mbbradford
asked on
Can't get rid of q3567836.exe, an Adware.Winshow variant.
I am running a Dell laptop (Inspiron 4100) with Windows XP and DSL. I reformatted the hard drive and reinstalled XP and all my applications three days ago, but it took only 2 days of my kids browsing the net for me to get infected again.
Norton AntiVirus 2004 finds the subject executable and identifies it as an Adware.Winshow threat but is unable to remove it (delete failure). The "Security Response" document describes its threat only as changing the browser homepage and causing pop-ups, which I am in fact experiencing. When it becomes active, Internet Explorer goes to www.lookfor.cc.
NAV shows the path to the executable as the Temporary Internet Files folder, but it will not show there and it cannot be deleted. When configuring the folder to show all hidden files and not to hide system files, q3567836.exe does not show up. I am new to Windows XP, so maybe I don't know how to view and unprotect this kind of file so that I can see and delete it.
I have run through the removal procedure in the Symantec Security Response with no success. None of the keys show up in the registry when looking for them with regedit. My SpyHunter spyware program also does not find it, but NAV always does, yet fails to delete it.
This question is similar to the prior question "Unable to remove Adware.Winshow" from author Vereecken. It was useful to me, but:
- I did not find winshow.dll and therefore cannot delete it.
- I did not find the registry keys as listed in the Symantec Security Response.
- I disabled Windows Messenger.
- I disabled the Internet Options setting "Enable Install On Demand" (too late, unfortunately).
- I did find the HOSTS file and deleted it.
This appears to be something new, a variant of the old virus. It's not that damaging, but I had to reformat my hard drive to clean up the previous mess, and so, lesson learned, I will have to learn how to scan, clean and maintain my system and invest in the uninteresting process just to keep a basic Windows system up and running for my kids. God, I miss my Mac. So I might as well draw the line right here with this one and find some way to get rid of it. Any advice?
Thanks to all.
SOLUTION
ASKER
I installed Spybot Search & Destroy. It found other things which I cleaned up, but not the pesky q3567836.exe.
I also installed HijackThis and here is the log:
Logfile of HijackThis v1.97.7
Scan saved at 1:23:39 AM, on 12/31/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Renee Bradford\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#22776
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Renee Bradford\Application Data\iefeatsl\iefeatsl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\RENEEB~1\APPLIC~1\iefeatsl\msiesh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D8ED64-B5DA-49CB-BBA7-E91628AF37BE}: NameServer = 206.141.193.55 66.73.20.40
I should also add that I deleted the first four (the R1 and R0 entries) as I recognized the website that I don't want, and the same for the O17. This did not fix the problem with q3567836.exe, but I can't get to Yahoo anymore.
Thanks for your help guys. I'm going to bed, so will not respond till tomorrow.
Bruce
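The entries Bruce removed by hand (the R0/R1 page settings and the O17 NameServer line) and the ones the replies later single out (the unnamed O2 BHOs) are the kinds of lines worth checking mechanically once several logs get posted in a row. The Python script below is an added example, not code from the thread or from HijackThis: it parses a HijackThis 1.x log into its R/O entries, flags the indicators seen in this thread (res:// or untrusted start/search pages, BHOs with no name or a missing DLL, ActiveX downloads from raw-IP or untrusted hosts, DNS overrides, autostarts from temp paths), and diffs two logs so you can confirm what a cleanup run actually removed. The allowlists of trusted home-page and ActiveX hosts, the sample log (modelled on the log above, with the profile name replaced by "user") and the rule wording are assumptions for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Allowlists are assumptions for this example: hosts the owner expects as a
# home/search page, and hosts that ActiveX (O16 DPF) downloads may come from.
TRUSTED_PAGE_HOSTS = {"www.yahoo.com", "www.yahoo.sbc.com"}
TRUSTED_DPF_HOSTS = {"www-secure.symantec.com", "download.macromedia.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PROFILE_PATH_RE = re.compile(r"\\(Application Data|Temp|Temporary Internet Files)\\", re.I)


def parse_hjt(text):
    """Return (kind, body) tuples for the R*/O* entries of a HijackThis log.
    The header and the 'Running processes' list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (kind, reason, body) for entries matching the indicators seen in
    this thread. A hit is a reason to look, not a verdict."""
    findings = []
    for kind, body in entries:
        reason = None
        if kind in ("R0", "R1") and " = " in body:
            key, value = (s.strip() for s in body.split(" = ", 1))
            setting = key.rsplit(",", 1)[-1].lower()   # e.g. "start page"
            if "page" in setting or "search" in setting:
                if value.startswith("res://"):
                    reason = "IE page setting points at a local DLL resource"
                elif _host(value) not in TRUSTED_PAGE_HOSTS:
                    reason = "IE page setting is not a URL on a trusted host"
        elif kind == "O2":
            # Body looks like "BHO: <name> - {CLSID} - <dll path>"
            name = body[len("BHO: "):].split(" - ", 1)[0]
            if "(file missing)" in body:
                reason = "BHO registered but its DLL is missing"
            elif name == "(no name)" or not re.search(r"[A-Za-z0-9]", name):
                reason = "BHO with no usable name"
            elif PROFILE_PATH_RE.search(body):
                reason = "BHO DLL lives in the user profile or a temp path"
        elif kind == "O16":
            host = _host(body.rsplit(" - ", 1)[-1].strip())
            if _is_ip(host) or host not in TRUSTED_DPF_HOSTS:
                reason = "ActiveX download from an untrusted host"
        elif kind == "O17":
            reason = "DNS servers overridden; confirm they belong to the ISP"
        elif kind == "O4" and PROFILE_PATH_RE.search(body):
            reason = "autostart entry runs from a profile or temp path"
        if reason:
            findings.append((kind, reason, body))
    return findings


def removed_entries(before, after):
    """Entries in an earlier log that no longer appear in a later one; use it
    to confirm what a cleanup tool or a manual fix actually removed."""
    return [e for e in before if e not in after]


# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#22776
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\user\Application Data\iefeatsl\iefeatsl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D8ED64-B5DA-49CB-BBA7-E91628AF37BE}: NameServer = 206.141.193.55 66.73.20.40
"""

if __name__ == "__main__":
    for kind, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind}: {reason}\n    {body}")
```

Run directly it prints the six findings from the sample; for a real log, read the file and pass its text to parse_hjt(). The O17 rule fires on every NameServer line on purpose: the log alone cannot tell an ISP's resolvers from an attacker's, and that is exactly the judgement call this thread runs into.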
SOLUTION
ASKER
Thanks Shivsa,
CWShredder seems to have found and deleted it. Also the browser problems have stopped.
Here is a new HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 2:31:39 AM, on 12/31/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Renee Bradford\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D8ED64-B5DA-49CB-BBA7-E91628AF37BE}: NameServer = 206.141.193.55 66.73.20.40
What next? PS: I really am going to bed now.
Thanks for your help.
shivsa,
Why did you repeat my post about CWShredder?
ASKER
Just one additional comment,
I just reran NAV and it seems to find the same adware file q3567836.exe in the same location in the Temporary Internet Files folder. How come I can't see it with the browser and how come I can't delete it?
Thanks again, Bruce
ASKER
Sorry guys, I didn't read your instructions well enough the first time.
I just reran CWShredder (it did not find the Winshow file this time), REBOOTED as you had asked, and captured a new HijackThis log for you:
Logfile of HijackThis v1.97.7
Scan saved at 2:56:12 AM, on 12/31/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Renee Bradford\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
ASKER CERTIFIED SOLUTION
Hi War1,
I did not refresh before posting the first time. Sorry about that.
The second time I posted to make sure mbbradford does this step, because in this case it was pretty certain he had to do this to get rid of things.
To mbbradford,
Your system is clean, as said by war1, so remove the last suspected O2 entry and you are done.
ASKER
Hi Shivsa and War1,
This is what I did today.
- Reinstalled Windows XP (created a new admin name since q3567836.exe was in the path of the old sysadmin. I deleted the old user account, and then tried to delete the path to the Temporary Internet Files folder, but it refused to be deleted).
- Ran a NAV scan, which finally comes up clean, although I mistyped the name of a website and instead of getting the "unable to find page" page, I was taken to a new unknown search engine, so maybe I still have a part of the Adware.Winshow virus somewhere.
- Turned off System Restore.
- Ran HijackThis again, and deleted the file for submithook.dll.
- Re-enabled System Restore and created a new restore point.
- Ran HijackThis again and captured this log: (am I finally clean?)
Logfile of HijackThis v1.97.7
Scan saved at 12:41:18 PM, on 12/31/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.sbc.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D8ED64-B5DA-49CB-BBA7-E91628AF37BE}: NameServer = 206.141.193.55 66.73.20.40
One last question: I still cannot delete the old sysadmin folder for Temporary Internet Files, which has a single file in there (index.dat). Can I delete it somehow?
Thanks to both of you.
ASKER
Extra points
You can try to delete it by going into Safe Mode.
Or try from DOS.
And also post the error while deleting, if any.
The reason that you cannot delete the index.dat file is that the system is using it. You can delete the file in command prompt or DOS.
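Two details behind the answers above are worth spelling out. On XP the Temporary Internet Files folder that Explorer displays is a virtual view built from index.dat; the cached files themselves sit in Content.IE5\<random name> subfolders, so a scanner can report a file in that tree that the Explorer view never lists (a `dir /a /s` of the folder from a command prompt shows the real directories). And a file that a running process still holds open, as index.dat is while a shell or browser is using it, fails a normal delete with a sharing violation until nothing holds it, which is what the Safe Mode and command-prompt advice works around. The Python script below is an added example, not something from the thread: it attempts a plain delete and, if the file is locked, queues it for deletion during the next boot with the Win32 call MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the API alternative to rebooting into Safe Mode. The only assumption is that the target path is given on the command line.

```python
import ctypes
import os
import sys
import tempfile

# Win32 MoveFileEx flag: instead of acting now, the rename/delete is recorded
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# PendingFileRenameOperations and carried out early in the next boot,
# before Explorer or Internet Explorer can reopen the file.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def pending_rename_entries(paths):
    """The REG_MULTI_SZ pairs MoveFileEx writes for queued deletions: the
    NT-style source path (\\??\\ prefix) followed by an empty target string.
    Useful for checking in regedit that the deletion really was queued."""
    entries = []
    for path in paths:
        entries += ["\\??\\" + path, ""]
    return entries


def schedule_delete_on_reboot(path):
    """Windows only: queue `path` for deletion at the next boot. Needs an
    administrator token, because the queue lives under HKLM."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx delay-until-reboot is a Windows-only API")
    kernel32 = ctypes.windll.kernel32
    # lpNewFileName=NULL with this flag means "delete" rather than "rename".
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


def remove_locked(path):
    """Delete `path` now if possible. If another process holds it open
    (PermissionError, a sharing violation on Windows), queue it for the next
    boot instead. Returns 'deleted' or 'scheduled'; a missing file raises
    FileNotFoundError so a typo in the path is not mistaken for success."""
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        schedule_delete_on_reboot(path)
        return "scheduled"


def self_check():
    """Exercise the unlocked path on a scratch file: returns the status
    string and whether the file still exists afterwards."""
    fd, scratch = tempfile.mkstemp(prefix="index.dat-check-")
    os.close(fd)
    return remove_locked(scratch), os.path.exists(scratch)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: remove_locked.py <path to locked file>")
    print(remove_locked(sys.argv[1]))
```

Run it from an administrator command prompt with the full path of the stubborn file as the only argument. If it prints `scheduled`, the queued pair (what pending_rename_entries() returns for that path) is visible under PendingFileRenameOperations and the file disappears on the next reboot; if it prints `deleted`, nothing was holding the file after all. On XP, booting to Safe Mode and deleting from the command prompt remains the simpler route when you are already at the console.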
A friend of mine has this same problem using Windows ME. I got her to post up a hijack log. Any help?
Logfile of HijackThis v1.97.7
Scan saved at 12:27:57 AM, on 2/19/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\SPEEDSTREAM DSL\SPDSTRM.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\HPHMON05.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
-Jazhawk
Jazhawk,
I noticed you have MyWay and some other unknown Browser Helper Object (BHO). This may help you and others out there. I have been battling the spyware, malware, adware issue for a while now. Although SpyBot is an excellent utility in removing quite a bit, there are still items it misses. One of the important items missed seems to be the loader which reinstalls everything after you reboot. I have developed a list of all the registry entries, folders and files that MyWay, MySearchBar and FunWebProducts (all affiliated with each other) install. If you are comfortable with the registry, manual removal of these entries will then allow you to delete any of the rogue files left.
Here's the list: (I apologize for the format. Copied from an Excel spreadsheet.) I can send it to anyone requesting it.
MyWebSearch Entries

Type | Path | Entry
Registry | Local Machine-Software | MySearch
Registry | Local Machine-Software | MyWay
Registry | Local Machine-Software | MyWebSearch
Registry | Local Machine-Software | FunWebProducts
Registry | Local Machine-Software-Microsoft-Internet Explorer-Toolbar | 014DA6C9-189F-421a-88CD-07CFE51CFF10
Registry | Local Machine-Software-Microsoft-Internet Explorer-Toolbar | 0494D0D9-F8E0-41ad-92A3-14154ECE70AC
Registry | Local Machine-Software-Microsoft-Internet Explorer-Toolbar | 07B18EA9-A523-4961-B6BB-170DE4475CCA
Registry | Local Machine-Software-Microsoft-Office-Outlook-Addins | MyWebSearch.OutlookAddin
Registry | Local Machine-Software-Microsoft-Office-Word-Addins | MyWebSearch.OutlookAddin
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Explorer-Browser Helper Objects | 00A6FAF1-072E-44cf-8957-5838F569A31D
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Explorer-Browser Helper Objects | 014DA6C1-189F-421a-88CD-07CFE51CFF10
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Explorer-Browser Helper Objects | 0494D0D1-F8E0-41ad-92A3-14154ECE70AC
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Explorer-Browser Helper Objects | 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Explorer-Browser Helper Objects | 07B18EA1-A523-4961-B6BB-170DE4475CCA
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Internet Settings-User Agent-Post Platform | FunWebProducts
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Internet Settings-User Agent-Post Platform | FunWebProducts-MyWay
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Run | MyWebSearch Email Plugin
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Uninstall | MySearch Uninstall
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Uninstall | MyWay Speedbar Uninstall
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Uninstall | MyWebSearch bar Uninstall
Registry | Local Machine-Software-Microsoft-Windows-Current Version-Uninstall | MyWebSearch Email Clients Uninstaller
Registry | Current User-Software | MySearch
Registry | Current User-Software | MyWay
Registry | Classes-Root | FunWebProducts.HTMLMenu
Registry | Classes-Root | FunWebProducts.HTMLMenu.1
Registry | Classes-Root | FunWebProducts.HTMLMenu.2
Registry | Classes-Root | FunWebProducts.PopSwatterBarButton
Registry | Classes-Root | FunWebProducts.PopSwatterBarButton.1
Registry | Classes-Root | FunWebProducts.PopSwatterSettingsControl
Registry | Classes-Root | FunWebProducts.PopSwatterSettingsControl.1
Registry | Classes-Root | MySearchToolBar.NetscapeShutdown
Registry | Classes-Root | MySearchToolBar.NetscapeShutdown.1
Registry | Classes-Root | MySearchToolBar.NetscapeStartup.1
Registry | Classes-Root | MySearchToolBar.NetscapeStartup
Registry | Classes-Root | MySearchToolBar.SettingsPlugin
Registry | Classes-Root | MySearchToolBar.SettingsPlugin.1
Registry | Classes-Root | MyWay.HTMLMenu
Registry | Classes-Root | MyWay.HTMLMenu.1
Registry | Classes-Root | MyWay.PopSwatterBarButton
Registry | Classes-Root | MyWay.PopSwatterBarButton.1
Registry | Classes-Root | MyWay.PopSwatterSettingsControl
Registry | Classes-Root | MyWay.PopSwatterSettingsControl.1
Registry | Classes-Root | MyWayToolBar.NetscapeShutdown
Registry | Classes-Root | MyWayToolBar.NetscapeShutdown.1
Registry | Classes-Root | MyWayToolBar.NetscapeStartup
Registry | Classes-Root | MyWayToolBar.NetscapeStartup.1
Registry | Classes-Root | MyWebSearch.OutlookAddin
Registry | Classes-Root | MyWebSearch.OutlookAddin.1
Registry | Classes-Root | MyWebSearchToolBar.SettingsPlugin
Registry | Classes-Root | MyWebSearchToolBar.SettingsPlugin.1
Directory | C:\Program Files | FunWebProducts
Directory | C:\Program Files | MySearch
Directory | C:\Program Files | MyWay
ActiveX | C:\WINNT\Downloaded Program Files | [FunWebProducts] 1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB
ActiveX | C:\WINNT\Downloaded Program Files | [MySearch] 58F0B492-A42E-435A-BCBF-C6B2608077BA
ActiveX | C:\WINNT\Downloaded Program Files | [MySpeedBar] 79B96C72-C0D0-4DC8-BC7E-9F314A918228

Notes:
All "0"s are Zeros
Add/Remove Programs removes all entries except:
Directory | C:\Program Files | FunWebProducts
Directory | C:\Program Files | MySearch
Directory | C:\Program Files | MyWay
ActiveX | C:\WINNT\Downloaded Program Files | [FunWebProducts] 1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB
ActiveX | C:\WINNT\Downloaded Program Files | [MySearch] 58F0B492-A42E-435A-BCBF-C6B2608077BA
ActiveX | C:\WINNT\Downloaded Program Files | [MySpeedBar] 79B96C72-C0D0-4DC8-BC7E-9F314A918228
Registry | Local Machine-Software | MySearch
Registry | Local Machine-Software | MyWay
Registry | Local Machine-Software | MyWebSearch
Registry | Local Machine-Software | FunWebProducts
Registry | Current User-Software | MySearch
Registry | Current User-Software | MyWay
SpyBot confirmed a successful clean after manual removal of the above entries.
Document By:
R. Scott Graschel
02/17/04
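The list above is a set of indicators that can be checked against a HijackThis log mechanically instead of by eye. The following script is an added example for this thread, not code from HijackThis or from any of the posters: it parses the O2 (BHO), O3 (toolbar) and O16 (Downloaded Program Files) lines of a log, extracts each CLSID and flags any that appear in the toolbar, BHO and ActiveX CLSIDs from the list above; it also queues BHOs that HijackThis prints as "(no name)" for manual lookup, since an unnamed BHO is worth a second look but is not proof of anything on its own. The sample log embedded in the script is constructed: the entry names mirror this thread, but the 00000000-... CLSIDs, the file paths and the example.invalid URL are placeholders.

```python
"""Flag HijackThis O2/O3/O16 entries whose CLSID is on the MyWay/MySearch/FunWebProducts list.

Added example for this thread; not part of HijackThis or of any post above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CLSIDs copied from the list R. Scott Graschel posted above (toolbars, BHOs,
# Downloaded Program Files). Stored upper-case so matching is case-insensitive.
KNOWN_BAD_CLSIDS = {
    # Internet Explorer toolbars
    "014DA6C9-189F-421A-88CD-07CFE51CFF10",
    "0494D0D9-F8E0-41AD-92A3-14154ECE70AC",
    "07B18EA9-A523-4961-B6BB-170DE4475CCA",
    # Browser Helper Objects
    "00A6FAF1-072E-44CF-8957-5838F569A31D",
    "014DA6C1-189F-421A-88CD-07CFE51CFF10",
    "0494D0D1-F8E0-41AD-92A3-14154ECE70AC",
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",
    "07B18EA1-A523-4961-B6BB-170DE4475CCA",
    # ActiveX controls in Downloaded Program Files
    "1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB",
    "58F0B492-A42E-435A-BCBF-C6B2608077BA",
    "79B96C72-C0D0-4DC8-BC7E-9F314A918228",
}

# HijackThis lines look like "O2 - BHO: <rest>", "O3 - Toolbar: <rest>", "O16 - DPF: <rest>".
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
PAREN_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Finding:
    section: str   # O2, O3 or O16
    name: str      # display name HijackThis printed for the entry
    clsid: str     # upper-cased CLSID without braces ("" if none was found)
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one HijackThis line into (section, kind, rest); None for lines that are not O-entries."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def entry_name(section: str, rest: str) -> str:
    """O2/O3 lines begin with the name; O16 lines carry it in parentheses after the CLSID."""
    if section == "O16":
        m = PAREN_RE.search(rest)
        return m.group(1) if m else "(no label)"
    return rest.split(" - ")[0].strip()


def analyze(log_text: str) -> List[Finding]:
    """Return O2/O3/O16 entries on the known list, plus unnamed BHOs queued for manual review."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, _kind, rest = parsed
        if section not in ("O2", "O3", "O16"):
            continue
        m = CLSID_RE.search(rest)
        clsid = m.group(1).upper() if m else ""
        name = entry_name(section, rest)
        if clsid in KNOWN_BAD_CLSIDS:
            findings.append(Finding(section, name, clsid, "CLSID on the MyWay/MySearch/FunWebProducts list"))
        elif section == "O2" and name == "(no name)":
            # HijackThis prints "(no name)" when the BHO registered no display name;
            # that alone proves nothing, so the entry is only queued for a manual lookup.
            findings.append(Finding(section, name, clsid, "unnamed BHO, look up the CLSID by hand"))
    return findings


# Constructed sample log: names mirror this thread, but the 0000...-style CLSIDs,
# the file paths and the example.invalid URL are placeholders, not real values.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7 (constructed sample)
O2 - BHO: NAV Helper - {00000000-0000-0000-0000-000000000001} - C:\placeholder\placeholder.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\placeholder\unknown.dll
O2 - BHO: MyWay Search Assistant BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\placeholder.dll
O3 - Toolbar: MyWay Speedbar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\placeholder.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (FunWebProducts) - http://example.invalid/placeholder.cab
"""

if __name__ == "__main__":
    # On the sample this prints four lines: the unnamed BHO, the MyWay BHO,
    # the MyWay toolbar and the FunWebProducts ActiveX control.
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<28} {{{f.clsid}}}  {f.reason}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents (for example `analyze(open("hijackthis.log").read())`). Entries that match the list correspond to the Browser Helper Objects, Toolbar and Downloaded Program Files rows above; the O4 Run entries and the Classes-Root ProgIDs are not in the log, so those still have to be checked in the registry as the post describes.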
*** advertising removed by Netminder, Site Admin ***
and post the log file here.
and then try to run this
CoolWebShredder
http://www.spychecker.com/program/cwshredder.html