Got a little technology problem that you need fixed pronto? Post it here and we'll see what we can do.

Sat Sep 04, 2004 4:36 pm

Shollia wrote: Virus spyware.. whatever :P heh... they both suck
I have all of the spyware remover programs and none of them are helping. Adaware is up to date... it does catch something but like I already said.. the spyware keeps coming back.
When Norton caught the program.. I went and found the file and deleted it.. that worked for about 2hrs but once again.. it came back.

I do have hijack this but I don't know how to use it properly.. don't wanna delete anything I'm not supposed to :P heh So any help with how to use it to find the spyware would be appreciated.
Scan with HijackThis!, and post the log.

Sat Sep 04, 2004 7:43 pm

And Shollia, if it keeps coming back it might be a certain site you're going to that keeps putting it on your computer.

Sat Sep 04, 2004 10:52 pm

Articfox wrote: And Shollia, if it keeps coming back it might be a certain site you're going to that keeps putting it on your computer.


Not any of the sites I go to now.
I know I got it from a site I had gone to when I was looking for reference pics months ago.
I've had this problem for a while now but Norton blocked it from changing my homepage or anything, but now for some reason it isn't (yes it's updated as well).. *shrugs*

Anywho.. here's the hijack log

Logfile of HijackThis v1.98.0
Scan saved at 6:50:50 PM, on 9/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eric\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eric\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB002" /M "PictureMate"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta ... ysinfo.cab
O18 - Filter: text/html - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll
O18 - Filter: text/plain - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll

Sun Sep 05, 2004 12:09 am

Shollia wrote:
Articfox wrote: And Shollia, if it keeps coming back it might be a certain site you're going to that keeps putting it on your computer.


Not any of the sites I go to now.
I know I got it from a site I had gone to when I was looking for reference pics months ago.
I've had this problem for a while now but Norton blocked it from changing my homepage or anything, but now for some reason it isn't (yes it's updated as well).. *shrugs*

Anywho.. here's the hijack log

Please move HijackThis! to a permanent folder (for backups), e.g. c:\Hijackthis,
and check
O18 - Filter: text/html - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll
O18 - Filter: text/plain - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll

Sun Sep 05, 2004 12:21 am

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eric\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eric\LOCALS~1\Temp\sp.html

Those should also be removed. It's pointing to a local page that could be redownloading the spyware.
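
An added example, not part of any post in this thread: a small Python triage of HijackThis log lines that flags the two kinds of entries the replies above singled out (an IE search or start page pointing at a local file, and O18 filter entries) and reports fixed entries that show up again in a later scan. The function names and flagging rules are assumptions made for this illustration, not HijackThis features.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# A few lines copied from the log posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eric\LOCALS~1\Temp\sp.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll
"""

# Constructed later scan, modelled on the follow-up post where the entries return.
LATER_SCAN = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O18 - Filter: text/html - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll
"""

def parse_entries(log_text):
    """Return (section, detail) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries

def triage(log_text):
    """Return (section, reason, detail) for entries worth a manual look."""
    findings = []
    for section, detail in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in detail:
            value = detail.split(" = ", 1)[1].strip().lower()
            if value.startswith("file:"):
                reason = "IE page setting loads a local file"
                if "\\temp\\" in value:
                    reason += " from a Temp folder"
                findings.append((section, reason, detail))
        elif section == "O18" and detail.lower().startswith("filter:"):
            findings.append((section, "filter DLL registered for a MIME type", detail))
    return findings

def reappeared(fixed_details, later_log):
    """Entries that were fixed earlier but are present again in a later scan."""
    later = {detail for _section, detail in parse_entries(later_log)}
    return [detail for detail in fixed_details if detail in later]

if __name__ == "__main__":
    fixed = [detail for _section, _reason, detail in triage(SAMPLE_LOG)]
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
    print("Back after fixing:", reappeared(fixed, LATER_SCAN))
```

An entry that reappears after being fixed means something still running on the machine is rewriting it, so removing the registry entry alone will not hold.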

Sun Sep 05, 2004 12:37 am

Okedoke... deleted those... *crosses fingers* hope it works..
And thanks all for the help.. it's much appreciated!



EDIT: Didn't work... closed IE.. opened it back up and my homepage changed to about:blank :( :cry:

O18 - Filter: text/html - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll
O18 - Filter: text/plain - {F5D027A0-0D63-4F80-B4BD-2D9B5752ECA1} - C:\WINDOWS\System32\oalnk.dll

Are back

Sun Sep 05, 2004 1:22 am

It's starting to look like viral behavior. There might be a parasite that Norton cannot detect.

http://housecall.trendmicro.com/

Run the free Housecall scan to see if you have a virus.

Sun Sep 05, 2004 1:55 am

I have tried to remove 'The Game of Life' off my computer with 'Roller Coaster Tycoon' and 'The Game of Life' won't seem to delete. I delete the Hasbro Interactive folder containing the two games but apparently 'The Game of Life' is still there (According to Add/Remove Programs). How do I get it off my computer?

Sun Sep 05, 2004 2:07 am

-nm it's been fixed-

Sun Sep 05, 2004 4:00 am

Soujiro wrote:It's starting to look like viral behavior. There might be a parasite that Norton cannot detect.

http://housecall.trendmicro.com/

Run the free Housecall scan to see if you have a virus.


Computer won't let me download whatever it is that's on the site. Keeps giving me that error thing and then says it's some backdoor thing. *shrugs*
Anywho.. I went into the system32 folder, located oalnk.dll and deleted it, and everything is ok so far.
I know it's going to come back though.
Think I'm just gonna have to reformat :cry:

Sun Sep 05, 2004 4:47 am

Ammer wrote:I have tried to remove 'The Game of Life' off my computer with 'Roller Coaster Tycoon' and 'The Game of Life' won't seem to delete. I delete the Hasbro Interactive folder containing the two games but apparently 'The Game of Life' is still there (According to Add/Remove Programs). How do I get it off my computer?


Would that be Sim Life? Just curious...

But to answer your query, try individually deleting everything from the folder, that might work, probably won't though but it's worth a try.

Sun Sep 05, 2004 6:28 am

Apparently there's a problem with Trend-Micro's site. It's not a backdoor, it uses a Java-based virus scanner.

Sun Sep 05, 2004 9:10 am

Ammer wrote:I have tried to remove 'The Game of Life' off my computer with 'Roller Coaster Tycoon' and 'The Game of Life' won't seem to delete. I delete the Hasbro Interactive folder containing the two games but apparently 'The Game of Life' is still there (According to Add/Remove Programs). How do I get it off my computer?


Removing the program manually does not remove its uninstall entry. To do so, you need to edit your registry.

Run regedit.exe. Navigate to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Uninstall.
You should see a whole lot of "folders" under that "folder" (key) (left side of the registry editor window) -- click on each one, and see whether the value for "DisplayName" (right side of the window) is 'The Game of Life'. Delete the "folder" that contains that value (left side, should have a long GUID (hexadecimal sequence) name), and it will no longer appear in the uninstall list.
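
An added example, not from the thread: the same lookup done with Python's standard winreg module instead of clicking through each subkey in regedit. It only lists the matching Uninstall subkeys so the right one can be confirmed before it is deleted by hand; the function names and the sample subkey names are made up for illustration.

```python
import sys

UNINSTALL_PATH = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"

# Constructed sample entries (subkey name, DisplayName) for running off Windows.
SAMPLE_ENTRIES = [
    ("{00000000-0000-0000-0000-000000000001}", "The Game of Life"),
    ("{00000000-0000-0000-0000-000000000002}", "Roller Coaster Tycoon"),
    ("ExampleTool", None),  # a subkey with no DisplayName value
]

def read_uninstall_entries():
    """Return (subkey, DisplayName or None) for each Uninstall subkey (Windows only)."""
    import winreg  # standard library, present only on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_PATH) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for index in range(subkey_count):
            subkey = winreg.EnumKey(root, index)
            with winreg.OpenKey(root, subkey) as handle:
                try:
                    shown, _value_type = winreg.QueryValueEx(handle, "DisplayName")
                except FileNotFoundError:
                    shown = None  # many subkeys carry no DisplayName
            entries.append((subkey, shown))
    return entries

def find_uninstall_keys(entries, display_name):
    """Return full key paths whose DisplayName equals display_name (case-insensitive)."""
    wanted = display_name.strip().casefold()
    matches = []
    for subkey, shown in entries:
        if isinstance(shown, str) and shown.strip().casefold() == wanted:
            matches.append("\\".join(["HKEY_LOCAL_MACHINE", UNINSTALL_PATH, subkey]))
    return matches

if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for path in find_uninstall_keys(entries, "The Game of Life"):
        print(path)  # review this key in regedit before deleting it
```

On 64-bit Windows, 32-bit programs register under Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead, so that path needs the same check.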

Mon Sep 06, 2004 1:59 am

Hunter Lupe wrote:
Ammer wrote:I have tried to remove 'The Game of Life' off my computer with 'Roller Coaster Tycoon' and 'The Game of Life' won't seem to delete. I delete the Hasbro Interactive folder containing the two games but apparently 'The Game of Life' is still there (According to Add/Remove Programs). How do I get it off my computer?


Removing the program manually does not remove its uninstall entry. To do so, you need to edit your registry.

Run regedit.exe. Navigate to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Uninstall.
You should see a whole lot of "folders" under that "folder" (key) (left side of the registry editor window) -- click on each one, and see whether the value for "DisplayName" (right side of the window) is 'The Game of Life'. Delete the "folder" that contains that value (left side, should have a long GUID (hexadecimal sequence) name), and it will no longer appear in the uninstall list.


Thank you very much. It worked.

Tue Sep 07, 2004 11:58 pm

Image
How do I enable everything?