Internet Explorer Not Working Right - Websearch


  • This topic is locked
6 replies to this topic

#1 Spearol

Spearol

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 11 November 2005 - 05:48 PM

I think my Internet Explorer IE 6 is broken. I have used my online banking for a few years. All of a sudden, last week, I can no longer access it. In attempting to track down the problem, I keep hitting one roadblock after another, described below. I just want to be able to use my online banking again.


My PC uses XP Professional Version 5.1 (Build 2600.xpsp_sp2_gdr/050301-1519: Service Pack 2) and Internet Explorer: 6.0.2900.2180 with Service Pack 2. (I cannot see the Internet Explorer version in the About Internet Explorer popup from the Internet Explorer menu. Version:, Cipher Strength:, Product ID: are all blank in the IE popup located under Help in menubar. However, MS Anti Spyware in the System Explorer’s Utility shows this version of Internet Explorer is 6.0.2900.2180.)

1. I ran Microsoft AntiSpyware Beta 1 and PC Security Shield (The Shield Antivirus 2005) several times in the last week. Many items were found and cleaned. I ran one more time as I was drafting my problem report and only one spyware item was found and removed.

2. Recently, instead of renewing my Norton Virus software, I purchased a download of PC Security Shield Pro Professional 2005 and installed it.

3. I do not know if this is related or not, but now when I access my bank website online http://www.kitsapcreditunion.org/ some of the pictures will not load and I cannot log in: https://www.kitsapcuhb.org/onlineserv/HB/ Instead I get the following JavaScript error:

STOP. JavaScript Check. Our Internet Access Service requires you to have JavaScript enabled on your browser. Please enable JavaScript in your browser's options, then retry. Retry.

4. So I searched the web on the JavaScript Check error and received advice to enable scripting as follows, however, it was already enabled.
Security Settings for Internet Options
Scripting
Active Scripting – Enable
Allow paste operations via script – Enable
Scripting of java applets - Enable

5. At one point I uninstalled PC Security Shield Pro Antivirus and Firewall. I have since reinstalled the Antivirus tool since it did not fix the javascript error.

6. I noticed another popup that kept coming up while I was trying to refresh my banking website after I would enable more security settings within the browser.

Dinst.exe – Bad image X The application or DLL c:\WINDOWS\dsr.dll is not a valid Windows image. Please check this against your installation disk. OK

First I attempted to search for this file and discovered that my Search window would not work. I navigated from Start to Search. The popup displays with no title in the title bar. A menu appears, but the popup sits there blank and I cannot search for files on my computer.

Secondly, I tried the Find functionality from Internet Explorer, but it doesn’t work either. The pop-up pops up, but the Find Next button is grayed out so I cannot search a web page. The Find pop-up will not close on Cancel, but only if I click on the red X.

The Find feature is also not working within Notepad.

Finally, I searched the web on this error message and was advised to repair and/or reinstall Internet Explorer.

7. I tried to reinstall using my XP install disk. It did not fix the problem, so I tried to find a version on the web; however, I cannot access the Microsoft update sites for some odd reason. The screens just show up as blank.

http://windowsupdate.microsoft.com/

http://update.microsoft.com/microsoftupdate/v6/default.aspx


8. http://www.foxnews.com website displays with lots of news stories, but the Latest Headlines webpart is blank.


9. Here is the HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 2:34:50 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINDOWS\ProDsl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\WINDOWS\system32\esskdei.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Starfish\TrueSync\TSTool.exe
C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\PROGRAM FILES\PCSECURITYSHIELD\SHIELDANTIVIRUS\VRRES.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Documents and Settings\Kathi\Local Settings\Temporary Internet Files\Content.IE5\8T0VYD2J\hijackthis_sfx[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Documents and Settings\Guest\My Documents\steves games\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [tcjlnak] c:\windows\system32\hsojoi.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Startup: PhotoWorks Acquire.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
O4 - Startup: PhotoWorks Upload Scheduler.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\PhotoWorksWiz.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46456702-B89C-42DE-A1D9-6169A8BFCB91}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe



#2 RavenMind

RavenMind

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 17 November 2005 - 02:16 AM

Hi and welcome to Bleeping Computer!

I'm sorry it's taken so long for someone to reply, but as you can see, it's pretty busy here. I am currently reviewing your log, and will be back to address your problem A.S.A.P. Please note that this is under the supervision of a fully certified Analyst.

Please subscribe to this thread by going to the top & clicking on Options > Track this topic, so that you are notified when a reply has been made.

Please be patient with me during this time.

Thank you,

RavenMind

#3 RavenMind

RavenMind

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 18 November 2005 - 12:34 AM

Hello again, and thank you for being patient while I reviewed your log!

Please copy then paste this page into Notepad & save it.
You may also want to print out a copy of these instructions so you can refer back to them offline. You may be asked to download some tools/programs, so please stay in Normal Mode unless otherwise directed. At the end of the fix you may choose to delete these tools, or keep them for future use.

In regard to your bank website… I’m not sure if this is malware related or not, so I’m going to start by having you run through the fix and clear your Java cache. If this doesn’t work then we’ll try a few other things once you’ve been given a clean bill of health.
  • Enable the viewing of hidden files/folders:

    Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.


  • Disable MSAS:

    Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
    • Right click the Microsoft AntiSpyware icon located in the system tray.
    • Click on Security Agents Status (Enabled)
    • Click on Disable Real-time Protection
  • Downloads:

    CleanUp!

    The Temp folders are a popular place for malware to hide out, plus installation programs tend to leave a lot of junk in there. Download and install CleanUp! to clean out your temps, but do not run it yet.


    dsrfix.zip by Atribune

    Save the file to your desktop.
    • Double-Click on dsrfix.zip and extract it to your desktop.
    • This will create a new folder on your desktop named dsrfix.
    • Do Not open that folder yet.
    Ewido Security Suite:

    Download & install Ewido, then update its database. Do not run it yet.


    AdAware SE Personal
    • Download and install the program, keeping the default options. However, some of the settings will need to be changed before your first scan.
    • Close ALL windows except Ad-Aware SE.
    • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
    • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
      • In the ‘General’ window make sure the following are selected in green:
        • Under [Safety]:
          • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under [Definitions]:
        • Prompt to update outdated definitions - set the [number of days]
    • Click on the ‘Scanning’ button on the left and select in green:
      • Under [Driver, Folders & Files]:
        • Scan Within Archives
      • Under Select drives & folders to scan:
        • choose all hard drives
      • Under [Memory & Registry]: all green
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URL’s
        • Scan my Hosts file
    • Click on the [‘Advanced’] button on the left and select in green:
      • Under [Shell Integration]:
        • Move deleted files to recycle bin
      • Under [Logfile Detail Level]: all green
        • include additional object information
        • DESELECT - include negligible objects information
        • include environment information
      • Under [Alternate Data Streams]:
        • Don't log streams smaller than 0 bytes
        • Don't log ADS with the following names: [CA_INOCULATEIT]
    • Click the ‘Tweak’ button and select in green:
      • Under [Scanning Engine]:
        • Unload recognized processes during scanning
        • Scan registry for all users instead of current user only
      • Under [Cleaning Engine]:
        • Let Windows remove files in use at next reboot
      • Under [Log Files]:
        • Include basic Ad-aware SE settings in logfile
        • Include additional Ad-aware SE settings in logfile
        • Please do not Select: Include Module list in logfile
    • Click on ‘Proceed’ to save the settings.
    • Exit the program. We will run it later.
  • Reboot into Safe Mode.

    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.


  • Program Removals:

    Uninstall the following entries via the Add/Remove panel (Start > Settings > Control Panel > Add/Remove Programs). Some programs may not appear; do not be alarmed, but please check for each.

    Best Offers Shopping (or similar)

    Ebates/MoeMoneymaker

    SpySpotter
    - This program is considered rogueware and should be uninstalled. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection, and may actually contain adware/spyware.

    PC Security Shield – I’m very sorry you purchased PC Security Shield. I’m going to leave the program as a strongly recommended optional. This program, while not having a main entry, is mentioned alongside other rogueware programs on the Rogue AntiSpyware List. In addition, other programs made by this company are listed as rogue, and are described as follows: “false positives work as goad to purchase; poor, misleading scan reporting; deceptive advertising/"scan" on home page; advertises through adware; recruits affiliates through spam; dubious corp. associations.” SpywareWarrior, the site that hosts the Rogueware list was even spammed by the VP of Affiliate Marketing for PCSecurityShield.com attempting to recruit them as an affiliate. Twice. Please read the entry under “Privacy Defender” here & the article here if you need further reasons why you should uninstall this program. If you are thinking about purchasing any security software in the future I would strongly urge you to check the rogue list, and/or ask around about it here or at another reputable forum. As far as removal is concerned, I will list the PC Shield entries in GREEN. (Please remove via Add/Remove first.)


  • Run a Scan with AdAware:
    • Launch AdAware
    • Click ‘Start’
    • Choose 'Perform Full System Scan'
    • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
    • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
    • Right-click on the list and choose [Select All]
    • Click the [Next] button to finish removing the items that were found
    • When finished, REBOOT (back to Safe Mode), to complete the removal of what Ad-Aware SE found
  • HijackThis Entry Fixes:

    Now run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [tcjlnak] c:\windows\system32\hsojoi.exe
    O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
    O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe

    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

    Please make sure to close all open windows & browsers, then click Fix Checked.


  • DSRFix:

    Open the dsrfix folder on your desktop.
    • Double-Click on dsrfix.bat
    • A window will pop up briefly then close, this is normal.
    Now reboot your system, (back to safe), and continue with the fix.


  • File Deletions:

    Delete the following FILES indicated in RED and FOLDERS indicated in BLUE, if they still exist.

    C:\WINDOWS\system32\esskdei.exe
    C:\Program Files\TBONAS
    C:\WINDOWS\Belt.exe
    C:\PROGRAM FILES\SPYSPOTTER
    c:\windows\system32\hsojoi.exe
    C:\Program Files\PCSecurityShield <<<FOLDER
    C:\Program Files\Ebates_MoeMoneyMaker


  • Clear Java Cache
    • Click "Start" > "Settings" > "Control Panel"
    • Click the "Java Plugin" icon
    • Click the "Cache" tab
    • Click the "Clear" button
    • Click "OK" to confirm
    Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel


  • Run Cleanup!

    Configure the program as follows:
    • Click Options...
    • Move the arrow down to Custom CleanUp!
    • Put a check next to the following:
      • Empty Recycle Bins
      • Delete Cookies
      • Delete Prefetch files
      • [X]Scan local drives for temporary files (Please uncheck this option)
      • Cleanup! All Users
    • Click OK
    • Press the CleanUp! button to start the program. Reboot when prompted.
    * CleanUp! will delete all the files in your temp folders without making a backup! If you have a 64 bit Operating System do NOT run CleanUp. Let me know and we will use another utility.


  • Ewido Scan:

    Run Ewido:
    • Click "Scanner"
    • Click "Complete System Scan" to begin scanning.
    • Click "OK" when prompted to clean files
    • With the first file it prompts to clean, select the option - "Perform action on all infections", choose "Clean" and click "OK".
    • Once finished, click the Save Report button
    • Save the report to your desktop
    Close Ewido


  • Reboot into Normal Mode.


  • Online Scan:

    Using Internet Explorer, perform an online scan with Panda ActiveScan
    ** click on "Free use ActiveScan" located on the top right hand corner
    • Click Scan your PC & a 'pop up' window will appear. (Ensure that your pop up blocker doesn't block it.)
    • Click Scan Now
    • Enter your e-mail address & click Scan Now
      It will begin downloading Panda’s 8 MB ActiveX control. (Be sure your Internet Explorer settings will accept the ActiveX)
    Begin the scan by selecting My Computer
    • If it finds any malware, it will offer you a report.
    • Click on see report. Then click Save report
  • Replacement AV:

    If you decided to remove PC Security Shield then you really need to get another antivirus on ASAP. You can go with Norton again if you like, but many consider it to be “bloatware”, a resource hog, and nearly impossible to remove from your system without formatting. Here are a few good free AVs you can try. I’ve personally used AVG and Avast, and both work well. Here are some free firewalls as well, since you mentioned having not reinstalled the PCSS firewall:
Please post the following items in your next reply:
  • Fresh HJT log run in Normal Mode
  • Panda scan log
  • Ewido log
  • How is your computer behaving now?
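As an added illustration of the kind of review the helper is doing on the log above (this is example code, not something from the thread, from BleepingComputer or from HijackThis itself), the Python below parses HijackThis-format lines and flags them by a few defender-side rules: entries matching the helper's fix list, a system.ini Shell= value that launches anything besides Explorer.exe (the F2 line that shows up in the follow-up log later in the thread), orphaned BHO/toolbar entries with "(no file)", autoruns started straight from the Windows directory root, and O17 DNS overrides that deserve a manual check. The sample lines are copied from the logs in this thread; the indicator list is only what the helper selected here and is not a general signature set.

```python
import re
from dataclasses import dataclass

# Indicators taken from the helper's fix list in this thread only (not a general signature set).
KNOWN_BAD = (
    "websearch.drsnsrch.com",
    r"\TBONAS\TBONlchr.dll",
    r"\hsojoi.exe",
    r"\dinst.exe",
    r"\Belt.exe",
    r"\SpySpotter.exe",
)

# A HijackThis line has the shape "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tcjlnak] c:\windows\system32\hsojoi.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{46456702-B89C-42DE-A1D9-6169A8BFCB91}: NameServer = 205.171.3.65 205.171.2.65
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (section, body); None for headers, process lists, blanks."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def classify(section, body, line):
    low = body.lower()
    # F2 Shell=: the default is exactly "Explorer.exe"; anything appended runs at every logon.
    if section == "F2" and low.startswith("reg:system.ini: shell="):
        shell_value = body.split("=", 1)[1].strip()
        if shell_value.lower() != "explorer.exe":
            return Finding(section, "high", "Shell= should be exactly Explorer.exe", line)
    # Entries the helper already selected for "Fix checked".
    for ioc in KNOWN_BAD:
        if ioc.lower() in low:
            return Finding(section, "high", f"matches fix-list entry {ioc}", line)
    # BHO/toolbar registrations whose DLL is gone: harmless leftovers, but worth clearing.
    if section in ("O2", "O3") and "(no file)" in low:
        return Finding(section, "review", "orphaned entry, file missing", line)
    # Autoruns launched from C:\WINDOWS\<name>.exe rather than a Program Files directory.
    if section == "O4":
        m = re.search(r"\]\s+\"?([^\"]+?\.exe)", body, re.IGNORECASE)
        if m and re.match(r"^c:\\windows\\[^\\]+\.exe$", m.group(1).lower()):
            return Finding(section, "medium", "autorun from the Windows directory root", line)
    # A NameServer override cannot be judged offline; confirm it belongs to the ISP.
    if section == "O17":
        return Finding(section, "review", "DNS server override; confirm it is your ISP's", line)
    return None


def triage(log_text):
    """Return the Finding for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            f = classify(*parsed, line.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample above the Acrobat BHO and the QuickTime autorun pass untouched, while the search hijack, the BestOffers BHO, the two odd autoruns, the orphaned BHO, the Shell= override and the DNS entry are reported. The rules are deliberately narrow; a real review still reads the whole log, as the helper does here.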


#4 Spearol

Spearol
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 27 November 2005 - 08:41 PM

Hi There,

Thank you sooo very much for responding. I was shocked that you actually did.

Could not download Panda, still cannot use online banking, still cannot use the MSUpdate site to get a new browser or get this one repaired. Find Next still doesn't work in the browser. And yes, the browser settings appear to allow scripting; they just still don't work, which is how I recognized I had the problem.

Best Offers still pops up. I couldn't remove Best Offers from Add/Remove as it required an online connection, but I think Ewido deleted it because it doesn't show up in Add/Remove Programs.

Couldn't remove PC Shield Firewall from Add/Remove either, for the same reason, and it is now partially removed from the file structure but still shows up in Add/Remove Programs. PC Shield could not be removed because of missing files removed during Ewido.

I removed what I could of PC Shield stuff and downloaded AVG per your suggestion. PC Shield may be what made it so I can no longer use Active X/Java controls - I don't know. But I was using online banking up until I installed that. I am just sick over this. Kathi


1. See HijackThis logfile below
2. I could not download the Panda stuff
3. See Ewido log below


Logfile of HijackThis v1.99.1
Scan saved at 5:27:35 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\WINDOWS\ProDsl.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Documents and Settings\Guest\My Documents\steves games\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Startup: PhotoWorks Acquire.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
O4 - Startup: PhotoWorks Upload Scheduler.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\PhotoWorksWiz.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46456702-B89C-42DE-A1D9-6169A8BFCB91}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:54:56 PM, 11/27/2005
+ Report-Checksum: 54DE002F

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1015.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1015.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKU\S-1-5-21-869750193-951796526-1614765859-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-869750193-951796526-1614765859-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
[872] C:\WINDOWS\system32\tmxjgsj.exe -> Trojan.Agent.cp : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20051127-134513-776.dll -> Spyware.ActivShopper : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\012F4B8A-1C00-4344-8179-CD688A\5961713B-3C33-42DA-AA6A-DA75C1 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2DC5CD6A-7121-4749-8B8E-08CAEF\E9353C6E-47EB-4C83-B6F5-6CE698 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3C67CB1E-81B4-44FA-B227-4E5B23\45EA88ED-8D18-42E0-BAA5-DCB4F2 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4B2B98CF-5F79-42B8-8B64-C56FFF\458C415C-43CE-4660-BBFA-8787E0 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\73DF0A48-83EB-48ED-B6C1-BEA4FF\CD8C9275-EDDF-41ED-8A3F-BCD88C -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7FBFF044-0925-4CBB-9D2A-8896D4\099E2535-79D3-4CCD-A6C1-DED8CC -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EC54234B-802A-4508-8615-65F4EF\F7403A04-44F4-4107-8B56-DA3A05 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FD0524A4-A327-4BD8-88A3-2E6DCC\EB318112-57E2-437D-9092-204B29 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FD0A924A-8098-4EC2-B435-44EB40\A3B2E310-AB0E-40F6-9BB4-EA5332 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1022\A0185351.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1032\A0187152.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1032\A0187168.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1032\A0187169.exe -> Spyware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1032\A0187170.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1034\A0187293.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1034\A0188284.exe -> Spyware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1034\A0188285.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1034\A0188287.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1035\A0189685.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1035\A0190680.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1035\A0190681.exe -> Spyware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1035\A0190683.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1036\A0190689.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1036\A0190690.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1036\A0190691.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1037\A0190704.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1037\A0190706.exe -> Spyware.AdSquash : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1037\A0190708.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1038\A0190747.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1038\A0190750.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1080\A0190764.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1080\A0190765.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1081\A0190782.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1083\A0191782.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0191795.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0191803.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0191813.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192073.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192076.dll -> Spyware.ActivShopper : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192077.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192078.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192079.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192084.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1084\A0192614.exe -> Trojan.Poler.a : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.ic : Cleaned with backup
C:\WINDOWS\SYSTEM32\tmxjgsj.exe -> Trojan.Poler.a : Cleaned with backup


::Report End

#5 RavenMind

  • Members
  • 21 posts
  • Local time:10:31 PM

Posted 28 November 2005 - 03:27 PM

Hi Kathi. I'm glad to see you were able to respond back! I am currently reviewing your log, and will get back to you A.S.A.P. :thumbsup:

RM

#6 Skate_Punk_21

Crapware Killing Canuck!


  • Members
  • 185 posts
  • Local time:12:31 AM

Posted 03 December 2005 - 06:32 PM

Hello! :thumbsup:
Ravenmind is gonna be away fer a bit so I'm gonna hijack this thread! haha


Download nailfix.exe from http://www.noidea.us/easyfile/file.php?dow...050711214630636

Boot Into Safe Mode
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Run Downloaded Program
1. Launch Nailfix.exe
2. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
3. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


Start HijackThis Fix
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe


Stop NT Service

Part 1
* Click Start>Run, type services.msc into the Open editbox and click the Ok button.
* Locate the "System Startup Service" service and double-click on it to open the Properties dialog.
* Click the Stop button.
* In the Startup type dropdown select Disabled.
* Click the Apply button and then the Ok button.
* Close the Services window
Part 2
* Click Start>Run, type cmd into the Open editbox and click the Ok button.
* Copy/paste the line below into the Command Prompt window and press the Enter key:
* sc delete SvcProc
* Close the Command Prompt window
Reboot your system in Normal Mode.


Downloads again...
Download FindIt's.zip http://www.bleepingcomputer.com/forums/ind...e=post&id=40938 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient...

Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat. Save that file and post it here.


Please post a fresh Hijack This log and FindIt log

Edited by Skate_Punk_21, 03 December 2005 - 06:38 PM.


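As an added example (it is not from the thread, from HijackThis, or from any of the tools named above), the Python script below reads pasted HijackThis log lines and flags the two entries Skate_Punk_21 asks to fix, the F2 Shell chain and the O23 service whose binary is missing, plus a few lower-confidence items that deserve a second look when reading a log like the one posted above. The sample lines are copied from that log; the rule set, severity labels and function names are the example's own assumptions.

```python
"""Triage helper for pasted HijackThis log lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in this thread, plus
# benign entries (Acrobat BHO, AVG, NVIDIA) so the filter has something to skip.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O17 - HKLM\System\CCS\Services\Tcpip\..\{46456702-B89C-42DE-A1D9-6169A8BFCB91}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = matches the thread's fix list; "info" = worth a second look
    section: str   # HijackThis section code: F2, O2, O4, O17, O23
    reason: str
    line: str


# An absolute Windows path, optionally quoted, e.g. "C:\Program Files\x.exe"
_ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match the persistence patterns seen in this thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        if section == "F2" and "Shell=" in line:
            # The Winlogon shell should be exactly Explorer.exe; anything appended
            # to it is started alongside Explorer at every logon (Nail.exe above).
            extra = [t for t in line.split("Shell=", 1)[1].split()
                     if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("high", section,
                                        "Winlogon shell chain-loads " + " ".join(extra), line))

        elif section == "O2" and line.endswith("(no file)"):
            # Orphaned BHO registration: the DLL is gone, the CLSID entry is not.
            findings.append(Finding("info", section,
                                    "BHO registration whose DLL no longer exists", line))

        elif section == "O4":
            # Run entries without an absolute path are resolved through PATH, so
            # the log alone does not say which binary actually starts. rundll32
            # entries carry their DLL path after the host name and are skipped.
            m = re.search(r"\] (.+)$", line)
            target = m.group(1) if m else ""
            if target and not _ABS_PATH.match(target) and not target.upper().startswith("RUNDLL32"):
                findings.append(Finding("info", section, "Run entry has no absolute path", line))

        elif section == "O17" and "NameServer" in line:
            # Per-interface DNS override: fine when it is the ISP's resolver,
            # a hijack when it is not, so surface it for a manual check.
            servers = line.split("NameServer =", 1)[1].split()
            findings.append(Finding("info", section,
                                    "per-interface DNS servers " + ", ".join(servers)
                                    + "; confirm they belong to the ISP", line))

        elif section == "O23":
            reasons = []
            if line.endswith("(file missing)"):
                reasons.append("service binary is missing from disk")
            if "Unknown owner" in line:
                reasons.append("no vendor in the file's version info")
            if reasons:
                sev = "high" if line.endswith("(file missing)") else "info"
                findings.append(Finding(sev, section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n        {f.line}")
```

The two "high" hits it produces for the sample are exactly the F2 and O23 lines the post above says to tick in HijackThis; the "info" hits (an orphaned BHO, a Run entry without a path, the DNS servers) are things a reviewer confirms by hand rather than fixes blindly.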
#7 sUBs


  • Malware Response Team
  • 2,489 posts
  • Local time:12:31 PM

Posted 15 December 2005 - 08:18 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



