Here Is My Hijackthis Log


This topic is locked
34 replies to this topic

#1 currmac (Members, 126 posts)

Posted 16 February 2006 - 01:51 PM

Thank you leurgy for the help.
Here is my log after I followed the instructions in the prep guide for HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 2:32:17 PM, on 16/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
D:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijachthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com/weather/c...es/CANS0145.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsa1F.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmzxxn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BD1F7D4B-B6A3-B073-D109-B33EC72573C4} - C:\WINDOWS\system32\rotyqjgw.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EC442619-B6F5-B623-D109-B33EC72572C1} - C:\WINDOWS\system32\cvwgqmgx.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = D:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://12.219.103.69:8080/wcsarview.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://www.gregsreef.com/WinWebPush.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F40A66-A941-40C3-BD9E-0A1FAA249C23}: NameServer = 142.177.1.2 142.177.129.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{35F40A66-A941-40C3-BD9E-0A1FAA249C23}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
INSPIRE TO VICTORY
#2 MoralTerror (Members, 26 posts)

Posted 18 February 2006 - 07:58 PM

Hi currmac.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Options > Track this Topic) so that you are notified when you receive a reply.

Please be patient with me during this time.

#3 currmac (Topic Starter; Members, 126 posts)

Posted 19 February 2006 - 06:46 AM

Thank you MoralTerror. I am still running HouseCall and other cleaners; they find something every time. I look forward to what you have to say.
#4 currmac (Topic Starter; Members, 126 posts)

Posted 19 February 2006 - 12:54 PM

Hi MoralTerror, I ran HouseCall today and it came up clean, if that means anything. But I can't get into regedit; it says it is not a valid W32 app.

Edited by currmac, 19 February 2006 - 12:56 PM.

#5 MoralTerror (Members, 26 posts)

Posted 19 February 2006 - 01:36 PM

Hi Currmac

I'll be with you very shortly with a fix.

#6 MoralTerror (Members, 26 posts)

Posted 19 February 2006 - 02:02 PM

Please print this page or copy it to Notepad in order to assist you while carrying out the following instructions.

Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button.

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - FreezeScreenSaver
  • Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in "Service name noted in step 2" & then click on the OK button

P2P - I see you have P2P software (Limewire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Limewire


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsa1F.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmzxxn.dll (file missing)
O2 - BHO: (no name) - {BD1F7D4B-B6A3-B073-D109-B33EC72573C4} - C:\WINDOWS\system32\rotyqjgw.dll (file missing)
O2 - BHO: (no name) - {EC442619-B6F5-B623-D109-B33EC72572C1} - C:\WINDOWS\system32\cvwgqmgx.dll (file missing)
O4 - Startup: LimeWire On Startup.lnk = D:\Program Files\LimeWire\LimeWire.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab



Please remember to close all other windows, including browsers then click Fix checked.

Delete the following files (the last entry, D:\Program Files\LimeWire, is a folder) if they still exist.

C:\WINDOWS\system32\nsa1F.dll
C:\WINDOWS\system32\irsmzxxn.dll
C:\WINDOWS\system32\rotyqjgw.dll
C:\WINDOWS\system32\cvwgqmgx.dll
D:\Program Files\LimeWire



Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  • Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HiJack This log.
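
The fix above is built from reading the log by eye: a BHO whose DLL is gone, a BHO with no name, a DLL dropped straight into system32, a service with no owner. As an added example (not HijackThis code, and not something the helper in this thread wrote), the Python below encodes those same cues as heuristics and runs them over lines copied from the first log posted above. It also applies two generic checks the log supports but the fix did not spell out: an O4 RunServices entry given as a bare filename, and an O16 ActiveX control downloaded from a numeric IP address. The section names, regexes and reason strings are this example's own.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines.

Added example, not code from BleepingComputer, HijackThis or the helper in
this thread. The sample lines are copied from the first log posted above; the
checks encode what the helper singled out (orphaned or unnamed BHOs, DLLs in
system32, the owner-less FreezeScreenSaver service) plus two generic red flags
(a RunServices entry with a bare filename, an O16 download from a bare IP).
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: a subset of the O2/O4/O16/O23 lines from the first log above.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsa1F.dll",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmzxxn.dll (file missing)",
    r"O2 - BHO: (no name) - {BD1F7D4B-B6A3-B073-D109-B33EC72573C4} - C:\WINDOWS\system32\rotyqjgw.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\RunServices: [winlog] winlog.exe",
    r"O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://12.219.103.69:8080/wcsarview.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]

# Every HijackThis entry starts with a section tag (R0, R1, F1, O2, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# URL whose host is a dotted-quad IPv4 address, optionally with a port.
IP_HOST_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
# A DLL path directly under the Windows system directory.
SYSTEM32_DLL_RE = re.compile(r"\\WINDOWS\\system32\\[^\\\s]+\.dll", re.IGNORECASE)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for headers and process lines."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    return match.group("section"), match.group("body")


def reasons_for(section: str, body: str) -> List[str]:
    """Return the heuristic red flags that apply to one parsed entry."""
    reasons: List[str] = []
    if section == "O2":  # Browser Helper Objects, loaded into every IE process
        if body.endswith("(file missing)"):
            reasons.append("BHO registered but its DLL is gone (orphaned registration)")
        if body.startswith("BHO: (no name)"):
            reasons.append("BHO with no display name")
        if SYSTEM32_DLL_RE.search(body):
            reasons.append("BHO DLL lives in the Windows system directory, not under Program Files")
    elif section == "O4":  # autostart entries
        if "RunServices" in body:
            target = body.split("] ", 1)[-1]
            if "\\" not in target:
                reasons.append("RunServices entry with a bare filename, so its location is hidden")
    elif section == "O16":  # Downloaded Program Files (ActiveX controls)
        if IP_HOST_RE.search(body):
            reasons.append("ActiveX control downloaded from a numeric IP address")
    elif section == "O23":  # NT services
        if " - Unknown owner - " in body:
            reasons.append("service with no publisher information")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run the heuristics over a log and return the entries worth a second look."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        reasons = reasons_for(section, body)
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(f"{finding['section']:<4} {finding['reasons']}")
        print(f"     {finding['entry']}")
```

Run against the sample it flags exactly the four BHO/service entries the helper told the poster to remove plus the winlog.exe RunServices entry and the ActiveX control fetched from 12.219.103.69:8080, while the Acrobat, Symantec and Microsoft lines pass. "(file missing)" on its own is a prompt to look, not a verdict: the O9 BitDefender uninstall button in the same log is also "(file missing)" and is harmless leftover, which is why the check is confined to O2 here and why the helper reads the whole log rather than grepping it.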

#7 currmac (Topic Starter; Members, 126 posts)

Posted 20 February 2006 - 09:24 AM

Here are the logs you asked for. Thank you for the help.

Incident Status Location

Adware:adware/exact.searchbar Not disinfected C:\Documents and Settings\Sarah\Local Settings\Temp\blank.gif
Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\winsysupd81.dat
Spyware:spyware/web3000 Not disinfected C:\WINDOWS\hh.ico
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
Adware:adware/ucmore Not disinfected C:\PROGRAM FILES\TheSearchAccelerator
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/dyfuca Not disinfected Windows Registry
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@www.advnt01[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@statse.webtrendslive[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@data.coremetrics[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@2o7[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@perf.overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@statcounter[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt[.i.screensavers.com/]
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\r?gedit.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt
Adware:Adware/IST.SaferScan Not disinfected C:\Documents and Settings\Sarah\Local Settings\Temp\uninstall.exe
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@www.advnt01[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@statse.webtrendslive[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@data.coremetrics[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@2o7[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@perf.overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@statcounter[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp
Logfile of HijackThis v1.99.1
Scan saved at 10:18:19 AM, on 20/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\system32\svchost.exe
C:\hijachthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com/weather/c...es/CANS0145.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://12.219.103.69:8080/wcsarview.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://www.gregsreef.com/WinWebPush.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F40A66-A941-40C3-BD9E-0A1FAA249C23}: NameServer = 142.177.1.2 142.177.129.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{35F40A66-A941-40C3-BD9E-0A1FAA249C23}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
INSPIRE TO VICTORY

#8 currmac (Topic Starter)

Posted 20 February 2006 - 11:08 AM

Why is Sarah in every file, and how do I get her name out?
INSPIRE TO VICTORY

#9 MoralTerror

Posted 21 February 2006 - 06:33 AM

Hi currmac

Does regedit work now?

Sarah is the name of the windows user account. This name is added to the name of the files.

Please print this page or copy it to Notepad in order to assist you when carrying out the following instructions:

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.

You will need to update Ewido to the latest definition files.
Launch Ewido & click Update from the left pane
Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies> Click Clear

Click Start > Run and type regsvr32 /u occache.dll and press enter

Start HijackThis & go to Config > Misc Tools > Delete a file on reboot...
  • In the popup box that appears, copy/paste in:
    • C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
  • Click the Open button.
  • Click YES when prompted to restart your computer

Reboot in safe mode(by repeatedly tapping F8 until the menu appears)

Click Start > Run and type regsvr32 occache.dll and press enter

Click Start > Control Panel > Add/Remove Programs and uninstall the following programs (if they exist):


TheSearchAccelerator


Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files in RED and Folders in BLUE(If they still exist)

C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\irssyncd.exe
C:\Documents and Settings\Sarah\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\winsysupd81.dat
C:\WINDOWS\hh.ico
C:\WINDOWS\ss3unstl.exe
C:\PROGRAM FILES\TheSearchAccelerator
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt
C:\Documents and Settings\Sarah\Local Settings\Temp\uninstall.exe
C:\Documents and Settings\Sarah\Cookies\sarah@overture[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@www.advnt01[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@statse.webtrendslive[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@go[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@hitbox[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@data.coremetrics[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@2o7[2].txt
C:\Documents and Settings\Sarah\Cookies\sarah@perf.overture[1].txt
C:\Documents and Settings\Sarah\Cookies\sarah@statcounter[2].txt
C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\kth436vx.default\cookies.txt


Locate this folder in windows explorer


C:\Program Files\Yahoo!\YPSR\Quarantine\


Click Edit > Select All, then File > Delete, and click Yes when asked if you're sure you want to delete the selected files.


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files
Click OK, Press the CleanUp! button to start the program and reboot when prompted.

Reboot to normal mode



Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended scan
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Post the following logs/files:

new HijackThis log
Ewido report
Kaspersky results
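The HijackThis log posted in #7 and the O4 entries MoralTerror singles out in the fix list above share a few patterns a reviewer looks for by eye: an O4 autorun that names a bare executable with no directory, an entry under the legacy RunServices key, an O16 ActiveX control downloaded from a raw IP address, and stale "(file missing)" entries. The script below is an added example, not HijackThis code and not part of this thread; it parses log lines in the HijackThis 1.99 format and applies those heuristics. The sample is built from lines copied from this thread plus one constructed, benign O4 line (the ccApp entry) for contrast, and the severities are my own labels, not a verdict on the entries.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: entries copied from the log and fix list in this thread,
# plus one made-up benign O4 line ([ccApp]) so the heuristics have something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://12.219.103.69:8080/wcsarview.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F40A66-A941-40C3-BD9E-0A1FAA249C23}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# "O4 - <rest>": section code, then the body of the entry.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {clsid} (description) - url
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def review(log_text):
    """Return a list of (severity, code, message) for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blanks
        code, body = m.group("code"), m.group("body")

        if body.endswith("(file missing)"):
            findings.append(("low", code, "target file missing; stale entry left behind by an uninstall"))
            continue

        if code == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            cmd = o4.group("cmd").strip().strip('"')
            reasons = []
            if "\\" not in cmd and "/" not in cmd:
                reasons.append("bare filename, resolved through the PATH search")
            if o4.group("key") == "RunServices":
                reasons.append("RunServices is a Windows 9x-era autostart key")
            if reasons:
                findings.append(("high", code, f"autorun [{o4.group('name')}] -> {cmd}: " + "; ".join(reasons)))

        elif code == "O16":
            o16 = O16_RE.match(body)
            if not o16:
                continue
            host = urlparse(o16.group("url")).hostname or ""
            try:
                ip_address(host)  # raises ValueError for a normal hostname
            except ValueError:
                continue
            findings.append(("high", code, f"ActiveX control '{o16.group('desc')}' fetched from raw IP {host}"))

        elif code == "O17":
            o17 = O17_RE.search(body)
            if o17:
                findings.append(("info", code, f"DNS servers {o17.group('servers')}: confirm they belong to the ISP"))
    return findings


if __name__ == "__main__":
    for severity, code, message in review(SAMPLE_LOG):
        print(f"{severity:5} {code:4} {message}")
```

The heuristics deliberately do not flag the irssyncd entry: it has a full path under a normal Run key, so it only stands out because a human recognised the name. Automated review narrows the list; it does not replace the reviewer.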

#10 currmac (Topic Starter)

Posted 21 February 2006 - 06:37 AM

No, regedit is not working, but I will do the steps you asked.

"regedit is not a valid win32 app"
INSPIRE TO VICTORY

#11 MoralTerror

Posted 21 February 2006 - 06:50 AM

Go into C:\Windows\System32 and check if any of these files exist

CMD.COM
netstat.com
ping.com
regedit.com
tasklist.com
taskkill.com
taskmgr.com
tracert.com
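The reason MoralTerror asks for this list is the way Windows resolves a bare command name: it walks the search path directory by directory and, inside each directory, tries the extensions in PATHEXT order, where .COM comes before .EXE. A rogue regedit.com in System32 therefore runs instead of the real regedit.exe, which produces exactly the "not a valid win32 app" error currmac sees. The script below is an added example, not part of this thread; it simulates that lookup over a constructed directory listing (not a dump of the poster's machine) and reports which commands are shadowed, and which of the eight names above are present.

```python
import os

# Default PATHEXT order for cmd.exe on Windows XP; .COM is tried before .EXE.
# Constructed constant for the simulation: check `echo %PATHEXT%` on a real machine.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH"]

# Constructed directory listings. System32 holds the legitimate tools plus seven
# of the eight .com names from the post (no taskmgr.com), and regedit.exe lives in
# C:\WINDOWS as it does on XP.
LISTING = {
    r"C:\WINDOWS\system32": {
        "cmd.exe", "CMD.COM", "netstat.exe", "netstat.com", "ping.exe", "ping.com",
        "regedit.com", "tasklist.exe", "tasklist.com", "taskkill.exe", "taskkill.com",
        "taskmgr.exe", "tracert.exe", "tracert.com", "calc.exe",
    },
    r"C:\WINDOWS": {"regedit.exe", "explorer.exe", "notepad.exe"},
}

# XP searches System32 before the Windows directory.
SEARCH_PATH = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]

# The eight names MoralTerror asks about.
SUSPECT_NAMES = ["CMD.COM", "netstat.com", "ping.com", "regedit.com",
                 "tasklist.com", "taskkill.com", "taskmgr.com", "tracert.com"]


def resolve(command, listing=LISTING, search_path=SEARCH_PATH, pathext=PATHEXT):
    """Mimic the shell: first directory in the path that has command+ext, exts in PATHEXT order."""
    for directory in search_path:
        names = {n.lower(): n for n in listing.get(directory, ())}
        for ext in pathext:
            hit = names.get((command + ext).lower())
            if hit:
                return directory + "\\" + hit
    return None


def shadowed_commands(listing=LISTING, search_path=SEARCH_PATH, pathext=PATHEXT):
    """Map each .exe whose bare name resolves to something else -> (what runs, expected .exe)."""
    result = {}
    seen = set()
    for directory in search_path:
        for name in listing.get(directory, ()):
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or stem.lower() in seen:
                continue
            seen.add(stem.lower())
            winner = resolve(stem, listing, search_path, pathext)
            if winner and not winner.lower().endswith(".exe"):
                result[stem.lower()] = (winner, directory + "\\" + name)
    return result


def present_suspects(listing=LISTING, directory=r"C:\WINDOWS\system32", names=SUSPECT_NAMES):
    """Which of the asked-for .com files exist in the directory (case-insensitive)."""
    have = {n.lower() for n in listing.get(directory, ())}
    return [n for n in names if n.lower() in have]


if __name__ == "__main__":
    print("present:", present_suspects())
    for cmd, (runs, expected) in sorted(shadowed_commands().items()):
        print(f"{cmd}: typing it runs {runs} instead of {expected}")
```

A .com file sitting beside a same-named system .exe is the thing to look for during cleanup; the simulated PATHEXT walk is the general mechanism, and the same check applies to any command name, not only the eight listed.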


#12 currmac (Topic Starter)

Posted 21 February 2006 - 07:06 AM

Hey MoralTerror, I copied all the pages, but before I could finish my computer shut off????

I got it bad, I think.
INSPIRE TO VICTORY

#13 currmac (Topic Starter)

Posted 21 February 2006 - 07:12 AM

I have all those files except for taskmgr.com.
INSPIRE TO VICTORY

#14 currmac (Topic Starter)

Posted 21 February 2006 - 07:15 AM

I don't have Firefox.
INSPIRE TO VICTORY

#15 MoralTerror

Posted 21 February 2006 - 07:17 AM

Let's do this first.


Download and unzip - bfu.zip
Run the program and click the Web button located on the top right corner

Copy/Paste this url into the address bar of the Download script window:

http://metallica.geekstogo.com/alcanshorty.bfu


Checkmark the following boxes:
  • Use settings specified in script for the above option
  • Show log after script ends
Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log
Post the log created by the script when you have completed the fix


If you have any questions about the use of BFU please click here



