Adware problems again

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
:confused:
A few months ago several of you helped me get rid of hundreds of adware threats. The Thread is still available, although closed, but I'm not sure just exactly what to do. I now have 3 adware threats that show up on Norton. I've been running Spybot & Spyware Blaster, but these were able to sneak in anyway. I'm still not comfortable with just jumping in and trying to get rid of these because of further horrendous things that I could do.

I'll appreciate help and I'll stay calm!!
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
Here's the log file--thanks. J

[email protected]ile of HijackThis v1.99.0
Scan saved at 6:56:45 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Google\ggviewer67-9.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\IWEATH~1\MiniBug.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CTURO1QB\HijackThis[1].exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\IWEATH~1\MiniBug.exe 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Tao Quote.lnk = ?
O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09885af48b07dc31cb21/netzip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E59EFD3A-8531-4F74-85D1-2EA90DC2D3D4}: NameServer = 63.168.39.7 12.162.136.13
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
Did I do something wrong? Did I post the wrong thing? I haven't heard the next step. Thanks so much for help.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
hi, Don't know why they did not respond...things are pretty busy here lately tho.

Nothing bad shows in your log.
You can fix this item:

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

Unless, you know what it was for and are going to reinstall that...

I don't know what the TAO quotes are, if they are normal and something you use, OK. Daily Tao quotes as in Chinese sayings I guess?


HJT:
Next time however, you need to be using Hijackthis from within it's own folder, which you have to make> you have it running in temp location now, not good as the backups it makes when and if you have to use it remove anything will be lost> Sometimes, we need the backups to put back something that a user may inadvertently do (not that we would! ;) )

So, simply create a new folder somewhere like My Documents or Program Files and move hijackthis.exe to that folder> in other words it would show something like this for the path:

C:\Program Files\Hijackthis\highjackthis.exe
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
1st things 1st--Yes, it's quotes from the Tao de Ching. I teach qigong.

Now, to the other stuff. When I run NAV, it tells me 3 Adwares Found. One is IExploreSkins.exe (c\docs & Settings/owner/localsettings/Temp/temp.cab)
toolbar.dll (c\docsand settings/Owner/Local/Temp/tempcab)
toolbar.dll (c\ProgramFiles/SearchToolbar)

Probably do want to get rid of the toolbar reference above. What is the IExplore--no, that's not the question. Do I care about the IExplore??

Tell me how to get rid of, please. :eek:
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I would like to see a more recent HJT log please.

If you do not have Hijackthis now, here is a link to download it:

www.radiosplace.com

In the list on the left, hijackthis.exe
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
Now I'm gonna prove I don't know what to do. I did reinstall Hijack t his, per your above. If I try to open it, it tells me no, don't do that--it's a temporary file so please copy it to another folder.

I've tried everything I know to copy it--into Docs, into Program Files--can't do it. Get the message that the source and the destination are the same. Should I just go on and run the hijack from the temporary place? And then save the log, as you previously suggested and post it here? Thanks
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
OK--I took a chance and just did it--here's the new log. Thanks. J

Logfile of HijackThis v1.99.1
Scan saved at 4:58:48 PM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Google\ggviewer67-9.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\IWEATH~1\MiniBug.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\IWEATH~1\MiniBug.exe 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Tao Quote.lnk = ?
O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09885af48b07dc31cb21/netzip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E59EFD3A-8531-4F74-85D1-2EA90DC2D3D4}: NameServer = 63.168.39.7 12.162.136.13
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, To create the folder to hold hijackthis:

Open My Computer, highlight the folder you want such as My Documents> then, while it is highlighted, at the top select File>New>Folder and it will be created as New Folder....while New Folder is there, type over with what you want to name it, something like HJT or whatever you will recongnize. Next step> either download a new copy to the folder you created> or simply drag and drop OR Copy/Paste it to the folder...yes, you can copy and paste basic .exe files this way with no problem....

Then, you should have hijackthis.exe inside it's own folder.


You do not have any items to remove however...but,you will be all set when and if you do!


Let's see if this will help remove what was found before:

Boot to Safe Mode> to do this, when you restart the computer, start tapping F8 key when you first see text on screen, you should eventually get the startup menu, select down to Safe Mode with your arrow key, and press Enter to get to Safe Mode, give it plenty of time to reach the desktop as it boots more slowly this way.

DO>

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Also navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Open Windows Explorer>

In the list on the left side, find c\ProgramFiles/SearchToolbar\Toolbar.dll <delete the file

Delete the Search toolbar folder.

Check for these that should have been deleted but most likely are hanging on> temp.cab
and whatever else you had posted that was found as Adware this or that...

Empty the Recycle Bin, once you see that nothing in there is anything you need.


Restart the computer, and run the various scans one at a time, make sure you have latest updates for programs...remove what they find.

Post a new log if you like when done...I don't think it will show anything but best to check it out.
 

Zanderthecat

Thread Starter
Joined
Jul 6, 2004
Messages
35
OK--Thanks much. I've done what you said above. I'll just ignore my everyday scan with NAV and tell it to "ignore" when it gets to these 3 items. Got burned with all of this last year and now I'm just cautious. :)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top