Do you have Adware, Spyware, Virus/Trojan or a Browser Hijacker?
Senior Member
21. November 2004 @ 17:26
Do you have Adware, Spyware, Virus/Trojan or a Browser Hijacker??

Even if you don't have any of the above that you know of, running these programs will help you keep clear of these nasties and keep your computer in tip top shape.


First program to run is

Adaware SE Personal, a free program by Lavasoft, which you can download from
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1

First off, after you have installed this, click on the Update Icon which looks like



Click on the Connect button, this will search and make sure it has the latest updates.

If it doesn't have the latest updates it will say it has found updates.

Click on Ok, if it has the latest, click on Finish with the Green Tick.

Now the updating is done, now it's time to scan your computer.

Click on the Start button at the bottom right hand side of the screen, then click Next.

This is now scanning your Hard drive for Adware, this may take a little while depending on your hard drive size and the amount of files you have.

Once it has finished click Next.

It will now show you the Critical Objects.

Right click somewhere in that area then select Select all objects.

Now click on the Negligible Objects tab then do the same.

Then click Next. It will now say, XX objects will be removed. Continue?

Click on Ok.

Now you can close the program and run Spybot.


The Second program to run is

Spybot - Search and Destroy, also another free program, which you can download from

http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=lst-0-2

Ok, like Adaware, you will need to update this.

You can do this by clicking the Update Icon which looks like this



Now click on the Search for Updates button at the top of the screen.

This will connect to the Spybot servers and check to see if there are any updates.

If there are, they will be listed in the white space below the buttons, otherwise it will say No New Updates.

Click on the CheckBoxes next to each of the updates then click on Download Updates.

Ok, now you're all up to date, click on Search & Destroy on the top left hand side, then click on Check for Problems.

The speed will vary once again from Hard Drive size etc.

This in most cases takes longer than Adaware.

Once it's scanned, they should have Ticks already in the Check Boxes, if they don't, tick them.

Now click on Fix Selected Problems near the Check for Problems button.

Now that you have run those, now it's time to run an Online Virus Scan.

Go to http://housecall.trendmicro.com

Under the Scan Your PC heading, click on Scan Now. It's Free!

Now from the drop down box, select the Country you are from then click Go.

Once it has updated you are ready to select your hard drive and scan.

If you are running Windows XP, you will need to choose the Install ActiveX when the warning bar appears, otherwise it won't go any further.

Click in the Check Box next to the drive you want to scan (eg C:\) then on the right hand side Click in the Check Box near AutoClean.

Now click on Scan.

Let that scan. It will then display if you have any viruses, and if it can't auto clean, click on the file then click on Delete on the right.

[NEW ADDITION 13/12/04]

How to Remove Browser Hijacker

Download Adware Away (free 5 day trial) from

http://www.download.com/Adware-Away/3000-8022_4-10342100.html?tag=lst-0-1

Open up Adware Away

Now click on the Scan Button, and this will do a scan on some potential security issues.
It will also see if there is a keylogger installed.

3/4 of the way through this scan, it will say detect keylogger, make sure you press ENTER and not click on the button.

Once it has completed, click Next.

Generally it will have a few SERVICE: xxx -- Not Necessary, you don't really need to worry about that, and usually there is a C:\Windows\System32\userinit.exe, you don't need to worry about that either. If there is anything else, put a tick then go Fast Fix.

Now on the left hand side click on Remove Hijackers.
Down the bottom it will have Scan All.

Once it has scanned it will show something like Totally Found [xx] Malware Objects!

Scan About:Blank Hijacker ... Start
Scan About:Blank Hijacker ... Finished
Scan About:Blank Hijacker (Real blank page ) ... Start
Found [10] About:Blank Hijacker (Real blank page ) Objects.
Scan About:Blank Hijacker (Real blank page ) ... Finished
Scan About:Blank Hijacker Variant 5 ... Start
Found [0] About:Blank Hijacker Variant 5 Objects.
Remove About:Blank Hijacker Variant 5 ... Finished

Now, find About:Blank Hijacker (Real blank page ) in the top right hand box, then select Remove.

You will now see something like
Remove About:Blank Hijacker (Real blank page ) ... Start
The following operation will make your desktop disappear, don't worry about it.
Totally [10] About:Blank Hijacker (Real blank page ) Objects were removed.
Remove About:Blank Hijacker (Real blank page ) ... Finished

Click on Scan All again, and it should now say - Totally Found [0] Malware Objects!

Move onto the next one, which is Remove Adwares. Do the same to Adwares, Spywares and Trojan & Worms.

Now you are complete.

Now you should be Adware, Spyware and Virus FREE.

I recommend that you run these every week or every fortnight to keep your computer clean and running nice, with no nasties (except Adware Away as it's only a 5 day trial).

CJC

This message has been edited since posting. Last time this message was edited on 12. December 2004 @ 14:46

tarroso
Suspended due to non-functional email address
24. November 2004 @ 01:42
Help! I don't know what else to do!
I've scanned my system with Ad-aware, Spybot and Hijackthis. I've also made a scan with Norton Antivirus. These are all updated, I've done this today. I think I still have something, because I can't open google.com (only google.fi) or hotmail.com.
The Hijackthis gave me the following results:

Logfile of HijackThis v1.97.7
Scan saved at 13:26:12, on 24-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\mshepl.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Cisco Systems\VPN Client\cvpnd.exe
C:\Programas\Ficheiros comuns\EPSON\EBAPI\eEBSVC.exe
C:\Programas\Ficheiros comuns\EPSON\EBAPI\SAgent2.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Virtual CD v4 SDK\system\vcssecs.exe
C:\Programas\Norton Internet Security\ccPxySvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\eu\Ambiente de trabalho\HijackThis.exe
C:\Programas\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pesquisa.clix.pt/ie5.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clix.pt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer disponibilizado por Clix
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uminho.pt:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (cópia 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P29 "EPSON Stylus CX3200 (cópia 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [UStorage] c:\programas\u-storage tools2.1\ustorage.exe sys_auto_run C:\Programas\U-Storage Tools2.1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [xjggtzhjkfr] C:\WINDOWS\system32\xjotdxy.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\osk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sitecom WLAN Client Utility.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38083.4124421296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2

If someone could help me I would appreciate it, because I really don't know what's going on. Thanks!
Senior Member
24. November 2004 @ 14:12
Sorry for the delay, been busy at work.

Go in and delete 4mtcsb.exe file

Click in the boxes next to these and click Fix


C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\mshepl.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pesquisa.clix.pt/ie5.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clix.pt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer disponibilizado por Clix
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uminho.pt:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing

**O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe (Don't know what this is, if you do, keep it, if not tick)

O4 - HKLM\..\Run: [xjggtzhjkfr] C:\WINDOWS\system32\xjotdxy.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\osk.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2

CJC
tarroso
Suspended due to non-functional email address
25. November 2004 @ 08:58
I've done everything except deleting that file because it seemed like my easy start button needed that. I've scanned my computer with norton antivirus, F-Secure, Spybot, Ad-Aware, Hijackthis and Giant Antispyware. F-Secure found some trojans and renamed them. I deleted the renamed files. Still I have problems, I still can't connect to google.com, msn.com, symantec.com, windows update and now it's very difficult to connect to msn messenger. I'm starting to believe the best option is to format the whole thing, because no one seems to know what's up with my computer :(
Anyway, I appreciate the help, and I hope someone will help me until Saturday, otherwise I will spend Sunday backing up my disks.
Senior Member
25. November 2004 @ 11:44
Hey

Try deleting your Temp files and Temp Internet Files.

By the sounds of it your computer has been pretty well infected with a fair bit of stuff.

It's possible the trojan/virus etc has changed something in the HOSTS file which is telling your computer to look elsewhere for those sites.

CJC
tarroso
Suspended due to non-functional email address
25. November 2004 @ 13:01
Hi,

Well, I did all that but then I noticed some weird DNS servers which appeared in the HijackThis logs of other people with the same problem. Then I went to my network connections settings and I found out that there were 4 DNS servers in the favorites. Two of them were very alike and so I assumed that they were the "real" ones. The other two were those I mentioned, and they were active. I deleted them from the favorites and I put again the "real" ones (one as alternate). I made a reboot and now everything seems ok, I think I will see how it goes for a couple of days and if it's not ok I will post here again and have my disks formatted. Do you think I messed up? Thank you very much for your help :)
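
The manual check described in the post above, spotting unfamiliar DNS servers in the O17 line of a HijackThis log, can be scripted. This is an added example, not part of the original thread; the expected resolver range and the function names are assumptions for illustration.

```python
import ipaddress
import re

# HijackThis O17 lines report TCP/IP settings read from the registry, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a,b,c
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\.+?): (?P<name>\w+) = (?P<value>.+)$")

# Assumption: the two addresses the poster treated as the "real" ones sit in
# this range. On a real machine, use the resolvers your own ISP publishes.
EXPECTED_NETWORKS = ["194.100.224.0/24"]

# First and third lines are copied from the log on this page; the second is
# constructed to show that non-NameServer O17 values are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{99FA1E8A-704B-4512-83E1-79720170518C}: NameServer = 209.47.15.118,64.157.143.38,194.100.224.4,194.100.224.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.lan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o17(log_text):
    """Yield (registry_key, value_name, [values]) for every O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # The NameServer registry value may be comma or space separated.
            values = [v for v in re.split(r"[,\s]+", m["value"].strip()) if v]
            yield m["key"], m["name"], values


def unexpected_resolvers(log_text, expected_networks):
    """Return (registry_key, value, reason) for each suspicious DNS entry."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for key, name, values in parse_o17(log_text):
        if name.lower() != "nameserver":
            continue
        for value in values:
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((key, value, "not an IP address"))
                continue
            if not any(addr in net for net in nets):
                findings.append((key, value, "outside expected resolver ranges"))
    return findings


if __name__ == "__main__":
    for key, value, reason in unexpected_resolvers(SAMPLE_LOG, EXPECTED_NETWORKS):
        print(f"{value}: {reason} ({key})")
```

A hit only means the address is not one you expected; confirm with the ISP or network administrator before changing the adapter settings.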
Senior Member
25. November 2004 @ 14:12
At least it's working :-)

Glad you kind of got it sorted.

If you have any more problems, post away.

CJC
tarroso
Suspended due to non-functional email address
25. November 2004 @ 22:21
Well, I just wanted to say that those "strange" DNS servers weren't recognized by the company from which I get the internet connection. So I guess they were really fake.
tarroso
Suspended due to non-functional email address
25. November 2004 @ 22:22
By the way, here they are:

209.47.15.118
64.157.143.38
Senior Member
25. November 2004 @ 23:54
The First IP is registered to:
Colosseum Online Inc. COLOSS-VLAN155-BLK1

The Second IP is:
Level 3 Communications, Inc.

CJC
tarroso
Suspended due to non-functional email address
26. November 2004 @ 00:01
Is that suspicious? I mean it isn't legitimate, is it?
Senior Member
26. November 2004 @ 00:05
Both those places look like they could be an ISP or a large company cause they both have a fair amount of IPs, so it could just be one of their clients.

I think it's suspicious

CJC
tarroso
Suspended due to non-functional email address
26. November 2004 @ 00:09
OK, but they're gone anyway and all I have is the ones that my internet company gave me. Thanks!
DopeFreak
Member
6. December 2004 @ 16:16
Get McAfee Anti Spyware it is the best by far but use both adaware se McAfee gets rid of major spyware that fuks up the computer adaware only catches the minor

Butterfly
AfterDawn Addict
6. December 2004 @ 19:16
So does Norton Internet Security. IMO Norton is the best by far.
Senior Member
6. December 2004 @ 20:01
I agree with Geestar20. Using all types of AntiVirus etc programs on not only my computer, but customer computers, Nortons is one of the best.

CJC
tarroso
Suspended due to non-functional email address
7. December 2004 @ 03:09
yes, i thought norton was the best, but it didn't detect anything and f-secure detected some trojans. so i don't know what to think. anyway i think my computer is still healthy, and that's what matters to me.
AfterDawn Addict
7. December 2004 @ 04:17
Quote:
i thought norton was the best, but it didn't detect anything and f-secure detected some trojans
The Norton 2005 and Internet Security detects Viruses and spyware and has a personal firewall...what more can you ask for.

Quoted from nortons web site:
Quote:
Symantec's Norton Internet Security 2005 provides essential protection from viruses, hackers, and privacy threats. Norton AntiVirus is the world's most trusted antivirus solution.* Norton Personal Firewall keeps personal data in and hackers out. And Norton Privacy Control, Norton AntiSpam, and Norton Parental Control safeguard you and your family from other common online risks.
http://www.symantec.com/sabu/nis/nis_pe/features.html

This message has been edited since posting. Last time this message was edited on 7. December 2004 @ 04:18

tarroso
Suspended due to non-functional email address
7. December 2004 @ 05:25
ok, you're probably right, i didn't have the norton 2005, i had the version that came with my computer about 6 months ago, the firewall and the antivirus. i'll check the new version. thanks!
DarrenOk
Newbie
7. December 2004 @ 05:39
I have just uninstalled Adaware 6.0 latest update which identified no problems. I installed Adaware se personal and it has found approx 100. Make your own conclusions up.
AfterDawn Addict
7. December 2004 @ 06:11
I don't think Adaware 6.0 updates any more??

But I know Adaware se personal is constantly updated, and it's free as 6.0 is not.
DarrenOk
Newbie
7. December 2004 @ 06:37
Thanks for that. Does anyone know much about Navexcel. It is a big pain, I have uninstalled it as everyone says using control panel, add/remove programs. But immediately after doing this startup on Win XP after I pick my sign on name is very very slow. When it eventually gets to my desktop I get the message "The Navexcel search toolbar has been successfully uninstalled. Some files may still be in use and will be removed when windows is restarted." I then have to choose ok/cancel. I have restarted many times and this message still comes up and logon takes ages. Anyone have any ideas? I have contacted Navexcel, no response yet though.
DopeFreak
Member
7. December 2004 @ 13:15
Norton doesn't get the viruses out of the system files that run windows. McAfee does, i tried both of em out, but norton is better to get rid of downloaded and installed files, that's it.

Butterfly
minibarr
Suspended due to non-functional email address
23. December 2004 @ 19:35
Just wanted to say thanks for all the info CJC. Was going crazy trying to figure out which ones to use. I have norton anti virus but I understand now that it is simply not enough. You saved me a lot of foot work thru the net. This is a great site!
ghillie
Newbie
9. January 2005 @ 06:03
Download 'Hijack This', run it at next startup before running any programs, and then remove this line:
O4 - HKLM\..\RunOnce: [NavExcelBar.dll] rundll32.exe "C:\WINDOWS\remover.dll",_remove@16
Presto, it's gone (it worked for mine)
 