
adm's HJT log


  • This topic is locked
10 replies to this topic

#1 adm

adm

  • Members
  • 6 posts

Posted 09 October 2005 - 12:13 PM

I too am a new member with a similar problem.


This is my first time posting and I'm at my wit's end trying to remove a Vundo virus from my computer. A Norton AntiVirus box appears on my desktop that I cannot remove, saying it has detected a virus on your computer. The object name is C:\WINNT\system32\mljgd.dll. There's also a virus with the name vtsqp.dll.

I've spent several days with the technicians at Symantec (at a cost of $70) in which we tried a number of methods to get rid of the virus (actually two viruses now) to no avail. Whenever we try to kill the virus, the most common message is that the program or a program is still running. The Symantec Vundo fix tool says it can't locate the virus. The Norton AntiVirus tool locates the two viruses but can't quarantine or remove the viruses.

I used the method that was recommended on this board which required the downloading of Processexplorernt (Do I need an XP version of this software?), killbox and fixvundo. I followed the instructions the best I could and everything seemed to go as it should, but when I rebooted the computer, the box appeared again and when I ran a HijackThis scan the two viruses remained.

One more thing, whenever I try to delete the viruses, backup copies of the virus appear on my desktop. However, these copies don't contain the virus. I don't know if this means anything.

The Symantec technicians are now telling me I need my XP Windows CD. I don't remember ever receiving an XP CD with the computer. If I did get a disk with my computer I have it somewhere. I don't know why, but this sounds like a drastic measure to me. Is there anything else I can do before I go to this measure? Below is my HijackThis file. Right now I'm concentrating on removing the two O2 threads that show where the virus is. I'm considering deleting all the O2 code. Will this have any ramifications? Any help I can get will be appreciated. Thank you in advance.


Here is the result of my HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 5:00:57 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\mljgd.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\vtsqp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab


#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 10 October 2005 - 03:24 PM

Hi adm,

Let's see if we can get things a bit more cleaned up for you.
Your Vundo infection is still there. Do not delete anything at this time. We need to be able to see those file names.

Your HijackThis is very outdated and does not show all the entries that I need to see. Please unzip it to a folder other than your Desktop.

Please download version 1.99.1:
Download HijackThis from one of these locations:
http://www.majorgeeks.com/download3155.html
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://www.downloads.subratam.org/hijackthis.zip
If you get the zipped version, extract the file. (Choose "save", not "run", for the hijackthis.exe file.) Do not just double-click on it! That opens HijackThis in a temporary folder, which would interfere with the possibility of making back-ups.
Unzip to a folder other than your Desktop or a Temp folder.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
Double-click on the .exe to scan.
Select "Scan and Save Log".
After the scan save the log somewhere.
Do Ctrl-A to select all, and then copy and paste its contents into this thread. After that we will have more information on what bad files need to be removed. Thanks.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 adm

adm
  • Topic Starter

  • Members
  • 6 posts

Posted 10 October 2005 - 08:02 PM

Hi Bugbatter,

Here is the updated HijackThis log. I hope this helps. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:55:21 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Common Files\Symantec Shared\NMain.exe
c:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\msiexec.exe
C:\Documents and Settings\Administrator\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\mljgd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\vtsqp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljgd - C:\WINNT\SYSTEM32\mljgd.dll
O20 - Winlogon Notify: vtsqp - C:\WINNT\system32\vtsqp.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 11 October 2005 - 11:43 AM

Thanks for updating HJT. This fix should take care of your problem, but we are duplicating it because you have a double Vundo infection.
Here we go......Take your time and allow time for the tools to run....

Please print these instructions out for use in Safe Mode. Follow them in the sequence specified here. We will be running VundoFix twice.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.

  • Next you will see:

    Type in the file path as instructed by the forum staff.
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINNT\system32\mljgd.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Please type in the second file path as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINNT\system32\dgjlm.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.


  • The fix will run then HijackThis will open.

  • In HiJackThis, please place a check next to the following items:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\mljgd.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - Winlogon Notify: mljgd - C:\WINNT\SYSTEM32\mljgd.dll

    Click FIX CHECKED

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.

  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins

  • Delete Cookies

  • Delete Prefetch files

  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode again open the VundoFix folder and doubleclick on KillVundo.bat

  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.

  • Next you will see:

    Type in the file path as instructed by the forum staff.
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.


  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\system32\vtsqp.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:

    Please type in the second file path as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\system32\pqstv.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items:
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\vtsqp.dll
    O20 - Winlogon Notify: vtsqp - C:\WINNT\system32\vtsqp.dll
  • Click FIX CHECKED
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Please run CleanUp! again.
It may ask you to reboot at the end, click NO.

Then, please run Panda's online virus scan at:
http://www.pandasoftware.com/products/activescan.htm
Save the results from the scan.

Copy the results of the last ActiveScan and paste them here along with a new HijackThis log and both vundofix.txt files from the vundofix folder into this topic.
Thanks! :thumbsup:

Edited by Bugbatter, 11 October 2005 - 11:59 AM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-
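The pattern Bugbatter is working from above is visible in both logs: a BHO (O2) DLL with a random five-letter name in system32 that is also registered as a Winlogon Notify (O20) entry, plus a companion file whose name is the reverse of the first (mljgd/dgjlm, vtsqp/pqstv). The following is an added example, not a tool from this thread or from the HijackThis or VundoFix authors; it parses log lines in the shape posted here and flags that O2/O20 correlation, deriving the reversed-name companion path the way the instructions do. The function names and the sample log are my own; the paths in the sample are the ones the thread discusses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of the HijackThis logs posted in this thread
# (the entries are copied from the thread; igfxcui is a legitimate Intel entry
# included to show that "in system32" alone is not enough to flag something).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\\WINNT\\system32\\mljgd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\\WINNT\\system32\\vtsqp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O20 - Winlogon Notify: igfxcui - C:\\WINNT\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: mljgd - C:\\WINNT\\SYSTEM32\\mljgd.dll
O20 - Winlogon Notify: vtsqp - C:\\WINNT\\system32\\vtsqp.dll
"""

# Line shapes as HijackThis 1.99.1 prints them (see the logs in this thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str


@dataclass
class WinlogonNotify:
    key: str
    path: str


def parse_hjt(log_text: str) -> Tuple[List[Bho], List[WinlogonNotify]]:
    """Pull the O2 (BHO) and O20 (Winlogon Notify) entries out of a log."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(Bho(m["name"], m["clsid"], m["path"]))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(WinlogonNotify(m["key"], m["path"]))
    return bhos, notifies


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (the logs mix SYSTEM32/system32)."""
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    """True when the DLL lives in the Windows system32 directory."""
    return "\\system32\\" in path.lower()


def companion_path(path: str) -> str:
    """Path of the reversed-name companion file (mljgd.dll -> dgjlm.dll),
    the naming rule the VundoFix instructions in this thread rely on."""
    head, sep, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return head + sep + name[::-1]
    return head + sep + stem[::-1] + dot + ext


def find_vundo_pairs(log_text: str) -> List[Dict[str, str]]:
    """Flag BHO DLLs in system32 that are also registered as Winlogon Notify
    handlers; a legitimate O20 entry with no matching O2 entry is not flagged."""
    bhos, notifies = parse_hjt(log_text)
    notify_by_dll = {basename(n.path): n for n in notifies}
    findings = []
    for b in bhos:
        dll = basename(b.path)
        if not in_system_dir(b.path):
            continue
        n = notify_by_dll.get(dll)
        if n is None:
            continue
        findings.append({
            "dll": dll,
            "bho_name": b.name,
            "clsid": b.clsid,
            "bho_path": b.path,
            "notify_key": n.key,
            "companion": companion_path(b.path),
        })
    return findings


def dead_bhos(log_text: str) -> List[str]:
    """CLSIDs of BHO registrations whose DLL no longer exists ("(no file)")."""
    bhos, _ = parse_hjt(log_text)
    return [b.clsid for b in bhos if b.path == "(no file)"]


if __name__ == "__main__":
    for f in find_vundo_pairs(SAMPLE_LOG):
        print(f"{f['dll']}: O2 {f['clsid']} + O20 {f['notify_key']} -> check {f['companion']}")
    print("dead BHO registrations:", dead_bhos(SAMPLE_LOG))
```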


#5 adm

adm
  • Topic Starter

  • Members
  • 6 posts

Posted 11 October 2005 - 09:50 PM

Hello Bugbatter,

Things did not go entirely as planned but it appears to have turned out well. Upon rebooting, there's no sign of the Norton Antivirus window.

When getting to the end of the VundoFix process a Norton window appeared stating:

"Malicious Script Detected High Risk
"Your computer is halted and needs to do something about this script"

Object Windows Script host shell object
Activity Run
File C:\Documents and Set...\startthistivbs

The first time this appeared I closed the screen and the program did not automatically open the hijackthis folder. So I rebooted and went through the VundoFix process again. This time it said it could not find the mljgd.dll code.

It didn't automatically go to hijackthis so I opened the hijackthis folder manually.

The second time the Norton window appeared (when trying to remove the second Vundo virus) I noticed a little scroll down menu where I chose to allow this action just once. Anyway, this time the hijack window appeared as you said it would.

When running the HijackThis scan, each time the O2 item (O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\mljgd.dll and O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\vtsqp.dll) was missing. The O20 Winlogon in each case listed the Vundo virus name but said it was missing. I clicked the remaining items each time.

Everything else went as you said it would and now the virus is gone.

Thank you, thank you, thank you

Below are the results you requested. The ActiveScan lists a couple of items that give me pause.


Incident Status Location

Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\ok.class-756da23d-5356c358.class
Dialer:Dialer.BOO No disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-1ac02c55-4a791160.class
Dialer:Dialer.BOO No disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-305f4c99-38aeef31.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-287c52a1-63db116d.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-34e2b6fd-395deaa1.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-13842965-15889198.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-149704b7-2da7099d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-235c1389-468aad02.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2917008a-7be249e8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-35c903d4-52333484.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3abeb9f9-239817db.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43247d2e-3b2dea4c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4b3e6ecf-56c97eb8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5299c94c-20faa7b8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-53ee459b-2b74497d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-550ba951-60a819df.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5870ec18-4b106806.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5943938a-15e078f6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5d062e13-5ae24715.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-635f7fd4-5f3d4e10.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd9b55f-31bc8c29.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7b4b4a94-4dc045cf.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7e4223df-7c92299f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7f936ea1-66faf15f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-865f904-56fa8f2c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-1ba9f180.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv237.jar-2d8175f5-1ba9f180.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-35b5240a-51f656e1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-35b5240a-51f656e1.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-1545bd85.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-559f6531.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-559f6531.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1c609254-3ad5e2ad.zip[Dummy.class]


Logfile of HijackThis v1.99.1
Scan saved at 10:42:10 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 164 'smss.exe'
Threads [168][172][176]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 236 'winlogon.exe'
Killing PID 236 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

#6 Bugbatter


Posted 12 October 2005 - 01:30 PM

You're welcome. You did a super job! :thumbsup: I'm glad you stayed "cool" and kept going when NAV got in the way.
There is still a bit of "dust" that we can take care of.

Please print these instructions so you can refer to them easily.

Let's empty your Java cache. Go to: Start > Control Panel > Java Plug-in (or Java Console) > click on *CACHE > CLEAR > (*Rather than "CACHE", this might show as "Temporary Internet Files> Delete")
(It would be good to update to the latest version of Java, but I will include that in my Prevention Tips later.)

Regarding SpyHunter, here is some info:
http://castlecops.com/startuplist-5284.html
Be sure to follow the link to more reading. If you are using Ad-aware and Spybot, you will not need SpyHunter.
Should you choose to remove it, do so using Add/Remove Programs. (More info here: http://www.enigmasoftwaregroup.com/support...le.shtml?id=40)
Reboot.

As far as Viewpoint, that is up to you depending on your needs. Viewpoint is associated with a program called viewmgr.exe and the ViewPoint Media Player.
Viewpoint is bundled with AOL, AOL Instant Messenger, Netscape 7, etc., and is sometimes not mentioned in the license agreement.
Viewpoint is also bundled with Adobe Atmosphere, and hardware manufacturers pre-install some of these applications.
ViewPoint Toolbar may redirect your search queries and also transmits non-personally identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. It is not technically considered malware, but is borderline adware and is often installed without a user's knowledge.
Viewpoint media player is installed with AIM, AOL and a number of other products. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
** Note: Removing Viewpoint Media Player may cause the program that bundled it to not function as intended.
If you want to remove Viewpoint:
End process on ViewManager in Task Manager. (Ctrl+Alt+Delete)
Remove it in Add/Remove Programs via the Control Panel, and reboot.

Launch HijackThis.
If you have removed Viewpoint, tick this entry in HJT if it still exists:
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

If you removed SpyHunter, tick this one as well if it still exists:
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.e

Close all windows except HJT and click "Fix Checked".

Then delete the Viewpoint folder in Program Files.

If you removed SpyHunter:
If SpyHunter is the only folder in C:\Program Files\Enigma Software Group, delete the entire Enigma folder. On the other hand, if there is another program in Enigma, delete only the SpyHunter folder.
C:\Program Files\Enigma Software Group\SpyHunter <--folder

Reboot.

It would be good to run a few follow-up scans just to confirm that things have been cleaned up.
All three of these are excellent programs to keep and use regularly. You will need to keep them updated, though.
Ad-aware *
Please download Ad-aware version SE Personal 1.06 from one of these locations:
http://castlecops.com/downloads-file-451.html
http://www.download.com/3000-2144-10045910.html
http://www.majorgeeks.com/download506.html
Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries", as negligible-risk entries (MRUs) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Shutdown/restart

Spybot S&D*
Download Spybot S&D 1.4 here:
http://safer-networking.org/en/news/2005-05-31.html
or
http://www.majorgeeks.com/download2471.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in RED by pressing "Fix selected problems".
Close Spybot S&D, reboot your system.

Please download ewido security suite trial version.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.
*Click on ewido>scanner
Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
*Click on Complete System Scan and the scan will begin.

This scan can take quite a while to run, so please be patient.
While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Clean. Then put a check next to 'Perform action on all infections'. Doing this enables the scan to proceed automatically until its completion. Click OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
Now close ewido security suite.
Please copy and paste the results from that scan back to this topic for review.


*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button

That should have you in pretty good shape. :flowers:

If everything seems to be running well at your next post, I'll give you instructions for flushing System Restore, so you have a clean Restore Point to go to if you ever need it.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-
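As an added example (not code from the thread, from HijackThis or from Bugbatter), a small Python parser for the O4, O9 and O23 line formats in the log above. It flags the leftover Run-key entries that should be ticked in HJT after a program such as Viewpoint or SpyHunter has been uninstalled, and the IE buttons HijackThis marks "(file missing)". The sample lines are excerpted from the log posted in this thread; the list of uninstalled program names is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Lines excerpted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
"""


@dataclass
class HjtEntry:
    section: str                      # "O4", "O9" or "O23"
    name: str                         # Run value name, button caption or service name
    path: str                         # command line / target reported by HijackThis
    extra: Dict[str, str] = field(default_factory=dict)  # hive/key, CLSID, company


# O4 - HKLM\..\Run: [ValueName] command line
_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# O9 - Extra button|'Tools' menuitem: Caption - {CLSID} - target
_O9 = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# O23 - Service: Display name (short name) - Company - path
_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# First token ending in an executable extension, followed by whitespace or end of line.
# Handles unquoted paths that contain spaces, e.g. "C:\Program Files\...\tgcmd.exe /server".
_EXE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", re.IGNORECASE)


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse the O4/O9/O23 lines of a HijackThis log; other lines are ignored."""
    entries: List[HjtEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(HjtEntry("O4", name, cmd, {"hive": hive, "key": key}))
        elif m := _O9.match(line):
            caption, clsid, target = m.groups()
            entries.append(HjtEntry("O9", caption, target, {"clsid": clsid}))
        elif m := _O23.match(line):
            svc, company, path = m.groups()
            entries.append(HjtEntry("O23", svc, path, {"company": company}))
    return entries


def executable_of(command: str) -> str:
    """Return just the executable path from an O4 command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path: take up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE.match(command)
    return m.group(1) if m else command


def review(entries: List[HjtEntry], uninstalled: List[str]) -> List[str]:
    """One finding per entry worth attention: stale autoruns and orphaned IE buttons.

    `uninstalled` is the caller's list of program names (assumed, e.g. from the
    Add/Remove Programs step) whose Run entries should no longer exist.
    """
    findings: List[str] = []
    wanted = [u.lower() for u in uninstalled]
    for e in entries:
        if e.section == "O4":
            exe = executable_of(e.path)
            hit = next((u for u in wanted if u in exe.lower()), None)
            if hit:
                findings.append(f"O4 [{e.name}]: Run entry still points at uninstalled "
                                f"program '{hit}' ({exe}); tick it in HJT and Fix Checked")
        elif e.section == "O9" and "(file missing)" in e.path:
            findings.append(f"O9 '{e.name}': orphaned IE button, target file missing")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG), ["Viewpoint", "SpyHunter"]):
        print(finding)
```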


#7 adm


Posted 12 October 2005 - 09:03 PM

Thanks for the additional instructions, Bugbatter. I have to wait until tomorrow to do the additional dusting. I do have SpyHunter installed and I run it constantly when I'm online. Should I update it?

#8 Bugbatter


Posted 13 October 2005 - 06:53 AM

I recommend removing SpyHunter and keeping Ad-aware and Spybot. Please read the information that I provided a link to. In addition, I will provide info on installing SpywareGuard and SpywareBlaster later. With all that protection, you will not need SpyHunter.

Edited by Bugbatter, 13 October 2005 - 06:57 AM.



#9 adm


Posted 16 October 2005 - 09:36 PM

Hi Bugbatter,

I finally had a chance to add and remove the software.

I did everything you suggested. I removed SpyHunter and Viewpoint Manager; neither item appeared on the HJT transcript. I deleted SpyHunter from the Enigma folder. However, there is still a SpyHunter folder in my Program Files. There is an uninstall function in the folder; should I use it?

As you suggested I downloaded Ad-Aware and ran a scan. It found four items which are currently quarantined. Should I delete the items?

I downloaded and ran Spybot S&D. No threats were found.

I downloaded and ran ewido security suite. The first scan I accidentally stopped early, where it found six items. When I ran it again, the original six items were not there, but it found 139 items and cleaned them all. The previous six items appear in the quarantine folder along with the other 139 items. Should I delete the folder?

Thank you again for following through with this extra help. Below are the results of the second ewido security suite scan. I recognize most of these cookies and they are from sites I subscribe to. I ran a third scan and it came out clean, no infections of any kind.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:03 PM, 10/16/2005
+ Report-Checksum: 3ABE18F4

+ Scan result:

C:\found.000\file0000.chk -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@247realmedia[1].txt.bak -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@247realmedia[2].txt.bak -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ads.addynamix[1].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ads.addynamix[2].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@adtech[2].txt.bak -> Spyware.Cookie.Adtech : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@bfast[1].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@bfast[2].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@blp.valueclick[1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@blp.valueclick[2].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@bluestreak[1].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@bluestreak[2].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@casalemedia[1].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@casalemedia[2].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@centrport[1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@centrport[2].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@clickagents[1].txt.bak -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@clickagents[2].txt.bak -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@commission-junction[1].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@counter.hitslink[1].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@counter.hitslink[2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@counter2.hitslink[2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@data.coremetrics[1].txt.bak -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@doubleclick[2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-amlawmedia.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-bahamasministry.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-bizjournals.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-bizjournals.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-brandsaver.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-cbs.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-cbs.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-comcast.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-comcast.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-comscore.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-comscore.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-crain.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-crain.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-cygnusbm.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-dig.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-dig.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-findlaw.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-foxsports.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-frenchculinary.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-guardian.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-guardian.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-idg.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-interval.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-j2.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-knightridder.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-luggageonline.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-newsinternational.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-patheo.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-playboy.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-proflowers.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-randomhouse.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-randomhouse.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-rivals.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-rivals.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-salonmedia.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-salonmedia.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-sothebys.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-techtarget.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-triseptsoultions.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-uniontrib.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-viacom.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-viacom.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg-winnercomm.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@ehg.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@euniverseads[1].txt.bak -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@fastclick[1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@fastclick[2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@gator[1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@hg1.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@hg1.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@linksynergy[1].txt.bak -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@linksynergy[2].txt.bak -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@mediaplex[2].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@phg.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@phg.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@pro-market[1].txt.bak -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@pro-market[2].txt.bak -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@qksrv[1].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@qksrv[2].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@questionmarket[1].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@questionmarket[2].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@revenue[1].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@revenue[2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@servedby.advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@servedby.advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@sexlist[1].txt.bak -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@sexlist[2].txt.bak -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@sextracker[1].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@sextracker[2].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@spylog[1].txt.bak -> Spyware.Cookie.Spylog : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@spylog[2].txt.bak -> Spyware.Cookie.Spylog : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@statse.webtrendslive[1].txt.bak -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@statse.webtrendslive[2].txt.bak -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@targetnet[1].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@targetnet[2].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@test.coremetrics[1].txt.bak -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@trafficmp[1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@trafficmp[2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@twci.coremetrics[1].txt.bak -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@valueclick[1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@valueclick[2].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@weborama[2].txt.bak -> Spyware.Cookie.Weborama : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@x10[2].txt.bak -> Spyware.Cookie.X10 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@xxxcounter[1].txt.bak -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@z1.adserver[1].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\S-1-5-21-3774274427-638741990-3244092944-500\Dc5\Backup\administrator@z1.adserver[2].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End
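The ewido report above is a long list of cookie detections, and the useful question when reading one is whether anything in it is more than a tracking cookie. The following PowerShell is an added example for triaging such a report; it is not ewido's output or anything posted in this thread. It assumes the line format shown above (`<path> -> <Detection> : <Action>`) and uses a few constructed sample lines with placeholder paths and a placeholder detection name.

```powershell
# Added example, not from the thread: triage an ewido report by detection family.
# Report lines follow the format "<path> -> <Detection> : <Action>" seen above.
# The sample lines are constructed; the SID, the .dll path and the
# "Trojan.Placeholder" name are placeholders, not real detections.
$SampleReport = @'
C:\RECYCLER\S-1-5-21-EXAMPLE-500\Dc5\Backup\administrator@valueclick[1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-EXAMPLE-500\Dc5\Backup\administrator@trafficmp[2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINNT\system32\PLACEHOLDER.dll -> Trojan.Placeholder : Not cleaned
'@

function ConvertFrom-EwidoReport {
    # Parse each report line into an object; lines that do not match are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<Path>.+?) -> (?<Detection>\S+) : (?<Action>.+)$') {
            # Family is the first two dotted components, e.g. "Spyware.Cookie".
            $family = ($Matches.Detection -split '\.')[0..1] -join '.'
            [pscustomobject]@{
                Path      = $Matches.Path
                Detection = $Matches.Detection
                Family    = $family
                Action    = $Matches.Action.Trim()
                IsCookie  = $Matches.Detection -like 'Spyware.Cookie.*'
            }
        }
    }
}

function Get-EwidoTriage {
    # Summarise the report: how many items, how many are just cookies,
    # and which items deserve a closer look (non-cookies or anything not cleaned).
    param([Parameter(Mandatory)][string[]]$Lines)
    $items = @(ConvertFrom-EwidoReport -Lines $Lines)
    [pscustomobject]@{
        Total       = $items.Count
        Cookies     = @($items | Where-Object IsCookie).Count
        NeedsReview = @($items | Where-Object { -not $_.IsCookie -or $_.Action -notlike 'Cleaned*' })
    }
}

# Usage: run against the constructed sample (or pipe a real report through Get-Content).
$triage = Get-EwidoTriage -Lines ($SampleReport -split "`r?`n")
"{0} detections, {1} of them tracking cookies" -f $triage.Total, $triage.Cookies
$triage.NeedsReview | Format-Table Detection, Action, Path -AutoSize
```

On the sample the summary reports three detections with two cookies, and the review table lists only the placeholder .dll entry, which is the kind of line worth pasting into a help request; the cookie entries are the ones a helper will usually wave through, as happens in the next reply.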

#10 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 17 October 2005 - 06:07 PM

Welcome back. :thumbsup: We're almost done....
If you removed SpyHunter using Add/Remove Programs, then go ahead and delete the entire SpyHunter folder that is in your Program Files.
The uninstall file will not be needed.

I usually wait about 2-3 weeks before emptying the Ad-aware quarantine, just to make sure everything is running well.

Yes, those ewido items are just cookies.
When you launch Ewido, click on Quarantine to see the list of files it contains. Right click on each one that you want to remove and then click "Remove Finally" in the lower right corner.
A notification box will pop up asking "Do you really want to delete the selected files?"
Choose Yes and Ewido will delete the files.
At the very bottom it will say "File(s) removed from quarantine."

After something like this it is a good idea to purge the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

You may have already taken some of these steps:

** Make sure your Sun Java has been updated to Version 5.0 Update 5.
http://www.java.com/en/download/manual.jsp


1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "prompt", and "Initialize and Script ActiveX controls not marked as safe" to "disable".

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.

4. Keep your antivirus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/home.jsp is free.
Also Sygate has an optional free version: http://smb.sygate.com/download_buy.htm

5. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

6. I would check for updates in SpyBot once a week or so.
Check for updates in Ad-aware frequently.

If you have recently installed ewido, it is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button.

7. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

8. I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

9. You might want to take a look at this article, too.
http://computercops.biz/postlite7736-.html

Happy and Safe Surfing! :flowers:

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-
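The ActiveX settings in step 2 and the System Restore flush above are both given as click-through instructions. As an added example (not Bugbatter's code, and not part of the original post), the following PowerShell audits the Internet-zone ActiveX values the post recommends and, for later Windows versions, scripts the restore-point reset. Assumptions: the Internet zone is key `Zones\3` under the current user's Internet Settings; value names 1001 (download signed ActiveX), 1004 (download unsigned ActiveX) and 1201 (initialize and script ActiveX not marked safe) with 0 = Enable, 1 = Prompt, 3 = Disable are Internet Explorer's documented URL action values; and `Disable-ComputerRestore`, `Enable-ComputerRestore` and `Checkpoint-Computer` are Windows PowerShell cmdlets that exist on Vista and later, not on the XP machine in this thread.

```powershell
# Added example, not from the thread: audit (and optionally fix) the Internet-zone
# ActiveX settings recommended in step 2, and reset restore points on later Windows.
# Assumption: HKCU ...\Zones\3 is the Internet zone; 1001/1004/1201 are IE's
# URL action values with 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';               Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';             Want = 1 }  # Prompt
    '1201' = @{ Name = 'Initialize and script ActiveX not marked safe';  Want = 3 }  # Disable
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActionName {
    # Translate a raw value into its label; unknown or unset values are reported as such.
    param($Value)
    if ($null -eq $Value) { return 'not set (zone default applies)' }
    $label = $Meaning[[int]$Value]
    if ($label) { $label } else { "unknown ($Value)" }
}

function Test-ActiveXZoneSettings {
    # Report each setting against the recommended value; -Fix writes the recommended value.
    param([switch]$Fix)
    foreach ($id in ($Wanted.Keys | Sort-Object)) {
        $current = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $ok = ($null -ne $current) -and ([int]$current -eq $Wanted[$id].Want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $Wanted[$id].Want -Type DWord
        }
        [pscustomobject]@{
            Setting   = $Wanted[$id].Name
            Current   = Get-ActionName $current
            Wanted    = $Meaning[$Wanted[$id].Want]
            Compliant = $ok
        }
    }
}

function Reset-RestorePoints {
    # Scripted equivalent of the msconfig steps above for Vista and later.
    # Assumption: run from an elevated Windows PowerShell; turning System Restore off
    # for a drive discards that drive's existing restore points.
    param([string]$Drive = 'C:\')
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'Clean baseline after malware removal'
}

# Usage:
Test-ActiveXZoneSettings | Format-Table -AutoSize   # report only
# Test-ActiveXZoneSettings -Fix                      # apply the recommended values
# Reset-RestorePoints                                # elevated Windows PowerShell only
```

The audit is read-only unless `-Fix` is passed, so it can be run first to see how far a machine has drifted from the recommended settings. The restore-point reset deliberately creates a fresh checkpoint right away, matching the post's advice to turn System Restore back on so a clean baseline exists.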


#11 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 25 October 2005 - 08:50 PM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-