Author Topic: Can't RemoveAdware (Read 7827 times)

Jeff Stornelli · « **on:** October 09, 2005, 05:59:03 AM »

Hi Guys, looking for help. I have a problem removing something called Virtumondo that redirects my browser. I tried removing cookies and temp files then running MS antispy, Norton AV, and AdawareSE in Safe Mode. I can run the MS Antispy, remove it, run it again immediately and it's still there. I'm at a loss as to what to do next. Thanks for any suggestions.

GX1_Man · « **Reply #1 on:** October 09, 2005, 09:54:45 AM »

Boot into safe mode and run the scans fromn there. If that doesn't get it, restore from earlier point when everything functioned correctly.

Always keep those scanners up to date and practice safe surfing, if using Windows!

(Gee, I'm glad I'm beyond all that now!

)

Fed · « **Reply #2 on:** October 09, 2005, 01:52:51 PM »

1st try Cwshredder, if that fails move on to Hijackthis.
System restore can potentially remove your drivers, (SPs?) & hotfixes.

dl65 · « **Reply #3 on:** October 10, 2005, 12:48:14 AM »

Jeff Stornelli....

Quote

Hi Guys, looking for help. I have a problem removing something called Virtumondo that redirects my browser.

Your pc is infected with a browser hijacker ....
Do as FED has suggested .....D/L and run a scan with hijackthis ........ http://www.download.com/HijackThis/3000-8022_4-10227353.html

Post your log here and we can help you clean your machine .

dl65

Brewhedd · « **Reply #4 on:** October 10, 2005, 06:43:02 AM »

I can't post that info, it's too long. My computer also goes to an AV site and starts downloading a program w/o my consent. If I need to, will my restore disc remove this stuff? Is a reformat necessary? I also found a file named Win32res.exe that I believe is what is reloading the garbage but can't find it w/ a search. Thanks

Fed · « **Reply #5 on:** October 10, 2005, 01:59:41 PM »

Split your Hijackthis log up so you can post it.
Did you get it analysed at the Hijackthis website?
http://www.hijackthis.de/index.php?langselect=english

dl65 · « **Reply #6 on:** October 10, 2005, 02:22:36 PM »

Jeff Stornelli......... Relax....take a deep breath ......then post your hijackthis log here .......in several sections if necessary ..........
Once you post your log , we will tell you how to clean it .......

dl65

Brewhedd · « **Reply #7 on:** October 10, 2005, 04:09:15 PM »

ok here goes
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\BigFix\BigFix.exe

Brewhedd · « **Reply #8 on:** October 10, 2005, 04:10:01 PM »

C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.fastaccess.com/launch.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QREVIHEV\WFXScanR[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100024222843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

dl65 · « **Reply #9 on:** October 10, 2005, 08:30:53 PM »

Jeff Stornelli......Ok .....Mark the following for removal......

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayw.dll

O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QREVIHEV\WFXScanR[1].exe"

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll

That should do it ......

mark for removal and click fix marked ....now reboot and see how things are .

dl65

Brewhedd · « **Reply #10 on:** October 10, 2005, 08:51:41 PM »

dl65- Tried your suggestions and received error # 52. Bad file name or number in sub getlongpath(exe".exe)
Thanks

dl65 · « **Reply #11 on:** October 10, 2005, 09:00:35 PM »

Jeff Stornelli....... What o/s are you using and when does the error 52 appear?

dl65

dl65 · « **Reply #12 on:** October 10, 2005, 09:16:17 PM »

Jeff Stornelli......you said ...that antispyware removed it bbut it came back........If I recall .......try this .......turn off your system restore feature ....( sometimes these pests will hide in there .) Rerun your antispyware and your AV in the safe mode .......If that fixes the issue , turn back on your system restore .

dl65

Brewhedd · « **Reply #13 on:** October 11, 2005, 04:38:31 AM »

Windows XP, but the error is in "Hijackthis". Tried running AV/Adware etc in safe mode after turning off restore and deleting cookies and files. I believe you have specified the right files to delete. What a learning experience, probably will start looking into the registry a little deeper. I had my HD backed up on another drive but it was already infected. I'm wondering if a "restore" from my CD will solve this? Pain to re-install everything but I'm definitely not letting this stay on my system.

Computer Hope Forum

News:

Author Topic: Can't RemoveAdware (Read 7827 times)

Jeff Stornelli

Can't RemoveAdware

GX1_Man

Re: Can't RemoveAdware

Fed

Re: Can't RemoveAdware

dl65

Re: Can't RemoveAdware

Brewhedd

Re: Can't RemoveAdware

Fed

Re: Can't RemoveAdware

dl65

Re: Can't RemoveAdware

Brewhedd

Re: Can't RemoveAdware

Brewhedd

Re: Can't RemoveAdware

dl65

Re: Can't RemoveAdware

Brewhedd

Re: Can't RemoveAdware

dl65

Re: Can't RemoveAdware

dl65

Re: Can't RemoveAdware

Brewhedd

Re: Can't RemoveAdware