Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help computer is runing slow TROJ DLOADER.AKZ can't remove

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help computer is runing slow TROJ DLOADER.AKZ can't remove

Unread postby lecia1 » January 3rd, 2006, 9:54 am

here is my hijacklist of problems - we can't delete anything and the computer is running very slow

Logfile of HijackThis v1.99.1
Scan saved at 7:56:00 PM, on 1/2/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IExplorr11.clsIS - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - C:\WINDOWS\IEXPLORR11.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: WebBar Class - {EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\APPLIE~1\BAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - Startup: Register Kazaa Upgrade Suite3.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm
Advertisement
Register to Remove

Unread postby AndyAtHull » January 3rd, 2006, 10:28 am

Hi Lecia1,

Welcome to the MR Forum. I would be happy to help you.

Firstly HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder. Either copy the file HijackThis.exe and paste it into a new folder on your desktop, or create a folder such as C:\HJT\ (or a similar name) and copy and paste the file, HijackThis.exe, into that new folder. In any case, it must be moved or you will very likely end up with no backups and they may be needed. Do this before you do anything further!

Secondly it looks like you have not posted a full HJT log. Without a full log we cannot get a full description of any malicious infectections, if present.

To do so just to make sure. When opening the .txt file with the log in. Click on Edit at the top in the toolbar of the .txt file and click on Select All. Right-Click on the contents and select Copy. Then just Paste it to here.

Please tell me of anything that is making your computer running oddly. What you cannot delete etc. And post me a fresh HJT log. And I will be happy to help you
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby lecia1 » January 3rd, 2006, 4:42 pm

Hi,

I moved the Hijack this exe to it's own folder in C: However, when I do a system scan and save a log file, it is exactly the same log as I posted earlier:

I don't know why this log would be shorter than it should be, I made sure to copy/paste the entire log. Any suggestions would be great.

I cannot delete any cookies in my cookie folder, and there are some items on my desktop (like a blank notepad) that I cannot delete. I get this messege--Cannot delete <file name> Access denied. The source file may be in use.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:47 PM, on 1/3/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\REGISTER KAZAA UPGRADE SUITE3.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IExplorr11.clsIS - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - C:\WINDOWS\IEXPLORR11.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: WebBar Class - {EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\APPLIE~1\BAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - Startup: Register Kazaa Upgrade Suite3.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm

Unread postby AndyAtHull » January 3rd, 2006, 4:46 pm

Do not worry. I just wanted to make sure you pasted the whole log.

As to the log being the same. Yes it will be. But like I said before, when the application HijackThis is in a Temp folder. It does not create a back-up of anything we do with HJT later on. Having back-ups is a vital part we need just incase we need to reverse a fix.

I will now research your log and return with a fix. My fix will be double checked by a teacher here. Just so that you get the best advice available.

Andy :D
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby AndyAtHull » January 4th, 2006, 7:48 pm


  1. I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine
  3. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  4. If you don't know, stop and ask! Don't keep going on.
  5. Please reply to this thread. Do not start a new topic.

----------

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

----------

Please note that as long as you're using any form of peer-to-peer networking and downloading files from non-documented sources, the cleanliness of which has not been verified, you can expect infestations of malware to occur. This has not always been the case, and once upon a time was fairly safe. This can no longer be said for peer-to-peer filesharing. You may continue to do so at your own risk but cannot rely upon someone always being able to clean up your system and bail you out of trouble. This practice is in all probability the source of your current malware infestation.

For comprehensive information and comparisons of P2P programs, you may want to read this linked information: http://www.benedelman.org/spyware/p2p/


----------

What I would like you to do next is to remove some bad files from Add/Remove.

Click on Start>Control Panel>Add/Remove. And uninstall these following programs.
(Note: If some programs listed below are not present, please do not panic)

My Search Bar or
MyWay Speed Bar or
My Web Search Bar
NewtonKnows
IncrediFind

Be carefull when uninstalling software. Look at the names carefully as it may catch you out.

----------

Please download Ccleaner from here. The download should start in 5 seconds.

1. Double click on the file to start the installation of the program.
2. Select your language and click OK, then next.
3. Read the license agreement and click I Agree.
4. Click next to use the default install location. Click Install then finish to complete installation.
5. Double click the CCleaner shortcut on the desktop to start the program.
6. On the "Windows" tab, under "Internet Explorer", uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
7. If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
8. Click on "Options" at the top of the window, then click on the "advanced" button.
9. Deselect "Only delete files in Windows Temp folders older than 48 hours". Click on "OK".
10.Click Run Cleaner to run the program.

Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.

After CCleaner has completed its process, click Exit. It may be a good idea to scan it more than once. It will not harm in doing so.

----------
I would like you do download CWShredder

1. CWShredder can be downloaded here, install it, check for updates, but don't use it yet.
2. Open CWShredder Close all browser windows and click on Fix--> then OK

----------

Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.
3) To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.


Download Spybot S&D v1.4 from HERE and install. If you already have Spybot S&D, please configure it as indicated below. If you have a previous version of SpyBot, please uninstall your current version and install the newest version 1.4

Setting up Spybot S&D

1. In the Menu Bar at the top of the Spybot window you will see 'Mode. Make certain that 'default mode' has a check mark beside it.
2. Close ALL windows except Spybot S&D
3. Click the button to ‘Search for Updates’ then download and install the Updates.
4. Next click the button ‘Check for Problems'
5. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window.
6. Make certain there is a check mark beside all of the RED entries ONLY.
7. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
8. REBOOT to complete the scan and clear memory.


----------

Run HJT and place a check mark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: IExplorr11.clsIS - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - C:\WINDOWS\IEXPLORR11.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: WebBar Class - {EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\APPLIE~1\BAR.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL


Close all other windows except for HJT and click on Fix.

----------

Some folders may not have gone even after the HJT fix we carried out. So please look for these folders and delete them:
Navigate to these folders in RED. Use Find (F3) or Start>Search>Delete these folders, if present:

Folders...

C:\PROGRAM FILES\IncrediFind
C:\PROGRAM FILES\MYSEARCH

Files...

C:\WINDOWS\IEXPLORR11.DLL

If you have any problems deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, click End Process, then retry delete.
(Note the name and location of any file you cannot delete.)

----------

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Window\Temp folder and delete all files and folders in it. Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

----------
Rastart your computer
----------

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Post Panda scan results in your next reply

----------

Post back with:

A fresh HJT log
Anything Panda comes up with.
And also if you wouldnt mind. Let me know the performance of your computer. :D
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby lecia1 » January 6th, 2006, 9:22 am

I have done most of what you have asked me - I ran in to a problem with the Ad-Aware SE - it rand and I did this twice and both times it found 14 critical objects - but it comes back and say can not remove them. Any Suggestions?

I di dgo to the Spybot S&D and that came up with no immediate threats?

How do I runHJT - I am not really sure what you want me to do here?

Thanks for your help.
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm

Unread postby AndyAtHull » January 6th, 2006, 12:27 pm

Regarding Adware. What rights do you have on your system. Do you have Administrators rights?

When you try to use Ad-aware with an account that does not have administrator privileges, you may experience the following:

Ad-aware scans, but cannot remove anything.

Ad-aware will not start.

Ad-aware does not operate correctly.

CAUSE

This can occur because some areas of the system are not accessible to users running with a limited account, or an account that does not have administrator privileges. User account levels are features of Microsoft Windows NT, Windows 2000, and Windows XP Operating Systems.

RESOLUTION

Log in to the computer with an account that has administrator-privileges, or for users running Windows XP, use the 'Run As' tool to launch Ad-aware at an administrator level while logged in with a non-administrator account.


So log into the systems account that has Admin rights and re run adware.

-----------------------

Regarding Spybot. Don't worry. As long as you have kept it updated and rebooted it between each adware and spybot scan. Then as far as spybot is aware nothing that spybot uses as its definitions were found on your system.

Regarding HJT. Open up HijackThis(the same program you used to create a log) Then select Do a system scan only. Once its finished scanning. Check mark each entry I noted above and apart from HijackThis, close any other windows/browsers and click Fix. Then reboot.

For a fresh log select Do a system scan and save a logfile. That will create a new log. Copy and paste that along with anything else I requested.

----------------

Please follow the instructions about adware and HJT. Then continue with the fix. Any other problems. I will be here ready to answer :)

Andy
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby Elrond » January 6th, 2006, 12:51 pm

Posted in wrong place :oops:

E :)
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby lecia1 » January 7th, 2006, 4:41 pm

Thank you for your help - I was able to run AD-Aware SE and this time it removed 199objects, and 162 were quarantened. I went on to the HJT file and selected some that were listed above - not all were there - then I deleted the other programs - that were tere - I wasn't sure in documents and settins what I was to delete - but I did delete the internat options/general stuff - not sure what Windo/temp is? I rand Panda and will attach that and the new HJT file I ran after. There were 10 items Panda found - I don't know how to get rid of them. Also - should I now clean up my desktop and get rid of the program I installed to clean up my computer?

I plan to get a new Norton Anti-Viris - hoping this will help eliminate problems like this -

I await your reply. The computer seems to be starting up much faster, and running better - I appreciate all your help.

Here is the Panda Activeware results:

Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\WINDOWS\Cookies\default@2o7[1].txt
Spyware:Cookie/Adtech Not disinfected C:\WINDOWS\Cookies\default@adtech[1].txt
Adware:Adware/DelFinMedia Not disinfected C:\WINDOWS\All Users\Application Data\wsxs\patchme.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall4_80.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall5_40.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall4_94.exe
Spyware:Spyware/ShopNav Not disinfected C:\WINDOWS\eltupt.exe
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:adware/delfinmedia Not disinfected C:\keys.ini

here is the HJT file I ran after the Panda:
Logfile of HijackThis v1.99.1
Scan saved at 3:24:59 PM, on 1/7/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm

Unread postby AndyAtHull » January 7th, 2006, 4:48 pm

Every item Panda finds does not get deleted. In my next set of instructions I will tell you how to delete these. I will also review your latest HJT log and come back with further instructions if needed. Thanks for the logs. I will post my fresh instructions shortly after they get checked by Elrond :D
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby AndyAtHull » January 7th, 2006, 9:15 pm

Fresh log. Fresh instructions. We are nearly there. But Panda came up with some other items that HijackThis did not tell us. Just some left overs

----------

You have a Spyware called ShopNav. Shopnav is a search-hijacker that is installed as a Browser Helper Object. It can update itself when you start Windows. Certain address bar searches and unknown domain name searches will be redirected to the program's controlling servers. But first follow the instructions below.

----------

Brilliant Digital is a tracking cookie that monitors your Internet activity and gathers your personal information as you surf the web. This information may be retrieved by the parent company, without your consent. This file is included with Kazaa. Panda picked this up.

C:\Program Files\Kazaa\bdcore.dll


When I recommend you remove this later it may break up Kazaa. But it is highly recomended this file gets removed.

----------

Because Adware came up with a large amount of objects I think it is the best thing to re-run this. We will re-run this with Spybot. Remember to reboot between each scan.

Open up Adware and click on the Globe to update it if needed. Then perform the same task as before:

Firstly click on Open quarantine list and Delete all that iis in there.

To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.

----------

For Spybot update it before using it. Then click the button ‘Check for Problems.

When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window.
Make certain there is a check mark beside all of the RED entries ONLY.
Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
REBOOT to complete the scan and clear memory.

Open up Spybot again and click on Recovery. If anything was found. Check every object and select Purge Selected Items. Click Ok whem promted. And clos the program.

----------

To Show Hidden files in ME:

1. Double click on My Computer.
2. On the Tools menu, click Folder Options
3. On the View tab, uncheck Hide file extensions for known file types.
4. Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
5. If you see a warning message, click Yes.
6. Click Apply.
7. Click OK.

----------

Then, using Windows Explorer, search for and DELETE the following file(s)file/folder(s) in RED, IF STILL PRESENT:

Folders...

C:\WINDOWS\All Users\Application Data\wsxs

Files...

C:\WINDOWS\eltupt.exe
C:\keys.ini
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_80.exe
C:\WINDOWS\NDNuninstall5_40.exe
C:\WINDOWS\NDNuninstall4_94.exe

Highly recomended you remove this...

C:\Program Files\Kazaa\bdcore.dll

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, click End Process, then retry delete.
(Note the name and location of any file you cannot delete.)

----------

Open up Internet Explorer and click on Tools>Internet Options in the toolbar at the top. Then click on Delete Cookie and Delete Files. Click OK when prompted too.

----------

Post me a Fresh HijackThis log.
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby lecia1 » January 9th, 2006, 9:48 pm

Ok - I did all that you requested - there still is problem with Adware - it came up thee times I ran it and restarted - with 14 critical errors but it will not let me delete them. Then Spybot cme up with no problems found.

I deleted the other files you requested. Ran a new Hijackthis file see below
Logfile of HijackThis v1.99.1
Scan saved at 3:24:59 PM, on 1/7/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab


I want to load a new Norton AntiVirus program but it will remove all the other virus programs on my desktop - so I want to wait till you let me now everything is okay and I can do this. I'm sure it will help with the new upgraded Norton Antivirus Internet security with some of the problems I have had and have.

I also have a question - I have a new program I loaded Mavis Beacon teachs typing - it loaded but will not open to run - the screen goes black and then back to the main desktop - any suggestions. We have added more memory on the computer?

thanks again for you help.
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm

Unread postby AndyAtHull » January 9th, 2006, 9:50 pm

First of all did you try Adware in an account that has admin rights like before?

And regarding Mavis Beacon teachs typing. Other than the balck screen. Did any error messages appear? Also what version are you using?
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK

Unread postby lecia1 » January 10th, 2006, 10:10 am

yes it was the same adware as before

and the mavis beacon is 6. version and no error message appears - it gets the black screen says mavis beacon typing - i actually was able to register this time but then nothing
goes back to the desktop
what about the norton antivirus internet?
lecia1
Regular Member
 
Posts: 18
Joined: January 2nd, 2006, 10:26 pm

Unread postby AndyAtHull » January 10th, 2006, 11:55 am

1. Open Adware in normal mode and check for updates by clicking on the Globe on the top right corner. Once updated close the program.

2. Read this. Reboot your computer into Safe Mode.

3. Run an adware scan again in an account with Admin rights. Then once scanned. Save the log file to the desktop. But try to delete the objects or put them in quarantine.

4. Reboot. If it did not delete the objects found or could not put them in quarantine. Send me the log file. Otherwise you can delete the log file.

----------

Regarding the typing program and Norton I will advice you on that once this issue is solved as I will advice you on what to run and what not to run later :)
User avatar
AndyAtHull
Visiting Staff
 
Posts: 1636
Joined: October 6th, 2005, 2:03 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 308 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware