1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please help!

Discussion in 'Virus & Other Malware Removal' started by Z108, Feb 4, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Z108

    Z108 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    2
    Hi guys, tried everything I know, followed $teve’s advice to James61 on 23-Jan-2005 but still can't remove BullsEye and Serch Relevancy from add/remove programs (though removed lots of others, thanks) and also have problem with removing C:\WINDOWS\system32\services.exe. Could you help please.

    Logfile of HijackThis v1.99.0
    Scan saved at 20:44:34, on 04/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ZoneLabs\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AnVir Task Manager\AnVir.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Documents and Settings\Natasha\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AnVir Task Manager] "C:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c6.cab
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    First> you are running hijackthis from the temp folder, that's not good- you will lose it plus the backups it makes when the temp files are deleted (usually part of the fix- so move hijackthis.exe to a folder you create---make a new folder in Program Files, My Documents, or someplace that is a permanent folder...it must be in it's own, separate folder, seen like this:

    C:\Documents and Settings\Natasha\My Documents\hijack this\HijackThis.exe

    You can use My Computer to navigate to the My Documents folder, highlight that folder, at the top of window select File>New>Folder and rename it to hijackthis..you now have a separate folder to hold hijackthis.exe.

    You can simply download a new copy and ignore your old one.

    www.radiosplace.com
    ______________________________

    If you mean the following process, it is legitimate and needed.

    C:\WINDOWS\system32\services.exe

    It is OK when it is in System32, you may have read about service.exe, which is usually a trojan. One little letter IS a big difference in computer filenames. What told you services.exe is bad?

    You do have some malware.

    From Control Panel> Add/Remove Programs, uninstall::

    Bullseye Network
    Bargain Buddy or similar

    Get these:


    You will need both of these programs, and these versions...though you might have both, one or the other may be older than what I am posting and will not be as effective as they can be! You need to check the Build of AdAware you have, it's right on the main window, we are using AdAware SE personal edition (the free one) v. 1.05 now, and even though you are just installing it, it will have some detection updates just after you install it, unless you get very lucky!

    SpyBot Search and Destroy v. 1.3> is the latest. The older versions are abandoned and will not give you any more updates!

    Both of those programs are available here:

    http://www.majorgeeks.com/downloads31.html

    Here are the directions for installing, updating, and using them:
    AdAware:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.

    SpyBot 1.3:

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.


    Post a new Hijack log here, in your thread, as a reply.

    Running AdAware and Spybot will not completely take care of what you have, there is usually some manual deletion and a bit of hijackthis work to do.
     
  3. Z108

    Z108 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    2
    Thank you really lots, it does look much better now.
    Do you believe I got read of everything?

    Logfile of HijackThis v1.99.0
    Scan saved at 19:20:33, on 06/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ZoneLabs\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AnVir Task Manager\AnVir.exe
    C:\Program Files\Maxthon\Maxthon.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\hijack this\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AnVir Task Manager] "C:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, The log looks OK now! Good work. Let us know if you have any problems.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326789

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice