Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJack This Log


  • This topic is locked This topic is locked
10 replies to this topic

#1 netrouter

netrouter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 20 September 2005 - 09:20 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:22:01 AM, on 9/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cmd.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINNT\system32\NTCommLib3.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Tech5\Desktop\HijackThis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [NTCommLib3] C:\WINNT\system32\NTCommLib3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0A10042D-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Inbox 10.5.2) - https://www.clientwebservices.biz/MACTECExt...t/en-us/atx.cab
O16 - DPF: {0A10052B-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Version Checker 10.5.2) - https://www.clientwebservices.biz/MACTECExt...-us/verctrl.cab
O16 - DPF: {0A100764-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Grid 10.5.2) - https://www.clientwebservices.biz/MACTECExt.../en-us/Grid.cab
O16 - DPF: {0A100775-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject PopupMenu 10.5.2) - https://www.clientwebservices.biz/MACTECExt...s/PopupMenu.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125351886203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125407796578
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Perl\bin\pdkdebug.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 24 September 2005 - 10:35 PM

Hello netrouter and welcome to BleepingComputer.

This log appears clean. Are you having any specific problems?
Derfram
~~~~~~

#3 netrouter

netrouter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 25 September 2005 - 03:56 PM

When I run Spybot it keeps finding Admess. I use Spybot to remove Admess, but once I reboot it keeps coming back.

thank you,

netrouter

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 25 September 2005 - 11:14 PM

HijackThis isn't currently seeing adware.admess. Let's try a different tool.

Download Silent Runners.
- Unzip it into it's own folder.

Open the folder into which you unzipped SilentRunners.
- Double click to run SilentRunners.vbs.
- If your antivirus complains, tell it to allow this script.
- When asked if you would like to perform 'Supplementary Searches', click YES.
- This script takes a while, please wait until you get an 'All Done' message.
Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply.
Derfram
~~~~~~

#5 netrouter

netrouter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 26 September 2005 - 07:36 AM

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"VMware Tools" = "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" ["VMware, Inc."]
"VMware User Process" = "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" ["VMware, Inc."]
"NTCommLib3" = "C:\WINNT\system32\NTCommLib3.exe" [null data]
"(Default)" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Tech5" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\WINNT\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]
OracleOraHome92Agent, OracleOraHome92Agent, "C:\oracle\ora92\bin\agntsrvc.exe" ["Oracle Corporation"]
VMware Tools Service, VMTools, "C:\Program Files\VMware\VMware Tools\VMwareService.exe" ["VMware, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 100 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 129 seconds)

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 26 September 2005 - 09:29 AM

I would like you to have two files scanned for me. Go to the Jotti's malware scan site and submit the following files for a malware scan:

C:\WINNT\system32\NTCommLib3.exe
C:\WINNT\system32\LxrJD31s.exe


Post the results of the scans in your next reply.

Edited by ddeerrff, 26 September 2005 - 09:31 AM.

Derfram
~~~~~~

#7 netrouter

netrouter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 26 September 2005 - 04:19 PM

File: NTCommLib3.exe
Status: INFECTED/MALWARE
MD5 e473f41460cb2f320e1ade9a067ce31c
Packers detected: UPX
Scanner results
AntiVir Found Backdoor-Server/Agent.BC.19
ArcaVir Found Trojan.Agent.Bc
Avast Found nothing
AVG Antivirus Found BackDoor.Agent.DR
BitDefender Found Backdoor.Agent.BC
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/Agent.BC-bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Agent.bc
NOD32 Found nothing
Norman Virus Control Found W32/Agent.GWR
UNA Found Backdoor.Agent
VBA32 Found Backdoor.Win32.Agent.bc

File: LxrJD31s.exe
Status: OK
MD5 4fcf1669b80a47724851274558e68bf9
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

#8 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 26 September 2005 - 06:54 PM

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [NTCommLib3] C:\WINNT\system32\NTCommLib3.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files (Don't be concerned if they can not be found):

C:\WINNT\system32\NTCommLib3.exe
C:\WINNT\system32\tcpservice2.exe
C:\WINNT\system32\wstart.dll


Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & pastes the following block of text into Notepad.
REGEDIT4
[-HKEY_CLASSES_ROOT\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}]
[-HKEY_CLASSES_ROOT\AppID\WStart.DLL]
[-HKEY_CLASSES_ROOT\WStart.WHttpHelper]
[-HKEY_CLASSES_ROOT\WStart.WHttpHelper.1]
[-HKEY_CLASSES_ROOT\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0]
[-HKEY_LOCAL_MACHINE\Software\WSoft]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9896231A-C487-43A5-8369-6EC9B0A96CC0}]
Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fixmess.reg. Close Notepad.

Then double-click on the fixmess.reg file, and when it prompts to merge or add, say yes.


Reboot and post a fresh HJT log. Did we kill the beast?
Derfram
~~~~~~

#9 netrouter

netrouter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 28 September 2005 - 08:07 PM

Everything looks good. Thank you.

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:57:52 PM, on 9/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Documents and Settings\Tech5\Desktop\HijackThis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0A10042D-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Inbox 10.5.2) - https://www.clientwebservices.biz/MACTECExt...t/en-us/atx.cab
O16 - DPF: {0A10052B-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Version Checker 10.5.2) - https://www.clientwebservices.biz/MACTECExt...-us/verctrl.cab
O16 - DPF: {0A100764-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject Grid 10.5.2) - https://www.clientwebservices.biz/MACTECExt.../en-us/Grid.cab
O16 - DPF: {0A100775-B8E6-11D1-BC4D-006008CCBF84} (ActiveProject PopupMenu 10.5.2) - https://www.clientwebservices.biz/MACTECExt...s/PopupMenu.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125351886203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125407796578
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} (SAXFile ActiveX Control) - https://www.clientwebservices.biz/MACTECExt...ileTransfer.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Perl\bin\pdkdebug.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

#10 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 28 September 2005 - 10:28 PM

Log looks clean...great job!

Keep HijackThis along with it's backup folder for a bit just in case there arises a need for the backup files it has created. Any other tools we downloaded or files we created can be uninstalled or deleted. If we have enabled viewing of Hidden and System files, go back and re-hide these files.

If this is a Windows XP system: After you have used your machine a while, and are confident that all is well, we can do a little final cleanup.

Purge Restore points:

XP System Restore periodically creates a partial system backup. It is quite likely that some of the now removed malware has been 'backed up' in those files.

Start->Control Panel->System, System Restore.
Check "Turn off System Restore".
Immediately reboot (all your restore points will be deleted by this).
Then Start->Control Panel->System, System Restore again.
UnCheck "Turn off System Restore" and create a new clean restore point..

Run Disk Cleanup

Click on the Start button and then on Run. Type in cleanmgr then click on OK. Be sure the (C:) drive is selected and click OK. It may take a bit for "Compress old files" to complete. Check all the boxes and click on OK, then OK again.


Now that you are clean, please follow these steps in order to keep your computer safe and secure:

How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet

Glad we were able to be of help.
Derfram
~~~~~~

#11 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:32 AM

Posted 07 October 2005 - 02:41 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users