PopUps, PopUps, PopUps ... - Page 2

1. If it's getting to the point where this workstation computer is going to need to go into command line for manual deletion of files, then why not save the time and effort and simply reformat?

Why settle for a plethora of spyware infections that may or may not leave the system insecure/unstable after their removal, when you could take that mass hazard and simply wipe it clean? Normally I wouldn't recommend this, as I've cleaned boxes with 2,000 counts of spyware/adware. But if the spyware gets rooted deep enough into the system, lots of it, then you can't trust the registry stability any longer nor the system stability if it altered/replaced Windows-specific files that you had to delete.

2. Simple observations:

Originally posted here by Und3ertak3r
You will note in the HJT log the prevalence of programs in the Startup\RUN where the files exist in the user temp folder.. AND THAT IS NOT A RED FLAG TO ANYONE?

and that is santa ? come on guys RED FLAG RED FLAG
Some of us didn't miss it but read it and saw it all there, Und3ertak3r.
The Red flags were obvious, and I agree with your Red flag list.

Phishphreek80 was right about the safe mode. Since he has loads o' junk loading at boot time, he had to use safe mode to remove the -now- non-resident items.

Most, but not all, of the remaining junk is in Molly's temp files, which means it happened during a time that Molly's account was active.

Kazaa and AOL are still loaded, which both provide Adware and will continue to slow the computer.
Using Kazaa to download files of unknown origin is "just waiting for another infection".

I'm sure the registry is full of wayward CLSIDs, references to non-existent DLLs, missing file references and empty paths, among other things.

He'll never get the computer back to tip-top shape until he reformats/reinstalls, guaranteed, as Guardian Alpha suggests.

(note: I said tip-top shape, not simply operational.)

3. Should you go down the re-install route :
run HJT, and save the log .........
It will give you the template for a known good clean set up.

And as a quick and dirty overview of HJT :
If it's in a temp file / folder, and it's got .exe at the end ... Not good, not necessarily bad, but they are the ones to watch first.

If a 'temp' file is over one week old, I delete it as a matter of course, when I'm cleaning PCs at work.

To give your system a quick kick up the Tex Ritter ... on the desktop, right-click Internet Explorer, then Properties. On the front page of the box that opens, clear your 'cookies' and 'delete files', then set your history to 1; this clears the browser history after 1 day [default = 20].

And if your skill set isn't as great as you would wish, follow the instructions below :

4. Thanks to everyone who has helped so far. I have done the scans in safe mode that Phish recommended and I have clicked off the processes ZT suggested in his first post, and in the first few moments after logging on it really seemed to help. I completely cleared my temp folder while trying to solve this problem about a week ago. I have my internet options set to clear history at the end of each day and I dump cookies and files regularly.

I may be willing to reformat at this point, but first ...... what does that mean? What will I lose when I do, and how is it done?

Thank You All Very Much

5. I may be willing to reformat at this point, but first ...... what does that mean? What will I lose when I do, and how is it done?

How to partition and format a hard disk in Windows XP

6. Agent made an excellent link that will cover most of your questions regarding formatting and reinstalling, so give it a good read. Even print it out for reference during the formatting process. It's a very simple process, so don't let the complex jargon fool you.

Tip that the link didn't cover:

1. Choose NTFS when formatting. It's a much more robust, secure, and streamlined filesystem than FAT or FAT32.

7. Tip that the link didn't cover:

1. Choose NTFS when formatting. It's a much more robust, secure, and streamlined filesystem than FAT or FAT32.
Can't reinforce this one more... The majority of machines I have encountered with corrupted system files have been using FAT32..

As to why I was so shitty in my previous post..

It appeared that the main path of the discussion had gone to prevention, rather than assistance.. to those that HAD been assisting, no insult intended..

Why is it that a request like with this problem gets greeted with an exclusive "Re-Format"..(it initially didn't in this case)
For some people this may not be the best solution; certainly the easiest and best when your data is on a separate HDD or partition, and you make monthly images of the system drive or backups of system settings. The time and inconvenience of the backup and restore of data as well as the reconfiguring of a system can be a more daunting task than just the format and installation alone.
And for some people the re-installation path could easily be the absolute last option.
As for this problem.. while it has a lot of rubbish in the machine I would not consider it a candidate for formatting..yet..

8. Why is it that a request like with this problem gets greeted with an exclusive "Re-Format"..(it initially didn't in this case)
Because it no longer becomes a matter of "which is longer/harder/more complicated to perform?", it turns into "which way will give me a system I can depend on?" In typical spyware cases you can eliminate all problems and leave the system just as stable as before. But when spyware digs in deep and starts linking to system DLLs (even at times replacing them if running as administrator) and you "clean" them, then things start to get shaky. The registry now has gaping holes from registry links that are only half deleted, the 5 different ways of startup items in Windows are searching for additional forms of the deleted spyware, etc etc etc. Sometimes it is simply necessary (if you want to have trust in the security of your system) to reformat and reinstall for the sake of system trust and troubleshooting in the future.

And I don't even mean security/stability in the sense of network consultants. I mean it in an end-user format. If things begin to crash more and more often because of a recent dig-deep spyware removal that foobared a good deal of the registry or system files (read: hijack this.. yuck) then they have no idea how to solve it or where to troubleshoot when they call IT. Granted, the FFR may take longer than a clean system installation. But sometimes it just needs to be done.

9. When a clean is done correctly.. the system is as stable as before, as usable as before
When secured after the fact.. the system should be as stable and almost as usable as before (but then this result is EXACTLY the same as for a clean install)

All of the Worst infections I have worked with lately have been Pre SP2 systems..

Oh and I am selective as to which of the Anti-Virus solutions I will leave in a machine.

And IF you have read any of my encounters of Malware.. I allocate 30mins to a cleanup ..(the exception was a recent post where I allocated 45mins) if my input time exceeds that it is a clean install.. and this machine is clean compared to many of the borderline cases I have encountered.. try ~4500 malware files (no cookies or TIF here)..
Most likely OS to cop a clean install will be Win98 then Win ME (is Win 95 still alive)..

And to you guardian alpha I treat your Reformat comment the same as any that pops in with "USE LINUX".. the reformat option had been given in earlier posts.. so your post was not a contribution.. half of your previous post is already known and some just ****..

I am ended with this pissing match..

10. hello again and also thanks again to everyone that has contributed. I still hope to not have to reformat.

I have enabled viewing of hidden and system files, and cleared all the temp files and cookies and history (many times over).

I have also run Ad-Aware, Spybot, and Cleanup312 several times each in safe mode before restarting this last time. Here is my HJT log. Again thanks to all that give advice and thanks for your patience, I really am quite the novice.

Logfile of HijackThis v1.99.1
Scan saved at 2:53:58 AM, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ipiprz.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\k2nolc531f.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
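The two practical ideas in posts 2 and 3 (executables launching from a user temp folder are the first thing to look at, and a saved HJT log from a known-clean setup is the template to compare later logs against) can be turned into a small triage script. The following is an added example, not code from the thread or from HijackThis itself: it parses the O4 (Run keys and Global Startup), O20 (Winlogon Notify) and O23 (Service) lines plus the "Running processes" block in the log format shown above, then reports entries that run from a temp folder, entries given as a bare file name (so Windows locates them via the search path), shortcut targets HJT printed as "?", and entries whose section/name pair is absent from the saved clean log. The sample log is constructed from a few lines of the log above plus one constructed entry (`update.exe` under Molly's temp folder), and the clean baseline is an assumed set of (section, name) pairs; the script only applies the reviewers' heuristics and makes no judgement about whether any particular item is malicious.

```python
"""Triage a HijackThis (HJT) log against a saved clean log and the temp-folder heuristic."""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    section: str   # "O4", "O20", "O23" or "PROC" (running process)
    name: str      # run-key value name, notify package, service short name, or process file name
    path: str      # executable/DLL path as written in the log ("?" when HJT could not show it)


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


# Line shapes taken from the HJT 1.99.1 log format shown in the thread.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: .*? \((.*?)\) - .*? - (.*)$")
EXE_EXT = r"\.(?:exe|dll|com|scr|pif|bat|cmd)"
# Temp locations, including the 8.3 short form Windows prints for Temporary Internet Files.
TEMP_RE = re.compile(r"\\(?:temp|tmp|tempor~1|temporary internet files)\\", re.IGNORECASE)


def exe_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not, dropping arguments."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?" + EXE_EXT + r")(?:\s|$)", command, re.IGNORECASE)
    if unquoted:
        return unquoted.group(1)
    return command.split()[0] if command else ""


def parse_hjt(text: str) -> list:
    """Return Entry objects for the running-process block and the O4/O20/O23 lines."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                       # blank line closes the process block
                in_procs = False
                continue
            entries.append(Entry("PROC", line.rsplit("\\", 1)[-1], line))
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("O4", m.group(3), exe_from_command(m.group(4))))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m.group(1), m.group(2).strip()))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("O20", m.group(1), m.group(2).strip()))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("O23", m.group(1), m.group(2).strip()))
    return entries


def is_temp_path(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def has_no_directory(path: str) -> bool:
    """A bare file name is found via the search path rather than an explicit location."""
    return bool(path) and "\\" not in path and "/" not in path


def triage(entries: list, baseline: set) -> list:
    """baseline holds (section, name.lower()) pairs taken from the saved clean-install log."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "PROC":
            if is_temp_path(e.path):
                reasons.append("process running from a temp folder")
        else:
            if (e.section, e.name.lower()) not in baseline:
                reasons.append("not in the saved clean-install log")
            if is_temp_path(e.path):
                reasons.append("loads from a temp folder")
            if e.path == "?":
                reasons.append("HJT could not show the shortcut target")
            elif has_no_directory(e.path):
                reasons.append("bare file name, resolved via the search path")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Constructed sample: lines copied from the log above plus one constructed temp-folder entry.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Molly\LOCALS~1\Temp\update.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Molly\LOCALS~1\Temp\update.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\k2nolc531f.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Assumed baseline: what a saved HJT log of the same machine right after a clean setup would hold.
CLEAN_BASELINE = {("O4", "avg7_cc"), ("O4", "bcmsmmsg"), ("O4", "zone labs client"),
                  ("O4", "microsoft works calendar reminders.lnk"), ("O23", "vsmon")}

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG), CLEAN_BASELINE):
        print(f"{f.entry.section:4} {f.entry.name:40} {f.entry.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run it once on the log saved from a fresh install to build the baseline set, then against each later log; anything it lists is where the reviewers in this thread would start reading, not a verdict on the file.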
