RANDRECO.exe keeps coming back!
Posted by: n05tr4d4177u5
Can someone please help? No matter how many times I delete randreco.exe and jfsauo.exe from my Windows and system32 folders, they keep coming back, and they run processes. Can someone take a look at my HijackThis log file and tell me what to fix?
Logfile of HijackThis v1.97.7
Scan saved at 9:48:31 PM, on 12/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\installer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Tweak-XP\Tweak-xp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\jfsafuo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jim\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {60F06ACA-B076-CE7F-1D2B-01B08026E4CA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\System32\server.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [zikxohdsa] C:\WINDOWS\system32\jfsafuo.exe
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [mouse] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global User Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global User Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Hearts - [url]http://download.games.yahoo.com/games/clients/y/ht1_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/pote_x.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - [url]http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
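A log like the one above is usually read by hand, entry by entry. The following is an added example (not code from this thread, from HijackThis, or from any of the tools recommended in it) of doing the same triage programmatically: it parses the R/O entry lines, flags the patterns that the helpers in this thread act on (autoruns pointing at binaries dropped straight into the Windows directory with random names, orphaned `(no file)` entries, a changed proxy bypass list, the O10 LSP hijack, and ActiveX downloads from hosts outside an allowlist), and diffs two logs so you can see what a cleanup actually removed. The sample lines are copied from the first log posted above; the "after" sample, the trusted-host list and the `dumprep` allowlist are assumptions for illustration.

```python
"""Triage a pasted HijackThis log.

Added example, not code from this thread or from HijackThis itself. Parses
the R/O entry lines, flags the patterns the helpers act on, and diffs two
logs. The allowlists below are assumptions; maintain your own.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_TAG_RE = re.compile(r"\[/?url\]")            # forum [url]...[/url] wrappers

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
KNOWN_WINDOWS_AUTORUNS = {"dumprep"}             # XP crash reporting (assumption)
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "download.games.yahoo.com"}

# Constructed sample: entry lines copied from the first log in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\System32\server.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zikxohdsa] C:\WINDOWS\system32\jfsafuo.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - [url]http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab[/url]
"""
# Constructed: the same entries once a cleanup has worked (assumption).
LOG_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Return (section, body, line) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = URL_TAG_RE.sub("", raw).strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body"), line))
    return entries


def _target_path(cmd):
    """Executable of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0]
    return path.lower().replace("%systemroot%", "c:\\windows")


def triage(log_text):
    findings = []
    for sec, body, line in parse(log_text):
        tail = body.rsplit(" - ", 1)[-1].strip()     # last field: path or URL
        value = body.split(" = ", 1)[-1].strip()     # R-entry value
        if "(no file)" in body:
            findings.append(Finding(sec, "orphaned entry, its file is gone", line))
        elif sec in ("R0", "R1") and "ProxyOverride" in body:
            findings.append(Finding(sec, "proxy bypass list changed", line))
        elif sec in ("R0", "R1") and value.lower().startswith("http"):
            findings.append(Finding(sec, "start/search page set to a remote URL", line))
        elif sec == "O2" and tail.lower().startswith(WINDOWS_DIRS):
            findings.append(Finding(sec, "BHO loaded from the Windows directory", line))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                path = _target_path(m.group("cmd"))
                name = path.rsplit("\\", 1)[-1]
                if path.startswith(WINDOWS_DIRS) and name not in KNOWN_WINDOWS_AUTORUNS:
                    findings.append(Finding(sec, "autorun of a binary dropped in the Windows directory", line))
            elif body.endswith("= ?"):
                findings.append(Finding(sec, "startup shortcut with unresolvable target", line))
        elif sec == "O10":
            findings.append(Finding(sec, "Winsock LSP chain hijacked", line))
        elif sec == "O16":
            host = urlparse(tail).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(sec, f"ActiveX download from untrusted host {host}", line))
    return findings


def diff_logs(before, after):
    """(removed, added) entry lines between two logs of the same machine."""
    old = {line for _, _, line in parse(before)}
    new = {line for _, _, line in parse(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.section:<4}{f.reason}: {f.line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries removed, {len(added)} added")
```

The O4 rule is the one that matters for "it keeps coming back": deleting `jfsafuo.exe` while the `[zikxohdsa]` Run value and the running process are still there just gets the file re-created, so the autorun entry and the process come first and the file last. The `(no file)` rule only catches leftovers; they are harmless but are exactly what a before/after diff should show disappearing.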
Posted by: southernlady
n05tr4d4177u5, welcome to Tech Forums. I'll be glad to help, but I need you to do a few things. One, you have an old copy of HijackThis and I need you to get an updated version.
Go here and download the newest version of HijackThis (version 1.98.2):
[url]http://www.majorgeeks.com/download3155.html[/url]
Create a folder on your hard drive somewhere like in "My Documents" or in My Programs, but [b]NOT[/b] on the desktop or in a temporary folder; that creates problems if you do. Name it Hijackthis and unzip HijackThis to that folder. The reason for this is that HijackThis backup files may be deleted if it is being run from a temporary folder.
Next, turn off System Restore: [url]http://www.spyware911.net/forum/index.php?showtopic=16[/url]
Then please download Ad-Aware from the link below first:
[url]http://www.majorgeeks.com/download506.html[/url] Scan it with your A/V first, then
install it and update it before scanning. In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favorites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognized processes
during scanning.' Also in 'tweaks' under 'cleaning engine' set it to
'Automatically try to unregister objects prior to deletion' & 'let Windows
remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object.
Reboot
And post a new log. Liz
Posted by: n05tr4d4177u5
Thank you very much for responding to my post. Here is the new HijackThis log. I did everything you said.
Logfile of HijackThis v1.98.2
Scan saved at 1:08:13 AM, on 12/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Tweak-XP\Tweak-xp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {60F06ACA-B076-CE7F-1D2B-01B08026E4CA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\System32\server.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [mouse] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global User Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global User Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Hearts - [url]http://download.games.yahoo.com/games/clients/y/ht1_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/pote_x.cab[/url]
Posted by: southernlady
You've been hijacked by something called Newdot.net.
Go to Add/Remove programs and uninstall these:
QuickSearch Search Bar
New.Net (NewDotNet)
If New.Net will not uninstall do the following:
First Click [url]http://www.spyware911.net/downloads.htm[/url] to download LspFix
You may not need it, but go ahead and download it just in case.
Now go [url]http://www.spyware911.net/downloads.htm[/url] and download and run the New.Net uninstaller.
If you lose your internet connection after running the New.Net uninstaller, Run LspFix, and click the "I know what I'm doing" checkbox. (Don't do anything else)
Then click Finish.
That should restore the internet connection.
Then scan again with AdAware SE just like you did before.
Restart your computer.
Then go [url]http://www.majorgeeks.com/download2471.html[/url] and download Spybot Search & Destroy.
Install the program and launch it.
Before scanning press Online and Search for Updates .
Put a check mark at and install all updates.
Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in [COLOR=red]RED[/COLOR].
Restart your computer.
Come back here and post another Hijack This log and we'll get rid of what's left. Liz
Posted by: n05tr4d4177u5
Hello SouthernLady, I have installed Spybot Search & Destroy and deleted what it found. Here is the 3rd HijackThis log.
Logfile of HijackThis v1.98.2
Scan saved at 1:16:31 PM, on 12/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Tweak-XP\Tweak-xp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60F06ACA-B076-CE7F-1D2B-01B08026E4CA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\System32\server.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [mouse] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global User Startup: Instant Wireless Configuration Utility.lnk = ?
O4 - Global User Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Hearts - [url]http://download.games.yahoo.com/games/clients/y/ht1_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/pote_x.cab[/url]
Posted by: southernlady
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
[b]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =[/b]
[b]R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1[/b]
[b]R3 - Default URLSearchHook is missing[/b]
[b]O2 - BHO: (no name) - SOFTWARE - (no file)[/b]
[b]O2 - BHO: (no name) - {60F06ACA-B076-CE7F-1D2B-01B08026E4CA} - (no file)[/b]
[b]O4 - Global Startup: Instant Wireless Configuration Utility.lnk = ?[/b]
[b]O4 - Global User Startup: Instant Wireless Configuration Utility.lnk = ?[/b]
[b]O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)[/b]
Then go here: [url]http://tinyurl.com/6jn9l[/url] You have a trojan called the SubSeven 2.0 Server Trojan
[b]O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\System32\server.exe[/b]
Once it is dealt with, go to safe mode ([url]http://www.spyware911.net/forum/index.php?showtopic=15[/url]) and navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.
Go to Start > Run and type [b]%temp%[/b] in the Run box. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Then reboot and post another HiJack Log.
Any question? Liz
Posted by: mikesgroovin
Also, [url=http://www.securemost.com/articles/rm_mx-targeting.htm]view this site[/url]. It may help.
Posted by: southernlady
PestPatrol is great BUT it's not free and we can do this without having him have to pay for something.
Let's get the computer clean and I have a whole list of things for people to do to avoid getting infected again. Liz
Posted by: mikesgroovin
No, I certainly agree with ya... I didn't see the PestPatrol link there at first. I don't think that it's needed either. I was just looking at the entries in the log below, all of which can be removed manually.
Posted by: southernlady
Btw, I did bookmark the site cause it did have some good info. Liz
Posted by: mikesgroovin
Yeah, it's kind of a pain to remove the MX-trackers manually (I can relate it to trying to remove Outlook Express manually *sigh* what a pain!) but, fortunately, a lot of the "MXware" mini-apps are written in the same fashion.
Posted by: n05tr4d4177u5
OK SouthernLady, here is the 4th HijackThis log file.
Logfile of HijackThis v1.98.2
Scan saved at 10:46:30 PM, on 12/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Tweak-XP\Tweak-xp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [mouse] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global User Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Hearts - [url]http://download.games.yahoo.com/games/clients/y/ht1_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/pote_x.cab[/url]
Posted by: southernlady
n05tr4d4177u5, your log is [b][u][size=3][color=blue]CLEAN[/color][/size][/u][/b]!!!
Now to keep it that way, read these two articles.
[quote][b][u]How did I get infected in the first place[/u][/b]
This advice is reposted from the advice given by Tony Klein, the acknowledged spyware & malware expert who supports many forums on the net.
I have added a few minor updates to it
You usually get infected because your security settings are too low.
Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:
1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft. Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.
3) Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ('Download signed and unsigned ActiveX controls') to 'prompt', and 'Initialize and script ActiveX controls not marked as safe' to 'disable'.
Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
And some more advice:
4) Install Javacool's SpywareBlaster [url]http://www.majorgeeks.com/download2859.html[/url]. It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.
Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.
Let's also not forget that SpyBot Search and Destroy [url]http://www.majorgeeks.com/download2471.html[/url] has the Immunize feature which works roughly the same way.
It can't hurt to use both.
5) Another brilliant program by Javacool we recommend is SpywareGuard. [url]http://www.majorgeeks.com/download3045.html[/url]
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard. It now also features Download Protection and Browser Hijacking Protection!
6) IE-SPYAD [url]https://netfiles.uiuc.edu/ehowes/www/resource.htm[/url] puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
7) The IE hosts [url]http://mvps.org/winhelp2002/hosts.htm[/url] file blocks ads, banners, cookies, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems.
Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by the DoubleClick server to the web page you are viewing. This also prevents the server from tracking your movements. It now includes most major parasites, hijackers and unwanted search engines!
In many cases this can speed the loading of web pages by not having to wait for these ads, banners, hit counters, etc. to load.
This also helps to protect your Privacy by blocking servers that track your viewing habits, known as "click-thru tracking".
However as time has progressed the focus of this project has changed from blocking ads/banners to protecting the user from the many parasites that now exist on the Internet. It doesn't serve much purpose if you block the ad banner from displaying, but get hijacked by a parasite from an evil script or download contained on the web site. The object is to surf faster while preserving your Safety, Security and Privacy.
Incidentally, another site with an enormous amount of information on computer security, and which is well worth a visit is [url]http://www.wilders.org/[/url]
Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests. [url]http://www.jasons-toolbox.com/BrowserSecurity/[/url]
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
If you are using XP or windows 2000 or 2003 then this application will also help a lot to prevent hijacking
[url]http://www.prevx.com/default.asp[/url]
And make sure your antivirus and firewall are switched on and kept updated.[/quote]
[quote][b][u]Normal maintenance[/u][/b]
Run regular maintenance on your PC...just as you would keep your house clean, your PC
runs better when it's organized as well.
1) Use Disk Clean up and get rid of unneeded files. Compress old ones
2) Go through your Add/Remove Programs and get rid of anything you haven't used lately, especially
if you have the disk for it and can reinstall it or download it at a later date should
you decide you want it again. Just letting it sit on your hard drive taking up space is
ridiculous if you aren't using it.
3) Run the Disk Defrag on a periodic basis. If you have Norton Systemworks, set it up so
that you can see how defragged your computer is and let it tell you when to defrag.
4) Remember to do a drive check every so often. You do this going to MY COMPUTER then
SELECT YOUR DRIVE(C) right click it and go down to PROPERTIES on the pop up box select
the second tab along TOOLS and click the top box CHECK ERRORS NOW.
And then ALWAYS, ALWAYS download and install any Critical Updates that Windows lets you
know about. If you don't have your configuration set so that it will tell you and you
aren't in the habit of checking periodically (like every other day) then set it so that
Windows WILL let you know there is a Critical Update. This step is an absolute necessity.
Then go and download these FREE programs:
1) Ad-Aware [url]http://www.majorgeeks.com/download506.html[/url] (removes all adverts and ad self-
launch programs; fed up with pop-ups? Get it)
2) Spybot [url]http://www.majorgeeks.com/download2471.html[/url] (same as Ad-Aware, but it's always
better to have two in this case because they'll double-check everything)
3) AVG Free [url]http://www.majorgeeks.com/download886.html[/url] (OK for a basic scan but known not to
detect major viruses) or Avast Home Edition: [url]http://www.majorgeeks.com/download1968.html[/url]
4) Zone Alarms [url]http://www.majorgeeks.com/download388.html[/url] (has a free and a paid version)
5) Sygate [url]http://www.majorgeeks.com/download3356.html[/url] (has a free and a paid version,
or see the other firewall options below)
6) A Popup Blocker if your ISP doesn’t come with one:
[url]http://lists.gpick.com/pages/Ad~PopUp_Tools.htm[/url]
This one has been recommended by a number of people here on this web site:
Google Toolbar [url]http://www.google.com[/url] (Can only be used with IE tho)
And this one, I have personal experience with and is excellent. It can be used with ANY
browser:
POW [url]http://www.analogx.com[/url].
Then you should download:
1) An Antivirus program:
Avast Home Edition: [url]http://www.majorgeeks.com/download1968.html[/url]
AVG free [url]http://www.majorgeeks.com/download886.html[/url]
Norton 2004 or 2005 [url]http://www.norton.com[/url] (a good professional antivirus, always has up-to-
date virus definitions)
Panda Titanium [url]http://www.pandasoftware.com[/url] (another good one but slightly slows down
computer applications etc)
AVG 7 Pro [url]http://www.grisoft.com/us/us_index.php[/url] (again it's OK, but I found that it takes
slightly longer for virus definitions to come out)
2) There are two other Firewall options:
Norton Firewall [url]http://www.norton.com[/url] (good again, stops a lot of unwanted internet
activity, but does become annoying if you have BearShare, Kazaa etc. installed)
Kerio [url]http://www.kerio.com/kpf_home.html[/url]
3) For making copies of your hard drive (good if you need to transfer your hard drive
contents or if your hard drive keeps crashing):
Norton Ghost: [url]http://www.norton.com[/url]
Drive Image [url]http://www.r-tt.com[/url] (a software program that makes an up-to-date recovery
point separate from System Restore; good if you know your computer keeps crashing)
4) For fixing Registry and disk problems:
PC Bug Doctor [url]http://www.pcbugdoctor.com[/url] (corrects many problems but not deep registry
ones)
PC Doctor OnCall [url]http://www.pcdocrx.net/cgi-bin/view...2004/index.html[/url] (does a full system
check, fixes almost any problem)
Ashampoo WinOptimizer Platinum Suite 2
[url]http://www.ashampoo.com/[/url] (Drive Cleaner, Registry Cleaner, Internet Cleaner, DLL Cleaner,
Internet Tuner, StartUp Tuner, File Wiper, and File Associator. Free up valuable space on
your hard drive. Speed up general system performance.)
Norton Systemworks 2003 or 2004: [url]http://www.norton.com[/url]
For a good listing of all this, go to: [url]http://www.wilders.org/[/url]
I hope this list helps.[/quote]
You also might want to consider an alternate browser like Firefox. If you do, let me know and I will be glad to help with the plugins and extensions. And I hope NOT to see you in this forum again :) Liz
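Item 7 of the first quoted article describes the hosts file as a blocklist: a hostname mapped to 127.0.0.1 never reaches its server. The same file is a favourite target of the parasites the list is meant to keep out, in two ways: a hostname can be pointed at an address the attacker controls instead of at a sinkhole, and the update hosts of your antivirus can be sinkholed so it silently stops updating. A blocklist parser therefore needs to tell those cases apart from ordinary block entries. The following is an added example, not code from this thread or from the MVPS hosts project; the sample hosts file is constructed, the `.example` names are placeholders, and 198.51.100.23 is a documentation address, not a real server.

```python
"""Audit a Windows hosts file for hijacked entries.

Added example, not part of the original post or of the MVPS hosts project.
Block entries map a name to a sinkhole (127.0.0.1, 0.0.0.0 or ::1). Anything
else is a redirect, and a sinkholed name on the protected list means your
own security software has been cut off. Both are reported.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample. Names under .example are placeholders and 198.51.100.23
# is a documentation address (RFC 5737), not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ad.doubleclick.net          # ordinary blocklist entry
0.0.0.0   banners.example.org          # 0.0.0.0 form, also a block
127.0.0.1 update.av-vendor.example     # sinkholes a vendor's update host
198.51.100.23 search.example.com www.search.example.com
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    hostname: str


def parse_hosts(text):
    """Return one HostsEntry per (address, hostname) pair, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:            # one address may carry several names
            entries.append(HostsEntry(lineno, address, name.lower()))
    return entries


def is_sinkhole(address):
    """True for addresses that block a name (loopback or unspecified)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False                  # unparsable: not a block, report it
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, protected_hosts=()):
    """Flag redirects and sinkholed protected hosts.

    protected_hosts: domains (and their subdomains) that must never be
    blocked, e.g. your antivirus vendor's update servers (assumption: you
    supply this list; it is not derived from the file).
    """
    protected = {h.lower().lstrip(".") for h in protected_hosts}
    findings = []
    for e in parse_hosts(text):
        sinkholed = is_sinkhole(e.address)
        if e.hostname == "localhost":
            if not sinkholed:
                findings.append(("localhost-redirect", e))
        elif not sinkholed:
            findings.append(("redirect", e))
        elif e.hostname in protected or any(
                e.hostname.endswith("." + p) for p in protected):
            findings.append(("protected-host-blocked", e))
    return findings


if __name__ == "__main__":
    for kind, entry in audit_hosts(SAMPLE_HOSTS, ["av-vendor.example"]):
        print(f"line {entry.lineno}: {kind}: {entry.address} {entry.hostname}")
```

On a real machine the file is `%SystemRoot%\system32\drivers\etc\hosts`; read it and pass the update domains of whatever antivirus is installed as `protected_hosts`. A redirect of a search engine or bank hostname is the same symptom as the R1 search-page and ProxyOverride entries in the logs above, just implemented one layer lower, where the browser's own settings never show it.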