Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removal Of "instant Access"


  • This topic is locked This topic is locked
12 replies to this topic

#1 Lorilaf2

Lorilaf2

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 09 November 2005 - 03:37 PM

Hi! New here and just following directions for removal of spyware/viruses. Ran Spybot and the adware tool, rebooted, and here is the log. I believe all is well now but thought you might check to be sure. I have purchased versions of Webroot Spysweeper and Trend Micro antivirus running at start up on the machine.

Is there anything here I can or should remove? Thanks for your time!

Logfile of HijackThis v1.99.1
Scan saved at 11:51:04 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.EXE
C:\Program Files\Trend Micro\Antivirus\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Antivirus\TSC.EXE
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winlocatorupdate] C:\WINDOWS\updatewinlocator.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.enigmasoftwaregroup.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://www.pwsacramento.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:14 PM

Posted 09 November 2005 - 04:16 PM

Hi and Welcome to bleeping computer!! Posted Image

My name is David Posted Image

Please do both of the following before we start if possible!:

1) Please print off these intructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - i can almost guaruntee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful") Posted Image
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David

#3 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 18 November 2005 - 07:44 PM

:thumbsup: Thanks David. Will do shortly. Been busy trying to debug my Father-in-law's computer. It is such a mess I'll be dowloading the Aware, Spybot and such to a disk because with a 56k and all the stuff to interfere I can't wait for a download on his machine! :flowers: Might just get him a new one and start from scratch :trumpet:

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:14 PM

Posted 19 November 2005 - 08:31 AM

:thumbsup:

David

#5 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 12 December 2005 - 02:19 PM

:thumbsup:
David, finally got back to this but when I turned on my pc this morning it had WINHOUND on it!! I uninstalled it in control panel, deleted the Winhound folder out of Program Files and ran all my anti spyware stuff. Seems to have doe the trick for that one.

Attached is the Hijack log from right after ewido and then the ewido log. ewido removed 119 objects!!
Good tool! Thanks.
Look forward to what more I can do.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:54 AM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winlocatorupdate] C:\WINDOWS\updatewinlocator.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.enigmasoftwaregroup.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://www.pwsacramento.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:55:02 AM, 12/12/2005
+ Report-Checksum: B5B31EC0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{89AEAB46-8E8A-4045-9003-5614BFBFE90B} -> Spyware.Xlocator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{89AEAB46-8E8A-4045-9003-5614BFBFE90B} -> Spyware.Xlocator : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\aalejpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\abbnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\bbhpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\bbldjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\bjbmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\bkcpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\cbkhjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ccodjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\cfflpnid.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ciapjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\cnpdjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\dbddjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\dckajpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ddiobjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\debmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\demmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\dhommkmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\djbdjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\djgcjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\dncnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\donojnid.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ebpmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\echnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ednojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ekljopmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\engpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\enlojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\eofnjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\eokkmpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fafpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fhnbopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fihgilmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\filpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fjnnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fmfnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fokmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\fpfnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\gbcnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\gekmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\giinjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\glefopmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\glnmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\hkbmopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ibkhepmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\icaiopmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\icppiomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ifdojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\igfemomd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ihbbjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\ikccjomd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\iplpcomd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jccnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jcnnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jdhoopmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jdiojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jhnmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jjoojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\jlfmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\kcanjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\kfjojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\kkepjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\lbdojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\lgacbknd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\lmmojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\lojojpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mcjfppmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mebhjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mffcjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mijnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mlfeilmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mlomjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\mpbnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\nandjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\neepjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\nehniomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\nimeiomd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\npgmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\obnfepmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\oclmjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\oemnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\okpljnmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\olpiopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\oopnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pfhpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pficjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pjiemkmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pkbnjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pkhpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Lori Fackenthall\Local Settings\Temp\pmcpjpmd.exe -> Dialer.Generic : Cleaned with backup
C:\fdj.exe -> Trojan.LowZones.df : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@2o7[2].txt.bak -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@ads.x10[1].txt.bak -> Spyware.Cookie.X10 : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@centrport[1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@counter15.sextracker[2].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@counter16.sextracker[1].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@counter2.hitslink[2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@cs.sexcounter[2].txt.dat/Documents and Settings/Lori Fackenthall/Cookies/lori fackenthall@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@edge.ru4[1].txt.bak -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@ehg-attenza.hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@ehg.hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@questionmarket[1].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@servedby.advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@sexlist[2].txt.bak -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@sextracker[2].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Enigma Software Group\SpyHunter\Backup\lori fackenthall@trafficmp[1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0000781.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0000813.dll -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0000818.exe -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0000837.exe -> Downloader.Small.vu : Cleaned with backup
C:\WINDOWS\SYSTEM32\links.exe -> Trojan.LowZones.df : Cleaned with backup


::Report End

Thanks,
Lori

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:14 PM

Posted 13 December 2005 - 12:30 PM

Hi

You say you have got rid of WinHound but i fear that there is more lurking inside :thumbsup:

Please follow the instructions here, minus ewido! :flowers:

http://www.bleepingcomputer.com/forums/ind...=0&#entry203654

David

#7 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 14 December 2005 - 06:39 PM

Okay. Ran all you said but did not click the autoclean box in the Panda scan because I never saw it. Consequently it left the following:

Adware:adware/startpage.amb at C:\Documents and Settings\Lori Fackenthall\Favorites\Insurance Adware:adware/secure32 at C:\WINDOWS\system32\drivers\etc\hosts Adware:adware/searchforit at Windows Registry Virus:W32/Smitfraud.D at C:\WINDOWS\$NtUninstallKB905915$\wininet.dll

I can find and delete three of them if that is what needs to be done, but where would the one in the registry be?

Also, should I keep all the various scans that I have downloaded? I have a d-link wireless router hard connected to this computer and wireless to my laptop. I'm also running SpySweeper by Webroot and Trend Micro Antivirus - both as active scans starting at boot. So... How did I get so contaminated?

I am not the only one to use this computer, but my Husband rarely uses it for more than email or to play hearts. Our internet connection is Comcast and we are now using Mozilla Firefox rather than IE whenever possible. Is there anything else I could be doing to prevent these problems? :thumbsup: I'm getting tired of debugging this thing and never getting a chance to just use it!! :flowers:

You didn't ask for a hijak log but I though you might want it. Thanks for all your time in this, I really appreciate it. :trumpet:
Lori

Logfile of HijackThis v1.99.1
Scan saved at 3:12:36 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winlocatorupdate] C:\WINDOWS\updatewinlocator.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.enigmasoftwaregroup.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://www.pwsacramento.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

#8 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 15 December 2005 - 10:56 PM

Hello,

David has gone for a vacation. I am sUBs & I shall be helping you with your log.

When you ran smitRem previously, it created a log, smitfiles.txt at the root of Drive C. Please post that log in your next reply.

In this round, we shall put in some passive protection & clean up the rest of your infections.

Please disable Webroot SpySweeper & Ewido's real-time scanner, as they hinder the removal of some entries. You can re-enable them when you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automaticly restore default without notification
To disable Ewido's real-time scanner:
  • Double click on the Ewido icon in system try
  • Click on the status button
  • Select Remove Guard
* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

SpywareBlaster 3.4
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download & install - CleanUp.exe (not recommended for WinXP64)

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [winlocatorupdate] C:\WINDOWS\updatewinlocator.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe



* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\updatewinlocator.exe
    C:\Documents and Settings\Lori Fackenthall\Favorites\Insurance
    C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
    vmlib.exe >> search for this file
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again, using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • smitfiles.txt
  • Online scan
  • Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

#9 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 17 December 2005 - 05:15 PM

Whew! I think I got all that done!
For the files to locate and delete, I did not find C:\WINDOWS\updatewinlocator.exe or vmlib.exe
I could not get the Trend antipyware tool to run the second time (would not download and could not find it already on my pc) but it found nothing the first time so I guess that is okay. Otherwise all went well. Unfortunately I did not rename the original smitrem file before re-running it so have only the latest.
I was amazed that after all that there is still something found by the online scan!
I hope this will be done soon and that it is a relatively permanent solution! I will be on vacation the 19th thru the 29th so if you don't get a chance to reply before then don't think I am ignoring you. I really appreciate all this help!

******Hijack log
Logfile of HijackThis v1.99.1
Scan saved at 1:07:31 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

********* smitfiles.txt - it looks very much the same as the original

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 12/17/2005
The current time is: 12:44:08.03

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1944 'explorer.exe'
Killing PID 1944 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

******************
The online scan
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 17, 2005 13:44:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/12/2005
Kaspersky Anti-Virus database records: 165693
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 61343
Number of viruses found: 2
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 2006 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2a0c82a4-2a3372ef.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-3c30d056.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-37d0245a-3681e915.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3a09faa7-23ca08c2.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-40baf3a5-7ae18a1a.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-3930eedc.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-4ee51477-266ae243.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP16\A0001771.dll Infected: Virus.Win32.Nsag.b

Scan process completed.
*******************


Soooo It seems to run great but I guess we are still not done.
Lori :flowers:

#10 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 17 December 2005 - 09:12 PM

Lori,

All looks well. We're almost done. We should be able to wrap this up before Xmas. :thumbsup:

It's no suprise if the Kaspersky scan found infected files. It's a very comprehensive scan. Let's get rid of the files it found.

Please copy this list to Notepad as you need your browser to be closed.

Locate & delete these files:

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-2a0c82a4-2a3372ef.class

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-3c30d056.class

C:\Documents and Settings\Lori Fackenthall\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-37d0245a-3681e915.class

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3a09faa7-23ca08c2.class

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-40baf3a5-7ae18a1a.class

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-486c9904-3930eedc.class

C:\Documents and Settings\Lori Fackenthall\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-4ee51477-266ae243.class


Let me know how that went. Also post a new HJT log

#11 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 19 December 2005 - 04:21 PM

The files deleted no problem. Here's the hijak log

Logfile of HijackThis v1.99.1
Scan saved at 1:19:37 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

:thumbsup:

#12 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 19 December 2005 - 04:35 PM

Lori,

I hope you're geared up for Christmas. It appears thatyou're heading for a CLEAN Christmas. LOL

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  • SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day. Posted Image

Please respond to this thread one more time so we can mark this thread as resolved.

#13 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 19 December 2005 - 04:59 PM

:thumbsup: :flowers: :trumpet:
Thanks so much!!
Have a great Christmas.
We're headed for Virginia tonight and is should snow there tomorrow - what fun! :inlove:
Special treat for we Californians.

Thanks again,
Lori




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users