Help With Virus


4 replies to this topic

#1 BobZahn


Posted 06 January 2006 - 01:13 PM

Ad aware keeps finding this virus but it continues to show up on a scan each morning.

win32.backdoor.agobot

Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:08:32 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\dhcp\dhcpcl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
C:\WINDOWS\system32\scardupd.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\WallboardDriver\WallboardDriver.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alphonso\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://208.253.92.198/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: printCaller.lnk = C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: RCC Launcher - ITEL, Inc - C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
O23 - Service: Smart Card Updater (SCardUpd) - Unknown owner - C:\WINDOWS\system32\scardupd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

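As an added example (not from this thread, and not part of HijackThis itself), a small Python triage helper for HijackThis v1.99.1 logs like the one above: it splits the log into header, running processes and numbered entries, then lists the entries a reviewer would verify first. The flags are this example's own review heuristics, not verdicts, and the sample lines are copied from the log posted above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis v1.99.1 log
# posted in this thread, in the layout HijackThis writes them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:08:32 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\dhcp\dhcpcl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://208.253.92.198/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt_log(text):
    """Return (header_lines, running_processes, entries) for one HijackThis log.

    entries is a list of (section, body) tuples, e.g. ("O23", "Service: ...").
    """
    header, processes, entries = [], [], []
    state = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if state == "header":
            if line == "Running processes:":
                state = "processes"
            elif line:
                header.append(line)
            continue
        if state == "processes":
            if not line:          # the blank line ends the process list
                state = "entries"
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return header, processes, entries


def _is_raw_ip_host(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (section, body, reason) for entries worth a reviewer's first look.

    Heuristics only (this example's own, not a HijackThis feature): an
    'Unknown owner' service is frequently just an unsigned third-party tool.
    """
    findings = []
    for section, body in entries:
        reasons = []
        if section == "R0" and "Start Page" in body:
            url = body.rsplit("= ", 1)[-1]
            if _is_raw_ip_host(url):
                reasons.append("start page points at a bare IP address")
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                reasons.append("DPF entry downloads a raw .exe")
        if section == "O17":
            servers = body.rsplit("= ", 1)[-1]
            reasons.append("explicit DNS servers, confirm they are the ISP's or the organisation's: " + servers)
        if section == "O23":
            if "Unknown owner" in body:
                reasons.append("service with no vendor (Unknown owner)")
            if "(file missing)" in body:
                reasons.append("service binary not found on disk")
        if reasons:
            findings.append((section, body, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    header, processes, entries = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(processes)} processes, {len(entries)} entries")
    for section, body, reason in triage(entries):
        print(f"[{section}] {reason}\n    {body}")
```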

#2 BobZahn


Posted 09 January 2006 - 01:33 PM

Can anyone help me?

#3 BobZahn


Posted 11 January 2006 - 10:05 AM

Can someone please help me remove this pest? Adaware finds this program almost every day and I quarantine and delete it, only to see it come back.

Here is the latest Hijack This scan.

Logfile of HijackThis v1.99.1
Scan saved at 10:01:37 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\dhcp\dhcpcl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
C:\WINDOWS\system32\scardupd.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\WallboardDriver\WallboardDriver.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alphonso\Desktop\HijackThis.exe
C:\Documents and Settings\Alphonso\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://***.***.**.***/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: printCaller.lnk = C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: RCC Launcher - ITEL, Inc - C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
O23 - Service: Smart Card Updater (SCardUpd) - Unknown owner - C:\WINDOWS\system32\scardupd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Edited by BobZahn, 11 January 2006 - 10:06 AM.


#4 BobZahn


Posted 11 January 2006 - 03:02 PM

I performed all the scans as suggested in the 'Read This First' post at the top of this thread. Here is the latest HiJack This scan.

Logfile of HijackThis v1.99.1
Scan saved at 2:58:01 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\dhcp\dhcpcl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
C:\WINDOWS\system32\scardupd.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\WallboardDriver\WallboardDriver.exe
C:\Program Files\Java\j2re1.4.0_03\bin\java.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
C:\mysql\bin\winmysqladmin.exe
C:\Documents and Settings\Alphonso\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://xxx.xxx.xx.xxx/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: printCaller.lnk = C:\Program Files\Nortel Networks\Reporting for Call Center\PrintCaller\printCaller.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{38F25B31-AAF1-4868-A9EA-DAB51BBD8D34}: NameServer = 198.6.1.2,198.6.1.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: RCC Launcher - ITEL, Inc - C:\Program Files\Nortel Networks\Reporting for Call Center\LauncherService\RCCLauncher.exe
O23 - Service: Smart Card Updater (SCardUpd) - Unknown owner - C:\WINDOWS\system32\scardupd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Edited by BobZahn, 11 January 2006 - 03:03 PM.


#5 MFDnSC


Posted 15 January 2006 - 07:53 PM

Where is it finding anything?

Get all of these and/or verify you have the current versions

SpywareBlaster 3.5 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Do these and reboot before the next step.

Sorry - HiJackThis is running from a temp directory and must be moved to run correctly

Get HiJack This V1.99.1 http://thespykiller.co.uk/files/hijackthis_sfx.exe - double click the DL file and click UNZIP, letting it extract to its default folder C:\Program Files\HiJackThis, run it from there, DO NOT fix anything, post the log here.

http://www.majorgeeks.com/download3155.html

Clean - If you feel it is fixed, mark it solved via thread tools above - if not, what is the current situation?

Restore points
Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

ME - http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam



Add remove programs – remove if present –

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE

You have no active AntiVirus!

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/

Or Avast

http://www.avast.com/eng/down_home.html

SAFE MODE

Boot the system - at the very first black screen before Windows starts - start tapping F8 at least every second or less - you will get a B&W menu - select the topmost entry for safe mode with no options

It takes a while and your screen resolution will look different

Download Registrar Lite from here: http://www.resplendence.com/download/reglite.exe

Install it and open it then on the address bar paste this and press go:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look down the right hand panel for this dodgy entry:

C:\Documents and Settings\DeepaliK\Local Settings\Temporary Internet Files\Content.IE5\4LIBINC9\WAS5Scan[1].exe

Right click it and select delete.

===================
http://support.microsoft.com/kb/290887/ - VB runtime

Service remove - http://forums.techguy.org/attachment.php?attachmentid=45240
· Double-click the cwsserviceremove.reg file you downloaded at the beginning.
· Answer Yes when prompted to add the contents to the registry.
CWShredder
DownLoad http://www.intermute.com/spysubtract/cwshr...r_download.html
Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix"


Download About:Buster from:
http://www.majorgeeks.com/download4289.html
Double click aboutbuster.exe, Click begin removal, click yes to shutdown IE, click Start, then click OK.

Stinger http://vil.nai.com/vil/stinger/

DownLoad http://www.cexx.org/lspfix.htm

Launch the LSP application, and click the "I know what I'm doing" checkbox.

Check all instances of ??????.dll (and nothing else), and move them to
the "Remove" pane.
Then click Finish.

Restart in safe mode

Now delete the C:\windows\system32\????.dll--> file
Reboot.

Red x - http://support.microsoft.com/?kbid=283807

Remove Norton - http://service1.symantec.com/SUPPORT/nav.n...001092114452606
===========================
Third party
1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.


========================
XP Admin password http://pubs.logicalexpressions.com/Pub0009...icle.asp?ID=305

Everest http://www.lavalys.com/products/download.p...ang=en&pageid=3

Belarc http://www.belarc.com/free_download.html
SpyAxe

Download the SpyAxeFix.exe here:

http://noahdfear.geekstogo.com/SpyAxeFix.exe

Save it to your desktop. Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to its own folder. Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes. A text file will be created in the SpyAxeFix folder. Post its contents and a new Hijack This log in your thread here:


DownLoad EasyCleaner http://www.majorgeeks.com/download414.html

Use the clear files and Unnecessary files buttons – I do not recommend using the Duplicates files button as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries

TEATIMER http://www.safer-networking.org/en/faq/33.html

And turn on TeaTimer in SpyBot -

MODE - ADVANCED - TOOLS - RESIDENT - Check both boxes
Make sure you run immunize after an update

http://www.zonelabs.com/store/content/cata....jsp?lid=nav_za
___________________________________________
Vundo

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.
· Please post the contents of C:\vundofix.txt and a new HiJackThis log.
________________________________________
Startup Checking

http://castlecops.com/StartupList.html
http://www.lafn.org/webconnect/ment...up/PENINDEX.HTM
http://www.sysinfo.org/startuplist....unt=50&offset=0
http://www.answersthatwork.com/Task...es/tasklist.htm
http://www.windowsstartup.com/wso/search.php
http://www.processlibrary.com/directory/a/
http://www.3feetunder.com/krick/startup/list.html


______________



Java Cache

# Click Start | Settings | Control Panel
# Click the Java Plugin Icon
# Click the Cache tab
# Click the Clear button and click OK to confirm
# Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

or

Control Panel > Java > General tab
Temporary Internet Files > Delete Files
Checkmark all 3 options and click OK


ZONE ALARM

http://www.zonelabs.com/store/content/comp...alm/freeDownload.jsp?lid=zaskulist_download

dso fix http://www.majorgeeks.com/download4392.html

new.net DL and run http://www.newdotnet.com/removal.html


Lop Uninstaller at this link

DL http://www.thespykiller.co.uk/downloads.htm

Close all browser windows and run the uninstaller.
When it is finished restart your computer.


Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Automatic Updates.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Start" button to start the service. Beside "Startup Type" in the dropdown menu select "Automatic". Click Apply then OK. Exit the Services utility.

Restart your computer.

Now try Windows update.

Pocket KillBox DL http://www.downloads.subratam.org/KillBox.zip

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\xvkaudf.exe
Now put a tick by Delete on reboot.
Click on the button with the red circle with the X. It will ask for confirmation. Click yes – repeat on all of the files – on the last one click yes twice - Click No at the Pending Operations prompt.

EXE FIX http://www.kellys-korner-xp.com/regs_edits/exefix.reg - save target as exe.reg and double click

To turn on Tea Timer

In SB – MODE – Advanced
At the Bottom – Tools – Resident – Check both boxes

Files not being listed in the Recycle Bin seem to be related to a corrupt info2 file. To correct the issue (Fat32):

Go to Start/Run and type in CMD:

Type CD\ RECYCLED, and then press ENTER. (or recycler depending on your system)
Type ATTRIB -r -s -h info2, and then press ENTER.
Type DEL INFO2, and then press ENTER.

NOTE: This deletes the damaged INFO2 file. Windows will recreate this file as needed, automatically.


MsConfig W2K http://www.perfectdrivers.com/howto/msconfig.html

Enable show hidden and system files in explorer – TOOLS – OPTIONS – VIEW
========================================================================
Open notepad and paste in the following lines:

del c:\*.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
del C:\documents and settings\*\local settings\temp\*.* /f

Save to desktop as 'clean.bat'.

DoubleClick on the icon, and say yes when prompted.

Empty the recycle bin
========================================

PEPER Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Run the peper fix - Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Restart your computer and post a new HJT log.


Move on Boot MoveOnBoot:

http://www.webattack.com/get/moveonboot.shtml

Istsvc http://securityresponse.symantec.com/avcenter/FxIstbar.exe

From Symantec
Note:
· The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
· The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
· The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
· The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.
These can be manually deleted using the following steps:
a. Start Internet Explorer.
b. Click Tools > Internet Options.
c. In the Temporary Internet Files section, then click the Delete Files button.
d. Check Delete all offline content, and then click OK.
Trusted zones

download http://www.mvps.org/winhelp2002/DelDomains.inf

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.


html#12345 - Run this uninstaller to get rid of the peper.a trojan:

http://www.zerosrealm.com/downloads/uninst.exe

Peper
It's 14 random characters that always begin with a #. Having said that, there is another malicious file out there that looks the same, but isn't peper. So if the person runs the peper fix, then nothing turns up. No harm, no foul; so I always have them run the fix and if it's a false alarm - oh well.

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

OE Links

With all windows closed.
Start > Run
Key in:
"C:\program files\outlook express\msimn.exe" /reg

Verify this is the path that msimn.exe is located and be sure to include the quotes.

Then open Outlook Express,
Tools > Options > General tab,
and verify Outlook Express is your default messaging program at the bottom of the page.

Tools > Internet Options > Programs tab
verify Outlook Express is showing in the E-mail window.


MessengerPlus3
When you get to the Sponsor Agreement, SELECT:
'I Refuse to give my support, install Messenger Plus! without the sponsor'.

ROOT KIT -

mszx23.exe
add any other file names as needed

download http://www.thespykiller.co.uk/files/fixhx.reg and put it on desktop then double click it and say yes to the message to merge with registry

now go to start/ run and paste in this line
sc delete winlow
and press OK or enter
repeat for
sc delete vdmt16

now run KillBox and paste each of these lines into the box, select standard file delete, then press the red X button, say yes to the prompt, then continue to paste the lines in, one at a time, and follow the above procedure every time. If it says the file is missing, don't worry, but if it says unable to delete file then select delete on reboot BUT DO NOT let it reboot yet

c:\windows\system32\klogini.dll
c:\windows\system32\p2.ini
c:\windows\system32\ps.a3d
c:\windows\system32\vdnt32.sys
c:\windows\system32\vdmt16.sys
c:\windows\system32\winlow.sys
c:\windows\system32\klo5.sys
c:\windows\system32\drct16.dll
C:\WINDOWS\System32\DSMANA~1.DLL

Before entering this one, open Task Manager, select it on the process list and end the process (it should now be visible as we have removed the entries hiding it)
c:\windows\system32\mszx23.exe

now go to Start/Run, type regedit and press OK

find this key and delete it (right click on the MDS Search booster entry and select delete)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster

Second display on desktop

Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Under "Web Pages" you should see an entry checked called something like "Security" or similar.
Select that entry and click the "Delete" button. Click OK then Apply and OK.

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

http://www.tech-forums.net/computer/topic/29806.html

autoexec.nt

==========================================================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

System Startup Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

------------

In Hijack This, click on the "Open Misc Tools section" button. Next click the "Delete an NT service" button. Copy and paste the following in that box:

SvcProc

Click OK.


then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

Root Kit revealer http://www.sysinternals.com/ntw2k/freeware...kitreveal.shtml

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\csrss.exe
C:\Documents and Settings\your username\Start Menu\Programs\Startup\csrss.exe


If you don’t know how, then get HijackThis from here: http://thespykiller.co.uk/files/hijackthis_sfx.exe

Double-click the downloaded file and let it extract to its default folder, C:\Program Files\HijackThis, and run it from there.

IE Fix - http://windowsxp.mvps.org/IEFIX.htm - Repair - http://www.theeldergeek.com/repair_ie6.htm

MS Malicious removal tool http://support.microsoft.com/?kbid=890830


Elite toolbar remover
DL and run in safe mode http://www.softpedia.com/get/Internet/Popu...r-Remover.shtml

Problems with msinet.ocx, http://www.x10.crevier.org/homeseer/kb/1013/

Three character fix [xxx]

Run Kaspersky as described here:
http://forums.subratam.org/index.php?showtopic=3466&hl=bube

Then download this attachment to the desktop, right-click it and rename it to fix.reg, double-click it and say yes to the prompts to merge with the registry, then post a new HJT log please.

http://forums.techguy.org/attachment.php?attachmentid=53089
--------------------------------------------------------------
Qoo - http://www.geekstogo.com/downloads/Trackqoo.zip

Download Find_Qoologic2.zip save it to your Desktop.

http://forums.net-integration.net/index.ph...=post&id=134981


Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.

Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens, then post it in a reply to your thread.

You might get an error message when first running this file; if so, close it and run it again, and wait until file.txt opens on the desktop.

Ignore the first list that opens with a long list of files and wait for FILE.TXT to pop up.

It normally takes somewhere between 10 to 15 minutes depending on your computer.
-------------------------------------------------------------------

XP winsock http://www.snapfiles.com/get/winsockxpfix.html

Nail – Run the un-installer here - http://www.mypctuneup.com/evaluate.php

http://home9.inet.tele.dk/le01/Sikkerhed.htm - get ABIremover.zip, extract it and run ABIremover.exe


http://www.noidea.us/easyfile/index.php?folder=2

download Nailfix.zip
Unzip it to the desktop but do NOT run it yet.

Restart in safe mode

Now in Safe Mode:
Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


LOP - http://www.msghelp.net/showthread.php?tid=21598 to uninstall Messenger Plus sponsor

SE Fix

XP/W2K

Download CW-Shredder at the link below:
http://www.intermute.com/spysubtract/cwshr...r_download.html

Download http://www.derbilk.de/SpSeHjfix112.zip to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using the SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs and press Reset Web Settings; then you can set your home page to what you want on the General tab.

9X
Download CW-Shredder at the link below:
http://www.intermute.com/spysubtract/cwshr...r_download.html


Download http://www.derbilk.de/SpSeHjfix109.zip to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using the SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs and press Reset Web Settings; then you can set your home page to what you want on the General tab.

BHO that won’t go away

Download Registrar Lite from here:

http://www.resplendence.com/download/reglite.exe

Put it in its own folder.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

In the pane on the right are the values associated with that key.
We want to remove these ones:

{397951DD-9A21-6AE7-DB28-CD6A1F022D51}

Right click on each one and select delete.
If you get a confirmation question, respond OK then close out the program.
----------------------------------------------------------------------------
O16’s - HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
----------------------------------------------------------------------------
Search hooks - Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one -> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
-------------------------------------------------------------------------------
Reboot and post another Hijack This log please.

Internet Optimizer - http://securityresponse.symantec.com/avcenter/FxNetOpt.exe

DERBIZ

download and run both these uninstallers.
http://www.derbiz.com/techsupport/uninstall.exe

And select RUN or OPEN when prompted.

Please note if this fails to remove the DerBiz.com ISP Access Profile you must save the uninstall program to your hard drive or desktop, disconnect from the service and then execute the uninstall program by double clicking on the file.

If for any unforeseen reason icons still remain on your desktop or start menu please run the original uninstall on the start menu named 'Uninstall Launch DerBiz.com' and follow the below URL in your Internet Browser's address bar:

http://www.derbiz.com/techsupport/cleanreg.exe

And select RUN or OPEN when prompted.

Once these three steps have been completed the DerBiz.com ISP Access Profile will be removed from your computer.

Fix for regedit

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox and paste the first file listed below into the "full pathname and file to delete" box.

The file name will appear in the window, and if the file exists it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up, repeat for each file in turn:

C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com

Then, on the Killbox top bar, press Tools > Delete Temp Files and follow those prompts, saying yes to everything.

Hotoffers - http://www.bleepingcomputer.com/forums/How...nfo-t15126.html

http://www.hotoffers.info/uninstall/index.html
===========================

Active X

Make sure your ActiveX settings are set like this:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options ("Download Signed and Unsigned ActiveX controls") to 'Prompt', and "Initialize and Script ActiveX Controls not marked as Safe" to 'Disable'.


Run ActiveScan online virus scan

http://www.pandasoftware.com/products/activescan.htm

Look to the far right for the pink link

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan

regsvr32 /u occache.dll – unregister

FIND IT - http://forums.net-integration.net/index.ph...=post&id=142443

CWS in 98

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


One click

You will need to boot to safe mode and navigate to the C:\Windows\System32 folder and rename the infected wininet.dll file to wininet.old, then go to the C:\Windows\System32\dllcache folder and copy the wininet.dll file there, then paste it in the system32 folder replacing the infected one you renamed. After it has been replaced restart your computer and then delete the wininet.old file.

Things won’t open
try this

1. Quit all programs that are running.
2. Click Start, and then click Run.
3. Type or paste this entry: regsvr32 urlmon.dll
4. Then click OK.
5. When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK, then repeat for all the following:


regsvr32 scrrun.dll
regsvr32 msxml.dll
regsvr32 mshtml.dll
regsvr32 shdocvw.dll
regsvr32 browseui.dll
regsvr32 actxprxy.dll
regsvr32 Shdocvw.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll

Weather alt. - http://tropicdesigns.net/weatherpulse.php
looks like the apropos rootkit C:\WINXP\ptgwK

so

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

q******_disk.dll browsela

Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically and after the reboot the infection should be killed.

reboot & post a fresh HJT log

Kill Windows Messenger - http://vlaurie.com/computers2/Articles/messenger.htm

Empty the MS Quarantine – TOOLS – SPYWARE SCAN – MANAGE SPYWARE - Quarantine

VB6 - http://www.microsoft.com/downloads/details...&displaylang=en

smitfraud
http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.


Remove aprps
http://attachments.techguy.org/attachment....achmentid=63961

http://forums.techguy.org/t399319.html - Post #7

username : blyghtondj
password: greenday

www.geekstogo.com

Messenger - http://www.itc.virginia.edu/desktop/docs/messagepopup/


R3 entry

Launch Notepad, and copy/paste the text below into a new text file. Save it as urlrepair.reg ('Save As Type' "All Files"). Save it in C:\

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

Reboot and scan again with Hijack This. Post the log.

Let's see if it worked.

ETB

· Go to http://users.pandora.be/bluepatchy/miekiem...tools/LQfix.exe to download LQfix.exe and save it to your desktop.
· Doubleclick LQfix.exe and click install.
· Leave the default settings. If you change them, the fix will fail.
· Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
· Follow the prompts on the screen.
· Your system will reboot afterwards.
· Please be patient after reboot, because there is a script running in the background.
· When it is finished, come back here and post a new Hijack This log.
================
the blue bar at the bottom does have an X
Download Blockrem from http://www.atribune.org/downloads/blockrem.zip
· Unzip it to its own folder on your desktop.
· Boot your computer to safe mode by rebooting and tapping the F8 button repeatedly until it brings up a boot menu.
From that menu, select Safe Mode by using the arrow keys to highlight it then pressing enter.
· Once in safe mode open the Blockrem folder on your desktop and double-click blockrem.bat (this is the file with the gear icon) to run it.
· Once it is running please follow the onscreen instructions.
· Reboot and post a HijackThis log.


Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to the desktop. Open it, paste in this list of files, and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

Vundo - http://securityresponse.symantec.com/avcen...moval.tool.html

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.

===========
St3

Download Win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it.
This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.
After the reboot, the infection should be killed.
===========
Sony Rootkit
http://securityresponse.symantec.com/avcenter/FixRyknos.exe

Agent.uj
Wareout – gambling pharmacy
===========================
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

O17's can be fixed here.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

If you get an Autoexec nt error do the following

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

And run FixWareout again.
=================================================
Dsl.dll - http://securityresponse.symantec.com/avcen...e.ieplugin.html
Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"
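The "Fix for regedit" and Startup csrss.exe items in the notes above describe two file-placement tricks that a defender can check for programmatically. The script below is an added example (not part of the original post or any tool it mentions): it works on a constructed directory listing so it runs offline, and the listing, paths and function names are all assumptions.

```python
"""Defender-side check for the "Fix for regedit" indicators in the post above.

Added example, not from the original post. When a command is typed without an
extension, Windows resolves it through PATHEXT, where ".COM" is tried before
".EXE"; a planted C:\\WINDOWS\\system32\\regedit.com therefore runs instead of
the real regedit.exe, which matches the post's Killbox list. The post also lists
csrss.exe copies in the Startup folders; the genuine csrss.exe is never there.
"""
from pathlib import PureWindowsPath

# Utility names from the post's Killbox list that were shadowed by .com files.
SHADOWED_UTILITIES = frozenset(
    {"cmd", "netstat", "ping", "regedit", "tasklist", "taskkill", "tracert"}
)


def find_shadowing_com_files(paths):
    """Return .com files that sit beside a same-named .exe in the same folder,
    or that reuse one of the shadowed utility names. Genuine Windows .com
    files such as more.com or mode.com have no .exe twin and are not reported."""
    index = {}  # (folder, stem) -> {suffix: original path}
    for raw in paths:
        p = PureWindowsPath(raw)
        key = (str(p.parent).lower(), p.stem.lower())
        index.setdefault(key, {})[p.suffix.lower()] = raw
    return sorted(
        exts[".com"]
        for (_, stem), exts in index.items()
        if ".com" in exts and (".exe" in exts or stem in SHADOWED_UTILITIES)
    )


def find_startup_csrss(paths):
    """Return csrss.exe entries found under any Startup folder."""
    return sorted(
        raw for raw in paths
        if PureWindowsPath(raw).name.lower() == "csrss.exe"
        and "startup" in (part.lower() for part in PureWindowsPath(raw).parts)
    )


# Constructed listing standing in for a directory walk of an infected XP box.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\cmd.exe",
    r"C:\WINDOWS\system32\CMD.COM",
    r"C:\WINDOWS\system32\ping.exe",
    r"C:\WINDOWS\system32\ping.com",
    r"C:\WINDOWS\system32\regedit.com",  # no regedit.exe beside it, but on the list
    r"C:\WINDOWS\system32\more.com",     # genuine Windows .com file, no .exe twin
    r"C:\WINDOWS\system32\csrss.exe",    # the real one
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\csrss.exe",
]

if __name__ == "__main__":
    for hit in find_shadowing_com_files(SAMPLE_LISTING):
        print("shadowing .com file:", hit)
    for hit in find_startup_csrss(SAMPLE_LISTING):
        print("csrss.exe in Startup:", hit)
```

To run it against a real machine, replace SAMPLE_LISTING with the output of a directory walk over system32 and the Startup folders.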