1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Adware problems again

Discussion in 'Virus & Other Malware Removal' started by Zanderthecat, Feb 7, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    :confused:
    A few months ago several of you helped me get rid of hundreds of adware threats. The Thread is still available, although closed, but I'm not sure just exactly what to do. I now have 3 adware threats that show up on Norton. I've been running Spybot & Spyware Blaster, but these were able to sneak in anyway. I'm still not comfortable with just jumping in and trying to get rid of these because of further horrendous things that I could do.

    I'll appreciate help and I'll stay calm!!
     
  2. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
  3. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    Here's the log file--thanks. J

    [email protected]ile of HijackThis v1.99.0
    Scan saved at 6:56:45 PM, on 2/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Google\ggviewer67-9.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\IWEATH~1\MiniBug.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CTURO1QB\HijackThis[1].exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\IWEATH~1\MiniBug.exe 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Tao Quote.lnk = ?
    O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09885af48b07dc31cb21/netzip/RdxIE601.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E59EFD3A-8531-4F74-85D1-2EA90DC2D3D4}: NameServer = 63.168.39.7 12.162.136.13
    O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  4. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    Did I do something wrong? Did I post the wrong thing? I haven't heard the next step. Thanks so much for help.
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    hi, Don't know why they did not respond...things are pretty busy here lately tho.

    Nothing bad shows in your log.
    You can fix this item:

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    Unless, you know what it was for and are going to reinstall that...

    I don't know what the TAO quotes are, if they are normal and something you use, OK. Daily Tao quotes as in Chinese sayings I guess?


    HJT:
    Next time however, you need to be using Hijackthis from within it's own folder, which you have to make> you have it running in temp location now, not good as the backups it makes when and if you have to use it remove anything will be lost> Sometimes, we need the backups to put back something that a user may inadvertently do (not that we would! ;) )

    So, simply create a new folder somewhere like My Documents or Program Files and move hijackthis.exe to that folder> in other words it would show something like this for the path:

    C:\Program Files\Hijackthis\highjackthis.exe
     
  6. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    1st things 1st--Yes, it's quotes from the Tao de Ching. I teach qigong.

    Now, to the other stuff. When I run NAV, it tells me 3 Adwares Found. One is IExploreSkins.exe (c\docs & Settings/owner/localsettings/Temp/temp.cab)
    toolbar.dll (c\docsand settings/Owner/Local/Temp/tempcab)
    toolbar.dll (c\ProgramFiles/SearchToolbar)

    Probably do want to get rid of the toolbar reference above. What is the IExplore--no, that's not the question. Do I care about the IExplore??

    Tell me how to get rid of, please. :eek:
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I would like to see a more recent HJT log please.

    If you do not have Hijackthis now, here is a link to download it:

    www.radiosplace.com

    In the list on the left, hijackthis.exe
     
  8. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    Now I'm gonna prove I don't know what to do. I did reinstall Hijack t his, per your above. If I try to open it, it tells me no, don't do that--it's a temporary file so please copy it to another folder.

    I've tried everything I know to copy it--into Docs, into Program Files--can't do it. Get the message that the source and the destination are the same. Should I just go on and run the hijack from the temporary place? And then save the log, as you previously suggested and post it here? Thanks
     
  9. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    OK--I took a chance and just did it--here's the new log. Thanks. J

    Logfile of HijackThis v1.99.1
    Scan saved at 4:58:48 PM, on 2/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Google\ggviewer67-9.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\IWEATH~1\MiniBug.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\IWEATH~1\MiniBug.exe 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Tao Quote.lnk = ?
    O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SmartUI.lnk = ?
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09885af48b07dc31cb21/netzip/RdxIE601.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E59EFD3A-8531-4F74-85D1-2EA90DC2D3D4}: NameServer = 63.168.39.7 12.162.136.13
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, To create the folder to hold hijackthis:

    Open My Computer, highlight the folder you want such as My Documents> then, while it is highlighted, at the top select File>New>Folder and it will be created as New Folder....while New Folder is there, type over with what you want to name it, something like HJT or whatever you will recongnize. Next step> either download a new copy to the folder you created> or simply drag and drop OR Copy/Paste it to the folder...yes, you can copy and paste basic .exe files this way with no problem....

    Then, you should have hijackthis.exe inside it's own folder.


    You do not have any items to remove however...but,you will be all set when and if you do!


    Let's see if this will help remove what was found before:

    Boot to Safe Mode> to do this, when you restart the computer, start tapping F8 key when you first see text on screen, you should eventually get the startup menu, select down to Safe Mode with your arrow key, and press Enter to get to Safe Mode, give it plenty of time to reach the desktop as it boots more slowly this way.

    DO>


    Open Windows Explorer>

    In the list on the left side, find c\ProgramFiles/SearchToolbar\Toolbar.dll <delete the file

    Delete the Search toolbar folder.

    Check for these that should have been deleted but most likely are hanging on> temp.cab
    and whatever else you had posted that was found as Adware this or that...

    Empty the Recycle Bin, once you see that nothing in there is anything you need.


    Restart the computer, and run the various scans one at a time, make sure you have latest updates for programs...remove what they find.

    Post a new log if you like when done...I don't think it will show anything but best to check it out.
     
  11. Zanderthecat

    Zanderthecat Thread Starter

    Joined:
    Jul 6, 2004
    Messages:
    35
    OK--Thanks much. I've done what you said above. I'll just ignore my everyday scan with NAV and tell it to "ignore" when it gets to these 3 items. Got burned with all of this last year and now I'm just cautious. :)
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/327838

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice