Go Back   Cyber Tech Help Support Forums > Software > Malware Removal Forum

Notices

Reply
 
Topic Tools
  #1  
Old September 15th, 2012, 06:28 PM
Simon Sudbury Simon Sudbury is offline
New Member
 
Join Date: Mar 2012
Posts: 16
Snap.Do problem

Use XP with SP3 and system hijacked by Snap.Do. I've uninstalled from add/remove and tried the procedure where you stop various processes in task manager prior to deleting various reg keys. Thing is that as soon as you stop the suggested processes you get the PC is shutting down blah blah. In addition I can't find the reg keys in the locations suggested.

Has anyone else been able to get rid of this in XP?

Thanks
Reply With Quote


  #2  
Old September 16th, 2012, 01:37 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 49,958
Hello Simon Sudbury,

Let's take a look.


To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If you can have an open Internet connection, and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


A lot, but comprehensive, and will make sure we get a good view of everything.
Reply With Quote
  #3  
Old September 16th, 2012, 10:10 AM
Simon Sudbury Simon Sudbury is offline
New Member
 
Join Date: Mar 2012
Posts: 16
Hi

Many thanks for this detailed advice. I was given similar (not same) on another forum and asked to run and provide 3 scan results. I can attach one below but don't seem to have the manage attachments feature enabled to attach the other 2. Do you know how I go about enabling this feature?


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Tony Jermyn at 18:41:59 on 2012-09-15
.
============== Running Processes ===============
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\stsystra.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe
E:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
E:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\PC Tools\PC Tools Security\TFEngine\TFService.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Tony Jermyn\My Documents\Downloads\dds (1).scr
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uLocal Page = k:\windows\system32\blank.htm
uStart Page = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=469 36df2-99ee-4c19-a66e-43a18791e8c9&searchtype=hp
uSearch Page = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=469 36df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
uSearch Bar = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=469 36df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
uSearchAssistant = hxxp://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=469 36df2-99ee-4c19-a66e-43a18791e8c9&searchtype=ds&q={searchTerms}
mURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mWinlogon: Userinit=e:\windows\system32\userinit.exe,k:\windo ws\system32\userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - k:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - k:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - k:\program files\askbardis\bar\bin\askBar.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - e:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\Ba bylonToolbar.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - k:\program files\utorrentbar\prxtbuTo2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - k:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - k:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - Hotspot Shield Class
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - k:\program files\yahoo!\companion\installs\cpn\YTSingleInstan ce.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - k:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - k:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - k:\program files\utorrentbar\prxtbuTo2.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - k:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - e:\program files\babylontoolbar\babylontoolbar\1.5.3.17\Babyl onToolbarTlbr.dll
{ae07101b-46d4-4a98-af68-0333ea26e113}
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [MediaFire Tray] "e:\documents and settings\tony jermyn\application data\mediafire express\mf_systray.exe" --boot-start
uRun: [uTorrent] "e:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Google Update] "e:\documents and settings\tony jermyn\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "e:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
mRun: [APSDaemon] "e:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoInstrumentation = 1
IE: Search the Web - e:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
LSP: e:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B629A411-7D81-44AB-85AF-8D683672859B} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - k:\windows\system32\rundll32.exe k:\windows\system32\mscories.dll,Install
.
============= SERVICES / DRIVERS ===============
.
R? Browser Defender Update Service;Browser Defender Update Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz132;cpuz132
R? Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service
R? libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1
R? pctgntdi;pctgntdi
R? PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service
R? pctplsg;pctplsg
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? cpuz135;cpuz135
S? IBUpdaterService;Updater Service
S? PCTCore;PCTools KDS
S? pctDS;PC Tools Data Store
S? pctEFA;PC Tools Extended File Attributes
S? PCTSD;PC Tools Spyware Doctor Driver
S? sdAuxService;PC Tools Auxiliary Service
S? sdCoreService;PC Tools Security Service
S? SI3112r;Silicon Image SiI 3512 SATARaid Controller
S? TfFsMon;TfFsMon
S? TfNetMon;TfNetMon
S? TfSysMon;TfSysMon
S? ThreatFire;ThreatFire
.
=============== Created Last 30 ================
.
2012-09-12 17:41:08 -------- d-----w- e:\program files\Unlocker
.
==================== Find3M ====================
.
2012-07-06 13:58:51 78336 ----a-w- e:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- e:\windows\system32\drivers\rdpwd.sys
2012-07-03 15:07:44 832512 ----a-w- e:\windows\system32\wininet.dll
2012-07-03 15:07:43 1830912 ------w- e:\windows\system32\inetcpl.cpl
2012-07-03 15:07:42 78336 ----a-w- e:\windows\system32\ieencode.dll
2012-07-03 15:07:42 17408 ----a-w- e:\windows\system32\corpol.dll
2012-07-03 13:40:15 1866112 ----a-w- e:\windows\system32\win32k.sys
.
============= FINISH: 18:46:36.01 ===============
Reply With Quote
  #4  
Old September 17th, 2012, 12:19 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 49,958
Different forums use different techniques, so the requirements of one may have little in common with the other. But posting requests at more than one forum is a waste of the helpers limited time, so you need to choose which request you wish to work with. If here, I will need you to run and posted what was requested. If the other forum, be sure to let me know you plan to do the follow up there. If you choose to get help here, be sure to post in your other forum thread that you are receiving help elsewhere.
Reply With Quote
  #5  
Old September 17th, 2012, 07:37 AM
Simon Sudbury Simon Sudbury is offline
New Member
 
Join Date: Mar 2012
Posts: 16
Yes message understood but I can't comply with your request until the manage attachments feature is enabled as I don't seem to have it.
Reply With Quote
  #6  
Old September 18th, 2012, 12:48 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 49,958
This forum is different than that other. If you check other request threads here, you will see how to post the logs here, in your request thread.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump




All times are GMT +1. The time now is 07:07 PM.