Can't Remove Adware?
Hi Guys, looking for help. I have a problem removing something called Virtumondo that redirects my browser. I tried removing cookies and temp files then running MS antispy, Norton AV, and AdawareSE in Safe Mode. I can run the MS Antispy, remove it, run it again immediately and it's still there. I'm at a loss as to what to do next. Thanks for any suggestions.

Boot into safe mode and run the scans from there. If that doesn't get it, restore from an earlier point when everything functioned correctly.

"Hi Guys, looking for help. I have a problem removing something called Virtumondo that redirects my browser."

Your pc is infected with a browser hijacker .... Do as FED has suggested .....D/L and run a scan with hijackthis ........ http://www.download.com/HijackThis/3000-8022_4-10227353.html Post your log here and we can help you clean your machine .

dl65

I can't post that info, it's too long. My computer also goes to an AV site and starts downloading a program w/o my consent. If I need to, will my restore disc remove this stuff? Is a reformat necessary? I also found a file named Win32res.exe that I believe is what is reloading the garbage but can't find it w/ a search. Thanks

Split your Hijackthis log up so you can post it. Did you get it analysed at the Hijackthis website? http://www.hijackthis.de/index.php?langselect=english

Jeff Stornelli......... Relax....take a deep breath ......then post your hijackthis log here .......in several sections if necessary .......... Once you post your log , we will tell you how to clean it .......
dl65

ok here goes

Jeff Stornelli......Ok .....Mark the following for removal......

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayw.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QREVIHEV\WFXScanR[1].exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll

That should do it ...... mark for removal and click fix marked ....now reboot and see how things are .

dl65

dl65- Tried your suggestions and received error # 52.
Bad file name or number in sub getlongpath(exe".exe) Thanks

Jeff Stornelli....... What o/s are you using and when does the error 52 appear?

dl65

Jeff Stornelli......you said ...that antispyware removed it but it came back........If I recall .......try this .......turn off your system restore feature ....( sometimes these pests will hide in there .) Rerun your antispyware and your AV in the safe mode .......If that fixes the issue , turn back on your system restore .

dl65

Windows XP, but the error is in "Hijackthis". Tried running AV/Adware etc in safe mode after turning off restore and deleting cookies and files. I believe you have specified the right files to delete. What a learning experience, probably will start looking into the registry a little deeper. I had my HD backed up on another drive but it was already infected. I'm wondering if a "restore" from my CD will solve this? Pain to re-install everything but I'm definitely not letting this stay on my system.
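
Two of the entries dl65 marks for removal share a recognisable shape: ddayw.dll is registered both as a BHO (O2) and as a Winlogon Notify package (O20), and one O4 Run entry starts an executable out of Temporary Internet Files. The following is an added example, not part of the original thread, that checks a HijackThis log for those two shapes; the heuristics and function names are assumptions of this example, and the "Example" log lines are constructed.

```python
import re
from collections import defaultdict

# The first three entries are copied from dl65's reply; the "Example" entries are constructed.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayw.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QREVIHEV\WFXScanR[1].exe"
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: examplecui - C:\WINDOWS\SYSTEM32\examplesrv.dll
O4 - HKLM\..\Run: [ExampleTask] "C:\Program Files\Example\task.exe" -atboottime
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe or .dll; paths may contain spaces and brackets.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
TEMP_DIRS = ("\\temporary internet files\\", "\\temp\\")


def parse(log):
    """Return (code, lower-cased path or None, raw line) for each log entry."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            p = PATH.search(m.group("body"))
            entries.append((m.group("code"), p.group(0).lower() if p else None, line.strip()))
    return entries


def triage(log):
    """Return {raw line: reason} for entries matching the two heuristics."""
    entries = parse(log)
    codes_by_path = defaultdict(set)
    for code, path, _ in entries:
        if path:
            codes_by_path[path].add(code)
    flagged = {}
    for code, path, raw in entries:
        if path and code in ("O2", "O20") and {"O2", "O20"} <= codes_by_path[path]:
            flagged[raw] = "same DLL loaded as BHO and Winlogon Notify"
        elif path and code == "O4" and any(d in path for d in TEMP_DIRS):
            flagged[raw] = "autorun target in a temp/cache directory"
    return flagged


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG).items():
        print(f"[{reason}] {raw}")
```

A match is a prompt to look at the file, not a verdict; the other entries on dl65's list do not fit either shape and were picked by judgement.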