
HijackThis Log Interpretation


  • This topic is locked
15 replies to this topic

#1 Dr. Steve

  • Members
  • 8 posts

Posted 08 February 2006 - 04:17 PM

My Internet Explorer keeps logging me out of my Yahoo home page. I get
a session time-out error as if I am not accepting cookies. I have checked and
rechecked all the security settings, cookie settings, etc. I have reset to
default settings numerous times. I have been told my browser is corrupted.
I have tried to uninstall and reinstall, but I am still being told that I have a
more current version than Explorer 6. I have previously loaded SP2 and
all updates are current on my CPU.
Any suggestions on how to fix my corrupted files?

It was recommended that I load HijackThis and post the scan results here for interpretation.
The log is below:
Logfile of HijackThis v1.99.1
Scan saved at 1:05:31 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINNT\smss.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\System32\dllhost.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\SoftDent\SDWIN.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\DOCTOR~1.DEN\LOCALS~1\Temp\Temporary Directory 1 for HijackThis-1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINNT\smss.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINNT\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138310831808
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\Software\..\Telephony: DomainName = dentistry.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5243EEA-BD16-4CA3-A15B-A7FB466BEF62}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dentistry.local
O18 - Protocol: bw+0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINNT\system32\balcdehg.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



Thank You

#2 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 February 2006 - 05:42 PM

Hi Dr. Steve,

Welcome to the Forum.

First of all, we need to unzip/extract hijackthis and move it to a folder of its own.

Here is how to unzip/extract properly:

Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.

How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

================================================

Please go to Start > Control Panel > Add/Remove Programs and uninstall/remove Logitech Desktop Messenger. You don't need it and it makes a mess in the HijackThis log.

=================================================

We'll need to disable Microsoft Antispyware so that it will not interfere with the fix. If you have any other script blocking software you'll either need to disable them or give permission when they warn you of a change during the following fix.

Disable Microsoft AntiSpyware
1. Open Microsoft AntiSpyware.
2. Click on Options> Settings.
3. In the left pane, click on Real-time Protection.
4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
6. After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware

=================================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

================================================

Make sure that you can see hidden files:
- Click Start
- Open My Computer
- Select the Tools menu and click Folder Options
- Select the View tab
- Under the Hidden files and folders heading select Show hidden files and folders
- Uncheck the Hide protected operating system files (recommended) option
- Click Yes to confirm
- Click OK

===============================================

Scan with HijackThis and put a checkmark against the following:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINNT\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINNT\winlogon.exe
O18 - Protocol: bw+0s - {9622B9EA-8BB7-4DF7-89FB-87A00F40775B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll <--- please put a checkmark against all the other O18 entries for Logitech Desktop Messenger as well
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINNT\system32\balcdehg.dll (file missing)


Close all other windows/applications/browsers and click "fix checked". Exit HijackThis but stay in Safe Mode.

===============================================

In Safe Mode, using Windows Explorer, please navigate to and delete the following files and folders, if found. There are legitimate files with the same name in a different folder, so please be careful.

C:\WINNT\smss.exe
C:\WINNT\winlogon.exe
===============================================

Still in Safe Mode, clean the temp files:

Open Internet Explorer. You'll get a 404 page not found, but that is normal in safe mode.
At the top, click Tools>Internet Options> and then, in the center click Delete Cookies
Click Delete Files and then in the new applet check the box for all offline content
Click OK
Close that applet and open the C>Windows>Temp folder, and delete all files in there too, and all files in sub-folders of Temp.
Empty the C:\Windows\Prefetch Folder about once a month. More if you use the internet a lot.
Empty ALL C:\Documents and Settings\user name here\Local Settings\Temp folders

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty

================================================

Restart your computer in Normal Mode.

================================================

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

================================================

Post a new HijackThis log and the Panda scan results in your next reply.

Edited by amateur, 08 February 2006 - 05:51 PM.
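The reply above singles out two kinds of log entry: core Windows binaries (smss.exe, winlogon.exe) that run from, or are registered to start from, the wrong directory, and O20/O21 autostart hooks whose DLL is no longer on disk. The script below is an added example of how that triage can be automated; it is not a tool from the post or from BleepingComputer. The sample lines are a constructed subset copied from the log posted above, and the assumption that the system root is C:\WINDOWS or C:\WINNT, along with the finding category names, are mine.

```python
"""Triage helper for HijackThis-style logs (added example, not a BleepingComputer tool).

Flags the two patterns the reply above acts on:
  1. a core Windows binary name (smss.exe, winlogon.exe, ...) that is either
     running from outside %SystemRoot%\\System32 or registered under a Run key,
     where the genuine binary never appears; and
  2. Winlogon Notify (O20) or SSODL (O21) hooks whose DLL is reported missing.
"""
import re

# Core NT processes. The genuine copies live only in System32 and are started
# by the kernel / session manager, never via HKLM\..\Run or HKCU\..\Run.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# Assumption: NT-family layout where the system root is C:\WINDOWS or C:\WINNT.
SYSTEM32_RE = re.compile(r"^[a-z]:\\(?:windows|winnt)\\system32\\[^\\]+$", re.I)
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ORPHAN_RE = re.compile(
    r"^(?P<kind>O20 - Winlogon Notify|O21 - SSODL): (?P<name>\S+) - .*\(file missing\)$"
)


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_lines):
    """Return (reason, detail) tuples for suspicious lines; benign lines yield nothing."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            # A core binary under a Run key is suspicious whatever its path.
            path = exe_path(m.group("cmd"))
            if basename(path) in CORE_SYSTEM_BINARIES:
                findings.append(("core-binary-in-run-key", f"[{m.group('name')}] {path}"))
            continue
        if PROCESS_RE.match(line):
            # "Running processes" entry: a core name outside System32 is a look-alike.
            if basename(line) in CORE_SYSTEM_BINARIES and not SYSTEM32_RE.match(line):
                findings.append(("core-binary-outside-system32", line))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("autostart-hook-file-missing", f"{m.group('kind')}: {m.group('name')}"))
    return findings


# Constructed sample: a subset of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINNT\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINNT\winlogon.exe
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINNT\system32\balcdehg.dll (file missing)
""".splitlines()

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:32} {detail}")
```

A hit is a lead, not a verdict: the helper still confirms the file on disk before asking for it to be deleted, which is why the reply warns that legitimate files with the same name exist in System32. The Run-key check deliberately ignores the path, because the real smss.exe and winlogon.exe are launched by the kernel and session manager and never need a Run entry at all.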


#3 Dr. Steve

  • Topic Starter
  • Members
  • 8 posts

Posted 08 February 2006 - 11:27 PM

Here are the scan results. Thanks for the help!!


Logfile of HijackThis v1.99.1
Scan saved at 8:24:40 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\Hijackthis\HijackThis-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138310831808
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\Software\..\Telephony: DomainName = dentistry.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5243EEA-BD16-4CA3-A15B-A7FB466BEF62}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dentistry.local
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


Here is the Panda Scan


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt[dcszp7e1v10000omp5r9bmtnv_1o4g]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@doubleclick[1].txt

#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 09 February 2006 - 08:48 AM

Hi Dr. Steve,

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.

Download CWShredder 2.19
Launch the executable and then click "Check for Update"
Download and install any updates.
Now, close any open windows except for CWShredder and then click "Fix ->"
It should take about a minute to run, then click "Next ->". You'll see three lines starting with "Restoring" to let you know the scan is finished.

==================================================

Now restart your computer in Safe mode like you did before.

==================================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)


Close all other windows/browsers/applications and click on "fix checked". Exit HijackThis but stay in Safe Mode.

==================================================

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

=================================================

Still in Safe Mode, run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

=================================================

You have an old and vulnerable version of the Java Runtime Environment (JRE) installed. Please go to this link and it will describe how you can remove your old version and update to a new JRE:
http://wiki.castlecops.com/Windows_Update_Fix

=================================================

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

=================================================

Scan with HijackThis again.

=================================================

Post back:

HijackThis log
Ewido log
Panda scan results, please
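As an added example (not code from this thread, from BleepingComputer or from HijackThis), a small Python triage script that parses HijackThis v1.99 log lines of the kind posted above and flags the patterns the helper asked to have fixed: load points that reference a file no longer on disk ("(no file)", "(file missing)"), unnamed BHOs, and autostart entries given without a full path. The sample log is constructed from lines in the log above; the script only reads text and never touches the registry.

```python
"""Triage a HijackThis v1.99 log for the entry patterns flagged in this thread.

Constructed example; it is not code from this thread, from BleepingComputer
or from HijackThis. It only reads log text and never touches the registry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "Rn - ..." and "On - ..." are the HijackThis section prefixes.
LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d+) - (?P<body>.*)$")

# HijackThis prints one of these when the referenced file is not on disk.
# An orphaned load point is either leftover from a removed program or a
# hidden/renamed component; either way it is a candidate for "fix checked".
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _has_full_path(target: str) -> bool:
    """True when the target starts with a drive letter, e.g. C:\\WINNT\\x.exe."""
    return re.match(r"^[A-Za-z]:\\", target.strip().strip('"')) is not None


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list when nothing stands out)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings: list[Finding] = []

    missing = any(marker in body for marker in MISSING_MARKERS)
    if missing:
        findings.append(Finding(section, "references a file that does not exist", line))

    # O2: browser helper objects. A BHO with no name is not proof of anything
    # (Spybot's SDHelper.dll legitimately shows "(no name)"), so check the
    # CLSID and DLL path against a known-good list before fixing it.
    if section == "O2" and body.startswith("BHO: (no name)"):
        findings.append(Finding(section, "unnamed browser helper object", line))

    # O4: autostart entries. Body is "HKLM\..\Run: [Name] target" or
    # "Startup: name.lnk = target". A target without a full path is resolved
    # through the search path at logon, so verify which binary actually runs.
    if section == "O4":
        if "] " in body:
            target = body.split("] ", 1)[1]
        elif " = " in body:
            target = body.split(" = ", 1)[1]
        else:
            target = ""
        if target.upper().startswith("RUNDLL32.EXE "):
            target = target[len("RUNDLL32.EXE "):]   # judge the DLL, not the host
        if not _has_full_path(target):
            findings.append(Finding(section, "autostart without a full path", line))

    # O20: Winlogon Notify DLLs are loaded by winlogon.exe at logon. A bare
    # DLL name is resolved from the system directory; report it when the
    # line was not already reported as missing.
    if section == "O20" and "Winlogon Notify" in body and not missing:
        dll = body.split(" - ")[-1]
        if not _has_full_path(dll):
            findings.append(Finding(section, "Winlogon Notify DLL given without a path", line))

    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:45} {f.line}")
```

On the sample above it reports five findings: the two unnamed BHOs, the orphaned BHO "(no file)" entry, the bare Logi_MwX.Exe autostart, and the missing msupdate32.dll Winlogon Notify entry; everything else passes.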


#5 Dr. Steve
  • Topic Starter

  • Members
  • 8 posts

Posted 09 February 2006 - 01:35 PM

Just wanted you to know that the first things we did seemed to have helped with the logging out problem!! I previously loaded Firefox as a quick fix to my problem and will get rid of it when we are through and go back to using my explorer.

Here are the new reports:

Active Scan:

Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@2o7[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@doubleclick[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@zedo[1].txt
Adware:adware/azesearch Not disinfected C:\WINNT\blank.mht
Dialer:dialer.bny Not disinfected C:\WINNT\pcconfig.dat
Adware:adware/adsmart Not disinfected C:\WINNT\system32\maxd64.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:58:44 AM, 2/9/2006
+ Report-Checksum: C67222AF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} -> Downloader.Delf : Cleaned with backup
:mozilla.17:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.18:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.57:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.58:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.59:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.60:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.61:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.74:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.75:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.76:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.77:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.81:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.93:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.95:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.96:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\doctor.DENTISTRY\Application Data\Mozilla\Firefox\Profiles\50q2rjon.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP1\A0000016.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP2\A0000041.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP2\A0000062.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP2\A0000072.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP49\A0007417.exe -> Worm.Locksky.m : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:29:09 AM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Hijackthis\HijackThis-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138310831808
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\Software\..\Telephony: DomainName = dentistry.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5243EEA-BD16-4CA3-A15B-A7FB466BEF62}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dentistry.local
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:12:05 PM

Posted 09 February 2006 - 03:27 PM

Hi Dr. Steve,

Ewido cleaned a lot of junk. Panda is reporting some bad files and some cookies. We'll do some clean up and see how things are afterwards.

Please run Notepad and paste the following text inside the Code box into a new file. It's important that you use Notepad, not WordPad.

attrib -r -h -s C:\WINNT\blank.mht
del C:\WINNT\blank.mht
attrib -r -h -s C:\WINNT\pcconfig.dat
del C:\WINNT\pcconfig.dat
attrib -r -h -s C:\WINNT\system32\maxd64.exe
del C:\WINNT\system32\maxd64.exe
Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat.

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

======================================

Please run Panda online scan one more time.

======================================

Post back a new HijackThis log and the Panda results, please.

#7 Dr. Steve

Dr. Steve
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:05 AM

Posted 09 February 2006 - 04:25 PM

Here they are:

Panda Scan:


Incident Status Location

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@ads.pointroll[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@atdmt[1].txt
Adware:adware/azesearch Not disinfected C:\WINNT\efefdfddfsdh.tmp
Adware:adware/adsmart Not disinfected C:\WINNT\system32\vx.tll
Logfile of HijackThis v1.99.1
Scan saved at 1:20:57 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Hijackthis\HijackThis-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138310831808
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\Software\..\Telephony: DomainName = dentistry.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5243EEA-BD16-4CA3-A15B-A7FB466BEF62}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dentistry.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dentistry.local
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:12:05 PM

Posted 09 February 2006 - 05:05 PM

Hi Dr. Steve,

We have two new bad files showing up. :thumbsup:

Please restart your computer in Safe Mode, following my earlier instructions.

Using Windows Explorer (press the Windows key and E key at the same time to bring up Windows Explorer), navigate to and delete the following files:

C:\WINNT\efefdfddfsdh.tmp
C:\WINNT\system32\vx.tll

Empty your Recycle Bin.

Restart your computer.

Please download the free Ad-Aware SE (http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html) and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:
  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click Proceed.

3) To start the scan, Click > "Scan Now" at left
  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.
  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.
Please download Spybot S & D

a. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
b. Close ALL windows except Spybot S&D
c. Click the button to 'Search for Updates' then download and install the Updates. Remember to "immunize" after updating so that the latest definitions can be enabled.
d. Next click the button 'Check for Problems'
e. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
f. Make sure that there is a check mark beside all of the RED entries ONLY.
g. Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.

h. REBOOT to complete the scan and clear memory.

Run Ewido again.

Restart and run Panda again. Post the results of Panda and Ewido back here please.

Edited by amateur, 09 February 2006 - 08:01 PM.


#9 Dr. Steve

Dr. Steve
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:05 AM

Posted 09 February 2006 - 10:20 PM

When I used Microsoft Explorer it would not let me open C:\WINN\efefdfsdh.tmp. It gave the error box "Windows cannot open this file .... needs to know what program created it ....", so I could not delete it. I do think that Spybot cleaned it for me.

Here is the last Panda Scan


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@overture[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@zedo[1].txt


Looks pretty good? :thumbsup:

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:12:05 PM

Posted 09 February 2006 - 10:38 PM

Hi Dr. Steve,

Yes, it does look pretty good. :thumbsup: Your log was clean too. I am missing the latest Ewido log. How did that turn out? How is the computer running now?

Edited by amateur, 09 February 2006 - 10:42 PM.


#11 Dr. Steve

Dr. Steve
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:05 AM

Posted 10 February 2006 - 10:07 AM

Computer seems to be running fine. The explorer log out issue is resolved. Seems to be a little slower on start-up, but not a big deal. I did not load the WUFix.zip when I did the Java update, do I need to do that?
Here is the Ewido scan, results still look pretty good.




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:02:35 AM, 2/10/2006
+ Report-Checksum: E5AC0815

+ Scan result:

HKU\S-1-5-21-3354240336-1586625076-3646724030-1126\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\doctor.DENTISTRY\Cookies\doctor@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:12:05 PM

Posted 10 February 2006 - 10:31 AM

Hi Dr. Steve,

Yes, all looks good. :thumbsup: However, you seem to be on a network. If so, you may get re-infected by others on the network. It would be a good practice to make sure that nobody else is infected, if you can. One of the trojans you had is spread through file sharing. Continue scanning regularly with Ad-Aware, Spybot and Ewido. I'll also give you some more tips below on keeping your computer safe.

I did not load the WUFix.zip when I did the Java update, do I need to do that?


You don't need to do that unless you have problems updating your Windows XP. If you've updated your Java and removed all the old versions of it from Add/Remove Programs, you are all set.
A note on Ewido: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days; that is why we are not installing the guard, so it will not interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended), but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (top left) and clicking on both items under "Your Security Status".

Now that you are clean, or seem to be, please follow these simple steps in order to keep your computer clean and secure.

Re-enable Microsoft AntiSpyware
Open Microsoft Antispyware
Click on Options > Settings.
In the left pane, click on Real-time Protection
Under Startup Options check Enable the Microsoft Antispyware Security Agents on Startup (recommended)
Under Realtime spyware threat protection check Enable realtime spyware threat protection (recommended)
After you check these, click on the Save button and close Microsoft Antispyware.

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and Folders heading uncheck Show hidden files and folders.
check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
check the Hide file extensions for known file types.
Click OK.

Disable and Enable System Restore. If you are using Windows ME or XP, then you should disable and re-enable System Restore to make sure there are no infected files in a restore point. Because Windows regularly sets restore points, it is very possible that the malware you have removed is still present in System Restore. If you put Windows back to such a restore point, this malware will be put back as well.

This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot normally.

You can also find instructions on how to disable and re enable system restore here:
Windows XP System Restore Guide


And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)


Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following free ones. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflicts and render the computer vulnerable.

AntiVir here
AVG Free here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually, I'd recommend doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of spyware, adware, hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here Remember to "immunize" after each update
Microsoft Antispyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall (Will be discontinued as from the end of 2005) here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup windows from opening when you come across a website that uses them while surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
· Fraudulent claims or scams
· Offensive material
· Security vulnerabilities
· Spyware or Adware
· Spam related material
· or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult
• Spyware
• Spam Advertising
• Phishing
• Possible scam or fraud
• Misleading or False Advertising
• Pharming
• Rogue or Suspect Product
• Adware
• Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP
Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You cannot uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.

But above all, keep all your software UP-TO-DATE at all times!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place
Happy and safe surfing. :flowers:

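The IE-SPYAD mechanism described in the post above is worth seeing in working form. IE-SPYAD is distributed as a .reg file; merging it creates one key per domain under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, with a DWORD value per URL scheme (or "*" for all schemes) whose data is the zone number. Zone 4 is Restricted sites, where Internet Explorer disables scripting and ActiveX. The script below is an added example, not IE-SPYAD's own code or anything from the thread: it builds such a .reg file from a list of hostnames and parses one back so you can audit a third-party list before merging it. The hostnames it uses are constructed placeholders, and the practitioner's check it adds is that a "bad sites" list should never map a host to any zone other than 4 (an entry in zone 2, Trusted sites, would loosen security instead of tightening it).

```python
"""Build and audit Internet Explorer ZoneMap .reg files (added example, not IE-SPYAD's code)."""
import re

ZONE_RESTRICTED = 4
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")


def zonemap_key(host):
    """Map a hostname to its registry key: the last two labels are the key,
    any remaining labels become one subkey (ads.example.com -> example.com\\ads)."""
    labels = host.lower().strip().strip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable hostname: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    key = f"{DOMAINS_KEY}\\{domain}"
    return f"{key}\\{sub}" if sub else key


def build_reg(hosts, zone=ZONE_RESTRICTED, scheme="*"):
    """Return the text of a .reg file that places every host in `zone`."""
    if zone not in ZONE_NAMES:
        raise ValueError(f"unknown zone {zone}")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in sorted(set(hosts)):
        lines.append(f"[{zonemap_key(host)}]")
        lines.append(f'"{scheme}"=dword:{zone:08x}')   # regedit wants 8 hex digits
        lines.append("")
    return "\r\n".join(lines)


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {hostname: {scheme: zone}} for every ZoneMap\\Domains entry in a .reg file.
    Keys outside ZoneMap\\Domains (and deletion keys starting with '-') are ignored."""
    prefix = DOMAINS_KEY.lower() + "\\"
    entries, host = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            host = None
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")
                if 1 <= len(parts) <= 2 and all(parts):
                    host = ".".join(reversed(parts))   # example.com\ads -> ads.example.com
            continue
        val_match = _VAL_RE.match(line)
        if val_match and host is not None:
            entries.setdefault(host, {})[val_match.group("name")] = int(val_match.group("data"), 16)
    return entries


def restricted_hosts(text):
    """Hosts the .reg file puts in the Restricted sites zone."""
    return sorted(h for h, schemes in parse_reg(text).items()
                  if ZONE_RESTRICTED in schemes.values())


def non_restricted_entries(text):
    """Audit check: entries that map a host to any zone other than Restricted.
    A block list should return nothing here; a zone 2 entry would *trust* the host."""
    return {h: s for h, s in parse_reg(text).items()
            if any(z != ZONE_RESTRICTED for z in s.values())}


if __name__ == "__main__":
    sample_hosts = ["ads.example.com", "tracker.example.net", "example.org"]  # constructed
    reg_text = build_reg(sample_hosts)
    print(reg_text)
    print("restricted:", restricted_hosts(reg_text))
    print("suspicious:", non_restricted_entries(reg_text))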
#13 Dr. Steve

Posted 10 February 2006 - 01:09 PM

WOW, lot of information here! Thanks for all the great information and fantastic clean-up on my system!!!

I did have some other questions:

1. We emptied C:\Windows\Prefetch, C:\Windows\Temp (subfolders as well), and
C:\Documents and Settings\User name here\Local Settings\Temp
(Should I be doing this on a regular basis?)
2. We did a lot of things in Safe Mode. Do I need to worry about that, and when should I do that? Do I need to be in Safe Mode when running any virus scans?
3. As far as other browsers go, should I only use Explorer for my updates? (I have Firefox and have noticed it doesn't have some tools that Explorer has that I use frequently.)

I have another computer at home, not on the network, that was purchased at about the same time as this one. I have no known issues, as far as symptoms go, but am wondering if I need to have you look at that one as well, or if I should just go ahead and follow the recommendations being given to me here?
It already has SpyBot, Ad-Aware, Microsoft AntiSpyware and E-trust,
but it doesn't have HijackThis, Panda, Ewido, CWShredder or ATF Cleaner.
I updated SpyBot and Ad-Aware, loaded the WUFix zip, and did a Panda scan that was clean except for some cookies, like doubleclick, etc.

#14 Dr. Steve

Dr. Steve
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 10 February 2006 - 01:13 PM

I forgot to ask you about Windows OneCare Live; I have that loaded as well.

#15 amateur (Malware Fighter, Malware Response Team)

Posted 10 February 2006 - 03:25 PM

Hi Dr. Steve, :thumbsup:

WOW, lot of information here! Thanks for all the great information and fantastic clean-up on my system!!!


You are very welcome. Glad we could help.

1. We emptied C:\Windows\Prefetch, C:\Windows\Temp (subfolders as well), and
C:\Documents and Settings\User name here\Local Settings\Temp
(Should I be doing this on a regular basis?)


Yes, it's a good practice.

We did a lot of things in Safe Mode. Do I need to worry about that, and when should I do that? Do I need to be in Safe Mode when running any virus scans?


In Safe Mode, only the essential system files are utilized, therefore the non-essential running processes don't interfere with our work and with scanning. You don't need to worry about that. It was also necessary when we deleted the unwanted files. I wouldn't advise you to do anything with HijackThis or delete any files unless you are 100% sure what you are doing. Otherwise, you may damage the system and render the computer unusable. In fact, I would advise you to uninstall HijackThis. You can always download it again if you ever need it (I hope you won't). These tools are constantly updated anyway. And, no, you don't need to be in Safe Mode for virus scanning.

As far as other browsers go, should I only use Explorer for my updates? (I have Firefox and have noticed it doesn't have some tools that Explorer has that I use frequently.)


I personally prefer Internet Explorer. Some people swear by Firefox. It's a good idea to have a second browser in case you have problems with one. Then, you can use your second browser to get on the internet.

I have another computer at home, not on the network, that was purchased at about the same time as this one. I have no known issues, as far as symptoms go, but am wondering if I need to have you look at that one as well, or if I should just go ahead and follow the recommendations being given to me here?


The recommendations for keeping a computer clean and safe would be the same for all computers. However, if the other computer is infected, the remedies would differ. If you want to make sure that it's clean, post a HijackThis log for that computer too, and I, or somebody else, will take a look at it.

I forgot to ask you about Windows OneCare Live; I have that loaded as well.


I have never used Windows OneCare Live and therefore am not familiar with it. Sorry, I cannot say anything one way or the other.

I hope I've been able to answer all your questions.

Take care :flowers:
