TechSpot

Post Ishost computer - everything clear?? logs attached

By ActusReus
Aug 27, 2006
  1. had isshost... among other problems with the computer, tried following some of the guidelines posted in other threads. So I figured now I'm hoping someone can examine the logs to see if everything's okay or not. Thank you for your help. Also one other issue. I had to download Symantec Antivirus for my laptop last year and want to get rid of it. I believe it's part of the Symantec Antivirus Client Systems pack?? but it's asking for a password to uninstall and my school won't give it to me - heh. Any ideas on getting rid of it? The tool that Symantec offers doesn't work. Thank you.

    p.s. I'm attaching HJT log, Rapport.txt, and the Ewido log. Thanks for your help everyone

    the hijackthis.log is a .txt
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    Poker.com

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Poker.exe

    Close task manager.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab

    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Poker.com

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of ActusReus only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
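
An added example (not part of the original thread and not HijackThis's own code): a small Python parser that triages HJT log lines like those listed in the post above, separating orphaned entries marked (file missing) or (no file) from O16 entries that point at a remote .cab file. The function and field names are hypothetical, and the sample log is constructed from entries quoted in that post.

```python
import re

# Constructed sample: entries copied from the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
not a log line
"""

# "<section code> - <entry kind>: <details>", e.g. "O9 - Extra button: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Parse one HJT log line into a dict, or return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    clsid = CLSID.search(rest)
    # The last " - " separated field is the file path or download URL.
    target = rest.rsplit(" - ", 1)[-1]
    is_url = target.lower().startswith(("http://", "https://"))
    return {
        "code": m["code"],
        "kind": m["kind"],
        "clsid": clsid.group(0).upper() if clsid else None,
        "target": target,
        # Registry entry whose backing file no longer exists on disk.
        "orphaned": target.endswith(("(file missing)", "(no file)")),
        # O16 = ActiveX control fetched from a remote .cab; its source needs review.
        "remote_cab": m["code"] == "O16" and is_url and target.lower().endswith(".cab"),
    }

def triage(log_text):
    """Group parsed entries into orphaned, remote_cab and other."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return {
        "orphaned": [e for e in entries if e["orphaned"]],
        "remote_cab": [e for e in entries if e["remote_cab"]],
        "other": [e for e in entries if not e["orphaned"] and not e["remote_cab"]],
    }
```
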
     
  3. ActusReus

    ActusReus TS Rookie Topic Starter

    I appreciate the help with everything. The only problems I seem to be having are with my Freedom Antivirus displaying warning messages about my C:\Windows\Temp drive with programs in there that are listed as idd10.tmp and a whole bunch of winxx.tmp; the Freedom Antivirus lists these as viruses.

    Also, when attempting to manually delete these in Explorer, it says access denied for all of them.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem.

    Download the Pocket Killbox programme from HERE.

    Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with your antivirus programme and delete whatever it finds.

    Reboot into normal mode and turn system restore back on.

    Run another scan and see if those files are still there. If they are, do the following.


    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete. Only then allow it to reboot, and hopefully your files will now be deleted.

    Regards Howard :)
     
  5. ActusReus

    ActusReus TS Rookie Topic Starter

    Alright, I managed to killbox those programs in the windows/temp directory. The only thing (so far) that seems to be an issue is my firewall informs me that Internet Explorer is accessing the internet (when I don't have a window open), followed by a dialogue box saying I have spyware on my computer and should download an antivirus program - the two variations are Sysprotect and WinAntiVirusPro2006. I'm assuming these aren't legit warnings, any idea on how to get rid of these?? Thank you :) Also... after deleting the files in windows/temp - ONE was rewritten back in there after it was completely empty, an EXE... but I was able to delete it normally - a little odd... let me know what I can do to help your diagnostics. Also - I had some issues loading Safe Mode - hence why I had to killbox the EXEs. I can get to the screen where I put in my password for Windows XP user, not the administrator one, and then the screen goes black with safe mode in all corners - and then it stays on that screen. Thank you again for your help, I can see the light at the end of this spyware tunnel.
     
  6. ActusReus

    ActusReus TS Rookie Topic Starter

    new HJT log file...

    C:\windows\temp\win4f.tmp.exe is now there and I cannot delete it... wrote itself to the directory somehow... helllllppp


    C:\Windows\temp\win50.tmp.exe now written itself in
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry.

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    Winantivirus or anything with that name.

    Close control panel.

    Use your task manager to end the win50.tmp.exe process, then use Killbox to delete the file

    Download and run these four tools. Follow the instructions for using each tool.

    Tool1 Tool2 Tool3 Tool4

    Use your task manager to end the win50.tmp.exe process, then use Killbox to delete the file.

    Let me know the outcome.

    Regards Howard :)
     
  8. ActusReus

    ActusReus TS Rookie Topic Starter

    This is getting horribly annoying... I managed to get safe mode running... so I ran all tools possible in it... my C:\windows\temp folder was clean... now I'm getting bells and whistles going off saying there are trojans in there now, I open the folder and files are being written to the folder again... wina.tmp.exe among many other winxx.tmp and winxx.tmp.exe files... something's embedded somewhere. I ran all of your programs you've recommended and followed everything exactly thus far. I'll attach the latest HJT log, among the latest other logs too. Please help... Thank you for your continued help - please let me know what else I can do to help you in your diagnostics of my system.
     
  9. ActusReus

    ActusReus TS Rookie Topic Starter

    Maybe this will help... unless I'm missing something... my antivirus programs are telling me that the location of what they're calling possible trojan files are in the directory C:\documents and settings\(my username)\local settings\temporary internet files\content.ie5\ (and then a folder with a bunch of letters and numbers)... now when I point my browser there... there's a "local settings" folder, and a temporary internet files, but the content.ie5 folder is not there, there's actually no folders in there at all... and all the warnings I have coming up are from the content.ie5 folder and my programs are saying they're only able to partially quarantine it... any ideas?? (all hidden files and folders are displayed)
     
  10. ActusReus

    ActusReus TS Rookie Topic Starter

    I actually typed the address C:\documents and settings\(my username)\local settings\temporary internet files\content.ie5 up to that point into Explorer, and it opened the folder, but when looking in sub folders (which are folders with random letters and numbers) there are no files in there that my programs are screaming about...
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Download and run the Ccleaner programme from HERE. Run the programme several times with no browser windows open.

    Then, go HERE and follow all the instructions exactly.

    Let me know the results.

    Regards Howard :)
     
  12. ActusReus

    ActusReus TS Rookie Topic Starter

    Most of that I've already done, several times... at this point, I'm ready to just reformat my hard drive, and reload Windows XP... my only problem is I don't have an A:\ drive on my laptop... no floppy... I have the system restore CD that comes with the laptop... any thoughts on reformatting my hard drive and just starting over???
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You shouldn't need a floppy in order to reformat. You should be able to do all that from your recovery disk.

    The problem I'm having is I can't fix what I can't see. Your HJT log is as clean as a whistle. Where your virus problem keeps respawning from is anyone's guess.

    Is your account the only one on the laptop? Do you have full administrator privileges?

    Regards Howard :)
     
  14. ActusReus

    ActusReus TS Rookie Topic Starter

    Yeah, I'm the only account, I have full privileges, it's my laptop... I'm so disgustingly annoyed with this. My antivirus programs and other programs are throwing bells and whistles at me about folders that I can't seem to locate. Heh, look, I'm not an *****, I'm moderately computer savvy, and know my way around here fairly well... but I'm stumped... something's writing stuff somewhere... and I've juuuuust about had it... I've heard people say that reformatting a hard drive once a year is not such a bad idea. I've had this laptop for over a year now... what are your thoughts on my saving my documents to my 256mb flash drive and then wiping and reinstalling... and if that's a good idea, do you know of any websites that offer a good step by step instructional on doing so?? Thank you :)
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, by all means backup your important data and reformat.

    Your recovery disk should have onscreen instructions to help you. Just boot from the recovery disk and follow the instructions. You may need to set your boot priority in your BIOS to boot from the CD-ROM first.

    I'm sorry I wasn't able to get your system cleaned up.

    Regards Howard :(
     
  16. ActusReus

    ActusReus TS Rookie Topic Starter

    It's alright, I appreciate all the help you did give me, besides this may be good for the system, as it was starting to get a bit sluggish... next important question... all I have is the Operating System CD Microsoft Windows XP Pro with Service Pack 2. It's not the ACTUAL Windows XP CD. It's a CD that came with my laptop, it's from HP. I know that you need an activation key when you reinstall, if I'm correct, and I don't believe this CD came with one nor was there one located anywhere when I got this (as XP came installed on the laptop). Any ideas or recommendations??
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The COA should be on a sticker on the laptop somewhere, check on the bottom of the laptop.

    Alternatively, download the free SIW programme from HERE.

    Run the programme (it doesn't install) and double click on the operating system icon in the left-hand panel. It will give you a list in the right-hand panel that should include your Windows product key.

    Regards Howard :)
     
  18. ActusReus

    ActusReus TS Rookie Topic Starter

    Thank you... I will back up, and reformat... this'll get rid of that stupid Symantec antivirus that has vined its way throughout my computer - boy that was a mistake... well if all is well, I'll post again in probably a couple hours :) Thanks for all your help... if there's anything I can do for this site, let me know, it's great what you all do here...
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All you need to do for Techspot is help out once in a while when you can and that'll be great.

    I'm still sorry I wasn't able to get your system sorted. It's not often I come up empty, but this is one of them I'm afraid.

    Regards Howard :)
     
  20. ActusReus

    ActusReus TS Rookie Topic Starter

    Well... here I am... wiped, formatted, reinstalled... and so far everything is working GREAT... soooo smooth. It's wonderful!! Using Mozilla for the first time - good lord where have I been and why have I not been using these wonderful programs!! Heh... I'll be visiting here often, and trying to help out where I can :) I love this site, I would love to take it to all new heights. Thank you for all of your help. Do you have any recommendations on programs I should download to keep my computer safe and clean from future garbage?? Thanks for everything! As far as an antivirus and firewall I'm using Freedom Internet Security provided by Zero Knowledge (free with Adelphia).
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

Topic Status:
Not open for further replies.
