HiJackThis Log: Please help Diagnose


  • This topic is locked
8 replies to this topic

#1 Magic

Magic

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 13 October 2004 - 04:33 PM

One of my users has fallen victim to this stupid trojan. I've run spybot and Symantec but continue to be notified by Symantec that it has found Trojan.Killfile or AdRmove in hostx.exe. Here is the log file with some entries edited for proprietary information.

Logfile of HijackThis v1.98.2
Scan saved at 2:08:34 PM, on 10/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\suss.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\program files\timbuktu pro\tb2pro.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\program files\timbuktu pro\tb2logon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\inf\mainwin.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\s118048\LOCALS~1\Temp\vrsc.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\s118048\LOCALS~1\Temp\vrsc.dat
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\s088848\LOCALS~1\Temp\niwniam.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\s118048\LOCALS~1\Temp\vrsc.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\s118048\LOCALS~1\Temp\vrsc.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\s118048\LOCALS~1\Temp\vrsc.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AeXSWDUsr] C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [csrv] C:\WINNT\inf\csrv.exe
O4 - HKLM\..\Run: [*csrv] C:\WINNT\inf\csrv.exe
O4 - HKLM\..\Run: [*mainvss] C:\WINNT\Fonts\mainvss.exe
O4 - HKLM\..\Run: [*cmdabr] C:\WINNT\system\cmdabr.exe
O4 - HKLM\..\Run: [*odbchard] C:\WINNT\Speech\odbchard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [*dllacc] C:\WINNT\Tasks\dllacc.exe
O4 - HKLM\..\Run: [*imgcab] C:\WINNT\Driver Cache\imgcab.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [*mainwin] C:\WINNT\inf\mainwin.exe
O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
O4 - HKLM\..\RunOnce: [*mainwin] C:\WINNT\inf\mainwin.exe rerun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP\PGPtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\NPVDP32P.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http:///
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll

Edited by Magic, 13 October 2004 - 06:02 PM.



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:03 AM

Posted 14 October 2004 - 01:02 AM

Hi

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you, as the infections could reoccur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. Then post a new log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 Magic

Magic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 14 October 2004 - 11:28 AM

cryo, will do. Sorry about that.

#4 Magic

Magic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 15 October 2004 - 03:20 PM

Cryo,

Here is the new log. I ran all of the updates I'm allowed to run on it:

Logfile of HijackThis v1.98.2
Scan saved at 11:12:33 AM, on 10/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummbird\inetd32.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\suss.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\program files\timbuktu pro\tb2logon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\addins\sacc.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = **.logicon.com;*.prb.net;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\\LOCALS~1\Temp\vrsc.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\\LOCALS~1\Temp\vrsc.dat
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\\LOCALS~1\Temp\ccas.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\\LOCALS~1\Temp\vrsc.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\\LOCALS~1\Temp\vrsc.dat
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AeXSWDUsr] C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [csrv] C:\WINNT\inf\csrv.exe
O4 - HKLM\..\Run: [*csrv] C:\WINNT\inf\csrv.exe
O4 - HKLM\..\Run: [*mainvss] C:\WINNT\Fonts\mainvss.exe
O4 - HKLM\..\Run: [*cmdabr] C:\WINNT\system\cmdabr.exe
O4 - HKLM\..\Run: [*odbchard] C:\WINNT\Speech\odbchard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [*dllacc] C:\WINNT\Tasks\dllacc.exe
O4 - HKLM\..\Run: [*imgcab] C:\WINNT\Driver Cache\imgcab.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [*mainwin] C:\WINNT\inf\mainwin.exe
O4 - HKLM\..\Run: [*sacc] C:\WINNT\addins\sacc.exe
O4 - HKLM\..\RunOnce: [*sacc] C:\WINNT\addins\sacc.exe rerun
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren time:1097863303
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP\PGPtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\NPVDP32P.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://infoweb.sp.trw.com/
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O20 - AppInit_DLLs: AeXPrcssAppInitNT.dll

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:03 AM

Posted 15 October 2004 - 04:13 PM

Oops, there is a problem.
User is missing: C:\DOCUME~1\USER MISSING\LOCALS~1\Temp\vrsc.dat

If you have chosen not to reveal this information :thumbsup: I can post the instructions and you can insert the missing username yourself. This shouldn't be a problem if you have the required computer skills and you understand the cleaning process.

Take a look here at how the fix for Virtumondo works:
http://www.bleepingcomputer.com/forums/t/3546/hjt-log-need-help-cleaning-computer/

There is also a Self Help Guide here: How to remove Virtumonde DEL-457 Host.exe malware

Is something else missing in your log ?

Edited by cryo, 15 October 2004 - 04:18 PM.


#6 Magic

Magic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 18 October 2004 - 01:53 AM

Cryo,

I didn't remove anything else other than company names and home pages. I did remove the user's name because I didn't want to reveal how the users are identified. Other than that all the lines are there, just some info on the lines removed. I didn't delete any lines. I will follow the instructions to remove the virus. Do I need to follow both directions or just the self help guide?

Edited by Magic, 18 October 2004 - 02:01 AM.


#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:03 AM

Posted 18 October 2004 - 03:47 AM

Do I need to follow both directions or just the self help guide?

Only my directions :thumbsup: . I don't encourage this procedure, but let's try.

You should copy these instructions in Notepad and replace <insert the right username here> with the right username.
Then copy and paste the full path + filename in Killbox "Full path of file to delete" field (follow the instructions below).

Example:
If the right username = cryo
C:\Documents and Settings\<insert the right username here>\Local Settings\Temp\whatever.dat

will look like this after replacement:

C:\Documents and Settings\cryo\Local Settings\Temp\whatever.dat

This is the fix:

You must be logged on to the computer with an account that has administrative credentials.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Download KillBox here:
KillBox. Unzip it to your desktop.

Disconnect from the Internet.

Note: please read this carefully, as the steps do repeat a few times, but the last step does change a bit.

Start Killbox.exe

Select the Delete on reboot option.

1. In the field labeled "Full path of file to delete" enter C:\Documents and Settings\<insert the right username here>\Local Settings\Temp\vrsc.dat
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

If the above file (vrsc.dat) is also present in another user account, insert the right username and repeat the above step.

2. In the field labeled "Full path of file to delete" enter C:\Documents and Settings\<insert the right username here>\Local Settings\Temp\ccas.dat
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

3. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\sysupd.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

4. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\inf\csrv.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

5. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\Fonts\mainvss.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

6. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\system\cmdabr.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

7. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\Speech\odbchard.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

8. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\Tasks\dllacc.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

9. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\Driver Cache\imgcab.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

10. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\inf\mainwin.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

11. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\addins\sacc.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

12. Next, in the field labeled "Full path of file to delete" enter C:\WINNT\system32\bkinst.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

13. Next, in the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\hostx.exe
Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

With all windows and browsers closed, clean out temporary files and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files
Press the Clear Selected Items button.
Close the program.

Connect to the Internet.

Reboot and post a new log.
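
A triage helper for the two jobs cryo does by hand in posts #5 and #7: spotting the out-of-place O2/O4 entries in the HijackThis log and rebuilding the redacted short profile path into the long path Killbox wants. It is an added example, not part of the thread or of HijackThis or Killbox; it assumes Windows 2000 profiles under C:\Documents and Settings, uses the username s118048 from the first log as sample input, and its heuristics are drawn only from the entries posted above.

```python
import re

# Constructed subset of the second log posted in this thread; the empty
# segment in C:\DOCUME~1\\LOCALS~1 is where the poster redacted the username.
SAMPLE_LOG = r"""O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\\LOCALS~1\Temp\vrsc.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\\LOCALS~1\Temp\ccas.dat
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [*mainvss] C:\WINNT\Fonts\mainvss.exe
O4 - HKLM\..\Run: [*imgcab] C:\WINNT\Driver Cache\imgcab.exe
O4 - HKLM\..\RunOnce: [*sacc] C:\WINNT\addins\sacc.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren time:1097863303
"""

# Windows 2000 subdirectories that hold data, not autostart programs.
ODD_WINDIRS = {"fonts", "speech", "tasks", "driver cache", "inf", "addins", "system"}
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
SHORT_PROFILE_RE = re.compile(r"^C:\\DOCUME~1\\([^\\]*)\\LOCALS~1\\Temp\\(.+)$", re.IGNORECASE)

def expand_short_path(path, username):
    """8.3 profile path from the log -> long path for Killbox; fills in a redacted username."""
    m = SHORT_PROFILE_RE.match(path)
    if not m:
        return path
    user = m.group(1) or username
    return r"C:\Documents and Settings\%s\Local Settings\Temp\%s" % (user, m.group(2))

def first_token(cmdline):
    """Executable path of an O4 command line (quoted, or up to the '.exe' before any argument)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline

def suspicious_entries(log):
    """Yield (reason, path) for O2/O4 lines matching the patterns seen in this thread."""
    win = "c:\\winnt\\"
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            target = m.group(1)
            # A BHO is a DLL registered with COM; a .dat file under Temp is neither.
            if target.lower().endswith(".dat") or "\\temp\\" in target.lower():
                yield ("BHO backed by a .dat file in a Temp directory", target)
            continue
        m = O4_RE.match(line)
        if m:
            name, target = m.group(3), first_token(m.group(4))
            parent = target.rsplit("\\", 1)[0].lower()
            if parent.startswith(win) and parent[len(win):] in ODD_WINDIRS:
                yield ("Run entry launches from a data-only Windows subdirectory", target)
            elif name.startswith("*"):
                yield ("Run entry name starts with '*'", target)

def killbox_paths(log, username):
    """Deduplicated long-form paths for the flagged entries, in log order."""
    seen, out = set(), []
    for _reason, path in suspicious_entries(log):
        full = expand_short_path(path, username)
        if full.lower() not in seen:
            seen.add(full.lower())
            out.append(full)
    return out

if __name__ == "__main__":
    for reason, path in suspicious_entries(SAMPLE_LOG):
        print("%-62s %s" % (reason, path))
```

Note that C:\WINNT\sysupd.exe, which cryo also lists for deletion, is caught by neither rule, which is why the output is a triage list for an analyst to confirm against the log rather than a verdict.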

#8 Magic

Magic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 26 October 2004 - 04:05 PM

cryo,

Sorry it took so long to get back to you. After all the trouble of doing the logs, the user's PC was replaced with a new one due to age, so it's a non-issue for now. Thanks for your help.

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:03 AM

Posted 21 November 2004 - 04:08 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



