
internet issues

Old 19th Oct 2004, 10:48
  #1 (permalink)  
YYZ
Thread Starter
 
Join Date: Jun 2002
Location: UAE
Posts: 662
internet issues

Hi All

I'm on Blueyonder Broadband and cannot get online?
They say I'm on but all I get is a screen stating page is unavailable, however this is not the standard Windows page, it is various links to gambling and porn (it's the gambling bit I don't want)
And I have an advert bar at the bottom of the screen with the same type links. (Only comes on once online with the page not available screen)
Obviously this is some sort of spyware hijacking my system?
I have run Lavasoft's Adware remover, Search & Destroy & AVG 7 Pro but the thing is still there?
On occasion I can get online and access a maximum of two different pages before this spyware kicks in and blocks everything except the links?

Any advice, as I'm thinking of throwing the PC out of the office window and my dog lives out there, cannot afford vet fees

Cheers
YYZ
YYZ is offline  
Old 19th Oct 2004, 12:06
  #2 (permalink)  
 
Join Date: Jun 2004
Location: Edinburgh
Posts: 13
I am currently trying to sort out a friend's PC with the same problem, they are also on Blueyonder! Wonder if there is a problem with the ISP?

Anyway the next step I'm going to take is run Stinger (see browser hijack thread for URL) and see what happens. I have also done the same steps as you but will let you know what I can find if I get it resolved.
cuthbeg is offline  
Old 19th Oct 2004, 12:51
  #3 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Hi YYZ,

Please download 'Hijack This!' from here, unzip, and place it in its own folder (not in the temp folder, or on the desktop), double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required. I'll check it through and let you know what to do next.

Cuthbeg, I'm happy to do the same for you, so if you post up a HJT log (preferably in a new thread.. it could get confusing for me.. ) I'll give it the once over for you as well.

Cheers

Liam
E-Liam is offline  
Old 20th Oct 2004, 07:50
  #4 (permalink)  
YYZ
Thread Starter
 
Join Date: Jun 2002
Location: UAE
Posts: 662
I should manage to get home tonight so I'll run that and post the problem, providing another member of the family has not repaired/killed it?
Cheers

YYZ
YYZ is offline  
Old 21st Oct 2004, 07:43
  #5 (permalink)  
YYZ
Thread Starter
 
Join Date: Jun 2002
Location: UAE
Posts: 662
E-liam

Cannot post the Hijack this reply because of the below reply?
I PM a mod to try get it on?

YYZ



vBulletin Message
You have included too many images in your signature or in your previous post. Please go back and correct the problem and then continue again.

Images include use of smilies, the vB code [img] tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator.

The problem is that PPRuNe interprets : \ as - click 'disable smilies in this post' and it should work (but I've posted it anyway) - Evo

Last edited by Evo; 21st Oct 2004 at 08:06.
YYZ is offline  
Old 21st Oct 2004, 08:04
  #6 (permalink)  
Evo
 
Join Date: Sep 2002
Location: Chichester, UK
Posts: 1,650
Logfile of HijackThis v1.98.2
Scan saved at 20:41:11, on 20/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\DAWNHA~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [thunk dent] C:\PROGRA~1\AxisScr\Seek Way.exe
O4 - HKLM\..\Run: [okayreadmeflawcoal] C:\Documents and Settings\All Users\Application Data\Date long okay readme\once64.exe
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\Run: [spam wipe mail corn] C:\Documents and Settings\All Users\Application Data\bore phone spam wipe\mpeg heart.exe
O4 - HKLM\..\Run: [Services] C:\winread.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
Evo is offline  
Old 21st Oct 2004, 08:06
  #7 (permalink)  
YYZ
Thread Starter
 
Join Date: Jun 2002
Location: UAE
Posts: 662
Cheers Evo!

Back to you E-Liam
YYZ is offline  
Old 21st Oct 2004, 13:36
  #8 (permalink)  
 
Join Date: Jan 2004
Location: Bracknell UK
Posts: 357
Hi YYZ,

Print these off first, or copy them to the desktop in a notepad file, and then disconnect from the net until the instructions ask you to reconnect..

The first thing you need to do is to place Hijack This in its own folder (e.g. C:\HJT\….) so it can generate backup files to the same folder; needed should an entry be accidentally deleted. Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O4 - HKLM\..\Run: [thunk dent] C:\PROGRA~1\AxisScr\Seek Way.exe

O4 - HKLM\..\Run: [okayreadmeflawcoal] C:\Documents and Settings\All Users\Application Data\Date long okay readme\once64.exe

O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe

O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe

O4 - HKLM\..\Run: [spam wipe mail corn] C:\Documents and Settings\All Users\Application Data\bore phone spam wipe\mpeg heart.exe

O4 - HKLM\..\Run: [Services] C:\winread.exe

O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s


(Read here for more info on XoftSpy)

O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe

O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe

O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe

O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next please find and delete the following bolded files...

C:\winread.exe

(The following two you will have to search for, but they will probably be in the C:\Windows\System32\.. folder)

sres32.exe

winsysi.exe

..and these bolded folders...

C:\PROGRA~1\AxisScr

C:\Documents and Settings\All Users\Application Data\Date long okay readme

C:\Documents and Settings\All Users\Application Data\bore phone spam wipe

C:\Program Files\XoftSpy

(The above XoftSpy is at your discretion if you've paid for it)

Then please boot back into normal mode and download AdAware SE from here.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here, if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here, and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

There, that wasn't too painful.. was it?? :)

..and cheers for the help with posting up the log, Evo..

Cheers

Liam
E-Liam is offline  
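The autostart (O4) entries in the log above can be triaged mechanically before a human reviews them. The following is an added example, not part of any post in this thread and not HijackThis's own logic: the four flag rules and the names `parse_o4` and `triage` are assumptions of this example, and the sample lines are an excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Excerpt: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [thunk dent] C:\PROGRA~1\AxisScr\Seek Way.exe
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [spam wipe mail corn] C:\Documents and Settings\All Users\Application Data\bore phone spam wipe\mpeg heart.exe
O4 - HKLM\..\Run: [Services] C:\winread.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
"""

# Registry autoruns only; "Global Startup" shortcut lines are skipped.
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Return (hive, key, value_name, command) for each registry autorun line."""
    matches = (O4_REG.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def triage(entries):
    """Map (value_name, command) -> sorted heuristic flags (rules assumed here)."""
    locations = defaultdict(set)
    for hive, key, name, cmd in entries:
        locations[(name, cmd)].add(f"{hive}\\{key}")
    report = {}
    for (name, cmd), keys in locations.items():
        flags = []
        if "\\" not in cmd:
            flags.append("no-path")      # bare file name, resolved via the search path
        if re.match(r'^"?[A-Za-z]:\\[^\\]+$', cmd):
            flags.append("drive-root")   # executable sitting directly in the drive root
        if "\\application data\\" in cmd.lower():
            flags.append("app-data")     # program launched from a data directory
        if len(keys) > 1:
            flags.append("multi-key")    # same entry registered under several Run keys
        if flags:
            report[(name, cmd)] = sorted(flags)
    return report

if __name__ == "__main__":
    for (name, cmd), flags in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"{name!r:28} {cmd}  ->  {', '.join(flags)}")
```

These rules do not flag the `thunk dent` entry that appears in the fix list above, so the output is a starting point for review, not a verdict.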
Old 25th Oct 2004, 08:11
  #9 (permalink)  
YYZ
Thread Starter
 
Join Date: Jun 2002
Location: UAE
Posts: 662
Hi E-Liam

Well I followed your instructions to the note and then the PC decided it had to turn itself off.... and then on, then off, then on etc!
I hate computers, did a full re-install and seems to be OK for now?

Wait and see I guess.
Thanks for your help.
YYZ
YYZ is offline  
