Another antimalware popup victim

Discussion in 'Malware and Virus Removal Archive' started by Brian Schmidt, 2006/07/09.

  1. 2006/07/09
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Hello, This is my first post to this BBS. I have a problem similar to many others that are posting but I found that it said to start my own thread so here it is. I have an icon in my lower right tray that is a circle with a question mark in it and over this is flashing a red circle-slash icon. Every few minutes a popup comes up and says my computer is infected and I need to use antimalware to clean and protect from parasite programs. I have tried a couple programs to clean but it hasn't helped. I have HJT setup on my desktop but it hasn't been run yet. Can anyone help me to proceed with getting rid of this popup?
    Brian
     
  2. 2006/07/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Brian Schmidt
    Welcome to Windowsbbs

    First you need to move Hijackthis to a permanent directory on your hard drive, say C:\HJT - The Desktop or a temporary folder is not a suitable location for backups made by HJT when entries are fixed.
    To do this click on start, click my computer, double click your C drive, make a new folder name it HJT. Now go and right click on Hijackthis click copy, go back to the folder you made, right click and click paste. Delete the one on your desktop.

    Run HJT and save log. Post it back here to this thread and someone will have a look at it.
    Geri
     

  4. 2006/07/09
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Re: Another antimalware victim

    Here is the copy of the HJT log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:18:34 PM, on 7/9/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\system32\CTSvcCDA.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\sfmsvc.exe
    C:\WINNT\System32\sfmprint.exe
    C:\PROGRA~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\YEDIEx.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\system32\faxsvc.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Common Files\AOL\1111108544\ee\AOLSoftware.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
    C:\program files\common files\aol\1111108544\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1111108544\ee\aolsoftware.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111108544\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Siemens SpeedStream Wireless USB.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multicastmedia.com/common/mbrowser/MINIBrowser.CAB
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://J:\CDVIEWER\CdViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
    O23 - Service: YEDIEx - Unknown owner - C:\WINNT\system32\YEDIEx.exe
     
  5. 2006/07/09
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi Brian

    Your HJT log indicates that your computer is infected with SpywareQuake ....

    O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll

    There is an automated removal procedure over at Bleeping Computer ....

    http://www.bleepingcomputer.com/forums/topic47826.html

    Scroll down to the Automated Removal Instructions and follow through.

    When you have finished restart the computer in Safe mode and scan again with HJT and post the log here.
     
  6. 2006/07/09
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    I have completed the previous steps. The icon and pop up are gone! During the last step in which Panda Online did the scan, it still reported finding 48 instances of adware/spyware and 3 instances of hacker/potentially bad tools.
    Here is the repeated HJT log file:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:33:40 PM, on 7/9/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\userinit.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111108544\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Siemens SpeedStream Wireless USB.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multicastmedia.com/common/mbrowser/MINIBrowser.CAB
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://J:\CDVIEWER\CdViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2453017D-DA4E-47A8-9608-ADEFC2626113}: NameServer = 192.168.0.200
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
    O23 - Service: YEDIEx - Unknown owner - C:\WINNT\system32\YEDIEx.exe

    What if anything do I do now?

    Thank You !
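
The following Python is an added example, not part of the thread or of any poster's tooling: it parses two HijackThis logs and reports which entries and processes differ between them, run here on short excerpts copied from the two logs posted above. The function names (`parse_hjt`, `diff_logs`) are this example's own.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g.
# "O21 - SSODL: name - {CLSID} - path". Section codes are a letter plus digits.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_hjt(text):
    """Return (processes, entries) for one HijackThis log.

    processes: set of lower-cased image paths (Windows paths are
               case-insensitive, and the logs mix System32/system32).
    entries:   set of (section_code, body) tuples.
    """
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # entry section has started
            entries.add((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.add(line.lower())
    return processes, entries


def diff_logs(before, after):
    """Compare two logs and list what disappeared and what is new."""
    before_procs, before_entries = parse_hjt(before)
    after_procs, after_entries = parse_hjt(after)
    return {
        "entries_removed": sorted(before_entries - after_entries),
        "entries_added": sorted(after_entries - before_entries),
        "processes_gone": sorted(before_procs - after_procs),
        "processes_new": sorted(after_procs - before_procs),
    }


# Excerpt of the first log in the thread (3:18:34 PM, before cleanup).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:18:34 PM, on 7/9/2006

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\YEDIEx.exe
C:\WINNT\Explorer.EXE

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - C:\WINNT\system32\jevtxpg.dll
O23 - Service: YEDIEx - Unknown owner - C:\WINNT\system32\YEDIEx.exe
"""

# Excerpt of the second log in the thread (10:33:40 PM, after cleanup).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:33:40 PM, on 7/9/2006

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: YEDIEx - Unknown owner - C:\WINNT\system32\YEDIEx.exe
"""

if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, items in result.items():
        print(label)
        for item in items:
            print("   ", item)
```

The entry diff is the part to rely on here: the second log was requested from Safe mode, so differences in the running-process list mostly reflect the boot mode rather than the cleanup.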
     
  7. 2006/07/10
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Brian - your HJT log is clean :)

    However it would be wise to run another check and clean up the adware, etc which Panda found and which it may not have removed ....

    Please download and install the 30 day trial version of Ewido Anti-Spyware

    Run the program either from the Desktop icon if you chose to install one or from Start > Programs. On the main screen select the Update icon followed by the "Update now" link and click on the Start Update button. The update will start and a progress bar will show the updates being installed.

    When the update has completed select the Scanner icon at the top of the window and click on the Settings tab.

    On the Settings screen click on Recommended actions and then on Quarantine.

    Under Reports select Automatically generate report after every scan and deselect Only if threats were found.

    Close Ewido Anti-spyware. Do not run a scan just yet.

    Boot into Safe Mode and log onto your usual account.
    Do not open any other windows or programs while Ewido is scanning as this may interfere with the scanning process.

    Start Ewido Anti-spyware by double-clicking the icon on your desktop or from Start > Programs and select the Scanner icon at the top of the window followed by the Scan tab and click on Complete System Scan. The scanning process will start and may take some time.

    When the scan is complete if any infections were detected you will be prompted for an action - select Apply all actions.

    Then select the Reports icon at the top of the window and click on the Save report as button in the lower left hand corner of the screen and save it as a text file (be sure to remember where you saved that file, this is important).

    Close Ewido and reboot your system back into Normal Mode and post the Ewido scan report here.

    For future reference you might also like to read this ....

    Keep your Computer free from Viruses, Trojans, Spyware and other Malware
     
  8. 2006/07/10
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Pete, I did as instructed however when starting the Ewido program in safe mode, nothing happened for a long time, just stared at desktop. What next?
    Brian
     
  9. 2006/07/10
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I've not come across that before - try running it in Normal mode and if that plays up try uninstalling Ewido and reinstalling.
     
  10. 2006/07/11
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Pete, It comes up in regular mode. I uninstalled, shut down and then reinstalled and tried again. I left the computer in safe mode for quite a while after attempting to start Ewido... when I returned to the computer there was a box with a message from Ewido.exe that said... "There is no disk in the drive. Please insert a disk into drive \device\harddisk6\DR12 ". When I cancelled out of this box, another one came up and said something about something happening with the application but I didn't catch it all.
    What should I do next?
    Brian
     
  11. 2006/07/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Brian

    I've no idea what's going on - let's try and sort this out step by step ....
    You will have to elaborate on that - will Ewido run in normal (regular) mode ?

    When you double click on the Desktop icon do you see the screenshot below?

    When you click on the Scanner Button do you see the second screenshot below?

    When you click on Complete System Scan do you see the third screenshot below?

    How far do you get?
     
  12. 2006/07/13
    k9orthodoc

    k9orthodoc Inactive

    Joined:
    2006/07/12
    Messages:
    1
    Likes Received:
    0
    Pete, This is Brian. I haven't been able to get back on your system with my normal e mail address, on my computer... even though it was saying thank you for logging in, etc, etc, I would still have a yellow banner telling me I was a guest with limited access. I sent e mails to the administrator but he says there is nothing wrong with your system. He had me logout to clear cookies, etc but no go. Anyway I am on a third computer. To my knowledge it has no adware/spyware type software... something the administrator said may be present on my computers preventing me from getting back on. (The software programs you have asked me to download and use?) I also registered a new email and logon so anyway here I am.
    I followed the last instructions with regards to Ewido. In normal mode it comes up fine and does a complete scan. It was just in safe mode that nothing happened and I got that funky message about no disk in drive. What is the reason we want to do the scan in safe mode vs normal mode. Thank You!
    Brian
     
  13. 2006/07/13
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Brian

    I have no idea why you were unable to access the Board - I can assure you that the software I asked you to install - HJT and Ewido are not the cause - I have both on my computer with no problems at all.

    I am puzzled as to why you cannot run Ewido in Safe mode and will seek another opinion on this. In Safe mode any malware present, particularly trojans are less likely to be active and resist removal - that is my understanding of the situation - which may not be 100% correct :)

    Was anything found by Ewido? If you can copy the log across and post it here it would be helpful.
     
  14. 2006/07/14
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Pete ,
    Here is a copy of the report generated by Ewido at completion of its scan (in regular mode).

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:42:11 AM 7/14/2006

    + Scan result:



    C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\Program Files\U.S. Robotics\ControlCenter\controlcenter_update\ControlCenterUpdate4.00.027to4.00.050.exe/Reminder.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\Program Files\U.S. Robotics\ControlCenter\controlcenter_update\ControlCenterUpdate4.00.027to4.00.050.exe/ctrlcntr.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\Program Files\U.S. Robotics\ControlCenter\ctrlcntr.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\Program Files\Verizon Wireless\QuickLink Mobile\QuickLink Mobile.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ad-logics[1].txt -> TrackingCookie.Ad-logics : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@z1.adserver[1].txt -> TrackingCookie.Adserver : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@servedby.advertising[1].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    M:\Documents and Settings\Administrator.CLINIC\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@bfast[1].txt -> TrackingCookie.Bfast : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@centrport[2].txt -> TrackingCookie.Centrport : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@com[2].txt -> TrackingCookie.Com : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@commission-junction[1].txt -> TrackingCookie.Commission-junction : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@a.as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@c.as-us.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@gator[2].txt -> TrackingCookie.Gator : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@goclick[1].txt -> TrackingCookie.Goclick : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ehg-hillspet.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ehg-iams.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ehg-learningco.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@linksynergy[1].txt -> TrackingCookie.Linksynergy : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@overture[2].txt -> TrackingCookie.Overture : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@qksrv[1].txt -> TrackingCookie.Qksrv : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
    M:\Documents and Settings\Administrator.CLINIC\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@valueclick[2].txt -> TrackingCookie.Valueclick : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@webstat[2].txt -> TrackingCookie.Web-stat : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@ads.x10[1].txt -> TrackingCookie.X10 : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@count.xhit[2].txt -> TrackingCookie.Xhit : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
    M:\Documents and Settings\Win4.CLINIC\Cookies\win4@zedo[2].txt -> TrackingCookie.Zedo : No action taken.


    ::Report end

    The M drive is from an old computer that I installed in this one. I have never erased any of its contents nor do I use or direct anything to it at this time. I did it to have access to the data since it was in our business network. I have no use for its data now so if I should just erase/format that drive let me know.

    Brian
     
  15. 2006/07/14
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Brian

    Looking at the Ewido log it would appear that you did not set it up to do anything other than scan - everything found is suffixed by No Action Taken.

    However, apart from a couple of tracking cookies the only other thing it found was a heuristic.Win32 dialler in the US Robotics folder which I suggest is perfectly legit.

    Your M drive has a number of tracking cookies in the location listed. I would just delete those, unless you particularly want to wipe (format) the M drive.

    I see you are back with us on your normal account :)

    Speaking with THE malware expert on the Board he has not heard of Ewido not running in Safe mode or seen the message re There is no disk in the drive and suggests a problem elsewhere. No idea where.
     
  16. 2006/07/14
    Brian Schmidt

    Brian Schmidt Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Pete,
    Yes I am back on with original logon, just using a different computer. When I am at the Windowsbbs homepage, and have logged on, I have a yellow banner telling me I am on as a guest, limited access, etc. When I scroll down and select the topic of virus, adware removal where our posts have been, the yellow banner is absent, my name is in the upper right corner telling me I have 8000+ unread posts. I scroll down to our thread and when I try to reply it takes me to a screen for putting in my info again. I don't get it but at least I have another computer at work I can get on with. Thanks for all your help.
     
  17. 2006/07/14
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    You're welcome :)

    Re. BBS - are you allowing cookies? Mine are set Medium High and WindowsBBS is in the Trusted Zone.
     
