& use HiJack to remove this
O4 - HKLM\..\Run: [GuAb] C:\WINDOWS\xfynydf.exe
I keep getting popups with these addresses:
http://bannerfarm.ace.adve
http://media.fastclick.net
I've updated and run adaware, spybot, spy sweeper and xoft spy but I'm still having the problem. Also, when I visit web pages, part of the page shows "the page cannot be displayed" message.
Here's the HijackThis log:
Logfile of HijackThis v1.91.2
Scan saved at 10:57:24, on 14/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-4
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-6
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-0
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "d:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [STOPzilla] "D:\Program Files\STOPzilla!\Stopzilla
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.10
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMo
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Documents and Settings\Steve\Local Settings\Temp\Norton AntiVirus 2003 Professional\AdvTools\AdvC
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.ex
O4 - HKLM\..\Run: [GuAb] C:\WINDOWS\xfynydf.exe
O4 - HKLM\..\Run: [jcn] C:\WINDOWS\jcn.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKLM\..\Run: [Printer Driver Helper Service] C:\WINDOWS\system32\crsrr.
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\RunServices: [Windows Update Process] wmiprvsc.exe
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-B
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupM
O4 - HKCU\..\Run: [MemOptimizer] "E:\Steve\eMule\Incoming\T
O4 - Startup: Connection Keeper.lnk = C:\Program Files\Connection Keeper\ConKeepM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-0
O16 - DPF: {39B0684F-D7BF-4743-B050-F
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
This question has been solved and asker verified.
just got another popup
http://media.fastclick.net
I removed the HijackThis item before getting the popup, so now I'll try running the spyware programs in safe mode.
I found a trojan yesterday but removed it and rescanned with no sign of it. I'm not sure which trojan it was but Norton isn't picking up any trojan activity at the moment with the popups.
Should I remove that entry?
I ran the anti-spyware programs in safe mode but they found nothing. I made sure they were up to date before.
Hi! itsonelouder
You're running a very outdated version of HijackThis.
Download the latest version (1.99) from here:
http://www.gatesofdelirium
Delete your old version and install HijackThis into a folder of its own (C:\HJT\hijackthis.exe).
Do not run it from a temp folder or your desktop.
With all browser windows closed: run it - do not fix anything.
Copy and paste your log file into the automatic analysis site at:
http://www.hijackthis.de/i
After it's been analyzed - post a Link to your log file here.
Please, do not post the log file - just a link.
Also, in your first post - your log file is incomplete.
However, you do show some problems in your first log file.
Good luck!
RF
Use spybot search & destroy - www.pcworld.com/downloads/
I've done that.
Ross, I hope I haven't been too eager but I fixed the ones that it mentioned I should fix, except for msnappau.exe in C:\Program Files\MSN Apps\Updater\01.02.3000.10
A couple of weeks back I had exactly the same problem that you're having now... nothing helped and I nearly formatted my PC. But I discovered Spy Sweeper and it solved my problem.
Steps that helped me:
a) First, boot your PC in safe mode.
b) Start your Spy Sweeper and activate all possible Spy Sweeper shields.
c) Go to Add/Remove Programs to remove the unknown apps.
d) Open IE. Go to the Tools menu, Internet Options, General, click Settings and click Objects. A list of objects will now appear in a window. Right-click on each object and click Remove. Remove all, because the system will prompt you to install them again when you need them.
e) Delete everything from the Windows\Temp and Internet temp folders.
f) Empty the Recycle Bin.
g) Sweep using Spy Sweeper now.
h) Reboot your PC into normal mode and sweep again.
Repeat above steps until spy sweeper says nothing found...
I had to repeat 5 times...
or www.bbc.co.uk
it's telling me internet explorer cannot open the search page
The O17 entry was probably related to your Internet Service Provider (PIPEX Internet) -
O17 - HKLM\System\CCS\Services\T
NameServer = 62.241.160.200 158.43.240.4
I ran it thru "WhoIs" and it's valid.
From the Main screen in HJT, click on the config box at the lower right -
then click on the "Backup" button -
Highlight the O17 entry and click on "Restore"
Click out of HijackThis
Then restart your computer.
See how things are working.
Also, kneH's suggestion concerning the Hosts file is a good idea.
RF
Sounds like serious spyware then.
Here's a copy-paste from an IT-related mate of mine... use parts of it
[quote]
To effectively remove spyware, this is what you need to do:
Install Spysweeper
Install Giantantispyware (microsoft’s beta)
Install Spybot
Install Ad-Aware
Install Pest Patrol
Download Hijackthis
(update all these programs)
Reboot into SAFEMODE
run giantantispyware
run spysweeper
run ad-aware
run spybot (make sure you remove the dso exploits manually)
run pest patrol
run hijackthis
("make sure you open task manager and end task on explorer.exe")
After all these programs are complete reboot into normal mode and then run these programs again on each user.
Once these programs scan with about 0 results, reboot twice, and run one final scan of spysweeper and giantantispyware. Then go online and go to webroot's website at hffp://www.webroot.com and click on spyaudit, run spyaudit. Also make sure that you go into your internet explorer options and reset everything to defaults.
GO DOWNLOAD FIREFOX BY MOZILLA, IT WILL ALSO HELP
[/quote]
So to visit the sites... get Firefox... until you sort it anyways.
Turn off system restore before removing it all.
To remove spyware: go into safemode.
Reboot a few times.
Disconnect from internet when removing spyware
OK, I'm back. I had to restore everything I fixed in "hijack this" because I couldn't even get on this site to see you all again. I don't know what went wrong because I only fixed what I was told to, never mind. Phew!
kneH, I'll have a go with those progs. Ross, any ideas what went wrong or anything I should've fixed but didn't and vice versa?
That's funny, I just went into Hotmail and I wasn't getting the "cannot display page" over the banners! ?? Don't know how that happened.
Hi!
Glad you made it back! :)
I don't know who told you to fix anything - the automatic analysis site?!?
Note: this line from one of my posts above:
>Quote
With all browser windows closed: run it - do not fix anything.
>Unquote
And from above:
The O17 entry was probably related to your Internet Service Provider (PIPEX Internet) -
O17 - HKLM\System\CCS\Services\T
NameServer = 62.241.160.200 158.43.240.4
You shouldn't have fixed this one.
Although the analysis site is useful - some of us don't like to depend on it for
a definitive determination of what to fix.
The only reason I requested that you post your log there, instead of here is this:
http://www.experts-exchang
The "powers that be" here at EE frown on it.
:)
So how are things running?
Yes, let us know.
RF
Yes, there is - let me rewrite what was going to be my first response
before I found out you had gone ahead and fixed things.
Don't feel bad though -
when I first started "playing around" with HJT -
I pretty quickly put myself in the position of:
reformat/reinstall!
OOPS :)
At least it was my own machine!
RF
Hi!
Here's what's going on.
This entry is marked by the "Auto" analyzer as "Nasty" - not really true.
However, it is unnecessary to have running at Startup - resource hog.
C:\Program Files\MSN Apps\Updater\01.02.3000.10
Some info here:
http://www.auditmypc.com/p
http://castlecops.com/star
If you want to stop it from running at startup - click on Start, click on Run and type msconfig -
go to the Startup tab and uncheck the box related to it.
If you have a problem, just go back into msconfig and put a checkmark in its box.
While there, you might want to go to the Services tab - check the box
"Hide All Microsoft Services" and note what services are left.
-------
The following 2 entries are for the MSN Toolbar "Auto" says "Nasty" - not really -
if you installed this yourself leave them.
(After the problems you've had - I'd leave them alone for now). :)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-4
Apps\ST\01.02.3000.1002\en
Information here: http://castlecops.com/clsi
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-6
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en
Information here: http://castlecops.com/clsi
-------
These 2 entries show the possible presence of a Trojan(s).
They may just be left overs from before.
O4 - HKLM\..\Run: [Printer Driver Helper Service] C:\WINDOWS\system32\crsrr.
Information here:
http://startup.iamnotageek
http://www.sophos.com/viru
O4 - HKLM\..\RunServices: [Windows Update Process] wmiprvsc.exe
Information here:
http://www.sophos.com/viru
-------
Your internet service provider?
It seems valid - don't fix it.
O17 - HKLM\System\CCS\Services\T
NameServer = 62.241.160.200 158.43.240.4
PIPEX Internet
-------
This one is nasty.
O4 - HKLM\..\Run: [jcn] C:\WINDOWS\jcn.exe
Have HijackThis fix the following:
O4 - HKLM\..\Run: [Printer Driver Helper Service] C:\WINDOWS\system32\crsrr.
O4 - HKLM\..\RunServices: [Windows Update Process] wmiprvsc.exe
O4 - HKLM\..\Run: [jcn] C:\WINDOWS\jcn.exe
Then: Start your computer into safe mode and search your entire computer for
any instances of the following:
jcn.exe
wmiprvsc.exe
crsrr.exe
Delete all that you find (if present)
Let me know if you find any that wouldn't let you delete them - note their location.
There's not really a reason to delete msnappau.exe -
you can stop it from running at startup with msconfig
Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
<=This will delete all your cached internet content including cookies.
This is recommended and strongly suggested!
However, if you delete all your cookies - this can affect your stored Internet passwords
and your ability to logon automatically to various sites.
So, consider deleting all your cookies - optional!!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
Empty your "Recycle Bin".
Reboot your computer normally
Run another scan with HijackThis
Post your log to the analysis site
Then post a Link back here.
Cheers...
RF
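A first-pass triage of the O4 (autostart) lines discussed in the answer above, as an added example that is not part of the original thread and not code from HijackThis or hijackthis.de. The flag names and the two location heuristics are assumptions made for this sketch; a flag is a prompt to look the file up, not a verdict, and the sample is limited to the log lines that were not truncated on the page.

```python
import ntpath
import re

# Constructed sample: the untruncated O4 lines from the log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GuAb] C:\WINDOWS\xfynydf.exe
O4 - HKLM\..\Run: [jcn] C:\WINDOWS\jcn.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\RunServices: [Windows Update Process] wmiprvsc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
'''

# Groups: hive, registry key, value name, command line.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')
# A quoted path, or an unquoted path cut at the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr|pif))\b', re.I)

def parse_o4(line):
    """Split one O4 line into its parts; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE_RE.match(command)
    path = (exe.group(1) or exe.group(2)) if exe else command
    return {"hive": hive, "key": key, "name": name, "path": path}

def flags_for(path):
    """Assumed heuristics: where the file lives, never what it is called."""
    flags = []
    folder = ntpath.dirname(path).lower()
    if not folder:
        flags.append("no-path")        # resolved via the search path at logon
    elif folder == r"c:\windows":
        flags.append("windows-root")   # loose file directly in the Windows folder
    if "\\temp\\" in path.lower():
        flags.append("temp-dir")       # autostart from a temporary folder
    return flags

def triage(log_text):
    """Return {value name: flags} for every O4 entry that raised a flag."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and flags_for(entry["path"]):
            hits[entry["name"]] = flags_for(entry["path"])
    return hits
```

On this sample the entries in Program Files pass unflagged, while the two files sitting directly in C:\WINDOWS and the two entries with no path at all are listed for manual review.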
Cheers, I've done all that.
http://www.hijackthis.de/l
Hi!
Well, at this point I'd say you don't have anything particularly nasty in your log.
I think you're good to go.
Here's some information on how to keep your computer clean
(remember kneH's list above):
I strongly recommend taking a look at the following applications:
* Spywareblaster <= SpywareBlaster will prevent spyware from being installed -
http://www.javacoolsoftwar
* Spywareguard <= SpywareGuard offers realtime protection
from spyware installation attempts.
http://www.wilderssecurity
* How to use Ad-Aware to remove Spyware
<= If you suspect that you have spyware installed on your computer,
here are instructions on how to download, install and then use Ad-Aware.
http://www.bleepingcompute
* How to use Spybot to remove Spyware
<= If you suspect that you have spyware installed on your computer,
here are instructions on how to download, install and then use Spybot.
Similar to Ad-Aware, I strongly recommend both to catch most spyware.
http://www.bleepingcompute
To protect yourself further:
* IE/Spyad <= IE/Spyad places over 4000 websites and domains
in the IE Restricted list
which will severely impair attempts to infect your system.
It basically prevents any downloads (Cookies etc) from the sites listed,
although you will still be able to connect to the sites.
https://netfiles.uiuc.edu/
* MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
with one containing well-known ad sites etc.
Basically, this prevents your computer from connecting to those sites
by redirecting them to 127.0.0.1 which is your local computer
http://mvps.org/winhelp200
* Google Toolbar <= Get the free google toolbar to help stop pop up windows.
http://toolbar.google.com/
And also see TonyKlein's good advice
So how did I get infected in the first place?
http://forums.net-integrat
A couple of good sites dealing with spyware:
Experts Exchange thread - lots of info:
http://www.experts-exchang
Taken from EE expert "petelongs" site:
Browser Hijacking
http://www.petenetlive.com
http://www.tryware.dk/Engl
Let us know if you have any problems!
Good luck!
RF
What excellent service! Thank you very much for your help and tips Ross, the points go to you. I've just downloaded spywareguard and spywareblaster and they look very good. I'll also look at the other stuff.
Anyway, I'm not quite sure how we got there because of the fixing/unfixing (I'll have to be less eager in future) but we did and I haven't had any popups and my system's had a good clean-out so great stuff, and thanks also to others who've contributed. :)
Darn, this one keeps popping up now, I'll try those other progs.
http://www1.paypopup.com/l
Hi!
www1.paypopup.com is listed on Winhelp2002's hosts file.
If you don't want to use the Hosts file - copy and paste the following into your Hosts file after
the 127.0.0.1 localhost entry -
127.0.0.1 paypopup.com
127.0.0.1 central.paypopup.com
127.0.0.1 central2.paypopup.com
127.0.0.1 www1.paypopup.com
127.0.0.1 www2.paypopup.com
127.0.0.1 www3.paypopup.com
127.0.0.1 www4.paypopup.com
127.0.0.1 www5.paypopup.com
127.0.0.1 www6.paypopup.com
127.0.0.1 www7.paypopup.com
127.0.0.1 www8.paypopup.com
127.0.0.1 www9.paypopup.com #[toolbar.cab]
127.0.0.1 www10.paypopup.com
127.0.0.1 www.paypopup.com
That should take care of that popup.
RF
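The hosts file matches names exactly, with no wildcards, so a host that the list above omits still resolves normally. The following added example (not part of the original post) parses hosts-file text and reports which names it actually sinkholes; the function names, the sample file and the two unlisted test hostnames are constructed for illustration.

```python
# Constructed sample: a hosts file holding some of the entries posted above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 paypopup.com
127.0.0.1 www1.paypopup.com
127.0.0.1 www9.paypopup.com #[toolbar.cab]
127.0.0.1 www.paypopup.com
"""

# Addresses treated as "blocked". The thread uses 127.0.0.1; 0.0.0.0 is
# included as an assumption because blocklists commonly use it as well.
SINKS = {"127.0.0.1", "0.0.0.0"}

def parse_hosts(text):
    """Return {hostname: address} for every mapping in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, inline ones too
        if not line:
            continue
        address, *names = line.split()
        for name in names:                    # one line may carry several names
            # Keep the first mapping seen for a name (assumed resolver behaviour).
            mapping.setdefault(name.lower(), address)
    return mapping

def blocked(hostname, mapping):
    """True only on an exact name match: an entry for paypopup.com does
    not cover www11.paypopup.com or any other subdomain."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKS

def coverage(hostnames, mapping):
    """Report, per hostname, whether the hosts file sinkholes it."""
    return {h: blocked(h, mapping) for h in hostnames}
```

Run against the names seen in popup URLs, `coverage` shows which ones still need their own line in the file.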
You can also use the Immunize function in Spybot S&D to populate the Restricted Sites list in IE from known pop-up sites
http://www.download.com/Sp
by: MASQUERAID, posted on 2005-02-14 at 03:12:17, ID: 13303081
Are you running your removal programs in safe mode?