HijackThis Log - Please Help
All appears to be well with your computer.
The original infection you reported is now in quarantine.
Make sure you delete everything there [C:\quarantine] and empty your recycle bin.
Update Superantispyware to the latest definitions and rescan. Hopefully it will come up clean, with nothing to report.
**********
If so, and your computer is running as it should, please follow these final steps but remember ... HJT doesn't see all malware. Far from it. You must keep a watch on your computer and report any unusual happenings.
You might want to read these and bookmark the links for future reference.
If you are certain you have no more trouble you should clear out all old System Restore points then immediately create a new one so you have something to fall back on should anything go awry again. Also remember to make SR points on a regular basis.
More on System Restore ...
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
What may have led up to your infection and help keep your computer free of malware ...
http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html
http://www.help2go.com/Tutorials/Protect_Your_PC/Avoid_Web_Browser_Hijackers.html
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html
There is a little duplication/crossover but all these tutorials are well worth reading.
Don’t forget to keep Superantispyware updated and use it to scan/disinfect your computer from time to time.
If you do suffer an infection again you should first run CCleaner to clean out your system. Get CCleaner here but ensure you install it WITHOUT the optional Yahoo Toolbar download (you must untick/uncheck the relevant box on download) ...
http://www.ccleaner.com/
Also run through this before posting another HijackThis log …
http://forums.moneysavingexpert.com/showthread.html?t=133269 [first 4 posts only]
PCH
Hi pchelpman
I am still getting popups and avcentre startup messages. Could you suggest what else I need to do.
Thanks for your help.
Regards
sca
READ NEXT POST BELOW
In post 21 you remarked that you weren't getting these pop ups any more. I guess they returned then, yes?
Nothing showing in your log so we'll dig deeper.
Firstly, what "popups" are you seeing?
Make sure you have exposed all Hidden Files & Folders.
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.
***********************
ComboFix (either location will do) >
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Double click combofix.exe & follow the prompts.
Note >> Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, it will produce a log for you. The report is called ComboFix.txt. Post that log in your next reply here.
***********************
Next, if that hasn't fixed it, go here ...
http://www.pandasecurity.com/homeusers/solutions/activescan/
and scan your computer with Panda Activescan.
Save the scan report and post it here.
*******************
Rehide your Hidden Files & Folders by carrying out the reverse operation to that described at the start of this post & reboot to normal mode.
Again post another HJT log and your comments on what pop ups you are seeing.
PCH
Please read this BEFORE YOU DO ANYTHING ...
DO NOT TRY TO USE COMBOFIX AT THE MOMENT.
ComboFix is extremely powerful in its present form and the program's author has decided he needs to make changes to it.
He has therefore today removed ComboFix from public use for the time being.
PCH
I ran ComboFix yesterday. Please see logs below.
Regards
ComboFix 07-08-26.3 - "S C" 2007-08-27 7:53:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.105 [GMT 1:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\SAT~1\Desktop\internet explorer.lnk
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\qmhrmiloqm.dat
C:\WINDOWS\system32\qmhrmiloqm.exe
C:\WINDOWS\system32\qmhrmiloqm_nav.dat
C:\WINDOWS\system32\qmhrmiloqm_navps.dat
((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))
2007-08-26 15:07 51,200 --a C:\WINDOWS\nircmd.exe
2007-08-24 00:05 <DIR> d C:\DOCUME~1\Home\APPLIC~1\Apple Computer
2007-08-21 17:49 <DIR> d C:\DOCUME~1\SAT~1\APPLIC~1\Uniblue
2007-08-21 17:48 <DIR> d C:\Program Files\Uniblue
2007-08-20 15:03 <DIR> d C:\Program Files\RogueRemover FREE
2007-08-18 09:52 <DIR> d C:\DOCUME~1\Guest\APPLIC~1\Yapta
2007-08-18 09:52 <DIR> d C:\DOCUME~1\Guest\APPLIC~1\Real
2007-08-18 00:22 1,632 --a C:\WINDOWS\system32\d3d8caps.dat
2007-08-17 15:24 <DIR> d C:\DOCUME~1\Home\APPLIC~1\Yapta
2007-08-17 15:24 <DIR> d C:\DOCUME~1\Home\APPLIC~1\Real
2007-08-15 00:44 <DIR> d C:\Program Files\SpywareBlaster
2007-08-11 15:46 <DIR> d C:\quarantine
2007-08-11 15:29 <DIR> d C:\DOCUME~1\SAT~1\.housecall6.6
2007-08-11 12:34 <DIR> d C:\WINDOWS\system32\ActiveScan
2007-08-11 08:12 <DIR> d C:\Program Files\Windows Defender
2007-08-10 20:47 <DIR> d C:\Program Files\SUPERAntiSpyware
2007-08-10 20:47 <DIR> d C:\DOCUME~1\SATBIR~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-10 20:47 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-01 17:30 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
2007-07-28 13:05 <DIR> d C:\Program Files\WebMediaPlayer
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-25 22:34 d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-25 22:13 d C:\Program Files\Registry Genius
2007-08-25 00:14 d C:\Program Files\Common Files\Real
2007-08-25 00:13 d C:\DOCUME~1\SAT~1\APPLIC~1\Real
2007-08-24 15:02 d C:\Program Files\FreshDevices
2007-08-22 17:36 d C:\Program Files\Extra_Programs
2007-08-20 14:08 d C:\Program Files\iTunes
2007-08-10 21:01 d C:\DOCUME~1\SAT~1\APPLIC~1\uTorrent
2007-08-08 17:28 d C:\Program Files\uTorrent
2007-07-30 19:19 92504 --a C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a C:\WINDOWS\system32\wups.dll
2007-07-11 19:59 d C:\Program Files\Microsoft Works
2007-07-03 19:07 d C:\DOCUME~1\SAT~1\APPLIC~1\Vso
2007-07-01 20:31 d C:\DOCUME~1\SAT~1\APPLIC~1\Yapta
2007-06-26 07:08 1104896 --a C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31 282112 --a C:\WINDOWS\system32\gdi32.dll
2007-06-13 12:26 1033216 --a C:\WINDOWS\explorer.exe
2007-04-07 20:54 87608 --a C:\DOCUME~1\SAT~1\APPLIC~1\ezpinst.exe
2007-04-07 20:54 47360 --a C:\DOCUME~1\SAT~1\APPLIC~1\pcouffin.sys
2006-08-25 15:45:58 617,472 --sha-w C:\WINDOWS\system32\comctl32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2001-08-23 12:00:00 253,952 --sha-w C:\WINDOWS\system32\msvcrt20.dll
2004-08-04 07:56:46 30,749 --sha-w C:\WINDOWS\system32\vbajet32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A8C190D-FC00-49FA-A926-B29A1951E40F}"= C:\Program Files\Int_Callchecker\tbInt_.dll [2006-11-29 14:02 1190936]
[HKEY_CLASSES_ROOT\CLSID\{9A8C190D-FC00-49FA-A926-B29A1951E40F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winamp3\winampa.exe" [2002-07-23 17:58]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2002-03-12 17:48]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2002-03-11 19:16]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 10:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"Yapta Tracker"="C:\Program Files\Yapta\YaptaClient.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-08-14 16:52]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\system32\drivers\cinemclc.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\system32\drivers\vdmindvd.sys
*Newly Created Service* - CATCHME
*Newly Created Service* - HTTPFILTER
Contents of the 'Scheduled Tasks' folder
2007-08-27 00:34:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-27 07:58:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-27 8:01:00
C:\ComboFix-quarantined-files.txt ... 2007-08-27 08:00
--- E O F ---
*********************************************************
Incident Status Location
Adware:Adware/NaviPromo Not disinfected C:\Program Files\WebMediaPlayer\uninst.exe[²ÜÇ\NSUtils.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
*********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:26:04, on 27/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winamp3\winampa.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www./
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O3 - Toolbar: Int_Callchecker Toolbar - {9a8c190d-fc00-49fa-a926-b29a1951e40f} - C:\Program Files\Int_Callchecker\tbInt_.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174123354774
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lycos.co.uk/app/uploader/FileUploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - A4Tech Co.,Ltd. - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
--
End of file - 6091 bytes
sca
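HijackThis logs like the one above are read by eye on this forum, but the two checks a helper applies first are mechanical: is there still a file behind each loading point (entries ending in "(no file)" are stale), and does an autostart image live somewhere software has no business being (a user profile or Temp rather than Program Files or WINDOWS). The script below is an added example written for this page, not part of the original thread or of HijackThis; it parses R3/O2/O3/O4/O9/O23 lines copied from the log above into records and applies both checks. The trusted-location list and the extra `ezpinst` Run entry in the sample are constructed for the demonstration (the log shows that file in Application Data but has no Run entry for it).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above, plus one
# made-up O4 entry (ezpinst) that points into a user profile so the location check fires.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O3 - Toolbar: Int_Callchecker Toolbar - {9a8c190d-fc00-49fa-a926-b29a1951e40f} - C:\Program Files\Int_Callchecker\tbInt_.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ezpinst] C:\DOCUME~1\SAT~1\APPLIC~1\ezpinst.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AOL Spyware Protection Service (AOLService) - A4Tech Co.,Ltd. - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

NO_FILE = "(no file)"
# Where software on this XP box is expected to live (assumption behind the location check).
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")
# Leading image path of a command line, with or without surrounding quotes.
_IMAGE_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|com|scr|cpl))\b', re.I)
_LINE_RE = re.compile(r"^([RFOQ]\d+) - (.*)$")
_O4_RE = re.compile(r"^[^\[]*\[([^\]]+)\]\s*(.*)$")


@dataclass
class Entry:
    code: str           # HJT section code, e.g. O4, O23
    name: str           # display name, Run value name or service name
    target: str         # file path, URL or "(no file)"
    flags: List[str]    # heuristic findings; empty when nothing stands out


def assess(target: str) -> List[str]:
    """Return the reasons an entry deserves a second look."""
    if target == NO_FILE:
        # The registry still points at something that is no longer on disk.
        return ["orphaned loading point: no file behind the registry entry"]
    if target.lower().startswith(("http://", "https://")):
        return []                      # O16 ActiveX objects are URLs, not local images
    m = _IMAGE_RE.match(target)
    image = (m.group(1) if m else target).lower()
    if not image.startswith(TRUSTED_ROOTS):
        return ["autostart image outside Program Files/WINDOWS"]
    return []


def parse_line(line: str) -> Optional[Entry]:
    m = _LINE_RE.match(line.strip())
    if not m:
        return None                    # header, running-process list, blank line
    code, rest = m.group(1), m.group(2)
    if code == "O4":
        m4 = _O4_RE.match(rest)        # O4 - HKLM\..\Run: [Value] command line
        if not m4:
            return None
        name, target = m4.group(1), m4.group(2)
    else:
        parts = rest.split(" - ")      # "Kind: name - {CLSID} - target"
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1]
    return Entry(code, name, target, assess(target))


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_HJT):
        print(f"{e.code:<4}{e.name:<45}{'; '.join(e.flags)}")
```

Run against the sample it reports the three "(no file)" entries (the Yahoo! Toolbar search hook, the unnamed O9 button and the AOLService service) and the profile-resident Run entry; everything under Program Files or WINDOWS passes quietly. An orphaned entry is harmless in itself, but removing it keeps the next log short and shows whether something keeps re-creating it.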
Hi sca,
I'm sure PCHelpman won't mind me jumping in here as I know his time is very limited at the moment.
It would appear you had a Navipromo infection which often comes with a rootkit (cloaking device). Although ComboFix appears to have shifted the majority of it, you'd better run a dedicated Navipromo tool to double check it's completely gone.
Start by deleting the following folder:
C:\Program Files\WebMediaPlayer\
Then download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
- Extract its contents to the desktop.
- Double click on navilog1.exe to install it on your computer.
- When the installation is complete, the tool will start automatically.
- If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
- Press E for English from the language Menu.
- Type 1 in the next Menu to select Search and press Enter.
- Wait for the Scan to finish (It may take a reasonable amount of time).
- Press any key as requested.
- A new document will be produced: fixnavi.txt.
- Please copy/paste the contents of this report in your next reply.
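The ComboFix deletions that prompted Alphonso's NaviPromo call are a recognisable shape: an executable with a machine-generated name in system32 (`qmhrmiloqm.exe`) sitting next to data files that reuse the same stem (`qmhrmiloqm.dat`, `qmhrmiloqm_nav.dat`, `qmhrmiloqm_navps.dat`). Navilog1's "Heuristic Search" hunts for remnants of that kind. The script below is an added example written for this page, not Navilog1's code or ComboFix's: it pulls the "Other Deletions" list out of the ComboFix log above, groups files by directory and stem, and reports stems that look random and include an executable. The randomness test (length, letters only, vowel ratio, consonant runs) and its thresholds are my own assumption tuned on this one sample; the control list of legitimate files is constructed from names in the same log's Find3M report to show they do not trip it.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the "Other Deletions" section of the ComboFix log posted above.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\SAT~1\Desktop\internet explorer.lnk
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\qmhrmiloqm.dat
C:\WINDOWS\system32\qmhrmiloqm.exe
C:\WINDOWS\system32\qmhrmiloqm_nav.dat
C:\WINDOWS\system32\qmhrmiloqm_navps.dat
((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))
"""

# Constructed control set: legitimate files named in the same log's Find3M report.
BENIGN_CONTROL = [
    r"C:\WINDOWS\system32\wuauclt.exe",
    r"C:\WINDOWS\system32\wuaueng.dll",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\d3d8caps.dat",
    r"C:\WINDOWS\nircmd.exe",
]

VOWELS = set("aeiouy")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}


def deletions_section(log_text: str) -> List[str]:
    """Paths listed under ComboFix's 'Other Deletions' banner, up to the next banner."""
    paths, inside = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("((("):
            inside = "Other Deletions" in s
            continue
        if inside and re.match(r"^[A-Za-z]:\\", s):
            paths.append(s)
    return paths


def letter_stem(filename: str) -> str:
    """'qmhrmiloqm_navps.dat' -> 'qmhrmiloqm': the part before the first '.' or '_'."""
    m = re.match(r"^[^._]+", filename)
    return (m.group(0) if m else filename).lower()


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: long, letters only, and either
    vowel-starved or carrying a long consonant run. Thresholds are an assumption."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return vowel_ratio <= 0.25 or longest_run >= 5


@dataclass
class Finding:
    directory: str
    stem: str
    files: List[str]
    reason: str


def suspicious_clusters(paths: List[str]) -> List[Finding]:
    """Group files by directory and stem; report random-looking stems that include an executable."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for p in paths:
        directory, name = ntpath.split(p)
        groups[(directory.lower(), letter_stem(name))].append(name)
    findings = []
    for (directory, stem), names in sorted(groups.items()):
        if not looks_random(stem):
            continue
        if not any(ntpath.splitext(n)[1].lower() in EXECUTABLE_EXTS for n in names):
            continue                   # random-named data on its own is not worth a report
        sidecars = len(names) - 1
        reason = ("random-looking executable with %d sidecar file(s) sharing its stem" % sidecars
                  if sidecars else "random-looking executable name")
        findings.append(Finding(directory, stem, sorted(names), reason))
    return findings


if __name__ == "__main__":
    for f in suspicious_clusters(deletions_section(SAMPLE_COMBOFIX) + BENIGN_CONTROL):
        print(f.directory, f.stem, f.files, f.reason)
```

On the sample it produces exactly one finding, the `qmhrmiloqm` cluster in system32 with three sidecar files, while `wuauclt.exe`, `explorer.exe` and the rest of the control set pass. A heuristic like this is a prompt for the helper to look, not a verdict: as Navilog1's own banner says, legitimate files can appear in the result, and anything it names should be checked before deletion.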
Thanks Alphonso,
It seems that the following are still on the system. I will run the software as suggested and post again.
Regards
Incident Status Location
Adware adware/NaviPromo Not disinfected C:\Program Files\WebMediaPlayer\uninst.exe[²ÜÇ\NSUtils.dll]
Potentially unwanted tool application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
sca
Attached as per instructions.
Regards
Search Navipromo version 2.0.9 began on 29/08/2007 at 17:31:09.92
!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 20.08.2007 at 22h30 by IL-MAFIOSO
Done in normal mode
*** Searching for installed Software ***
*** Search folders in C:\WINDOWS ***
*** Search folders in C:\Program Files ***
*** Search folders in C:\Documents and Settings\All Users\Application Data ***
*** Search folders in C:\Documents and Settings\Satb\Application Data ***
*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is a product of F-secure, for more info:
http://www.f-secure.com/blacklight/blacklight_help.html
F-SECURE BLACKLIGHT ROOTKIT ELIMINATOR
======================================
Copyright 2005-2006 F-Secure Corporation. All rights reserved.
This is a beta version. It will expire on 1st of October, 2007.
Version information: 2.2.1064.
[+] Started on 08/29/07 at 17:31:16.
[+] Initializing ...
[+] Starting scan, press Ctrl-C to abort.
[+] Scanning for hidden items ....................................................................................
[+] Scan complete.
[+] Summary: 0 hidden item(s) found, 0 scheduled for renaming.
[+] Exited on 08/29/07 at 17:41:21 (return code = 0).
*** Search with GenericNaviSearch ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!
Files found :
No File found !
Suspicious Files :
No Suspicious File found !
*** Search files ***
C:\WINDOWS\pack.epk found !
*** Search registry keys ***
Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Search Magic Control Key
*** Complementary Search ***
(Search specifics files)
1)Search known files:
2)Heuristic Search :
*
**
***
****
*****
******
*******
********
3)Certificates Search :
Certificate Egroup found !
*** Search completed on 29/08/2007 at 17:42:11.98 ***
sca
Just a few remnants found.
- Double click on Navilog1 shortcut icon on your desktop to run it.
- Press E for English from the language Menu.
- Type 3 in the next Menu and press Enter.
- The tool will then advise you that it will restart your computer.
- Close all open windows and save personal documents, if open, too.
- If your computer doesn't restart automatically, restart it manually.
- Choose your usual session.
- Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
- A new document will be produced.
- Please copy/paste the contents of this report in your next reply.
- Your desktop will now appear.
The report is also saved in the root directory, %SystemDrive%\cleannavi.txt (usually C:\cleannavi.txt).
Thanks for the help again. Log attached.
Navipromo Removal version 2.0.9 started on 30/08/2007 at 17:42:50.39
Fix running from C:\Program Files\navilog1
Updated on 20.08.2007 at 22h30 by IL-MAFIOSO
Automatic removal
without Blacklight results
*** Search with GenericNaviSearch ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!
Files found deleted with backups :
No File found !
No Suspicious File found !
*** Deleting folders in C:\WINDOWS ***
*** Deleting folders in C:\Program Files ***
*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***
*** Deleting folders in C:\Documents and Settings\Sat\Application Data ***
*** Deleting files ***
C:\WINDOWS\pack.epk deleted !
*** Deleting temporary files ***
Cleanning C:\WINDOWS\Temp done !
Cleanning C:\Documents and Settings\Sat\Local Settings\Temp done !
*** Complementary Search ***
(Search specifics files)
1)Search known files:
2)Searching and deleting Heuristics :
*
**
***
****
*****
******
*******
********
3)Certificates :
Egroup Certificate deleted !
*** Copy registry to Backupnavi folder ***
Backing up registry done !
*** Clean registry ***
Registry cleaned
*** Cleaning finished on 30/08/2007 at 17:50:37.56 ***
sca