Hijack This Log: Please Help Diagnose


8 replies to this topic

#1 helpwanted

helpwanted

  • Members
  • 5 posts

Posted 15 August 2005 - 05:47 PM

I'm having problems with ABetterInternet, BookedSpace, BargainBuddy, IranNews, and Nameshifter, just to name a few.

Logfile of HijackThis v1.99.1
Scan saved at 5:37:59 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\T3duZXIA\command.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\sder\dees.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\??sks\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [kd1dim] C:\WINNT\system32\kd1dim.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [Pkbux] C:\WINNT\system32\??sks\spoolsv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123351854763
O16 - DPF: {70AA5212-27A9-11D5-85B6-269F99000000} (WinBlitReader Class) - http://www.winblit.com/winblit.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_6.cab
O20 - Winlogon Notify: Telephony - C:\WINNT\system32\wyssvc.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts

Posted 17 August 2005 - 07:23 AM

Welcome helpwanted to Bleeping Computer.

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Command Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.

***

Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name):

cmdService

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

***

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Program Files\sder\dees.exe
C:\WINNT\system32\exp
C:\WINNT\system32\kd1dim.exe
C:\WINNT\T3duZXIA\command.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp

O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe

O4 - HKCU\..\Run: [kd1dim] C:\WINNT\system32\kd1dim.exe

O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe

O4 - HKCU\..\Run: [Pkbux] C:\WINNT\system32\??sks\spoolsv.exe

O20 - Winlogon Notify: Telephony - C:\WINNT\system32\wyssvc.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Use Windows Explorer to remove these folders:
<< vul in >>
Close Windows Explorer when you are done.

***

Reboot back to normal mode.

***

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

***

Post back to this topic with the Ewido log, a fresh HijackThis log and the L2M log.


Life is what happens while you're making other plans
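Added example, not part of this thread and not HijackThis's own code: a small Python triage script that turns the checks the helper above applied by eye into code. It flags the same kinds of entries g2i2r4 singled out (orphaned "(no file)"/"(file missing)" entries, a path containing a "?" that HijackThis could not render, a Run target with no file extension, and a service folder named in base64). The sample lines are copied from the logs posted in this thread plus one benign Symantec line; the heuristics themselves are my assumptions, not HijackThis features.

```python
import base64
import re
import string
from typing import Dict, List, Optional

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = "\n".join([
    r'R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch',
    r'R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)',
    r'O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll',
    r'O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp',
    r'O4 - HKCU\..\Run: [Pkbux] C:\WINNT\system32\??sks\spoolsv.exe',
    r'O4 - HKCU\..\Run: [Fadkigr] C:\WINNT\system32\W?nSxS\nopdb.exe',
    r'O20 - Winlogon Notify: Telephony - C:\WINNT\system32\wyssvc.dll (file missing)',
    r'O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe',
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe',
])

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def extract_path(section: str, body: str) -> Optional[str]:
    """Pull the filesystem path out of a log line, or None if it carries none.
    R0/R1 and O16 lines hold URLs, whose '?' must not trip the path rule."""
    if section in ("R0", "R1", "O16"):
        return None
    if section == "O4":
        if "] " in body:                       # Run key: [name] target args
            target = body.split("] ", 1)[1].strip()
        elif " = " in body:                    # Startup folder: x.lnk = target
            target = body.split(" = ", 1)[1].strip()
        else:
            return None
        if target.startswith('"'):             # quoted path, arguments follow the quote
            return target[1:].split('"', 1)[0]
        return re.split(r"\s+[-/]", target)[0]  # unquoted: arguments start with - or /
    last = MISSING_RE.sub("", body.rsplit(" - ", 1)[-1]).strip()
    return last if re.match(r"^[A-Za-z]:\\", last) else None


def looks_like_base64_name(name: str) -> bool:
    """Heuristic (assumption): a directory whose name is valid base64 that decodes
    to readable text is hiding something; the folder in this thread's log decodes
    to the account name 'Owner'."""
    if not B64_RE.match(name):
        return False
    try:
        raw = base64.b64decode(name, validate=True)
    except ValueError:
        return False
    text = raw.rstrip(b"\x00")
    return len(text) >= 3 and all(chr(b) in PRINTABLE for b in text)


def triage(line: str) -> List[str]:
    """Return the reasons a line deserves a second look (empty list = nothing odd)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if MISSING_RE.search(body):
        reasons.append("points at a file that no longer exists (orphaned entry)")
    path = extract_path(section, body)
    if path:
        parts = path.split("\\")
        if "?" in path:
            reasons.append("path contains a character HijackThis could not render ('?'); "
                           "the folder name mimics a system directory")
        if "." not in parts[-1]:
            reasons.append("target has no file extension")
        if any(looks_like_base64_name(d) for d in parts[1:-1]):
            reasons.append("directory name is base64 that decodes to readable text")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("   ->", r)
```

The six lines it flags on the sample are exactly the ones the helper asked to have fixed or deleted, while the Symantec entries pass untouched; a hit is a prompt to look closer, not proof of infection.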

#3 helpwanted

helpwanted
  • Topic Starter

  • Members
  • 5 posts

Posted 19 August 2005 - 09:56 AM

After following the instructions -- running Clean-Up, Killbox, Ewido, etc. -- Dees.exe is still present on my system. I have posted the ewido log, the HijackThis log, and the l2mfix log (in that order). Also, does it matter that my Windows XP Home computer has multiple users? And does System Restore need to be turned off?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:35:54 AM, 8/19/2005
+ Report-Checksum: EAB46C74

+ Scan result:

:mozilla.17:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Marilyn\Application Data\Mozilla\Firefox\Profiles\yenzw8tg.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ommvh13g.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP990\A0114392.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP990\A0114393.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP990\A0114394.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 9:48:10 AM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\W?nSxS\nopdb.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Drew\LOCALS~1\Temp\!update.exe
C:\Program Files\sder\dees.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Drew\Desktop\HijackThis.exe
C:\WINNT\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fadkigr] C:\WINNT\system32\W?nSxS\nopdb.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123351854763
O16 - DPF: {70AA5212-27A9-11D5-85B6-269F99000000} (WinBlitReader Class) - http://www.winblit.com/winblit.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_6.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

L2MFIX find log 1.03d
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

#4 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • Gender:Not Telling

Posted 19 August 2005 - 04:51 PM

You are running HijackThis from the Desktop.
Please create a new folder for it and move the program into the new folder.

Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on Winfixer 2005
  • Click on Delete this entry
  • Click "Yes"
Close HijackThis.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check here on how to set up and use it - please make sure you update it first.

***

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in purple in the "Full Path of File to Delete" box in Killbox:

C:\Program Files\sder\dees.exe

Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Use Windows Explorer. There may be two folders that can fit this:
C:\WINNT\system32\W?nSxS\
There can be any letter at the ?
Let me know what you see.

***

Run AdAware and do a full system scan. Remove items found in red.

***

Reboot to normal mode.

***

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

***

Also post me a fresh HijackThis log.


Life is what happens while you're making other plans

#5 helpwanted

helpwanted
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male

Posted 20 August 2005 - 05:46 PM

Thank you for the very prompt reply!

I have performed the operations you suggested.

You asked for the letter in the folder "C:\WINNT\system32\W?nSxS" in the location of the "?". The letter is "i", so it appears as C:\WINNT\system32\WinSxS.

At your request I have copied below the following: (A) the information from the Kaspersky anti-virus scan and (B) a fresh HijackThis log.

* * * * * * * * * * * * * * * * * * * * A. * * * * * * * * * * * * * * * * * * * * * *

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 20, 2005 16:13:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/08/2005
Kaspersky Anti-Virus database records: 136220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 66454
Number of viruses found: 23
Number of infected objects: 78
Number of suspicious objects: 89
Duration of the scan process: 3505 sec

Infected Object Name - Virus Name
C:\backup.pst/Personal Folders/Inbox/15 Aug 2002 16:41 from info:Users of Yahoo! financial products a.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Aug 2002 17:02 from info:Japanese lass' sexy pictures.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Aug 2002 19:25 from mollymckenzie:Spice girls' vocal concert.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Aug 2002 22:44 from pecial101:2002 Sigma Nu Fraternity, Inc. .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/20 Aug 2002 04:07 from robertbolen:Re:please try again.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/20 Aug 2002 20:11 from mama:Sisson adjourned the meeting at 2.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/21 Aug 2002 00:10 from LesleyO52:Look,my beautiful girl friend.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Aug 2002 20:50 from sthigpen:Your password.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Aug 2002 22:51 from byges:Tdsize(150) .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/24 Aug 2002 07:27 from postmaster:Mar 13 2002 12.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/26 Aug 2002 22:40 from icordua:Please try again.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/27 Aug 2002 16:45 from news:A funny website.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/28 Aug 2002 17:00 from weather:4.71.2618.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/30 Aug 2002 16:55 from info:Hi,congratulations.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/03 Sep 2002 08:59 from info:Sos!.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/04 Sep 2002 10:13 from Tina-uugzbp:So cool a flash,enjoy it.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/04 Sep 2002 20:50 from ELISSAS_99:Sep 13 2001 15.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Sep 2002 06:05 from twilsonbmw:Darling.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Sep 2002 17:02 from wmcreq:Sos!.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/12 Sep 2002 21:03 from courtneychristopher:1999. FileQuest.com .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/13 Sep 2002 07:39 from lbd15:A good tool.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/13 Sep 2002 16:29 from jmccaslin:More information, see http.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/16 Sep 2002 15:17 from wjin:Free to execute another SQL statemen.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/17 Sep 2002 16:54 from bseaman:GoLive 4.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/18 Sep 2002 02:20 from editor:.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Sep 2002 22:03 from etec_nic_family:News Bulletin.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/21 Sep 2002 03:58 from jobs:Eager to see you.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/22 Sep 2002 03:27 from Jokes:How are you.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/29 Sep 2002 02:53 from ecards:Language.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/30 Sep 2002 10:54 from TIMIA01:A WinXP patch.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/02 Oct 2002 13:05 from bmclark:Ismap alt.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/17 Oct 2002 16:56 from MOMO22184:Cellpadding.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/18 Oct 2002 03:54 from Cli217:Have a new Allhallowmas.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Oct 2002 06:09 from finaid7:Fw:darling.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Oct 2002 12:41 from jpbyrne3:End footer code .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Oct 2002 12:41 from msispi:How are you.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Oct 2002 14:26 from bmc:Have a new Allhallowmas.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/25 Oct 2002 20:24 from teue:2001 Television Food Network, G.P., .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/27 Oct 2002 10:12 from OGRE:Copyright 1999 The University of Ala.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/29 Oct 2002 10:53 from wjemison:.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/30 Oct 2002 08:56 from gradapps:Have a good Allhallowmas.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/05 Nov 2002 05:58 from 2lsipri:Onmouseover.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/06 Nov 2002 09:55 from advertise:Copyright 1999 The University o.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/07 Nov 2002 11:11 from helpdesk:How are you.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/11 Nov 2002 22:05 from Fiend451:Meeting notice.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/13 Nov 2002 06:40 from ealolsipri:Your own board, FREE!.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/16 Nov 2002 17:39 from aapurser:All from Warner Bros. .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/21 Nov 2002 02:20 from jtray:New Roman.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Nov 2002 03:39 from steffnee2001:Some questions.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/26 Nov 2002 05:06 from Blsipri:View Support.txt on.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/27 Nov 2002 11:49 from sakeith:Valkyrie.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/28 Nov 2002 02:59 from AleroOSV:Hi,sos!.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/02 Dec 2002 05:40 from ealolsipri:Your own board, FREE!.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/02 Dec 2002 17:49 from dhanson:MARGINHEIGHT.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/12 Dec 2002 16:51 from bbridges:Have a funny Christmas.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/16 Dec 2002 01:06 from dhanson:Ad tag ends here .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/16 Dec 2002 05:56 from bbridges:Have a funny Christmas.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/20 Dec 2002 00:04 from 20jlweeden:ClickUrl.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/29 Dec 2002 06:21 from Roy--slocum:De tout manquement .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/08 Jan 2003 06:54 from aimeebert:The Garden of Eden.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Jan 2003 12:44 from rjgeib:LaunchContacth(.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Jan 2003 22:00 from scottg:Welcome to my hometown.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Jan 2003 23:50 from WebMaster:Look,my beautiful girl friend.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/12 Jan 2003 23:51 from big@boss.com:Re: Movies/Document003.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/13 Jan 2003 01:52 from big@boss.com:Re: Sample/Document003.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/15 Jan 2003 22:36 from welcome:Is our trademark..rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Jan 2003 23:02 from big@boss.com:Re: Document/Untitled1.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/19 Jan 2003 23:17 from big@boss.com:Re: Sample/Document003.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/20 Jan 2003 19:16 from big@boss.com:Re: Sample/Document003.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/21 Jan 2003 14:53 from big@boss.com:Re: Document/Untitled1.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/22 Jan 2003 15:01 from big@boss.com:Re: Document/Sample.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/23 Jan 2003 00:09 from search-0603962327450001:Re:dlsnyder,so co.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/23 Jan 2003 02:55 from big@boss.com:Re: Sample/Sample.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/24 Jan 2003 01:35 from big@boss.com:Re: Document/Movie_0074.mpeg.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/24 Jan 2003 09:33 from big@boss.com:Re: Document/Movie_0074.mpeg.pif Infected: Email-Worm.Win32.Sobig.a
C:\backup.pst/Personal Folders/Inbox/25 Jan 2003 02:17 from jacileas13:Sep 2000.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/19 Feb 2003 03:29 from webmaster:Fw:dlsnyder,your password.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/22 Feb 2003 22:04 from service:Some questions.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/26 Feb 2003 17:34 from MSN_Member_ID:How are you.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/26 Feb 2003 23:37 from congiard:Hello,let's be friends.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/27 Feb 2003 13:27 from booking:Hello,japanese lass' sexy picture.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/28 Feb 2003 05:50 from bbewing:A special funny website.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/28 Feb 2003 07:05 from rrobertson81:Fw:dlsnyder,introduction on .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/01 Mar 2003 14:46 from Carolinp:An account with such.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/02 Mar 2003 00:25 from mhobbs:You are using one of these browser.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/03 Mar 2003 04:09 from infantrybugs:Japanese lass' sexy pictures.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/03 Mar 2003 23:34 from webmaster:Mar 1 2001 18.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/07 Mar 2003 05:15 from store:A very powful tool.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/07 Mar 2003 11:57 from JReese:To the main page, please click .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/08 Mar 2003 01:27 from baileyr:Feb 6 2003 18.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/08 Mar 2003 08:24 from mbullard:CenterItX.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/10 Mar 2003 10:27 from wlebedow:Feb 19 2003 15.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/12 Mar 2003 03:32 from russallen41:A very funny website.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/13 Mar 2003 01:36 from registration:Language.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst/Personal Folders/Inbox/13 Mar 2003 07:01 from cjxn:A WinXP patch.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\backup.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Deleted Items.dbx/[From haagacraig <haagacraig@hotmail.com>][Date Mon, 20 May 2002 13:53:48 -0400 (EDT)]/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Deleted Items.dbx/[From jobs <jobs@Amazon.de>][Date Sat, 15 Jun 2002 09:54:16 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Deleted Items.dbx/[From jobs <jobs@Amazon.de>][Date Sat, 15 Jun 2002 09:54:16 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\00E453D3.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\01636E3B Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\0170162D.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\01766A26.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\0180681B.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\01863C14 Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\021A29B7.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\Program Files\Norton AntiVirus\Quarantine\0268062C.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\Program Files\Norton AntiVirus\Quarantine\0A1C48B2.dll Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\0BAA36F7.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\0BAD60F3.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\0BB00AF0.exe Infected: Trojan-Downloader.Win32.Qoologic.o
C:\Program Files\Norton AntiVirus\Quarantine\0BCE04CF.exe Infected: Trojan.Win32.Agent.ay
C:\Program Files\Norton AntiVirus\Quarantine\0BD12ECC.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\0BD458C8.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\Program Files\Norton AntiVirus\Quarantine\0BD702C5.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\Program Files\Norton AntiVirus\Quarantine\0BDB2CC1.fr5 Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\0BDE56BE.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\Program Files\Norton AntiVirus\Quarantine\0BE100BA.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\Program Files\Norton AntiVirus\Quarantine\0BE42AB6.dat Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\0D0F548D.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\0D137E89.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\0D162886.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\0D195282 Infected: Trojan-Downloader.Win32.Small.abd
C:\Program Files\Norton AntiVirus\Quarantine\0D3A765E.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\0D3D205B Infected: Trojan-Downloader.Win32.Qoologic.v
C:\Program Files\Norton AntiVirus\Quarantine\0D471E50.dat Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\130B332D Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\130B332D.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\Program Files\Norton AntiVirus\Quarantine\193B21B4.exe Infected: Trojan-Downloader.Win32.OneClickNetSearch.f
C:\Program Files\Norton AntiVirus\Quarantine\1D513B4E Infected: Trojan-Downloader.Win32.Small.abd
C:\Program Files\Norton AntiVirus\Quarantine\1F336D29.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\1FD2020E.000 Infected: Trojan-Downloader.Win32.PurityScan.af
C:\Program Files\Norton AntiVirus\Quarantine\1FD52C0B.000 Infected: Trojan-Downloader.Win32.PurityScan.af
C:\Program Files\Norton AntiVirus\Quarantine\1FDB0003.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\1FDF2A00.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\1FE253FC.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\1FE57DF9.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\200621D5.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\Program Files\Norton AntiVirus\Quarantine\2128128C Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\21321081 Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\21321081.asq Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\21353A7D.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\2138647A.asq Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\2138647A.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\Program Files\Norton AntiVirus\Quarantine\213C0E76.dll Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\Program Files\Norton AntiVirus\Quarantine\213F3872.asq Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\Program Files\Norton AntiVirus\Quarantine\21450C6B.exe Infected: Trojan-Downloader.Win32.Qoologic.x
C:\Program Files\Norton AntiVirus\Quarantine\214C6064.exe Infected: Trojan-Downloader.Win32.Qoologic.x
C:\Program Files\Norton AntiVirus\Quarantine\214F0A61.dat Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\Program Files\Norton AntiVirus\Quarantine\38D673CD Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\3B1C75D3 Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\3C524BB8.dll Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\3D061E35.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\3F8A2EB8.exe Infected: Trojan.Win32.Agent.ay
C:\Program Files\Norton AntiVirus\Quarantine\41B3192F Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\Program Files\Norton AntiVirus\Quarantine\41B3192F.asq Infected: Trojan-Downloader.Win32.Qoologic.n
C:\Program Files\Norton AntiVirus\Quarantine\43FE73E4.000 Infected: Trojan-Downloader.Win32.PurityScan.y
C:\Program Files\Norton AntiVirus\Quarantine\4CC157E2.htm Infected: Trojan-Clicker.JS.Linker.o
C:\Program Files\Norton AntiVirus\Quarantine\626F2F99.exe Infected: Trojan-Downloader.Win32.PurityScan.y
C:\Program Files\Norton AntiVirus\Quarantine\6DE659FC.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\6FF4092A.exe Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\Program Files\Norton AntiVirus\Quarantine\79C250B9.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Program Files\Norton AntiVirus\Quarantine\7BEB3B30 Infected: Trojan-Downloader.Win32.Qoologic.n
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP981\A0111670.exe Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP981\A0111696.dll Infected: Trojan-Downloader.Win32.Qoologic.aa
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP982\A0112946.dll Infected: Trojan-Downloader.Win32.Qoologic.aa

Scan process completed.

* * * * * * * * * * * * * * * * * * * B. * * * * * * * * * * * * * * * * * * * * * *

-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:26:08 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
-------------------------------------------------------------------------
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123351854763
O16 - DPF: {70AA5212-27A9-11D5-85B6-269F99000000} (WinBlitReader Class) - http://www.winblit.com/winblit.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - hcp://system/XPLControl.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_6.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

* * * END OF MESSAGE * * *
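As an added example (not from this thread or from HijackThis itself), here is a small Python triage script that parses HJT entries like those in the log above and flags the kinds of lines a helper checks first: O23 services whose binary is missing, O16 ActiveX downloads fetched from a bare IP host, and unnamed BHOs. The sample lines are copied from the log above; the flag rules are my own heuristics, not anything HijackThis reports.

```python
import re
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O23 - Service: PictureTaker - Unknown owner - c:\\fixit\\pt\\PCTKRNT.SYS (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O16, O23 ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, body) for entries that deserve a closer look (heuristics, not verdicts)."""
    findings = []
    for section, body in entries:
        if section == "O23" and body.endswith("(file missing)"):
            # Orphaned service registration: the binary is gone but the service entry remains.
            findings.append((section, "service points at a missing binary", body))
        elif section == "O16":
            # Body is "DPF: {CLSID} (Name) - URL"; the download URL is the last " - " field.
            url = body.rsplit(" - ", 1)[-1]
            host = urlsplit(url).hostname or ""
            if IPV4_RE.match(host):
                findings.append((section, "ActiveX control downloaded from a bare IP host", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # Unnamed BHOs are not necessarily bad (Spybot's SDHelper is one), but confirm the file.
            findings.append((section, "unnamed BHO, confirm the DLL it points at", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```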


#6 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:46 AM

Posted 21 August 2005 - 05:36 AM

As you can see it found the quarantined items found by Norton:
C:\Program Files\Norton AntiVirus\Quarantine\....

It found a bit in the restore point (we will create a new one when we are done):
C:\System Volume Information\_restore.....

As you can see, the Deleted Items folder in Outlook Express contains a few infected messages/attachments. I'd advise you to empty your Deleted Items folder.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Deleted Items.dbx

Finally, you seem to archive your received mail items. The archive is infected. I advise you to remove this archive.
C:\backup.pst


The HijackThis log looks good.
Is the computer running ok now?


Life is what happens while you're making other plans

#7 helpwanted

helpwanted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 22 August 2005 - 12:14 PM

Since the C:\backup.pst files seem to be connected with Outlook, which I have never used, I am in the process of determining how to locate and delete the archived emails. As soon as I have completed your instructions in this regard, I will post back.

Except for one problem that arose during the time when I was fighting the malware battle -- and which continues -- the computer is running fine. The printer [HP DeskJet 5550] from time to time [not every time] is very slow in starting a print job, even when the document to be printed is very small. On these occasions the status box shows that the printer is spooling. Delays for this reason had never occurred before. I thought I would mention this in the event it may be a by-product of adware invaders.

As previously stated, I will re-post after completing your last instructions.

Thank you.

#8 helpwanted

helpwanted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:46 PM

Posted 25 August 2005 - 08:02 AM

The Kaspersky scan identified 95 Outlook "backup.pst" files and 4 Outlook Express "Deleted Items.dbx" files. You recommended that these be deleted.

I have been attempting to import those files for permanent deletion, but without success. Could you please specify the steps to accomplish this or direct me to a helpful source of information? For me this is plowing new ground.

Thank you.

#9 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:46 AM

Posted 25 August 2005 - 06:42 PM

I'm sorry about that, I thought you were just going to delete the backup.

Here's an excellent tutorial on Outlook.


Life is what happens while you're making other plans



