Cyber Tech Help Support Forums > Software > Malware Removal
  #1  
December 31st, 2004, 11:33 PM
tonyv930
New Member
Join Date: Dec 2004
Posts: 11
Midaddle - please help me get rid of this crap

I am running Windows 2000, and I have tried every procedure I can find about "midaddle", but I still can't seem to get rid of it once and for all. Some of the suggestions don't seem to apply to my machine's state (e.g., some of the files named on some sites [doxdesk.com] don't appear on my machine). I know that I need to get rid of some stuff (e.g., yQS9pf0kT.dll), but I don't want to damage my system by deleting the wrong stuff.

Here's my latest Hijackthis log file. Thanks in advance for your help.

Logfile of HijackThis v1.98.2
Scan saved at 2:43:12 PM, on 12/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\?hkntfs.exe
C:\Documents and Settings\tonyv\Application Data\uacs.exe
C:\program files\cox\applications\app\Prism.exe
C:\ScanPanel\ScnPanel.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\tonyv\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {638B6059-BE65-21EF-D576-6C5508F7734D} - C:\WINDOWS\system32\yzvswaf.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tonyv\Local Settings\Temp\yQS9pf0kT.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [0N6Z76.exe] c:\documents and settings\tonyv\local settings\temp\0N6Z76.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AuthConsoleStart] c:\program files\cox\applications\app\cox.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Nzqxf] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [Lesa] C:\Documents and Settings\tonyv\Application Data\uacs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdc...cx_tgctlcm.jsp
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/192b189a...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ri.cox.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ri.cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ri.cox.net


  #2  
January 1st, 2005, 02:04 AM
mike
CTH Subscriber
Join Date: Sep 2000
Posts: 3,300
Hi tonyv930 ,
Welcome to CTH

1.
Download the latest HijackThis 1.99 from HERE
It will auto install to C:\Program Files for you, just click on the "Unzip" button.

Delete your old Hijackthis folder.

Remove Viewpoint Manager from Add/Remove Programs

2.
Close ALL Internet Explorer Windows, only have HijackThis running.
In HijackThis, Check the boxes for the below entries, then click on "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {638B6059-BE65-21EF-D576-6C5508F7734D} - C:\WINDOWS\system32\yzvswaf.dll

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tonyv\Local Settings\Temp\yQS9pf0kT.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [0N6Z76.exe] c:\documents and settings\tonyv\local settings\temp\0N6Z76.exe

O4 - HKCU\..\Run: [Nzqxf] C:\WINDOWS\system32\?hkntfs.exe

O4 - HKCU\..\Run: [Lesa] C:\Documents and Settings\tonyv\Application Data\uacs.exe

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe026.dll

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/192b189...ip/RdxIE601.cab

3.
Reboot into Safe Mode (reboot and tap F8 immediately after the BIOS screen, then choose Safe Mode from the menu).
Make sure you set Windows to show Hidden Files and Folders.

Then delete the below files and folders:

C:\WINDOWS\system32\?hkntfs.exe<--- delete the file

C:\Documents and Settings\tonyv\Application Data\uacs.exe<--- delete the file

C:\Program Files\Viewpoint<--- delete the Viewpoint folder


While still in Safe Mode, remove all the files and sub-folders from the below TEMP folders (do not delete the TEMP folder itself; do this regularly for all users):

C:\documents and settings\tonyv\local settings\temp

C:\temp ( if present )

C:\windows\temp

The TIF (Temporary Internet Files) can also be emptied regularly, via:
Control Panel -- Internet Options -- General tab -- "Delete Files".
Also tick the "Delete all offline content" box.

Empty Recycle Bin

Reboot computer and post back a new HJT log to this thread, please.

Cheers.


Download Ad-aware SE Personal to finish cleaning up.
It is critical that you UPDATE Ad-aware, before scanning.
Use the "Perform full system scan" mode.
See Perform full system scan in Adaware SE for full details.

and also download:
SPYBOT S+D 1.3
UPDATE Spybot S+D 1.3, before scanning.
Remove all RED entries Spybot S+D displays.
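A small triage script, added here as an example and not part of this thread or of HijackThis itself, that applies the same checks Mike used when reading the log above (a loader in the user's Temp folder, an executable dropped straight into Application Data, a non-printable character in the filename, a BHO with no name) to a few constructed lines in HijackThis log format. The sample lines, the `Entry` class and the `triage` function are my own; the "?" in ?hkntfs.exe stands in for the non-ASCII character the forum could not render.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on entries quoted in this thread.
# A literal "?" is not legal in a Windows filename, so it is flagged the same way as a
# non-ASCII character would be.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {638B6059-BE65-21EF-D576-6C5508F7734D} - C:\WINDOWS\system32\yzvswaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tonyv\Local Settings\Temp\yQS9pf0kT.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [0N6Z76.exe] c:\documents and settings\tonyv\local settings\temp\0N6Z76.exe
O4 - HKCU\..\Run: [Nzqxf] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [Lesa] C:\Documents and Settings\tonyv\Application Data\uacs.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

@dataclass
class Entry:
    section: str                 # "O2" (BHO) or "O4" (Run key)
    raw: str                     # the original log line
    target: str                  # DLL path (O2) or command line (O4)
    name: str                    # BHO display name or Run value name
    reasons: List[str] = field(default_factory=list)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$")

TEMP_RE = re.compile(r"\\local settings\\temp\\", re.I)
APPDATA_EXE_RE = re.compile(r"\\application data\\[^\\]+\.exe\b", re.I)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2 or O4 line; other HijackThis sections are ignored here."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", line, m["target"].strip(), m["name"])
    m = O4_RE.match(line)
    if m:
        return Entry("O4", line, m["target"].strip().strip('"'), m["name"])
    return None

def assess(e: Entry) -> Entry:
    """Attach the reasons a helper would question this entry."""
    t = e.target
    if TEMP_RE.search(t):
        e.reasons.append("loads from the user's Local Settings\\Temp folder")
    if APPDATA_EXE_RE.search(t):
        e.reasons.append("executable dropped directly into Application Data")
    if any(ord(c) > 126 or c == "?" for c in t):
        e.reasons.append("path contains a non-ASCII or unprintable character")
    if e.section == "O2" and e.name == "(no name)":
        e.reasons.append("BHO registered without a name")
    return e

def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and assess(e).reasons:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] -> {'; '.join(e.reasons)}")
```

The five lines it flags are exactly the O2 and O4 entries Mike told tonyv930 to fix; the Norton, ctfmon and ccApp lines pass untouched.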
  #3  
January 2nd, 2005, 05:04 AM
tonyv930
New Member
Join Date: Dec 2004
Posts: 11
Mike,

Thanks for your prompt reply. I followed your instructions, with the following exceptions.

1) I left "Sidestep" in place. I installed it a few years ago, but I haven't used it in a while. It never gave me any problems, but please let me know if I should really get rid of it.

2) I left the "Real Networks" DPF in place. I don't know what it does, but I do use Real Networks from time to time. Again, please let me know if I should really get rid of it.

Your other suggestions seem to have made a difference. My status bar is back, and I haven't noticed any flights to "ads345.com". Personally, I think the creators of this "crapware" should be shot, drawn, and then quartered.

I look forward to your response regarding my new log file.

Now, here is the updated log file:

Logfile of HijackThis v1.99.0
Scan saved at 9:31:08 PM, on 1/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\cox\applications\app\Prism.exe
C:\ScanPanel\ScnPanel.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AuthConsoleStart] c:\program files\cox\applications\app\cox.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdc...cx_tgctlcm.jsp
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/192b189a...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ri.cox.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ri.cox.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ri.cox.net
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Curtains for Windows System Service - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Unknown - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  #4  
January 2nd, 2005, 01:41 PM
mike
CTH Subscriber
Join Date: Sep 2000
Posts: 3,300
Hi tonyv930,

Sidestep is fine. I forgot it is OK now. Any O16 DPF entries can go, they are only ActiveX objects that assist in downloads and are recreated on next visit to the site. The RealNetworks entry is not a nasty so it can stay.

The HijackThis log looks good.

Cheers
  #5  
January 3rd, 2005, 04:43 AM
tonyv930
New Member
Join Date: Dec 2004
Posts: 11
Hi Mike,

Thanks again for your help. My system is running much better, and I haven't had a popup since I swept away all the crapware. Your assistance has helped me to maintain a reasonable level of sanity throughout this ordeal.

I do have a couple of questions/comments about your instructions.

1) COMMENT: you said to delete the file "?hkntfs.exe". I had to select both the "Show hidden files and folders", as well as uncheck the box "Hide protected operating system files", before it showed up anywhere. In addition, the leading Unicode character in the filename made it show up at the bottom of the alpha list, not where you would expect to find it. It did not escape my attention, however, and it has since been DELETED.

2) QUESTION: just for my own information, do you have any idea what that beastie "?hkntfs.exe" was supposed to do? I saw a couple of posts about it, and they were quite scary.

3) QUESTIONS: you said to delete "uacs.exe". When I found it, I also noticed another file of the same size, called "tare.exe". Do you know what either of these files are supposed to do? Where might they have come from? Should I delete BOTH "uacs.exe" and "tare.exe"?

Your expert commentary is greatly appreciated.
  #6  
January 3rd, 2005, 08:50 AM
electricbliss
New Member
Join Date: Jan 2005
Location: Minnesota, USA
Posts: 2
I have a problem with this too but I hate to admit that this is very confusing for me. May I ask what a Hijackthis file or program is? Sorry for the annoying newbie questions!
  #7  
January 3rd, 2005, 03:57 PM
tonyv930
New Member
Join Date: Dec 2004
Posts: 11
electricbliss,

No need to apologize. If you don't ask the questions AND then you get burned, THAT'S annoying.

HijackThis is a free utility that allows you to scan and repair your running system. Basically, you close all your windows except for HijackThis, then run a scan. It generates a log file that the experts at this forum can use to diagnose your problems. REMEMBER, don't try to fix anything with HijackThis, until you have checked with the experts. Just run the scan first, and post it to this forum for analysis.

Believe me, it works like a charm. Before I swept my system, I was getting a ton of popups. In addition, a BHO (Browser Helper Object) was hijacking my browser to collect info about the web sites that I was visiting, all for the purpose of serving me with more advertising. This "crapware", as I like to call it, was put on my system without my consent, and it was causing my browser to crash more often than not. As you can see by my posts and responses in this thread, HijackThis has been a lifesaver for me.

For some reason, the version at Cybertechhelp is an older one (1.97.7), but click on the "info" link next to it for a description of the utility. One of the places you can find the latest HijackThis (ver 1.99) is at www.majorgeeks.com/download3155.html

Good luck with fixing your problems.

-Tony
  #8  
January 3rd, 2005, 11:50 PM
mike
CTH Subscriber
Join Date: Sep 2000
Posts: 3,300
Hi tonyv930,

Thanks for the introduction to electricbliss.

I think the CTH link has been updated now.

The "?hkntfs.exe", I have been associating with ShopNav, a search page hijacker.

For "tare.exe" and "uacs.exe", right-click, choose "Properties" and then click the "Version" tab. In the "Other version info" window you will get more info.
If there is no Version tab, and the files are the same date and size, it is probably safe to delete them, or rename them and move them out to a backup folder. The "uacs.exe" file always has a different/random name, and appears with a few hijackers.

Cheers
  #9  
January 7th, 2005, 09:55 PM
tonyv930
New Member
Join Date: Dec 2004
Posts: 11
Mike,

Thanks again for the info. Happy to be of service with electricbliss.

Until the next time!

Cheers,
Tony
All times are GMT +1.