I have been reading symptoms and remedies to remove DSO exploit but there is TOO much jargon - I am a self taught novice - I can't go to regedit because either DSO exploit or another spyware prog has disabled my regedit and msconfig in 'run'. I've looked in safe mode but don't know what I'm looking for - any help PLEASE but I do need step-by-step instructions - thanks Zeta

Go to www.housecall.antivirus.com and run an online virus scan. It's a virus that has you disabled.
When all is said and done
More is said than done..

I have AVG virus scanner which shows no viruses but I will give your idea a try later and will let you know - thanks

The DSO exploit is a potential back door that hackers could use in an oldish version of MS Internet Explorer. I've traced it back to a registry value of "".
Generally, not too many people are concerned by this. However, Spybot Search and Destroy will find it in every search. It will report that it has fixed it. It will not fix it! That is a feature that they are working on.
I presume that you are using SBS&D, what other scumware programs do you use?

In reply to response1 - I have run Housecall and it brought up 1 possible virus - C:\windows\system\divxc.exe - can I delete this?
Zeta

There is a piece of software known as Spybot Search & Destroy 1.3; it can be downloaded here:
http://www.safer-networking.org/en/download/index.html
Install the software and then update it. Run the software and then delete what it finds.
There is another software product that I would recommend you run before Spybot and that is AdAware SE available here:
http://www.majorgeeks.com/download506.html
as with Spybot update it before you run it and delete what it finds.
As for your process 'divxc.exe', let the antivirus that located it remove it if it can. It is part of the MASTAK virus by the look of it; see here:
http://www.2-spyware.com/file-divx-exe.html
I would do some more research on your potential virus if Housecall cannot remove it. Sort the other problems first, one thing at a time.
M

PS. Check Windows Update, there may be a patch you have not picked up, hence your DSO Exploits. You may also wish to install Spywareblaster available here:
http://www.javacoolsoftware.com/spywareblaster.html
This should assist in stopping spyware and if you use Instant Messenger services then from the company that produces Zone Alarm Firewall there is IM Secure available here:
http://www.zonelabs.com/store/content/catalog/products/sku_list_ims.jsp
I forgot to mention in the first post all software products mentioned have freeware versions.
M

thanks
I have spybot search and destroy and it is fully updated.
I have adaware and that's fully updated too.
both delete it but it's back the next time they are run.
I have zone alarm.
what's a 'patch' - don't understand the jargon and don't know what I'm looking for.
have just downloaded 'spyhunter' as per your MASTAK virus message.
I'll let you know how I get on.
Thanks for your time
Zeta
Housecall won't delete 'divxc.exe' and my AVG6 doesn't find it.

I agree with Mark that SpywareBlaster is a very good program to keep malware out. You will still need to get rid of the current malware first.
Derek.W

When virus/spyware has disabled regedit (and usually msconfig) it should run OK from safe mode.
You may want to run msconfig from safe mode, click the startup tab and post back what's listed there. I've found that it's usually something listed there that is the culprit.

You should get rid of spydoctor because any program that gives a false indication of nasties in order to goad you into purchase is effectively scumware. See here:
ROGUE ANTI-SPYWARE
Just for our information you could type regedit in the Run box from Safe Mode and see if you then get the registry screen. I would then "back straight out" if you are unfamiliar with the registry.
Try msconfig in the Run box from Safe Mode too. I think what Dave had in mind is for you to type a list of what is there (NotePad would do fine for this), then Copy/Paste it on here so that we can have a look at it.
It would also be worth you downloading a freebie program called HijackThis. Run it then paste the log into the analyser on this website:
HIJACK-THIS AUTO ANALYSIS
Only allow HijackThis to delete the "definite nasties" not anything that is just being questioned. If it queries LoadPowerProfile entries then they need a bit of manual analysis so are best left alone at this stage - probably perfectly OK.
Derek.W

First of all thanks for the anti-rogue spyware list - I have deleted spyware doctor. I also mentioned that I had downloaded spyhunter - not only did it want me to pay straight away, it then gave me spyware - hence this is deleted also.
I have 'hijack this' and here is that log -
Logfile of HijackThis v1.98.2
Scan saved at 20:38:02, on 19/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\DIVXC.exe
C:\WINDOWS\SYSTEM\HPSJVXD.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\AHEAD\INCD\INCD.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MSWHEEL.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.exe
C:\WINZIP\WINZIP32.exe
C:\MY DOCUMENTS\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qlfxdgrgpplneeekvj.net/Vnm5BTpNGiyU7m6ZrJjYRZgOBOgaNVtwzBLZ9/Uq5fcjj3aHNlxE8AMXIj68MPVa.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ntlworld.com/home.html"); (C:\Program Files\ntl45\Communicator\Users\ntl\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Divx Codec WinXP] DIVXC.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.exe /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.exe" /Q
O4 - HKCU\..\RunOnce: [Divx Codec WinXP] DIVXC.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.exe
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Dell Home - {E7A04260-0FF9-11D4-B613-0050DADD6112} - http://www.euro.dell.com/countries/uk/enu/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://showpower.sdcf.biz//new1/msits.exe
let me know if you still want me to copy and paste a list of what's in my 'msconfig'
thanks again
Zeta

Ah, that's not what I said. The intention was that you post the HijackThis log into the analyzer on the second link I gave you.
I won't pretend to be particularly expert at these logs but I've run it through the analyzer and searched with Google for info about what showed up.
Run Hijack again and get it to delete these:
"BOTH entries" like this for Divx:
O4 - HKLM\..\Run: [Divx Codec WinXP] DIVXC.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://showpower.sdcf.biz//new1/msits.exe
The two Divx entries are a virus, and the one at O16 is a Trojan.
I am not too sure about this one but it looks pretty weird to me:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qlfxdgrgpplneeekvj.net/Vnm5BTpNGiyU7m6ZrJjYRZgOBOgaNVtwzBLZ9/Uq5fcjj3aHNlxE8AMXIj68MPVa.php
I would suggest you delete this too, on the basis that it can always be restored from the backup in the unlikely event that it is necessary. I assume it is greek to you too? Make sure in HijackThis (Config button) that there is a tick in "Make backups before fixing items" - there probably will be.
Having done that by all means post the msconfig info as a list on this post if need be (yes, I do mean here this time).
Derek.W

thanks Derek - I'm really not trying to be gormless - it comes natural to me (only joking) - will do what you said tonight and let you know how I get on as well as giving the start up info.
Bless ya
Zeta

Hijack won't delete the 2 divx entries!
the O16 DPF 10000000000000000000etc is no longer there to delete!
I deleted the strange looking search bar address no probs.
Can you tell me an easy way of posting a copy of my startup stuff in safe mode apart from hand typing it all
thanks Zeta

As regards the obstinate divxc.exe it would be worth shoving that in the search string in Google. Don't forget the "Groups" option either. I did get quite a few hits but only looked at enough of them to prove it was a "nasty". Maybe someone out there has found a cure.
Again on the divxc.exe symptom. If you don't unearth anything, post that particular problem on our Security & Virus forum. They are certainly likely to know much more about it than I do (which is not a lot).
As for msconfig, maybe there is another way to crack it without having to do that typing. With the exception of ScanRegistry (important) you can "temporarily" untick anything in the Startup tab. The same applies to the Config.sys and Autoexec.bat tabs. The last two are only important for DOS games and the like, although if you have a virus boot scan line in autoexec.bat this should be kept in place.
Unticking all questionable entries in the tabs I've given might prove the point, then they can be put back one by one until you find the problem entry (which we can then discuss). Of course the entry for the nasty, if any, might well put itself back in again from what you've said....
Take a look at this website because there is little point unticking "known good entries" (such as ScanRegistry, SystemTray, and the two LoadPowerProfile entries).
STARTUP ITEMS
I guess that's enough to be going on with. Shout back if anything isn't clear.
Derek.W

All the '04' items in your hijackthis log are in msconfig--startup. Other items in msconfig can load from the start menu or win.ini. But they should be listed in your hijackthis log also. So you probably don't need to list the msconfig--startup entries. I had suggested it in lieu of something like hijackthis.
Assuming you can run regedit in safe mode you might try deleting the divxc references that way. You'd browse to HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION and then check the RUN folders for the entries. The other one is located in HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENT_VERSION also in the RUN folders.
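The two posts above make the same point from different angles: HijackThis O4 lines are the Run/RunOnce/RunServices autostart keys, and the entries worth deleting are the ones that look wrong in a specific way (a bare filename with no path, the same executable registered in more than one autostart key, an O16 download that is an mhtml: URL ending in .exe rather than a .cab, a search-bar setting pointing at a nonsense hostname). The script below is an added example written for this page; it is not code from any poster or from HijackThis. It parses a handful of lines copied from Zeta's log above and lists a review reason for each suspicious one, which is roughly the manual triage Derek describes. The KNOWN_GOOD_RUN_NAMES set and the "random-looking hostname" threshold are assumptions chosen for illustration (seeded from the entries Derek calls known good), not a vendor list.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: autostart names the thread itself calls "known good"; extend per machine.
KNOWN_GOOD_RUN_NAMES = {"ScanRegistry", "SystemTray", "LoadPowerProfile"}
VOWELS = set("aeiou")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>.*)$")
R_RE = re.compile(r"^R[01] - (?P<path>[^,]+),(?P<setting>[^=]+) = (?P<value>.*)$")

# Sample input copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qlfxdgrgpplneeekvj.net/Vnm5BTpNGiyU7m6ZrJjYRZgOBOgaNVtwzBLZ9/Uq5fcjj3aHNlxE8AMXIj68MPVa.php",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/",
    r"O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup",
    r"O4 - HKLM\..\Run: [Divx Codec WinXP] DIVXC.exe",
    r"O4 - HKCU\..\RunOnce: [Divx Codec WinXP] DIVXC.exe",
    r"O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab",
    r"O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://showpower.sdcf.biz//new1/msits.exe",
]


def _exe_path(cmd):
    """Return the executable part of a Run command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted Win9x paths may contain spaces, so cut just after the first ".exe".
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _looks_random(label):
    """Crude heuristic: a long DNS label with very few vowels (threshold is an assumption)."""
    if len(label) < 12:
        return False
    return sum(1 for c in label.lower() if c in VOWELS) / len(label) < 0.25


def triage_line(line):
    """Return a list of review reasons for one log line; an empty list means nothing noteworthy."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        exe = _exe_path(m["cmd"])
        bare = "\\" not in exe and "/" not in exe          # no directory at all
        if bare and m["name"] not in KNOWN_GOOD_RUN_NAMES:
            reasons.append(f"O4 {m['hive']}\\{m['key']} '{m['name']}' launches bare filename {exe} (no path)")
        return reasons
    m = O16_RE.match(line)
    if m:
        url = m["url"].strip().lower()
        if url.startswith("mhtml:"):
            reasons.append("O16 DPF uses an mhtml: URL (MHTML redirection)")
        if url.endswith(".exe"):
            reasons.append("O16 DPF points at an .exe rather than a .cab")
        if m["desc"] is None:
            reasons.append("O16 DPF has no registered control name")
        return reasons
    m = R_RE.match(line)
    if m:
        host = urlparse(m["value"].strip()).hostname or ""
        if any(_looks_random(label) for label in host.split(".")):
            reasons.append(f"{m['setting']} points at random-looking host {host}")
    return reasons


def triage_log(lines):
    """Per-line findings plus a cross-line check: one executable in several autostart keys."""
    findings = {line: triage_line(line) for line in lines}
    locations = defaultdict(set)
    for line in lines:
        m = O4_RE.match(line)
        if m:
            locations[_basename(_exe_path(m["cmd"]))].add((m["hive"], m["key"]))
    for line in lines:
        m = O4_RE.match(line)
        if m:
            base = _basename(_exe_path(m["cmd"]))
            if len(locations[base]) > 1:
                findings[line].append(f"{base} is registered in {len(locations[base])} autostart locations")
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        if reasons:
            print(line[:60] + "...")
            for r in reasons:
                print("   ->", r)
```

Run as-is it reports the search-bar line, both DIVXC.exe entries and the mhtml: O16 line, and stays silent on ScanRegistry, AVG and the Musicnotes .cab. It is a reading aid, not a verdict: as Derek says, a flagged LoadPowerProfile-style entry still needs a human look before anything is fixed.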

Aha. I hadn't realised that the 04 entries mean msconfig entries, which is pretty obvious when I now look at them. Yes, run with DAVE on this and treat the startup/msconfig stuff in my #17 as "interesting info" for some future time.
Shout if you need a hand in the registry (assuming you can get there using regedit).
Derek.W

YOU BEAUTIES -SORTED.
Did exactly what Dave said and regedit + msconfig now open in run.
I ran spybot and it found 'mediaplex' spyware so I deleted it and rebooted, visited a few websites and then spybot again and got the 'congratulations' message.
I think I'm ok now and can't thank you enough - you've been really patient with me.
Just one final question do I need ALL of the following -
adaware + spybot + cwshredder + spywareblaster + registry mechanic?
Zeta

Probably best keep them all.
Ad-Aware & SpyBot do more or less the same thing but often one will find something the other will miss.
SpywareBlaster is good because it keeps malware out rather than fixing it after it arrives - very fast to update too and doesn't actually have to be run (as you know).
In a perfect world it could be argued that SpywareBlaster makes Ad-Aware & SpyBot unnecessary but sadly that perfect world tends not to exist. Something can always creep in between updates and these packages are by no means synchronised.
RegistryMechanic is quite different. I know less about that particular one but I think it is a registry fixer, trimming out redundancies and false links which might cause problems. Not particularly aimed at "nasties" but could easily trim up loose ends after their removal. Pity you have to pay for it tho (assuming you've got that far).
There are some freebie registry cleaners around but not so many as there used to be. Names that spring to mind are EasyCleaner and RegSeeker. Some are no longer available as freebies but older versions are sometimes still out there on the net. If the registry cleaner topic interests you it might be worth raising a new post because I'm a tad behind the times with my own collection.
Glad to hear you got it sorted.
Derek.W

many many thanks again
I didn't sort it - you did.
Bless ya
And thanks to DAVEINCAPS too.
Zeta x

Phew, glad you mentioned DAVEINCAPS.
It's not a competition on here but it was Dave's registry fix that eventually came up with the goods.
Derek.W

Yeah, we're glad you got it fixed.
I usually put adaware and spybot on the computers I put together. As Derek says, they complement each other. I also put cwshredder on. It deals with some web page/home page hijackers that the other two don't cover.
