • Clean all the entries in the "Windows Explorer" section.
      • Clean all entries in the "System" section except Windows Log Files.
    • In the Applications Tab:
      • Clean all in the Firefox/Mozilla section if you use it.
      • Clean all in the Opera section if you use it.
      • Clean Sun Java in the Internet Section.
      • Please UNcheck "Utilities" (i.e., Ad-Aware, AVG and other security program logs.)
  • Click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.

E. Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

F. Scanning and system cleaning with AVG Anti-Spyware.
  • Launch AVG Anti-Spyware by double-clicking the icon on the desktop. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • ewido will now begin the scanning process.  Be patient as this may take a little time.
  • While scanning, AVG Anti-Spyware will list any infections found on the left side.
  • When the scan is completed, the recommended action should be set to Quarantine.  If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware.

G. Restart in normal mode and run the Housecall online virus scan located at:  http://housecall.trendmicro.com/housecall/start_corp.asp

Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.  When the scan is finished, please restart your computer.

H. Double-click the HijackThis icon on your desktop.
  • Select "Scan"
  • When the scan is completed, select "Save log"
  • Select a name for this first log and a text file will be produced in Notepad.
  • Please have Word Wrap turned OFF in Notepad (Click Format > UNcheck Word Wrap).

H. Copy/paste the following logs as a reply to this thread:
  • AVG Anti-Spyware log
  • HijackThis log
      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #3 on: October 07, 2006, 08:27:22 PM »
      Thank you for your recommendations. I have followed your instructions. I found Housecall reluctant to run. It kept hanging. It eventually ran and took over 1-1/2 hours to run. It found a number of items and recommended a rescan which I did and it found another one. I tried rescanning today but it won't complete. It hung on "Preparing" and 2-1/4 mins. and stopped.

      Logfile of HijackThis v1.97.7
      Scan saved at 18:49:16, on 07/12/04
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\NORMAN\NVC\BIN\ZANDA.EXE
      C:\WINDOWS\EXPLORER.EXE
      C:\NORMAN\NVC\BIN\CCLAW.EXE
      C:\NORMAN\NVC\BIN\NVCSCHED.EXE
      C:\NORMAN\NVC\BIN\NJEEVES.EXE
      C:\NORMAN\NVC\BIN\NIP.EXE
      C:\WINDOWS\SYSTEM\SYSTRAY.EXE
      C:\PROGRAM FILES\OPISTAT\OPISTAT\OPISTAT.EXE
      C:\MY SCROLL\MYSCROLLRT.EXE
      C:\NORMAN\NVC\BIN\ZLH.EXE
      C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
      C:\DAP\DAP.EXE
      C:\E-TIME\ETIME.EXE
      C:\NORMAN\NVC\BIN\NYMSE.EXE
      C:\ROBOTYPE\ROBOTYPE.EXE
      C:\DREAMBREED DREAMBIRTHDAY\DREAMBIRTHDAY.EXE
      C:\BROWSER MOUSE\1.0\LWBWHEEL.EXE
      C:\WINDOWS\SYSTEM\WMIEXE.EXE
      C:\WINDOWS\SYSTEM\TAPISRV.EXE
      C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
      C:\WINDOWS\SYSTEM\DDHELP.EXE
      C:\WINDOWS\SYSTEM\SPOOL32.EXE
      C:\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
      C:\NORMAN\NVC\BIN\NIU.EXE
      C:\WINDOWS\SYSTEM\RNAAPP.EXE
      C:\HIJACKTHIS.EXE

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v21.co.uk/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://contexualsearch.com/searchbar.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v21.co.uk/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by V21
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
      N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/bookmark/7_0/tnetscape.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\h2a416n5.slt\prefs.js)
      N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_UK.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\h2a416n5.slt\prefs.js)
      O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\DAP\DAPBHO.DLL
      O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
      O2 - BHO: (no name) - {A5D6007D-C3F3-1154-3D80-9430820C232B} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
      O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\ONSPEED\PBHELPER.DLL
      O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
      O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Copernic Agent\CopernicAgentExt.dll
      O3 - Toolbar: Play One Great - {09EF72D8-98BA-7559-B720-8BC2678D0C2C} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
      O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
      O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OPISTAT\OPISTAT\OPISTAT.EXE
      O4 - HKLM\..\Run: [My Scroll] "C:\My Scroll\MyScrollRT.exe" -autorun
      O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
      O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
      O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
      O4 - HKLM\..\Run: [DownloadAccelerator] C:\DAP\DAP.EXE /STARTUP
      O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
      O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKCU\..\Run: [MPG E-Time ] C:\E-TIME\ETIME.EXE /s
      O4 - Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeed.exe
      O4 - Startup: RoboType auto-start.lnk = C:\Robotype\Robolib.rtl
      O4 - Startup: DreamBreed DreamBirthday.lnk = C:\DreamBreed DreamBirthday\DreamBirthday.exe
      O4 - Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
      O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Startup: LwbWheel.exe.lnk = C:\Browser Mouse\1.0\LwbWheel.exe
      O8 - Extra context menu item: &Download with &DAP - C:\DAP\dapextie.htm
      O8 - Extra context menu item: Download &all with DAP - C:\DAP\dapextie2.htm
      O8 - Extra context menu item: Search Using Copernic Agent - C:\Copernic Agent\Web\SearchExt.htm
      O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
      O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
      O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
      O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
      O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
      O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\ONSPEED\ONSPEED.EXE/227
      O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\ONSPEED\ONSPEED.EXE/250
      O9 - Extra button: Related (HKLM)
      O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
      O9 - Extra button: Run DAP (HKLM)
      O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
      O9 - Extra button: Copernic Agent (HKLM)
      O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing
      O14 - IERESET.INF: START_PAGE_URL=http://www.v21.co.uk/
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37959.6109143519
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab


      AVG
      AVG Anti-Spyware - Scan Report
      ---------------------------------------------------------

       + Created at:   18:34:04 06/10/2006

       + Scan result:   



      HKU\S-1-5-21-1177238915-1682526488-725345543-1003\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{8D40C074-7719-4484-8F94-2D76498E5BDD}\RP41\A0020105.dll -> Downloader.Agent.ayq : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{8D40C074-7719-4484-8F94-2D76498E5BDD}\RP40\A0019676.dll -> Downloader.Zlob.afe : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{8D40C074-7719-4484-8F94-2D76498E5BDD}\RP40\A0019694.exe -> Downloader.Zlob.anu : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{8D40C074-7719-4484-8F94-2D76498E5BDD}\RP41\A0020090.exe -> Downloader.Zlob.anu : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{8D40C074-7719-4484-8F94-2D76498E5BDD}\RP41\A0020106.exe -> Downloader.Zlob.anu : Cleaned with backup (quarantined).
      :mozilla.101:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
      :mozilla.102:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
      :mozilla.103:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
      :mozilla.140:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
      :mozilla.141:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
      :mozilla.81:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
      :mozilla.82:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
      :mozilla.92:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.93:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.94:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
      :mozilla.11:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
      C:\Documents and Settings\Phil\Cookies\phil@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
      :mozilla.110:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Com : Cleaned.
      C:\Documents and Settings\Phil\Cookies\phil@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
      :mozilla.23:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
      :mozilla.89:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
      :mozilla.90:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
      :mozilla.91:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
      :mozilla.27:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
      :mozilla.46:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
      :mozilla.26:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
      C:\Documents and Settings\Phil\Cookies\phil@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
      :mozilla.108:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
      :mozilla.120:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
      C:\Documents and Settings\Phil\Cookies\phil@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
      :mozilla.116:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.117:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.118:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.119:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
      :mozilla.24:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
      :mozilla.25:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
      :mozilla.67:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
      :mozilla.70:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
      :mozilla.71:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
      :mozilla.12:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
      :mozilla.14:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
      :mozilla.15:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
      :mozilla.6:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
      :mozilla.7:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
      :mozilla.72:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
      :mozilla.75:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
      :mozilla.78:C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\ot3odsfz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
      C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup (quarantined).
      C:\Program Files\Media-Codec\iesplugin.dll -> Trojan.Small : Cleaned with backup (quarantined).
      C:\Program Files\Media-Codec\isamonitor.exe -> Trojan.Small : Cleaned with backup (quarantined).
      C:\Program Files\Media-Codec\pmsngr.exe -> Trojan.Small : Cleaned with backup (quarantined).


      ::Report end

      I hope it all means something to you. I see Norman appears. That is some antivirus software I stopped using some while ago and I uninstalled it. It looks as if there are remnants of it left.
      zumlif


      Offline SpyDie

      • The Spyware Cooker
      • Administrator
      • Hero Member
      • *****
      • Posts: 2045
        • The LandzDown Forum
      Re: Zumlif's merged topic
      « Reply #4 on: October 08, 2006, 07:46:30 PM »
      Hi,

      Strange that HouseCall didn't work well. Let's see how this goes:

      Start HijackThis, close all open windows (if any) leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://contexualsearch.com/searchbar.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
      O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
      O2 - BHO: (no name) - {A5D6007D-C3F3-1154-3D80-9430820C232B} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
      O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
      O3 - Toolbar: Play One Great - {09EF72D8-98BA-7559-B720-8BC2678D0C2C} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
      O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
      O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD


      Please restart the computer and once back into Windows, re-scan with HijackThis, save a fresh logfile and post it here please.

      Also, please delete these folders:

      C:\PROGRAM FILES\CXTPLS\
      c:\Program Files\AutoUpdate\
      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'
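Several entries in the fix list above end in "(no file)" or "(file missing)": registrations that still exist although their target file is gone. The following added example (not part of the original post, and not HijackThis's own code) picks those out of a log and lists which hosts the Internet Explorer page values point at; the function names are hypothetical, and the sample lines are copied from the log posted in Reply #3. Entries whose files still exist are not judged by it and need a helper's review.

```python
import re
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log posted in Reply #3.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v21.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://contexualsearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://contexualsearch.com/searchbar.html
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\DAP\DAPBHO.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {A5D6007D-C3F3-1154-3D80-9430820C232B} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O3 - Toolbar: Play One Great - {09EF72D8-98BA-7559-B720-8BC2678D0C2C} - C:\PROGRAM FILES\32FUNK01\FLAW LOVE.DLL (file missing)
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""


class Entry(NamedTuple):
    code: str  # section code such as "R1", "O2", "O10"
    body: str  # everything after "CODE - "


ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"


def parse_log(text):
    """Keep only lines of the form 'CODE - body'; headers and process lists are skipped."""
    return [Entry(m.group(1), m.group(2))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def orphaned(entries):
    """Group O2 (BHO) and O3 (toolbar) registrations whose target file is absent.

    Keys are the lower-cased missing path, or "(no file)" when none is recorded;
    values are (section code, CLSID) pairs, so one missing DLL that is
    registered twice shows up as a single group.
    """
    groups = defaultdict(list)
    for e in entries:
        if e.code not in ("O2", "O3"):
            continue
        target = e.body.rsplit(" - ", 1)[-1]  # last field is the file
        if target == "(no file)":
            key = target
        elif target.endswith(MISSING):
            key = target[:-len(MISSING)].lower()
        else:
            continue  # file exists: not decided here
        clsid = CLSID_RE.search(e.body)
        groups[key].append((e.code, clsid.group(0).upper() if clsid else None))
    return dict(groups)


def ie_page_hosts(entries):
    """Map each host found in an R0/R1 value to the 'HIVE:value name' pairs using it."""
    hosts = defaultdict(set)
    for e in entries:
        if e.code not in ("R0", "R1") or " = " not in e.body:
            continue
        key, value = e.body.split(" = ", 1)
        host = urlsplit(value).hostname
        if host:
            hive = key.split("\\", 1)[0]
            hosts[host].add(f"{hive}:{key.rsplit(',', 1)[-1]}")
    return {h: sorted(names) for h, names in hosts.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for target, regs in orphaned(parsed).items():
        print("orphaned:", target, regs)
    for host, names in ie_page_hosts(parsed).items():
        print("IE pages:", host, names)
```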

      Offline SpiritWind

      • Jr. Member
      • **
      • Posts: 81
      "Old" version of HijackThis
      « Reply #5 on: October 08, 2006, 11:20:39 PM »
      :D Hi Zumlif:

      I see you took my recommendation on the pcmag forums to come here; very good. However, you are using an "old" version (1.97.7) of HijackThis; if possible, should uninstall it, then get the latest version by going to: http://www.thespykiller.co.uk/files/HJTsetup.exe and following the "Instructions" in SpyDie's 1st post about "properly" installing it.
           
      For the BEST in what counts in Life :

      www.tacf.org

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #6 on: October 09, 2006, 05:35:55 PM »
      Thank you SpyDie,
      I will do as you suggest. In the meantime I have run Housecall again and it seems to pick up the same malware/grayware each time. I decided to download the free trial version of PCCillin's security suite and ran a scan which took about 80 mins. Lo and behold there were the same infections again. They have all been quarantined so is the scan picking up the same stuff each time? Fortunately I have plenty of time as I retired 20 years ago. I live in London, UK and I buy a British magazine called ComputerActive which I think is very good. It is offering a couple of items at very advantageous prices to subscribers viz. MadeSafe Spyware pro and MadeSafe Home. They claim it is "Watertight security for your PC" so I think I will invest a few coppers in them.
      Best wishes.

      Offline SpyDie

      • The Spyware Cooker
      • Administrator
      • Hero Member
      • *****
      • Posts: 2045
        • The LandzDown Forum
      Re: Zumlif's merged topic
      « Reply #7 on: October 09, 2006, 08:50:00 PM »
      Hiya,

      I'm also from the UK, Bristol :)

      Have not heard of the program, so I can't recommend against it or for it, so it's entirely up to you - I will however, try and get some information about it.

      As to PCCillin, well it's from the same people who created the HouseCall online scan, so it'll use the same definition files. What you saw picked up in the HouseCall scan would be picked up in the program. I don't think HouseCall removed them all, so PCCillin should have made sure they were really gone. You can't trust an online scan 100%.

      Let me know how things get on.
      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #8 on: October 16, 2006, 04:51:42 PM »
      Hello Spydie and Spiritwind,
      Sorry to be so long replying but I have had some reloading hard disk problems. I have 2 disks, 20gb and 40gb. The larger was corrupted and the smaller was the infected one. I have now brought the larger only into service with no signs of viruses or what have you. I ran Hijackthis (new version) and none of the items appeared so I assume everything is OK. Thank you both very much indeed. It seems as if Spydie and I are almost neighbours, give or take a couple of hundred miles.
      One last thing - when I boot up, on the third b&w screen there are 2 lines with a choice of Microsoft Windows XP to load. I have now only 1 system. What can I do to skip this screen? It is not much of a problem but irritating. The first line doesn't seem to work properly and I have to select line 2 and press "enter" to boot.
      Best wishes.

      Offline SpyDie

      • The Spyware Cooker
      • Administrator
      • Hero Member
      • *****
      • Posts: 2045
        • The LandzDown Forum
      Re: Zumlif's merged topic
      « Reply #9 on: October 16, 2006, 05:49:22 PM »
      Hiya,

      Well the screen you talk about gets its "choices" from the file Boot.ini. First:

      Click Start, click Run, type sysdm.cpl, and then click OK. A new window will appear. Click the 'Advanced' tab, click 'Settings' under Startup and Recovery. Under the heading System Startup, click Edit. This will launch a new Notepad window with the contents of Boot.ini in it. Copy/paste the results.

      Other than this, are things OK now?
      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #10 on: October 17, 2006, 11:04:52 AM »
      Hello SpyDie,
      Herewith the result:-

      [boot loader]
      timeout=30
      default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
      [operating systems]
      multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

      Obviously now there is an almost duplicate entry. I looked at msconfig,boot.ini and there is the 2nd. line. Where do I delete it and which line?

      Everything is now running smoothly (until the next catastrophe)
      Regards.
      zumlif

      Offline SpyDie

      • The Spyware Cooker
      • Administrator
      • Hero Member
      • *****
      • Posts: 2045
        • The LandzDown Forum
      Re: Zumlif's merged topic
      « Reply #11 on: October 17, 2006, 05:37:14 PM »
      OK, first make a backup of the boot.ini file. You'll need to 'show hidden files and folders' because it's a hidden file by default.

      • Click Start.
      • Open My Computer.
      • Select the Tools menu and click Folder Options.
      • Select the View Tab.
      • Under the Hidden files and folders heading select Show hidden files and folders.
      • Uncheck the Hide protected operating system files (recommended) option.
      • Click Yes to confirm.
      • Click OK.
      Now, you should see the boot.ini file in C:\.

      Right-click on it and click 'Copy', then right-click and select 'Paste'.

      Editing this file incorrectly would render Windows basically useless, so before I go any further, please confirm which entry you have to choose when you boot up the computer? It is the 2nd line right?
      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #12 on: October 18, 2006, 09:03:50 AM »
      Hello SpyDie,
      OK, I have done that. Yes, it is the 2nd. line down on the boot screen which works.
      Regards

      Offline SpyDie

      • The Spyware Cooker
      • Administrator
      • Hero Member
      • *****
      • Posts: 2045
        • The LandzDown Forum
      Re: Zumlif's merged topic
      « Reply #13 on: October 18, 2006, 02:44:47 PM »
      Hi,

      Great and in which case, open up boot.ini by either opening it from C:\ (since it is now visible) or through the same way as you did before.

      Remove its current contents, so the Notepad window is blank, and copy/paste the box below:

      Code:
      [boot loader]
      timeout=30
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

      Which removes the first option, and changes the default to the real partition, this points the computer where Windows is actually located.

      Click File > Save, then restart the computer.

      Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'
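A check that can be run on a boot.ini before it is saved, as an added example that is not part of the original post: it parses the file, confirms that default= matches an [operating systems] entry, and reports menu entries that share a label. The function names and the present_rdisks parameter (the rdisk numbers the caller states are installed) are assumptions of this example; both sample files are copied from this thread.

```python
import re
from collections import Counter

# boot.ini as posted in Reply #10 (before the edit).
BEFORE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# Replacement contents given in Reply #13.
AFTER = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# multi(W)disk(X)rdisk(Y)partition(Z)\<directory>; group 3 is the rdisk number.
ARC_RE = re.compile(
    r"^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)\\", re.I)


def parse_boot_ini(text):
    """Return (settings, entries).

    settings: key/value pairs from [boot loader], keys lower-cased.
    entries:  (arc_path, label, switches) for each [operating systems] line.
    """
    section, settings, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")  # first "=" ends the key
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            settings[key.lower()] = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', value)
            label, switches = (m.group(1), m.group(2).split()) if m else (value, [])
            entries.append((key, label, switches))
    return settings, entries


def check(text, present_rdisks=None):
    """List problems that would give a confusing or unbootable boot menu.

    present_rdisks (optional, supplied by the caller): set of rdisk numbers
    that are installed; entries pointing elsewhere are reported.
    """
    settings, entries = parse_boot_ini(text)
    problems = []
    paths = [path.lower() for path, _, _ in entries]
    default = settings.get("default", "").lower()
    if default not in paths:
        problems.append("default= does not match any [operating systems] entry")
    for label, n in Counter(label for _, label, _ in entries).items():
        if n > 1:
            problems.append(f'{n} menu entries share the label "{label}"')
    for path in paths:
        m = ARC_RE.match(path)
        if not m:
            problems.append(f"not a multi() ARC path: {path}")
        elif present_rdisks is not None and int(m.group(3)) not in present_rdisks:
            tag = " (default)" if path == default else ""
            problems.append(f"rdisk({m.group(3)}) is not present: {path}{tag}")
    return problems


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check(text, present_rdisks={0}) or "no problems found")
```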

      Offline zumlif

      • Newbie
      • *
      • Posts: 21
      Re: Zumlif's merged topic
      « Reply #14 on: October 20, 2006, 01:25:11 PM »
      Hello SpyDie,
      It worked without any problems. All now seems to be OK and I can get back to merely wasting my time on the computer instead of struggling to make it work. I think we can now consider this topic closed.
      Once again, thanks very much. Your assistance has been invaluable.
      Best Wishes