I need help to clean my PC
-
I need help to clean my PC
I have run HijackThis and made some fixes, but the problem still persists. There is no way to remove the annoying toolbar at the top of the screen (and now permanently at the bottom) and the popups from Look-today, lop search, prosearch, etc.
I am using Windows 2000 and IE 6.0 and have installed all MS patches and recommended updates.
I have downloaded and run SPYBOT SEARCH & DESTROY and SPYWARE BLASTER as well as ADAWARE 6.0. I have noted that the virus or spyware modifies the anti-spyware settings.
I also use SYMANTEC Antivirus Corporate Edition.
I do not know how to thoroughly clean the PC (cookies, temp files, history, etc.).
Below is the new log; I hope to be lucky and receive your response.
Logfile of HijackThis v1.98.1
Scan saved at 11:37:20, on 31/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\ARCHIV~1\WinZip\winzip32.exe
C:\DOCUME~1\Peter\CONFIG~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Regscopymagsslow] C:\Documents and Settings\All Users\Datos de programa\Flap Bolt Regs Copy\Defy Kind.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender-es.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c...mplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF40FBB-DAE8-4DF4-A3AA-B99D09AE436F}: NameServer = 212.145.4.97,212.145.4.98
O20 - AppInit_DLLs: MSLib.dll
Regards and thank you in advance.
PF
-
Hello, LEONIDASDAL
There is a new and improved version of AdAware that you need to have installed on your computer. The new version is AdAware SE.
If you have AdAware already installed on your system and it's NOT SE, go to your Control Panel and click on Add/Remove Programs. Click on AdAware, then REMOVE, and then just complete the removal process.
Once it's uninstalled, go to http://www.lavasoft.de/ and download the FREE version of AdAware SE. Once it's downloaded, double-click on the new file to start the install process.
Click Next > I accept > Next > Next, then be sure to put a dot in the bullet for "Anyone who uses this computer" and then click Next > Next.
In the next dialog box, remove the dot in the bullets "Start Scan" and "Launch Help Files" and click Finish.
Now, if the program doesn't launch, double-click on the icon that should now be on your desktop to start AdAware SE.
Now click on the button for Check for Updates.
If updates are found, click on the OK button and, after it downloads to 100%, click on the Finish button.
Click the Start button.
Click on the link for Customize.
In the main window, under Scan Settings:
Click on the red X in front of "Scan within archives" to change it to a green check.
Then click on the button on the left labeled Advanced:
Click on the red X in front of "Move deleted files to Recycle Bin" to change it to a green check.
Click on the red X in front of "Include Environment Information" to change it to a green check.
Then click on the button on the left labeled Defaults:
Click on "Read current settings from system".
Then click on the button on the left labeled Tweak:
Click on the (+) in front of Scanning Engine to expand the group.
Click on the red X in front of "Obtain Command line of scanned processes" to change it to a green check.
Click on the red X in front of "Run scan as background process" to change it to a green check.
Click on the red X in front of "Use permanent archive caching" to change it to a green check.
Click on the (+) in front of Cleaning Engine to expand the group.
Click on the red X in front of "Disable manual quarantine if auto-quarantine is selected" to change it to a green check.
Click on the (+) in front of Safety Settings to expand the group.
Click on the red X in front of "Reanalyze results after scanning . . ." to change it to a green check.
Click on the red X in front of "Write protect system files after repair" to change it to a green check.
Click on the (+) in front of Log File to expand the group.
Click on the red X in front of "Create Log File for removal operations" to change it to a green check.
Click on the (+) in front of User Interface to expand the group.
Click on the red X in front of "Remember window positions" to change it to a green check.
Click on the red X in front of "Snap windows to desktop borders" to change it to a green check.
Click on the red X in front of "Use gridlines in results list" to change it to a green check.
Click on the (+) in front of Web Update Settings to expand the group.
Click on the red X in front of "Create and save WebUpdate log file" to change it to a green check.
Click on the (+) in front of Misc settings to expand the group.
Click on the red X in front of "Dump details about unhandled exceptions to disk" to change it to a green check.
Then click on the button at the bottom right labeled Proceed, then click the Next button to start scanning.
Once the scan is complete, you'll have a flashing bug and a brief sound to indicate that scanning is complete and adware was found. Click on Next and then click on each of the empty boxes to the left of the found items under SCAN SUMMARY. Then hit the Next button, then OK. This should clean your system of all the found nasties. When it's complete, simply close the program until your next scan session. Always, ALWAYS check for updates before every scan.
Reboot.
Now download Spybot from
http://download.com.com/3000-8022-10...ml?tag=lst-0-2
After installing, hit "Search for Updates" and get them all (Download Updates), then "Check for Problems". After the scan is complete, allow Spybot to remove everything listed in RED, then close Spybot and reboot.
Then show us a new HJT scan logfile.
HGD
-
Hello HGD,
I have followed all the steps, and ADAWARE SE and SPYBOT detected and cleaned 5 objects (among them an exe program from LOP) and 1 object respectively.
No trace of the toolbars anymore.
Below is a copy of the new log. You will notice that I have downloaded MRU BLASTER. Please advise on its efficiency and usefulness.
Very grateful for your help.
Logfile of HijackThis v1.98.1
Scan saved at 18:23:10, on 31/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\SPYWARE\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Regscopymagsslow] C:\Documents and Settings\All Users\Datos de programa\Flap Bolt Regs Copy\Defy Kind.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\SPYWARE\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender-es.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...87/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF40FBB-DAE8-4DF4-A3AA-B99D09AE436F}: NameServer = 212.145.4.97,212.145.4.98
O20 - AppInit_DLLs: MSLib.dll
-
Hi, LEONIDASDAL
Nice work. Now you do have these items here to remove.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
This one here: is it something that you installed? If not, fix it:
O4 - HKLM\..\Run: [Regscopymagsslow] C:\Documents and Settings\All Users\Datos de programa\Flap Bolt Regs Copy\Defy Kind.exe
This one here, don't fix for now; I need more info on this item:
O20 - AppInit_DLLs: MSLib.dll
Make sure you can view hidden and system files: Instructions here
Then boot to safe mode: Instructions here
Delete the following files/folders IF still present:
C:\WINNT\questmod-1.dll <-- this file
Then reboot, see how it is, and let us know.
HGD
-
Hello HGD,
Many thanks again for your reply.
I have followed all the steps, and the file C:\WINNT\questmod-1.dll does not appear any longer.
Before I received your reply, and following some advice I found on your website, I installed SYGATE PERSONAL FIREWALL. Under IE, this program detected (and I blocked) an attempt to connect to i18231.bins.lop.com.
It also detected an attempt to connect by an application: C:\WINNT\system32\ntoskrnl.exe
How should I deal with these detections and identify which of them are admissible?
Meanwhile, please find enclosed the HJT log.
Logfile of HijackThis v1.98.1
Scan saved at 16:54:06, on 01/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Archivos de programa\Sygate\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\SPYWARE\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Archivos de programa\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\Sygate\smc.exe -startgui
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\SpybotSch & Destroy\TeaTimer.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\SPYWARE\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender-es.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...87/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF40FBB-DAE8-4DF4-A3AA-B99D09AE436F}: NameServer = 212.145.4.97,212.145.4.98
O20 - AppInit_DLLs: MSLib.dll
Grateful for your advice (and for what to do with O20 - AppInit_DLLs: MSLib.dll).
Thanks.
PS: Should I restore "Hide protected operating system files" to its initial value, that is, "Yes"?
PF
Last edited by LEONIDASDAL; 01-09-2004 at 03:56 PM.
-
Hi, LEONIDASDAL
OK, this file here, C:\WINNT\system32\ntoskrnl.exe:
have a look here and see if this info helps at all
http://soho.sygate.com/alerts/XP_def...CP445_open.htm
and is this what you are seeing?
http://www.techimo.com/forum/attachm...achmentid=4509
HGD
-
Thank you, HGD.
FYI, from the Sygate traffic log I can see that the program ntoskrnl.exe was not trying to use the advised port 445 (nor am I an XP user; I am on W2000). In my particular case, it was trying to connect to domains such as 192.168.0.2 or 3 (belonging to Internet Assigned Numbers Authority, USA).
Also, Sygate blocked svchost.exe from connecting to www.windowsupdate.com or wustat.windows.com.
Finally, SPYBOT re-detected 4 objects on the Start Page (4 domains) and I deleted them, but they reappear. I also notice that these 4 domains have protection disabled automatically in the SpywareBlaster list. Any idea?
Any fixes to be done to the HJT log posted yesterday?
Best regards
PF
-
HJThis,
I hope you don't mind me butting in, but I just thought I'd mention that this entry:
O4 - HKLM\..\Run: [Regscopymagsslow] C:\Documents and Settings\All Users\Datos de programa\Flap Bolt Regs Copy\Defy Kind.exe
is a randomly generated file that usually comes along with the Prosearching hijack. You'll almost always find one of these randomly generated files in a randomly generated folder in C:\Documents and Settings\All Users when you have the C:\WINNT\questmod-1.dll or questmod.dll BHO. The folder the randomly generated .exe file is in needs to be deleted, and that will do the trick.
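As an added example (not part of the thread and not code from HijackThis), the following Python script applies the triage rules that HGD's reply and the last post spell out to raw HJT log text: an O2 BHO with "(no name)" whose DLL lives outside Program Files (the questmod-1.dll case), an O2 entry whose DLL is already gone ("(no file)", as in the third log after deletion), an O4 Run entry launched from a folder under All Users (the randomly named dropper described in the last post), any O20 AppInit_DLLs value, and the O17 NameServer override, which is listed for the owner to check against their ISP rather than judged. The sample lines are copied from the thread's own logs; the rule names, the two spellings of Program Files it accepts (English and the Spanish "Archivos de programa", plus their 8.3 short names), and the idea of treating the All Users folder as suspect are this example's assumptions.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O2"
    reason: str   # short rule name
    line: str     # the log line that triggered it, verbatim


# Assumption: a DLL under either spelling of Program Files on this
# Spanish-language Windows 2000 box (long name or 8.3 short name) belongs to
# an installed program; anywhere else is unexpected for an unnamed BHO.
_PROGRAM_FILES = re.compile(
    r"^[A-Za-z]:\\(Program Files|PROGRA~\d|Archivos de programa|ARCHIV~\d)\\",
    re.IGNORECASE,
)
_ALL_USERS = re.compile(r"\\All Users\\", re.IGNORECASE)

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

# Constructed input: lines copied from the thread's HJT logs (the O2
# "(no file)" line is from the third log, after questmod-1.dll was deleted).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod-1.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Regscopymagsslow] C:\Documents and Settings\All Users\Datos de programa\Flap Bolt Regs Copy\Defy Kind.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FF40FBB-DAE8-4DF4-A3AA-B99D09AE436F}: NameServer = 212.145.4.97,212.145.4.98
O20 - AppInit_DLLs: MSLib.dll
"""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a human should look at, with the rule that fired."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            path = m.group("path")
            if path == "(no file)":
                # The registry still references a BHO whose DLL is gone: safe to fix.
                findings.append(Finding("O2", "orphan BHO (DLL missing)", line))
            elif m.group("name") == "(no name)" and not _PROGRAM_FILES.match(path):
                findings.append(Finding("O2", "unnamed BHO outside Program Files", line))
        elif m := _O4.match(line):
            # Autoruns whose executable sits in the shared All Users profile
            # data rather than an install directory (the dropper pattern
            # described in the last post).
            if _ALL_USERS.search(m.group("cmd")):
                findings.append(Finding("O4", "autorun from All Users data folder", line))
        elif m := _O17.match(line):
            # Not judged here: the owner must compare these with the ISP's servers.
            findings.append(Finding("O17", "per-interface DNS servers: " + m.group("servers"), line))
        elif m := _O20.match(line):
            # Every DLL listed in AppInit_DLLs is loaded into each process
            # that loads user32.dll, so any value here deserves a look.
            findings.append(Finding("O20", "AppInit_DLLs set: " + m.group("dlls").strip(), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only parses text; it touches neither the registry nor the file system, so it can be run against any saved log before deciding what to tick in HijackThis. Named entries such as the Acrobat BHO and the Spybot SDHelper.dll (which lives under the 8.3 short name ARCHIV~1 for "Archivos de programa") pass the Program Files check and are not reported, while the questmod-1.dll BHO, the Regscopymagsslow autorun, the AppInit_DLLs value and the DNS override are.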