Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

spirit_bomb's HJT log


  • This topic is locked This topic is locked
14 replies to this topic

#1 spirit_bomb_89

spirit_bomb_89

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 25 June 2005 - 08:35 PM

Mod Edit: This log was split from the Windows XP/NT/2000/2003 forum, where a non-HJT Team member was giving advice, that has been followed. This is the second log, after the advice was followed. The previous post have been jailed here:
blood hound virus

i dont know how to find the type of virus it is, but i deleted the ones u told me to and here is the new log.Logfile of HijackThis v1.99.1
Scan saved at 9:33:37 PM, on 6/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\svcnut32.exe
C:\WINDOWS\System32\rzvmma.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeDevice\PeDev.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpa.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kungfuchess.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\ycomp5_6_0_0.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rzvmma.exe reg_run
O4 - HKLM\..\Run: [aakjtxc] c:\windows\system32\gvnlja.exe
O4 - HKLM\..\Run: [tcfhycz] c:\windows\system32\pekhmit.exe
O4 - HKLM\..\Run: [Windows Authority Service] C:\WINDOWS\\\\\\\\\\\
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {9BB9D376-EECF-4A24-A197-6924D4BDFAEB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9BB9D376-EECF-4A24-A197-6924D4BDFAEB} - (no file) (HKCU)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {9D3676C7-5297-45BB-8124-5A76D95DBB1F} (shizmoo2 Class) - http://www.kungfuchess.com/activex/web2_57.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

i am also getting this pop up called aurora, almost everytime i open internet exxplorer and go to a different web page.

Edited by tg1911, 25 June 2005 - 09:45 PM.


BC AdBot (Login to Remove)

 


#2 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 26 June 2005 - 04:34 PM

My computer is also always trying to install microsoft money everytime i open internet explorer i beleive thisn is from the virus as well please help me!!!

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 27 June 2005 - 07:30 PM

Hello spirit_bomb_89 and welcome to the BC forums. The first thing that we must do is update your operating system.

Your operating system is extremely out of date. By not keeping your OS updated you leave yourself open to many of the infections that cannot be installed on a properly updated system. I strongly recommend that you go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known holes which your present system has open.

After the update to SP2 repost a new log and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 28 June 2005 - 12:04 PM

Ok i will do this

#5 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 28 June 2005 - 12:08 PM

The windows update site does not load, When i click it it goes to a plain white page.

#6 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 28 June 2005 - 12:49 PM

Im not sure if this would work but i went to help and support on my computer, and searched for windows update service pack 2. and a link came up to download it so i did is says its for IT professionals, but i think its the right one.

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 28 June 2005 - 03:14 PM

Hi spirit_bomb_89. Yes, that one will work.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 29 June 2005 - 09:23 AM

here is my new log

Logfile of HijackThis v1.99.1
Scan saved at 10:22:51 AM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svcnut32.exe
C:\WINDOWS\system32\rzvmma.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpa.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.kungfuchess.com/
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzvmma.exe reg_run
O4 - HKLM\..\Run: [aakjtxc] c:\windows\system32\gvnlja.exe
O4 - HKLM\..\Run: [tcfhycz] c:\windows\system32\pekhmit.exe
O4 - HKLM\..\Run: [Windows Authority Service] C:\WINDOWS\\\\\\\\\\\
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {9D3676C7-5297-45BB-8124-5A76D95DBB1F} (shizmoo2 Class) - http://www.kungfuchess.com/activex/web2_57.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 29 June 2005 - 10:52 AM

Hi spirit_bomb_89. Alrighty then, let's get to work. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CCleaner and install it but do not run it yet.

Now we need to remove a service.

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the System Startup Service service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete SvcProc
  • Close the Command Prompt window
Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpa.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rzvmma.exe reg_run
O4 - HKLM\..\Run: [aakjtxc] c:\windows\system32\gvnlja.exe
O4 - HKLM\..\Run: [tcfhycz] c:\windows\system32\pekhmit.exe
O4 - HKLM\..\Run: [Windows Authority Service] C:\WINDOWS\\\\\\\\\\\
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\xmllib.dll
C:\WINDOWS\eltupt.exe
C:\WINDOWS\System32\picsvr\ <-folder
C:\WINDOWS\System32\nsvsvc\ <--folder
C:\WINDOWS\system32\svcnut32.exe
C:\WINDOWS\system32\rzvmma.exe
c:\windows\system32\gvnlja.exe
c:\windows\system32\pekhmit.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE

Now search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.shdocpa.dll
Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean" or "autoclean".

Step #8

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal v1.06, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 29 June 2005 - 12:06 PM

i ALREADY HAVE A PROBLEM.in part1 when i go to start>run, services.msc it gives me this
mmc can not open the file C:\windows\system32\services.msc.

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 29 June 2005 - 05:35 PM

Hi spirit_bomb_89. Are you logged onto this computer as an Administrator? Otherwise you won't be able to do most of the steps.

or, is this machine on a company network? If so, you might not hve access rights from the network administrator to do anything on this machine.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#12 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 29 June 2005 - 06:22 PM

i am an administrator and im not using a company network

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 30 June 2005 - 07:05 PM

Hi spirit_bomb_89. Try this instead for the directions to stop and remove the service:

Open Notepad and copy/paste the text in the quotebox below into the new document:

@ECHO OFF
cd\windows
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h svcproc.exe
del svcproc.exe
exit


Save the document to your desktop as rservice.bat and close Notepad. Locate the rservice.bat file on your desktop and double-click on it to run the batch file.

Then continue with the rest of the steps.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#14 spirit_bomb_89

spirit_bomb_89
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 03 July 2005 - 11:04 AM

I tried all this stuff and i called up dell company services and they tried to help, but they said since i cant accsess most of those administrator files. They said the virus had destroyed lots of my hard drive and other partys of my comp, and that its rapidly spreding. To get it fix and everything backed up would cost more then to just buy as new one, so we r. but i wanna thank u for ur help and if we had more time im sure we would of gotten rid of it.

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:09 AM

Posted 03 July 2005 - 02:58 PM

Hi spirit_bomb_89. This isn't all that bad compared to some of the stuff we've seen.

Before I would go out a buy a new computer I would suggest reformatting the hard drive and reinstalling XP. It's certainly much cheaper but I'm sure that Dell wouldn't make any money off from that.

Since you no longer want to continue I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users