93sc Posted April 6, 2006 I have been fighting with this for about a day now. I have run Avast mutiple times inand out of safe mode, spybot, and norton and I can't get rid of whatever it is thats on this machine. The closest I have come to figuring things out is trojano-2873, but it keeps comming back. If anyone can give me something else to try before we reinstall that would be great. Thanks Logfile of HijackThis v1.99.1 Scan saved at 1:32:25 PM, on 4/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Ixia\Endpoint\endpoint.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\win3207947423132.exe C:\WINDOWS\CheckS02.exe C:\windows\mousepad9.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc. R3 - Default URLSearchHook is missing F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yxhxh.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [win3207947423132] C:\WINDOWS\win3207947423132.exe O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022 O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\Software\..\Telephony: DomainName = sathre.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe Share this post Link to post Share on other sites
Trevuren Posted April 6, 2006 Hi 93sc and welcome to the PC Pitstop Forums . My name is Trevuren and I will be helping you with your log. You have a few more things going on here than I think you are aware of. A. I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program B. 1. Please download Ewido Anti-Malware Install ewido anti-malware Launch ewido, there should be an icon on your desktop, double-click it. The program will now open to the main screen. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.(the status bar at the bottom will display ("Update successful") Exit Ewido, do not run the scan yet! If you are having problems with the updater, you can use this link to manually update ewido.ewido manual updates 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. 4. Once in Safe Mode, Open Ewido: Click on scanner Click on Complete System Scan and the scan will begin. You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report. Save the report .txt file to your desktop or a location where you can find it easily. Close ewido anti-malware. 5. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log. Regards, Trevuren Share this post Link to post Share on other sites
93sc Posted April 6, 2006 The only reason I had 2 AV programs running was that Norton wasn't doing anything and I was trying to fix this current infection. I have mutipule Ewido Logs becuase I could not run a full scan without the program crashing. I had to run the memory scan, let it clean itslef out, then the registry scan and so on till I could run the full scan. I will be including everything I have for eth sake of completness. Thanks again for your help. HJT: Logfile of HijackThis v1.99.1 Scan saved at 4:03:36 PM, on 4/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\Program Files\Ixia\Endpoint\endpoint.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc. R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022 O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\Software\..\Telephony: DomainName = sathre.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing) O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe Ewido memory: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 2:39:15 PM, 4/6/2006 + Report-Checksum: BE699C80 + Scan result: [868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup [1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning ::Report End Ewido fast: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 3:00:53 PM, 4/6/2006 + Report-Checksum: 788D4FBD + Scan result: [868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning [880] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Cleaned with backup [920] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Error during cleaning [928] C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Error during cleaning [952] C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup [1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Error during cleaning C:\WINDOWS\CheckS02.exe -> Trojan.VB.tg : Cleaned with backup C:\WINDOWS\country.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\WINDOWS\hosts -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\WINDOWS\keyboard8.exe -> Downloader.VB.aaa : Cleaned with backup C:\WINDOWS\kl1.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\WINDOWS\mousepad8.exe -> Trojan.VB.ali : Cleaned with backup C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ex : Cleaned with backup C:\WINDOWS\secure32.html -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\system32\jsnbryn.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\system32\olfwt.dat -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\system32\q.exe -> Dropper.Agent.hl : Cleaned with backup C:\WINDOWS\system32\q3.exe -> Dropper.Agent.hl : Cleaned with backup C:\WINDOWS\system32\q5.exe -> Dropper.Agent.hl : Cleaned with backup C:\WINDOWS\system32\qndsregp.exe -> Adware.ZenoSearch : Cleaned with backup C:\WINDOWS\system32\w0b6a022.dll -> Downloader.Agent.ahv : Cleaned with backup C:\WINDOWS\system32\yxhxh.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\system32\z1.exe -> Dropper.Agent.hl : Cleaned with backup C:\WINDOWS\system32\z3.exe -> Dropper.Agent.hl : Cleaned with backup C:\WINDOWS\system32\__delete_on_reboot__ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\toolbar.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\WINDOWS\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup ::Report End Ewido registry: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 2:38:38 PM, 4/6/2006 + Report-Checksum: BA702D86 + Scan result: HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup ::Report End Ewido Full: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 3:58:02 PM, 4/6/2006 + Report-Checksum: B398158C + Scan result: [868] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup [1208] C:\WINDOWS\system32\ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup [1036] C:\WINDOWS\system32\iopsht.exe -> Downloader.Qoologic.bj : Error during cleaning C:\Documents and Settings\Administrator.SATHRE\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup C:\Documents and Settings\Administrator.SATHRE\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned with backup C:\Documents and Settings\jacobroe\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Centrport : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup C:\Documents and Settings\robsathre\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\274EB106-FD8C-4AC7-818B-5E7CC9 -> Adware.NewDotNet : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\3B10D8E8-256F-4C89-95C5-70E10C -> Adware.NewDotNet : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\66A472CD-E111-4A05-98D5-C86464 -> Adware.NewDotNet : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\79FDDB4E-4EFF-49FF-9E8A-3ED5A2 -> Adware.NewDotNet : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\159715C5-AB90-4A9F-B495-7D5F49\A0AAB791-E86A-402C-846B-725E4A -> Adware.NewDotNet : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\DE9FF0D8-9FC5-40ED-BA30-461DA2\5A387052-66FE-482E-A0C7-DE70E1 -> Adware.WebHancer : Cleaned with backup C:\Program Files\Microsoft AntiSpyware\Quarantine\DE9FF0D8-9FC5-40ED-BA30-461DA2\6F3945EA-3549-4AD9-9B0A-8EB138 -> Adware.WebHancer : Cleaned with backup C:\WINDOWS\system32\__delete_on_reboot__iopsht.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\system32\__delete_on_reboot__ovptycy.dll -> Downloader.Qoologic.bj : Cleaned with backup ::Report End BFU Log: BFU v1.00.9 Windows XP SP2 (WinNT 5.01.2600 SP2) Script started at 3:59:05 PM, on 4/6/2006 Option Unload Explorer: Yes Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found) Failed: ServiceDisable Network Monitor (service not found) Failed: ServiceDisable Command Service (service not found) Failed: ServiceDelete Network Monitor (service not found) Failed: ServiceDelete cmdService (service not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found) Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found) Option pause between commands: 300 ms Option pause between commands: 50 ms Failed: FolderDelete C:\Program Files\MsConfigs (folder not found) Failed: FolderDelete C:\Program Files\winupdates (folder not found) Failed: FolderDelete C:\Program Files\winupdate (folder not found) Failed: FolderDelete C:\Program Files\winsupdater (folder not found) Failed: FolderDelete C:\Program Files\MsUpdate (folder not found) Failed: FolderDelete C:\Program Files\MsMovies (folder not found) Failed: FolderDelete C:\Program Files\wmplayer (folder not found) Failed: FolderDelete C:\Program Files\outlook (folder not found) Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed) Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed) Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF982C.tmp (operation failed) Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFACD4.tmp (operation failed) Failed: FolderDelete C:\Program Files\Maxifiles (folder not found) Failed: FolderDelete C:\Program Files\DNS (folder not found) Failed: FolderDelete C:\Program Files\EQAdvice (folder not found) Failed: FolderDelete C:\Program Files\FCAdvice (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found) Failed: FolderDelete C:\Program Files\Network Monitor (folder not found) Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found) Failed: FolderDelete C:\Program Files\Update06 (folder not found) Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found) Script completed. Share this post Link to post Share on other sites
Trevuren Posted April 6, 2006 A. Please run the following program: Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As": DelDomains.inf to your Desktophttp://www.mvps.org/winhelp2002/DelDomains.inf Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer, and post a new HijackThis log. Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before. B. Please disable Ewido Security Suite (EwidoGuard) 1. Launch Ewido 2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive. C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. First we need to make all files and folders VISIBLE: Go to start>control panel>folder options>view (tab) Choose to "show hidden files and folders," Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes. Close the window with ok Please RUN HijackThis.. Click the SCAN button to produce a log. Place a check mark beside each one of the following items: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022 O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing) Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window. Reboot Your System in Safe Mode How to use the F8 method to Start Your Computer in Safe Mode Restart the computer. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. Use the arrow keys to select the Safe mode menu item Press Enter. Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present): C:\WINDOWS\system32\jsnbryn.exe C:\WINDOWS\system32\nsvF1.dll C:\WINDOWS\system32\irsmftjs.dll C:\WINDOWS\system32\w0b6a022.dll C:\WINDOWS\system32\iopsht.exe C:\WINDOWS\system32\irssyncd.exe Exit Explorer, and REBOOT BACK INTO NORMAL MODE Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. Regards, Trevuren Share this post Link to post Share on other sites
93sc Posted April 7, 2006 (edited) That seemed to go well. None of those files that I was supposed to delete were present when I went looking for them while in safe mode. Thanks again for all the help. Logfile of HijackThis v1.99.1 Scan saved at 7:27:27 AM, on 4/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\Program Files\Ixia\Endpoint\endpoint.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\userinit.exe C:\Program Files\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\Software\..\Telephony: DomainName = sathre.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe Edited April 7, 2006 by 93sc Share this post Link to post Share on other sites
Trevuren Posted April 7, 2006 Things are looking up!!! As a precautionary measure, please run the following online scan and post the results along with a fresh HJT log. If everything is OK, we will be able to start our final cleanup procedures: Please do an online scan with Kaspersky Online Virus Scanner Next Click on Free Virus Scanner, then Kaspersky Online Scanner You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected:Scan using the following Anti-Virus database:Standard Scan Options:Scan ArchivesScan Mail Bases Click OK Now under select a target to scan:Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information into your next post. Regards Trevuren Share this post Link to post Share on other sites
93sc Posted April 7, 2006 Getting closer it seems. ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Friday, April 07, 2006 15:10:04 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 7/04/2006 Kaspersky Anti-Virus database records: 175530 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ Scan Statistics: Total number of scanned objects: 53283 Number of viruses found: 7 Number of infected objects: 22 Number of suspicious objects: 0 Duration of the scan process: 2774 sec Infected Object Name - Virus Name C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01800000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03840000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980000.VBN Infected: Trojan-Clicker.Win32.Small.jf C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980001.VBN Infected: Trojan-Clicker.Win32.Small.jf C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980002.VBN Infected: Trojan.Win32.VB.tg C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980003.VBN Infected: Trojan.Win32.VB.tg C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08AC0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08AC0001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040000.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600000.VBN Infected: Trojan-Downloader.Win32.Small.cpu C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600001.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600002.VBN Infected: Trojan-Downloader.Win32.Small.cpu C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600003.VBN Infected: Trojan-Downloader.Win32.Qoologic.bj C:\w.exe Infected: Trojan-Downloader.Win32.Agent.aie C:\WINDOWS\system32\drsmartload482a.exe Infected: Trojan-Downloader.Win32.Adload.af C:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf C:\WINDOWS\system32\Win3.exe Infected: Trojan-Clicker.Win32.Small.jf C:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k C:\WINDOWS\YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k Scan process completed. Share this post Link to post Share on other sites
Trevuren Posted April 7, 2006 A. I have included, for your convenience, a link to a PDF on how to manage your corporate version. This should enable you to clear everything out. http://www.upenn.edu/computing/virus/docs/...61/navce76u.pdf If this is not the correct version, just Google Norton Corporate Antivirus Quarantine. B. A. Please download the Killbox by Option^Explicit. Note:In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select "Delete on Reboot Then click the "All Files" button. Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C C:\w.exe C:\WINDOWS\system32\drsmartload482a.exe C:\WINDOWS\system32\Win3.exe C:\WINDOWS\YazzleBundle-1119.exe Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually. B. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browserClick Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browserClick Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. C. After all this is done, please tell me if everything appears to be OK so we can finish up. Regards, Trevuren Share this post Link to post Share on other sites
93sc Posted April 7, 2006 Both of those seem to have worked as you layed them out. Share this post Link to post Share on other sites
Trevuren Posted April 7, 2006 Please post one last HJT log for me to check and if everything is OK, we will commence our final but essential cleanup procedures. Trevuren Share this post Link to post Share on other sites
93sc Posted April 7, 2006 Logfile of HijackThis v1.99.1 Scan saved at 4:41:40 PM, on 4/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\Program Files\Ixia\Endpoint\endpoint.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\userinit.exe C:\Program Files\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sathre-Bergquist, Inc. O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\Software\..\Telephony: DomainName = sathre.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sathre.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sathre.com O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Ixia Performance Endpoint (IxiaEndpoint) - Ixia - C:\Program Files\Ixia\Endpoint\endpoint.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe Share this post Link to post Share on other sites
Trevuren Posted April 7, 2006 Congratulations, your log shows that your SYSTEM IS CLEAN There are a few things you must do once you are completely clean: 1. Re-hide your System Files and Folders to prevent any future accidents. Reconfigure Windows XP to hide hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading deselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK. 2. Please run ATF Cleaner again 3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files: TO DISABLE SYSTEM RESTORE Right-click "My Computer", and then left click "Properties". Left click on "System Restore Tab" Check box beside "Turn Off System Restore" Left click on "Apply" Reboot your System TO ENABLE SYSTEM RESTORE Remove check mark from "Turn Off System Restore" Click on "Apply" Here are some tips to reduce the potential for spyware infection in the future: Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open. I strongly recommend installing the following applications: Spywareblaster <= SpywareBlaster will prevent spyware from being installed. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts. How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware. How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware. To protect yourself further: Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Google Toolbar <= Get the free google toolbar to help stop pop up windows. And also see TonyKlein's good advice So how did I get infected in the first place? (My Favorite) Regards, Trevuren Share this post Link to post Share on other sites
93sc Posted April 8, 2006 Thank you very very much. You guys rule. Share this post Link to post Share on other sites
Trevuren Posted April 8, 2006 Our Pleasure, Trevuren Share this post Link to post Share on other sites
.png.9d4b89b15b2cd5e65edd93a0e6823dce.png)
