Log Help


  • This topic is locked
4 replies to this topic

#1 Alastairc

  • New Member
  • 2 posts

Posted 16 February 2006 - 03:17 AM

PC has been getting lots of popups recently. Can you please have a look at my log:

Logfile of HijackThis v1.99.1
Scan saved at 09:05:11, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Inetpub\wwwroot\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\tftaise.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\tftaiseA.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Everybody\My Documents\Alastair\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tftaiseA] C:\WINDOWS\tftaiseA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - (no file)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\enp6l17s1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MySQL - Unknown owner - C:\Inetpub\wwwroot\MySQL.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tftaise.exe


#2 pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • 3,879 posts

Posted 16 February 2006 - 07:39 PM

Hello and welcome to TomCoyote forums. If you are not receiving help elsewhere please follow these directions in the posted order. Where did you find all of this junk at once??

You have a nice variety of garbage, instead of trying to do it all at once we will do this:

1) Follow these directions to remove the New.Net Hijacker: http://www.newdotnet.com/removal.html
It looks like this is the log:
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
This next link I am providing is for an emergency only. I have seen this hijacker removed many, many times with no problems. If you should have an emergency where you cannot connect to the internet, this tool will fix the problem: http://www.cexx.org/lspfix.htm Please do not use it otherwise.

2) We need to use Spy Sweeper 4.5 - Free Trial and you will find it at the bottom of this page: http://www.webroot.c...er/latestv.html This is the only SS tool we can use. These are the instructions, follow them exactly:

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer <<< very important

3) Download CWShredder from here: http://www.softpedia...WShredder.shtml Update the program if available, then choose FIX not scan. Allow the shredder to run and remove anything it locates. Let me know what it finds.

Restart the computer and post the log from the Spysweeper sweep, information about CWShredder, a new HJT log and any feedback you think I should have. We will have more to do.

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 Alastairc

  • New Member
  • 2 posts

Posted 17 February 2006 - 02:46 AM

thx, got Spy Sweeper and it found 27 items, here's the log:

********
07:53: | Start of Session, 17 February 2006 |
07:53: Spy Sweeper started
07:53: Sweep initiated using definitions version 616
07:54: Starting Memory Sweep
07:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
07:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:04: Memory Sweep Complete, Elapsed Time: 00:10:48
08:05: Starting Registry Sweep
08:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:05: Found Adware: findthewebsiteyouneed hijack
08:05: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
08:05: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125242)
08:05: Found Adware: effective-i toolbar
08:05: HKLM\software\effective-i\ (ID = 125658)
08:05: Found Adware: internetoptimizer
08:05: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
08:05: HKLM\software\policies\avenue media\ (ID = 128929)
08:06: Found Adware: ist yoursitebar
08:06: HKCR\interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}\ (8 subtraces) (ID = 147832)
08:06: HKCR\interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}\ (8 subtraces) (ID = 147835)
08:06: HKLM\software\classes\interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}\ (8 subtraces) (ID = 147838)
08:06: HKLM\software\classes\interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}\ (8 subtraces) (ID = 147841)
08:06: HKLM\software\classes\typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44}\ (9 subtraces) (ID = 147842)
08:06: HKLM\software\microsoft\internet explorer\toolbar\ || {86227d9c-0efe-4f8a-aa55-30386a3f5686} (ID = 147852)
08:06: HKCR\typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44}\ (9 subtraces) (ID = 147861)
08:06: Found Adware: visfx
08:06: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
08:06: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
08:06: Found Trojan Horse: trojan-downloader-zlob
08:06: HKCR\nvideocodek.chl\ (2 subtraces) (ID = 820294)
08:06: HKLM\software\classes\nvideocodek.chl\ (2 subtraces) (ID = 820324)
08:06: Found Adware: enbrowser
08:06: HKLM\software\system\sysold\ (ID = 926808)
08:06: HKLM\software\microsoft\windows\currentversion\run\ || themonitor (ID = 1028873)
08:06: Found Adware: quicklink search toolbar
08:06: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
08:06: Found Adware: dollarrevenue
08:06: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
08:06: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\microsoft\internet explorer\main\ || search page (ID = 125238)
08:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\effective-i\ (6 subtraces) (ID = 125657)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\policies\avenue media\ (ID = 128928)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\system\sysuid\ (1 subtraces) (ID = 731748)
08:06: HKU\S-1-5-21-1275210071-113007714-1060284298-1003\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
08:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:06: Registry Sweep Complete, Elapsed Time:00:01:50
08:06: Starting Cookie Sweep
08:06: Found Spy Cookie: 2o7.net cookie
08:06: everybody@2o7[2].txt (ID = 1957)
08:06: Found Spy Cookie: pointroll cookie
08:06: everybody@ads.pointroll[1].txt (ID = 3148)
08:06: Found Spy Cookie: apmebf cookie
08:06: everybody@apmebf[2].txt (ID = 2229)
08:06: Found Spy Cookie: falkag cookie
08:06: everybody@as-us.falkag[2].txt (ID = 2650)
08:06: Found Spy Cookie: atlas dmt cookie
08:06: everybody@atdmt[2].txt (ID = 2253)
08:06: Found Spy Cookie: enhance cookie
08:06: everybody@c.enhance[2].txt (ID = 2614)
08:06: Found Spy Cookie: fastclick cookie
08:06: everybody@fastclick[2].txt (ID = 2651)
08:06: Found Spy Cookie: hotlog cookie
08:06: everybody@hotlog[1].txt (ID = 2801)
08:06: Found Spy Cookie: mediaplex cookie
08:06: everybody@mediaplex[1].txt (ID = 6442)
08:06: Found Spy Cookie: qksrv cookie
08:06: everybody@qksrv[2].txt (ID = 3213)
08:06: Found Spy Cookie: realmedia cookie
08:06: everybody@realmedia[1].txt (ID = 3235)
08:06: everybody@sel.as-us.falkag[2].txt (ID = 2650)
08:06: Found Spy Cookie: spylog cookie
08:06: everybody@spylog[1].txt (ID = 3415)
08:06: Found Spy Cookie: statcounter cookie
08:06: everybody@statcounter[2].txt (ID = 3447)
08:06: Cookie Sweep Complete, Elapsed Time: 00:00:03
08:07: Starting File Sweep
08:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:07: Found Adware: command
08:07: c:\program files\network monitor (1 subtraces) (ID = -2147459771)
08:08: c:\program files\jalmp (3 subtraces) (ID = -2147459072)
08:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:08: __sysc00.exe (ID = 244277)
08:08: uni_eh.exe (ID = 245110)
08:09: netmon.exe (ID = 231443)
08:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:09: titno.exe (ID = 238242)
08:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:10: Found Adware: targetsaver
08:10: class-barrel (ID = 78229)
08:10: Found Adware: look2me
08:10: h62olgf3162.dll (ID = 159)
08:10: Found Adware: findthewebsiteyouneed hijacker
08:10: __winsysupd8.exe (ID = 245943)
08:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:12: vocabulary (ID = 78283)
08:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:12: jalmp.dll (ID = 238167)
08:13: Found Adware: surfsidekick
08:13: vcupdate.exe.config (ID = 212361)
08:13: hr8u05l9e.dll (ID = 163672)
08:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:13: icxrtmgr.dll (ID = 159)
08:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:16: __winsysban8.exe (ID = 245942)
08:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:17: __ms04530303-191.exe (ID = 244278)
08:17: uninstall.exe (ID = 237448)
08:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:20: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:21: cgmcat.dll (ID = 159)
08:21: tsupdate2[1].ini (ID = 193498)
08:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:21: uninstall_nmon.vbs (ID = 231442)
08:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:22: pf78.exe (ID = 244430)
08:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:23: arpf.cfg (ID = 208796)
08:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:27: vcclient.exe.config (ID = 212358)
08:27: File Sweep Complete, Elapsed Time: 00:20:15
08:27: Full Sweep has completed. Elapsed time 00:33:25
08:27: Traces Found: 164
08:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:27: Removal process initiated
08:27: Quarantining All Traces: look2me
08:28: Warning: QF[866]: CmprsF(): Sector size must be 512 bytes, not 50173
08:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:28: look2me is in use. It will be removed on reboot.
08:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:28: h62olgf3162.dll is in use. It will be removed on reboot.
08:28: hr8u05l9e.dll is in use. It will be removed on reboot.
08:28: cgmcat.dll is in use. It will be removed on reboot.
08:28: Quarantining All Traces: trojan-downloader-zlob
08:28: Quarantining All Traces: visfx
08:28: Quarantining All Traces: dollarrevenue
08:28: Quarantining All Traces: enbrowser
08:28: Quarantining All Traces: internetoptimizer
08:28: Quarantining All Traces: quicklink search toolbar
08:28: Quarantining All Traces: surfsidekick
08:28: Quarantining All Traces: command
08:28: Quarantining All Traces: effective-i toolbar
08:28: Quarantining All Traces: findthewebsiteyouneed hijacker
08:28: Quarantining All Traces: findthewebsiteyouneed hijack
08:28: Quarantining All Traces: ist yoursitebar
08:28: Quarantining All Traces: targetsaver
08:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
08:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
08:28: Quarantining All Traces: 2o7.net cookie
08:28: Quarantining All Traces: apmebf cookie
08:28: Quarantining All Traces: atlas dmt cookie
08:28: Quarantining All Traces: enhance cookie
08:28: Quarantining All Traces: falkag cookie
08:28: Quarantining All Traces: fastclick cookie
08:28: Quarantining All Traces: hotlog cookie
08:28: Quarantining All Traces: mediaplex cookie
08:28: Quarantining All Traces: pointroll cookie
08:28: Quarantining All Traces: qksrv cookie
08:28: Quarantining All Traces: realmedia cookie
08:28: Quarantining All Traces: spylog cookie
08:28: Quarantining All Traces: statcounter cookie
08:29: Preparing to restart your computer. Please wait...
08:29: Removal process completed. Elapsed time 00:01:34
********
07:51: | Start of Session, 17 February 2006 |
07:51: Spy Sweeper started
07:53: Your spyware definitions have been updated.
07:53: | End of Session, 17 February 2006 |

I then ran CWshredder and it didn't find any coolwebsearch

+ I removed new.new.hijacker

And here's my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 08:44:54, on 17/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Inetpub\wwwroot\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\tftaiseA.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Everybody\My Documents\Alastair\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tftaiseA] C:\WINDOWS\tftaiseA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\hr8u05l9e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MySQL - Unknown owner - C:\Inetpub\wwwroot\MySQL.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Still don't know what C:\WINDOWS\tftaiseA.exe is, any ideas?

#4 pskelley

Posted 17 February 2006 - 06:37 AM

Please be patient, you had a lot of infection on this machine. This: hXXp://searchbar.findthewebsiteyouneed.com is CWS infection, the Shredder did remove it as you see. I could have posted all of this at once, but opted to do it this way out of concern for you.

Still don't know what C:\WINDOWS\tftaiseA.exe is, any ideas?

That item was running as a service in the first log, but not the second? You did not disable it? Upload that file please: C:\WINDOWS\tftaiseA.exe to at least one of these free online scans for identification and post the results, thanks.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustota...h/index_en.html

The experts would also like to look at the file if you would help. If you would be so kind as to follow the simple directions at this link: http://www.bleepingc...mit-malware.php it may very well help others with this problem, thanks.

Instructions start here:

1) Turn off SpySweeper as it may try to stop our fix. You may benefit from the realtime protection during the trial if you wish, but once the trial is over, unless you purchase SS I would uninstall it. It is using a lot of resources and slowing you down, as will ewido until we adjust it.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(You know what these first two are, you can leave them or remove them, as you wish)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....er=6&ar=msnhome
O4 - HKLM\..\Run: [tftaiseA] C:\WINDOWS\tftaiseA.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\hr8u05l9e.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Enable hidden files & folders... reverse the process when finished.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\tftaiseA.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

6) If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues), you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any feedback you think I should have.

Thanks...Phil

Edited by pskelley, 17 February 2006 - 06:39 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
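
An added illustration, not part of the thread and not any poster's or HijackThis's own code: a small parser for the HijackThis entry format shown above that surfaces the two kinds of lines picked out in step 4, an O4 autorun launching an executable from the Windows root and entries marked "(file missing)". The function names and the Windows-root heuristic are assumptions; the sample lines are copied from the log in this thread.

```python
import re

# Sample input: a few entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tftaiseA] C:\WINDOWS\tftaiseA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\hr8u05l9e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: MySQL - Unknown owner - C:\Inetpub\wwwroot\MySQL.exe (file missing)
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autorun body: hive, key (Run, RunOnce, ...), value name, command
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
# Assumed heuristic: an .exe sitting directly in C:\WINDOWS, not in a subfolder
WINROOT_EXE = re.compile(r'^"?C:\\WINDOWS\\[^\\"]+\.exe', re.I)

def parse(log):
    """Yield (section, body) for each HijackThis entry line; skip everything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review(log):
    """Return (section, reason, body) for entries that deserve a manual look."""
    findings = []
    for section, body in parse(log):
        if body.endswith("(file missing)"):
            findings.append((section, "orphaned entry: target file missing", body))
        elif section == "O4":
            m = RUN.match(body)
            if m and WINROOT_EXE.match(m.group(4)):
                findings.append((section, "autorun from Windows root: " + m.group(3), body))
    return findings

if __name__ == "__main__":
    for section, reason, body in review(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

A flag here is a prompt for identification, not a verdict: the MySQL service line is flagged as orphaned even though it was not among the items selected for fixing in step 4.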

#5 pskelley

Posted 09 March 2006 - 05:50 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
