Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie Hijacked, Psguard, And More


  • This topic is locked This topic is locked
70 replies to this topic

#1 Sherman8r44

Sherman8r44

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 30 November 2005 - 11:35 AM

Hi. I am running Windows ME and I have a jumble of problems. My HJT file is at the bottom of this post.

I have had three major infections of spyware in recent times. The first two I recovered from okay, nothing terrible remained after I anti-spywared the hard drive. However, this third has been crippling--I think Internet Explorer has been seriously messed with for the following reasons:
1. When I open it up, to the home page www.yahoo.com, it gives me a "this page cannot be displayed" error message.
2. When I click File, Edit, View, etc. and go to the drop down list it gives a description of the action. This may just be my paranoia, or maybe my settings were messed with. The scariest part is that there are two suspicious entries that stood out to me under Settings: there is an element of the drop-down list called "Sun Java Console", which ironically gives no decription on the bottom, and there is "Scan and protect your PC". I am afraid to click ANYTHING, even change my web settings, because of all this.
3. There are, of course, added favorites. Correction--there WERE added favorites; I deleted them.
4. When I log into my yahoo account from other computers, everything goes okay, but I cannot check my Fantasy Football and Basketball teams--I don't think I was thrown out of both, so this is extremely strange. Also, my weather changed from New York to Minnesota. :thumbsup:

I tried to follow the Preparation Guide as best as I could, but I obviously couldn't run any of the online virus scans or get a firewall or Windows updates. Luckily, I already had "Dr. Web CureIT antivirus" and Kaspersky eScan Antivirus ver. 4.4.7. THey each found ~6-12 problems in the first 10 minutes, but after another 2 hours they both were only 10% through (I ran them at seperate times, of course). So I never finished with them. I did eveything else and deleted what I could. Obviously, because of my situation, I am posting this from a computer that is not mine.

NEXT, ONTO THE COMPUTER'S PROBLEMS.
1. Although the background is no longer a link to spyware, it is now a dull blue color instead of the regular teal/light green.
2. On the desktop, these items remain:
UnSpyPC Scanner and Monitor (shortcut, it installed itself on my computer)
P.S.Guard (shortcut, it installed itself on my computer)
DAT files labeled "1", "2", and "3"
NOTE--I have had P.S.Guard in the past. It comes with an uninstaller for some reason, and I used to be able to uninstall it. Unfortunately, it stops responding whenever I try (even in safe mode!). Even when SPybot or Adaware say they have destroyed it, it has always come back. Now, it doesn't even leave. Plus, I can't run Ewido because of Windows ME. I HATE PSGUARD!!!

3. My computer is still rather slow and unstable. I'm sure other problems exist; I just haven't found them yet.



Logfile of HijackThis v1.99.1
Scan saved at 9:35:00 PM, on 11/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\SAITEK\SAITEK GAMING EXTENSIONS\SAICNFIG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\GAMEUTIL.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: GameUtil.lnk = C:\WINDOWS\SYSTEM\GameUtil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.systemquote.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.12,85.255.112.83



PLEASE HELP ME!!! THANKS IN ADVANCE FOR ALL YOUR HELP!!! :flowers:

Edited by Sherman8r44, 30 November 2005 - 07:26 PM.


BC AdBot (Login to Remove)

 


m

#2 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 04 December 2005 - 02:25 PM

I can't find out how to edit my original post, so here are my corrections.

1. The yahoo fantasy sports server was down on that particular day, and I never had my weather on New York in the first place. The spyware didn't mess with yahoo or anything.

2. I am back to posting on my computer. I realized my Wi-Fi wasn't plugged in, and that's why I had the "page cannot be displayed" error message. D'oh!

3. I'm gonna try the online antivirus/malware removers.

#3 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 04 December 2005 - 02:40 PM

Hmm, new problem--when I went to the Panda and BitDefender pages, the buttons to initialize the check weren't clickable. House call told me to "activate Java Script". Now I don't want to touch any Java settings because a wierd button called "Sun Java Console" is now under tools, as I said earlier, and I guess it messed with my Java settings. I still have plenty of problems that need help!

#4 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 05 December 2005 - 11:45 PM

Spyware is getting progressively worse now that I did Windows Update!! PLEASE HELP ME!!!!

Here's my updated HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:17 PM, on 12/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SAITEK\SAITEK GAMING EXTENSIONS\SAICNFIG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\GAMEUTIL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: GameUtil.lnk = C:\WINDOWS\SYSTEM\GameUtil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.systemquote.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.12,85.255.112.83

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 07 December 2005 - 12:54 PM

Hi and :thumbsup: to BleepingComputer!

My name is David Posted Image

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php?act=A...e=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.12,85.255.112.83

Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

David

#6 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 07 December 2005 - 05:16 PM

Hi Dave,

I appreciate the help very much! I followed all instructions but unfortunately Spybot Teatimer found three things changed and it automatically denied those changes:

12/7/2005 5:07:37 PM Denied value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
12/7/2005 5:07:49 PM Denied value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
12/7/2005 5:07:56 PM Denied value "Start Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
12/7/2005 5:07:58 PM Denied value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!

I hope this didn't hurt the results--I'll turn it off in the future.
Okay, now to the results...


Fixwareout ver 1.003
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\axjmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files



And the HJT File:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:03 PM, on 12/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\SAITEK\SAITEK GAMING EXTENSIONS\SAICNFIG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\GAMEUTIL.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\SYSTEM\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP002.TMP\"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: GameUtil.lnk = C:\WINDOWS\SYSTEM\GameUtil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.systemquote.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.zonelabs.com
O15 - Trusted Zone: http://donwloads.zonelabs.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...642/mcfscan.cab :thumbsup:

Edited by Sherman8r44, 07 December 2005 - 05:55 PM.


#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 08 December 2005 - 11:39 AM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (HKCU)

________________

Manually delete this folder:

C:\Program Files\UnSpyPC
________________

Reboot and post a new HJT log
David

#8 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 08 December 2005 - 04:40 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:35:44 PM, on 12/8/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\SAITEK\SAITEK GAMING EXTENSIONS\SAICNFIG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\GAMEUTIL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\system\MP_S3.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: GameUtil.lnk = C:\WINDOWS\SYSTEM\GameUtil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.systemquote.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.zonelabs.com
O15 - Trusted Zone: http://donwloads.zonelabs.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...642/mcfscan.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Thanks,
Dan

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 09 December 2005 - 12:38 PM

Clean Log!! Posted Image
How's everything running?

David

#10 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 09 December 2005 - 12:51 PM

Excellent! :thumbsup: The comp is running pretty well, but the Sygate Firewall I downloaded always stops responding for some reason. Thank you so very much for all your help!

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 09 December 2005 - 01:18 PM

Ok! Glad i was able to help you! :thumbsup:

The log is clean! :flowers:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

David

Edited by D-Trojanator, 10 December 2005 - 07:47 AM.


#12 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 10 December 2005 - 02:04 PM

Sorry to bring this back out, but I wanted to make sure my comp was 100% clean before making a restore point. I ran Spybot, and it found PSGuard, which I deleted. I then restarted the comp and ran Adaware SE, only to find 30 critical objects! I restarted the comp, tried again, and found 14 of the critical objects came back. It seems some of the objects were related to PSGuard, while others were tracking cookies. I deleeted everything, and then I ran a Computer Associates eTrust Online Virus Scan, because I had a feeling that trojans/viruses keep redownloading this crap. So here are my results from the Virus scan:

A0121567.CPY Win32.Alemod.N infected C:\_RESTORE\TEMP\
A0150374.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
A0150415.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
A0150421.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
A0151488.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
A0151508.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
A0151524.CPY Win32.Alureon.U infected C:\_RESTORE\TEMP\
oleext.dll Win32.Alemod.N infected C:\WINDOWS\SYSTEM\
WININET.DLL Win32.Alemod.H infected C:\WINDOWS\SYSTEM\
howiper.exe Win32.Qhosts.S infected C:\WINDOWS\SYSTEM\
pppcgm.exe Win32.Bloon.V infected C:\WINDOWS\SYSTEM\

I see that some are in the "C:\RESTORE" folder, so I am especially hesitant about doing anything to mess with the restore yet. Any suggestions?

BTW, when I checked, system restore was already off.

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 11 December 2005 - 08:57 AM

:thumbsup: Click Here to do a Panda online scan
  • If it asks you install active x controls click Yes
  • If a box comes up telling you to install the program also click Yes
  • Make sure you tick Disinfect automatically under Scan Options
  • Complete the scan and post the log that you can save afterwards in the same way you did the HJT log.
  • It is normal for it to take a reasonable time to complete
Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Reboot your computer into Safe Mode
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
Please post back with both logs, and we can decide what to do from there.

David

#14 Sherman8r44

Sherman8r44
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Location:Lawng Oiland, New Yawk
  • Local time:05:17 AM

Posted 11 December 2005 - 04:57 PM

I did the ActiveScan, but I couldn't find a "disinfect" option. Here is the log:


Incident Status Location

Adware:adware/spyaxe Not disinfected C:\WINDOWS\SYSTEM\HPFSTS04.TMP
Virus:Trj/Downloader.GHQ Not disinfected C:\WINDOWS\SYSTEM\LogFiles\Z0091300.so
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM\ts.ico
Adware:Adware/PsGuard Not disinfected C:\WINDOWS\SYSTEM\oleext.dll
Virus:W32/Smitfraud.D Not disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Adware:Adware/QuickWeb Not disinfected C:\WINDOWS\SYSTEM\pppcgm.exe
Adware:Adware/Spoon Not disinfected C:\WINDOWS\SYSTEM\favset.exe
Adware:Adware/IdeskBar Not disinfected C:\WINDOWS\SYSTEM\idemlog.exe
Virus:Trj/Downloader.FFZ Not disinfected C:\WINDOWS\SYSTEM\csrha.exe

I also did the WinPFind, but I can't find the logfile.

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:17 AM

Posted 11 December 2005 - 05:41 PM

:thumbsup: Boot into Safe Mode
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM\HPFSTS04.TMP
C:\WINDOWS\SYSTEM\LogFiles\Z0091300.so
C:\WINDOWS\SYSTEM\ts.ico
C:\WINDOWS\SYSTEM\oleext.dll
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\pppcgm.exe
C:\WINDOWS\SYSTEM\favset.exe
C:\WINDOWS\SYSTEM\idemlog.exe
C:\WINDOWS\SYSTEM\csrha.exe

______________________________

Please run Winpfind again and at the end it will notify you where the text file has been saved. I would think it would be in the folder where the Winpfind application is saved.

David

Edited by D-Trojanator, 13 December 2005 - 05:08 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users