
Twaintec and Heretofind probs

 
 
imapom
 
Reply Wed 3 Nov, 2004 02:41 am
Having looked through the forum, I can see there's a lot of people in the same boat as me. I've tried following the main links and using the processes detailed in those posts, but I have problems even getting started on some of them.

First, I've got both of these pesky blighters, and for some reason I can't update my browser - I get to the MS page but it won't scan for updates. Is it worth downloading and scanning with Smartkiller and CWShredder anyway?

Second, when I look at the list of registry keys for getting rid of heretofind, I don't have those listed by others in this forum - I'll post the list here. Somehow.

I'm at a loss. Help needed please - before my PC slows to geological time. It just got hijacked coming here...

Thanks in advance - but if I don't get back here, the PC's been ditched.

 
Don77
 
Reply Wed 3 Nov, 2004 05:20 am
Hi imapom,
Could you please post a HJT log?
Update Ad-aware, CWShredder and Spybot, also update your Anti Virus, run a scan in normal mode then again in safe mode.
You can get into safe mode by tapping the F8 key on start up.

Let's take a look at your log and see if we can help you out.
 
imapom
 
Reply Wed 3 Nov, 2004 01:29 pm
Don77

Thanks for the note - gobsmacked at the amount of crap this stuff causes.

I've run a HJT scan and removed the items that were the same as those highlighted in other posts. The next step of identifying the Registry Keys was the bit I had to skip. I managed to download Smartkiller and nothing came up. Already run updated Adaware and latest update of Kaspersky Anti-virus Personal.

Also managed to download Stinger - but then things got weird. The program took two goes to run, and then whilst trying to get CWShredder, the PC crashed twice - and at one stage wouldn't even power up. Cannot update Windows either.

Have left it alone for now, and am currently using another PC for this. I'll see if I can get a HJT log and post it here, but see the end of my last message for a possible result...
 
Don77
 
Reply Wed 3 Nov, 2004 06:21 pm
See if you can't copy the HJT log to a floppy and carry it over to the computer you're on. Then post the log here. Let's have a look before you ditch it.
 
imapom
 
Reply Sun 7 Nov, 2004 03:37 am
OK, if this works the logfile should be below... All and any advice gratefully accepted.

Thanks in advance.

Logfile of HijackThis v1.98.2
Scan saved at 8:36:59 PM, on 7/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TEL.PACIFIC
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
 
Don77
 
Reply Wed 10 Nov, 2004 07:34 pm
Hmmm, don't see anything bad running in your log, except for running 2 Anti Virus programs, which might be causing you some conflicts.
 
imapom
 
Reply Mon 15 Nov, 2004 12:50 am
Thanks Don77 for the feedback - I think with that in mind, and the fact that the PC has been running v slow since Norton was added, I'll take the Kaspersky off (I've got the CD) and see if it makes a difference.

But I've still got something lurking. Should I run Norton in safe mode and reboot?? And just how the hell can you get rid of these bl**dy things once and for all?????
 
Don77
 
Reply Mon 15 Nov, 2004 05:23 am
If you're able to get back online on the computer, update Ad-aware, Spybot and Norton, boot to safe mode and run them in safe mode.

Did you happen to save the original post from HJT prior to you cleaning some of the items?
If so, please post it.
 
imapom
 
Reply Mon 15 Nov, 2004 01:41 pm
I reckon I can get back online now - took Kaspersky off and now have some semblance of alacrity. Will run in Safe later. If I can find the original HJT log, I'll post here - but I've had a bit of a clear out of temp and no-longer-used files.

Cheers
 
imapom
 
Reply Mon 22 Nov, 2004 01:51 pm
Hmm - can't seem to open the original Log file - but there is definitely something strange going on still. I occasionally get the Heretofind lower toolbar come up and there's still the sense that the browser gets hijacked. Ran the scan in safe for both Adaware and Norton - took a Dialer off, but still seems weird.

The other thing that has happened is that when I clear the Temp Internet files, I now get DAT files which can neither be deleted nor opened as they're being used by another application - I need educating!

I've also made use of the database on the Symantec website (www.symantec.com and look for "Latest Viruses" or similar) to check names of possible viruses and how to delete them.

I think it might be getting close to that time of removing all my personal files and getting that can of petrol working...
 
Don77
 
Reply Mon 22 Nov, 2004 04:02 pm
Let's see a new log,
Maybe we will see something,
Can't hurt at this point...
 
imapom
 
Reply Tue 23 Nov, 2004 12:58 am
OK, here goes.... Appreciate the help.

Logfile of HijackThis v1.98.2
Scan saved at 5:59:06 PM, on 23/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TEMP\APHA.DAT
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TEL.PACIFIC
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3C6D55C0-221B-11D9-823C-444553540000} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
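As an added illustration (not code from this thread or from HijackThis itself), a small Python triage of the log format posted above: it separates the "Running processes" list from the R/F/O entries and flags what a reviewer looks at first, a process running from a temp directory, orphaned "(no file)" entries and win.ini autostarts. The sample log is a constructed excerpt of the post above; the heuristics are assumptions for review, not verdicts about this machine.

```python
import re

# Constructed excerpt of the HijackThis v1.98.2 log posted above (same line format, trimmed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 5:59:06 PM, on 23/11/04

Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TEMP\APHA.DAT
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")            # "O4 - HKLM\..\Run: [...] ..." style lines
EXEC_EXT = (".EXE", ".DLL", ".OCX", ".TSK")               # what a loaded module normally ends in on Win9x
TEMP_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\")  # code should not be running from here

def parse_hjt(text):  # -> (running process paths, [(section code, body), ...])
    procs, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:                     # first blank line ends the process list
            in_procs = False
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def triage(text):
    """Return (reason, item) pairs worth a second look; review heuristics, not verdicts."""
    procs, entries = parse_hjt(text)
    findings = []
    for p in procs:
        up = p.upper()
        if any(d in up for d in TEMP_DIRS):
            findings.append(("process running from a temp directory", p))
        elif not up.endswith(EXEC_EXT):
            findings.append(("process with a non-executable extension", p))
    for code, body in entries:
        if "(no file)" in body:            # registered target no longer exists on disk
            findings.append(("orphaned entry, file missing", f"{code} - {body}"))
        elif code == "F1":                 # win.ini load=/run= is a legacy autostart
            findings.append(("win.ini autostart, verify the target", f"{code} - {body}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the three items the excerpt produces; paste a full log into the same function to review every section at once.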
 
Don77
 
Reply Tue 23 Nov, 2004 05:24 am
Still not seeing anything,
Let's try this,
I don't think it will find anything, but just ruling them out as we go,
Close Ad-Aware and Ad-Watch (if running)
Download the free VX2 Cleaner Here
Install the VX2 Cleaner
Start Ad-Aware
Go to "Add-ons"
Select the VX2 Cleaner add-on and click "Run Tool"
If your computer isn't infected, click "Close".

If your computer is infected

Select "Clean System"
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer
 
imapom
 
Reply Wed 24 Nov, 2004 02:49 am
Can't seem to download the software properly - keeps showing plug-in as Badentrypoint and nothing there to run.

Heretofind is still with me as it just lurked up getting to this post. I also occasionally get a warning that something has been found on the PC that is a security risk, but there is no website or name attached to the note.

I'm going to try Spybot again - couldn't download it last time I tried about a week ago - never know.

Cheers
Pom
 
 
