Cienfuegos
Trooper
Joined: Apr 19, 2004
Posts: 16
Location: Netherlands
|
Posted: Sat May 29, 2004 12:59 pm Post subject: removing adware |
|
|
hello again,
norton pro keeps coming up with some infected files;
hnhprjrt.exe, polall1t.exe, preinstt.exe, twaintec.dll.
i also have a search assistant on my taskbar i can't get rid of.
can anyone help me to get rid of these safely?
Logfile of HijackThis v1.97.7
Scan saved at 18:44:59, on 29-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
D:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/A...ngctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...3459953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
thanks,
Cienfuegos |
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1596
Location: Canada
|
Posted: Sat May 29, 2004 1:35 pm Post subject: |
|
|
Hi Cienfuegos
"norton pro keeps coming up with some infected files;
hnhprjrt.exe, polall1t.exe, preinstt.exe, twaintec.dll."
I can NOT see these files in your log.
Check the following item in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
Reboot.
Did you disable your system restore - scan again with Norton and enable your system restore again??
It would also be a good idea to clean up your temp., internet temp. files regularly:
Go to Start > Control Panel > Internet Options and, on the "General" tab, select "Delete Files;" on the popup box, select "Delete all offline content."
Now go to Start > Run and type in %temp%, click, "OK." Delete all files in that folder.
Using Windows Explorer, navigate to C:\Windows\Temp and empty that folder.
Are you still having problems??
_________________
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955) |
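Added example, not part of the original posts: a short Python check that repeats the two observations in the reply above, namely that the file names Norton reported do not appear in the HijackThis log and that the F2 UserInit entry lists a program besides userinit.exe. The function names are hypothetical, the sample is a few lines copied from the log in this thread, and the expected value assumes the stock Windows XP `...\system32\userinit.exe`.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\anvshell.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
# File names Norton reported in the first post.
AV_NAMES = ["hnhprjrt.exe", "polall1t.exe", "preinstt.exe", "twaintec.dll"]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumption: the only program a stock XP Userinit value lists.
EXPECTED_SUFFIX = r"\system32\userinit.exe"

def parse_entries(log):
    """Return (section_code, detail) for each 'Xn - ...' line; process paths are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def userinit_extras(entries):
    """Programs in an F2 UserInit= entry other than ...\\system32\\userinit.exe."""
    extras = []
    for code, detail in entries:
        if code != "F2" or "userinit=" not in detail.lower():
            continue
        value = detail.split("=", 1)[1]
        # The value is a comma-separated list, usually with a trailing comma.
        for prog in filter(None, (p.strip() for p in value.split(","))):
            if not prog.lower().endswith(EXPECTED_SUFFIX):
                extras.append(prog)
    return extras

def names_in_log(log, names):
    """Which AV-reported file names appear anywhere in the log (case-insensitive)."""
    lowered = log.lower()
    return [n for n in names if n.lower() in lowered]
```

An empty result from `names_in_log` only means the files are not running or auto-started from the locations HijackThis lists; they can still sit on disk, as the later Norton output in this thread shows.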
Cienfuegos
Trooper
Joined: Apr 19, 2004
Posts: 16
Location: Netherlands
|
Posted: Sun May 30, 2004 11:33 am Post subject: |
|
|
ok i did all of the above and got rid of some of it. tnx.
norton still comes up with these below, i check the boxes and ask it to delete them but on the next scan they still turn up
these are the specified files
Bestand C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\polall1t.exe is een Advertentiesoftware bedreiging.
Het gecomprimeerde bestand polall1t.exe in C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\twaintec.cab is een Advertentiesoftware bedreiging.
Bestand C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\preInsTT.exe is een Advertentiesoftware bedreiging.
Het gecomprimeerde bestand preInsTT.exe in C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\twaintec.cab is een Advertentiesoftware bedreiging.
Bestand C:\WINDOWS\preInsTT.exe is een Advertentiesoftware bedreiging.
Het gecomprimeerde bestand twaintec.dll in C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\twaintec.cab is een Advertentiesoftware bedreiging.
Bestand C:\RECYCLER\S-1-5-21-1292428093-1035525444-1801674531-1003\Dc50.tmp\twaintec.dll is een Advertentiesoftware bedreiging |
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1596
Location: Canada
|
Posted: Sun May 30, 2004 12:02 pm Post subject: |
|
|
Hi Cienfuegos
Try this:
To clear any stubborn files from the Recycler bin, log on as Administrator or boot into Safe Mode. Click Start>Run and type 'cmd.exe' into the dialog box, click OK. A DOS prompt window will appear. Type in:
del C:\Recycler\ *
This should clear those stubborn files.
Pls. let us know how it goes |
Cienfuegos
Trooper
Joined: Apr 19, 2004
Posts: 16
Location: Netherlands
|
Posted: Sun May 30, 2004 1:05 pm Post subject: |
|
|
hmmm i tried a few times but it says that it could not find C:\Recycler\ * |
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1596
Location: Canada
|
Posted: Sun May 30, 2004 3:08 pm Post subject: |
|
|
Cienfuegos
Only a "thought":
did you empty your recycle bin?? |
Cienfuegos
Trooper
Joined: Apr 19, 2004
Posts: 16
Location: Netherlands
|
Posted: Mon May 31, 2004 8:40 am Post subject: |
|
|
i thought i did but i didn't, hehehe
but your time wasn't completely wasted marianna,
because there is still 1 there
it's C:\WINDOWS\preInsTT.exe
any clue why my pc did not find C:\Recycler\ * ???
or has that got to do with not emptying my recycle bin?
anyway many tnx for ur help u guys should win an award
Cienfuegos |
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1596
Location: Canada
|
Posted: Mon May 31, 2004 11:01 am Post subject: |
|
|
Hi Cienfuegos
heh heh - No problem - we are ALL human
Yep, I guess, it has to do with emptying the recycle bin.
Regarding : C:\WINDOWS\preInsTT.exe
Pls. run Ad-aware with the latest update! If you don't have it:
Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system.
Pls. let us know how you are doing
Cienfuegos
Trooper
Joined: Apr 19, 2004
Posts: 16
Location: Netherlands
|
Posted: Mon May 31, 2004 1:47 pm Post subject: |
|
|
oooooh yes...
thank you marianna
reconfiguring ad aware really helped, it scanned a lot longer than usual
and it found the file.
i ran a scan with norton and all is clean now
thanks again and maybe u can help me again some day
by the way, lovely place canada, i've been there twice,
bye, Cienfuegos |
Marianna
1st Responder
Premium Member
Joined: Nov 05, 2003
Posts: 1596
Location: Canada
|
Posted: Mon May 31, 2004 1:52 pm Post subject: |
|
|
Hi Cienfuegos
Great to hear you are free from all "evil"
don't forget to make a NEW restore point !
Next time you are in Canada - let me know "de koffie is klaar"
Happy Safe Computing!
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2097
Location: UK
|
Posted: Mon May 31, 2004 1:56 pm Post subject: |
|
|
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
I'm Spartacus! |