
Infected With Rootkits And A Lot Of Malware


35 replies to this topic

#1 aelfgifa

aelfgifa

  • Members
  • 101 posts

Posted 02 May 2006 - 11:54 PM

Hello,

I desperately need help - as does everybody else posting here, so here's what I've done to try to help myself so far in the hope this saves you some time. Based on some advice from quietman7 in the "Am I infected?" forum, I have spent most of today following that advice and have logs I don't understand for the following if they are needed:

Housecall
AVG (saved my virus vault in Notepad)
Ewido
Spybot S&D (I ran it but don't know if it generated a log)
AdAware

I followed the directions for posting here and have done everything except downloading the firewall from ZoneAlarm. That is so far over my head it's pathetic - and I have a stack of tutorials from this site I'm trying to make sense of. Instead, I downloaded SocketShield in the hopes it would serve "kind of" the same purpose without my botching a firewall configuration.

Apparently, I have several rootkits, multiple versions of SdBot, Adware.Minibug and that's only the part I understood. I'm not sure what's been healed and what's going to keep coming back every time I log on. The Housecall report was 18 pages long so I don't want to post any of the above unless somebody asks for it. So - here's my Hijack This log and I would be very grateful for any help.

aelfgifa



Logfile of HijackThis v1.99.1
Scan saved at 8:35:31 PM, on 5/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SocketScanner Monitor] C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Global Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD76C33E-8909-42B4-817C-E383974157C4}: NameServer = 12.6.42.1 12.6.42.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2006 - 10:58 PM

Hello aelfgifa,

I know you ran Ewido, but I want you to run it again in Safe Mode and run CCleaner before you run it.

I recommend that you download and use CCleaner prior to scanning with Ewido in order to speed up the scan by removing all the temp/junk files.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

Note: We will be deleting all temp files. Before using CCleaner, make sure you do not have any files in the Temp folder that you want to keep. If so, then move them to another folder.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section including Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Please download Ewido Anti Malware; it is a trial version of the program.
  • Install ewido anti malware
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Please reboot your computer in SafeMode by doing the following:
    Restart your computer
    After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    Instead of Windows loading as normal, a menu should appear
    Select the first option, to run Windows in Safe Mode.
  • Click on Ewido Anti Malware icon to open it
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress, you will be prompted to clean the first infected file it finds.
    Choose Remove, then put a check next to 'Perform action on all infections' in the box.
    Doing this enables the scan to proceed automatically until its completion.
    Click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close Ewido Anti Malware.

Note: Ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.


***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

If malware is found, click the button "Remove Selected Malware".

Save the log file by clicking on "Save HTML-Report".

Let it delete whatever it finds.

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner
or
Panda Scan Online virus scanner
or
BitDefender Free Online Virus Scan

Let it delete whatever it finds.
Post the log. Let me know if it is too large to post.

***************************************************


Please make sure that Word Wrap is turned OFF in Notepad before you copy and paste the HijackThis log here. Take a look at the log you just posted. It's an eye killer!


Please post the report .txt from Ewido, your Online Virus scanner log, and a fresh Hijackthis log.

Edited by SifuMike, 05 May 2006 - 11:02 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 aelfgifa

aelfgifa
  • Topic Starter

  • Members
  • 101 posts

Posted 05 May 2006 - 11:50 PM

Hello SifuMike,

OK -- I'm going to print this out so I don't mess up and try to follow the directions you posted. Just got back, am glad I checked my email. Sorry about the wrapping in Notepad.

aelfgifa

#4 aelfgifa

aelfgifa
  • Topic Starter

  • Members
  • 101 posts

Posted 06 May 2006 - 03:12 AM

Hello SifuMike,

You wanted me to post the Ewido reports, my online virus scanner logs and a fresh HJT. I used Housecall and A2 (the links you gave) and they both found something different. A2 wouldn't let me save a log or even cut and paste into Notepad, so I wrote down what the screen said and typed it in below. I hope this makes sense. The Housecall log is very long, so I typed in what I think are the highlights from the May 2 scan and the one I just finished. Let me know if you'd like me to post the originals (one is 18 pages long). And FWIW, Ewido found (and apparently healed) 2 infections of SdBot.YX - one yesterday and one today. AVG Free edition hasn't detected anything new since May 2.

So - I'm cautiously optimistic, although this has happened before only to see a whole new onslaught of viruses the next day. Thank you very much for the help.

aelfgifa

Ewido May 2

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:21:25 PM, 5/2/2006
+ Report-Checksum: 7CAD0361

+ Scan result:

C:\WINDOWS\SYSTEM32\msconfig32.exe -> Backdoor.SdBot.yx : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Documents and Settings\Administrator\msdirectx.sys -> Rootkit.Agent.l : Cleaned with backup
C:\System Volume Information\_restore{51A60BE7-6828-4987-AAB1-1558C167D82A}\RP269\A0071734.sys -> Rootkit.Agent.l : Cleaned with backup


::Report End

Ewido May 5

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:02:54 PM, 5/5/2006
+ Report-Checksum: 4E318B46

+ Scan result:

No infected objects found.


::Report End

A2 found the following (I wrote down what I could; couldn't save or copy to log)

Key:HKEY_LOCAL_MACHINE\System\currentcontrolset\enum\root\legacy_msdir...

and said it was called Trace.registry.Aimbot

Housecall logs available if you ask me for them (very long) but summary is:

May 2:

TROJ_ROOTKIT.H (2 infections)
WORM_SDBOT.BUY (infection)

May 5:

0 Infections

(This was a little confusing because even though the May 2 log said the infections could not be healed, they did not show up in the May 5 log. So - I hope this means they're gone, but let me know if you want the original text file)

AVG free version has a whole laundry list; let me know if you want me to try to write down what's in the virus vault. It won't let me cut and paste into Notepad either.

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:07:29 PM, on 5/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SocketScanner Monitor] C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Global Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

OK, I'm going to hit the send button before I accidentally delete this and have to start over again. Thank you very much for being willing to look at this mess.

aelfgifa

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 May 2006 - 12:59 PM

Hello aelfgifa,

I am coming in late here so I have no idea what you have been "fixing".
Have you been fixing items yourself with Hijackthis?

This was a little confusing because even though the May 2 log said the infections could not be healed, they did not show up in the May 5 log.


Do not print the May 2 logs. I don't care about May 2 logs, only about the current logs.



You wanted me to post the Ewido reports, my online virus scanner logs and a fresh HJT. I used Housecall and A2 (the links you gave) and they both found something different. A2 wouldn't let me save a log or even cut and paste into Notepad


Is Notepad not working?

Do a file search to see if you can find NotePad.exe.

If it isn't working, then run Microsoft's System File Checker program.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

Go to Start, then Run, type sfc /scannow in the run box and press enter.

Note: There is a space between sfc and the forward slash. Windows will ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is
not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply
minimize the screen and allow sfc to continue.

***********************************

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:Scan Archives
Scan Mail Bases

Click OK

Now under Select a target to scan: select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Then post the results from the Kaspersky scan.
Do not post a "summary" of the scans, as that does not help me. I need to see the locations ( the file path) of what it found in order to delete them.

The last Hijackthis log you posted was run from the Safe Mode and does not show all the running processes. :thumbsup:
Boot to the normal mode and post a fresh Hijackthis log and the Kaspersky scan. If it is too big, let me know.

Edited by SifuMike, 06 May 2006 - 01:17 PM.


#6 aelfgifa

aelfgifa
  • Topic Starter

  • Members
  • 101 posts

Posted 06 May 2006 - 05:12 PM

Hi SifuMike,

Here is a fresh HJT log. Sorry about the one in safe mode; I thought somebody earlier told me to do that but maybe I misunderstood. When you said you were "coming in late here", I was trying not to be wordy and repeat the woes I posted in another forum ("Am I Infected?")

When I referred to "fixing" things, I was talking about the different viruses that Ewido, A-Squared, and Housecall supposedly healed. The May 5 scans showed fewer than May 2, but I still have problems. I cut and pasted into my last post the actual Ewido logs. I couldn't get a log from A-Squared but I wrote down in my previous post what it told me it did about the Trace.registry.Aimbot it found. I DO have my AVG virus vault in a text file (figured that out). I also have the Housecall results from May 2 and May 5 (can't tell if rootkits are gone or if they just seem to be) but they are 18 and 14 pages long respectively in text files. Do you want them posted?

I could not run Kaspersky. I use Firefox; I went to their site and they told me to use IE. I switched to IE, went back to their page, and it crashed my machine. I got the Task Manager problem again I described in another thread in the "Am I infected" forum. Never got past the accept/decline EULA and had to reboot.

So, then I emptied my temporary files and ran HJT again, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:55 PM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SocketScanner Monitor] C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Global Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD76C33E-8909-42B4-817C-E383974157C4}: NameServer = 12.6.42.1 12.6.42.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thx,

aelfgifa

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 May 2006 - 05:50 PM

Hello aelfgifa,

I see you have System Restore turned off. :thumbsup: Please turn System Restore ON.
Disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running.
Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off.
We will clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405




I got the Task Manager problem again I described in another thread in the "Am I infected" forum

Run Microsoft's System File Checker program.


Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

Go to Start, then Run, type sfc /scannow in the run box and press enter.

Note: There is a space between sfc and the forward slash. Windows will ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is
not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply
minimize the screen and allow sfc to continue.

**************************************


Internet Explorer v6.00 SP1 (6.00.2800.1106)


The version (6.00.2800.1106) is out of date. You are wide open to malware with this ancient version!
Check Windowsupdate http://update.microsoft.com/microsoftupdat...t.aspx?ln=en-us
to update the Internet Explorer.

**************************************

You have a suspicious file we need to check. Did you install SocketShield?

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread.

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



I also have the Housecall results from May 2 and May 5 (can't tell if rootkits are gone or if they just seem to be) but they are 18 and 14 pages long respectively in text files. Do you want them posted?



No, they are too old to do any good. :flowers:
That was the reason I asked you to run the Kaspersky scan, to get a current listing of malware on your computer.
So run TrendMicro Housecall again and post one page of the log (as much as you can put in one thread) and we will see what is there.

Edited by SifuMike, 06 May 2006 - 06:10 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 aelfgifa


Posted 06 May 2006 - 06:46 PM

Hello SifuMike,

OK, I have reached the limit of what I am even able to understand from trying to follow your directions. I have never even heard of most of this stuff until a few weeks ago and am so over my head it's pathetic. In order . . .

1. I turned System Restore back off. I was advised to turn it off; I forgot by whom.

2. When I tried to run scannow, my computer insists it needs my original Windows CD. It is somewhere in my house but if I knew where, I'd probably have given up and reinstalled Windows a long time ago :thumbsup: When I tried to run it as you directed, I ended up with two little windows called "Windows File Protection" that I can't close, end task, or otherwise get out of even by rebooting - so I just moved them to the bottom of my screen where I can't see them - kind of like with popups that won't go away. (Excuse me while I tear some more hair out)

3. Yes, I did install SocketShield. The best I can figure out, it's a beta program to look at what ports are open and which ones are running something. Then I google on the results. I have fewer now than before, but the "listening ports" are supposedly 0, 80, 123, 1090, 1900, and 5000. Some of them occasionally have IP addresses next to them, some don't. No, I don't understand this, I'm just parroting back what I've been told.

4. I don't use Internet Explorer even though it's on my computer. I use FireFox for browsing and it's up to date except for the very newest update. Can IE hurt me just by being there? The only reason I tried to use it a minute ago is because the on-line virus scanner you wanted me to run said it needed IE.

5. I have already configured Windows to show hidden files (I assume you mean when I search). And BTW, that's how, maybe a month or so ago, I found a little file (forgot its name) with a *.doc.exe extension. I renamed it and deleted it because it wouldn't let me open or delete it. I think now that might have been part of how I got infected (???) but a friend told me to rename it and delete it so I did. Yes I am stupid. But what I've done, I've already done, so I am really trying to understand what you're saying and follow the directions correctly. But like I said . . .

Jotti -- Ok, I'll try to run this next and will run Housecall again and post the first. I have to take a quick break now and go do an errand, but I basically have this weekend devoted to trying to clean up my computer. Thank you very much for the help and please be patient with me because I have no idea what I'm doing and a lot of the terms that people use here are so foreign to me I have to switch back and forth between this board and Google.

Thanks again

aelfgifa (who will have snatched herself bald before this is over)

#9 aelfgifa


Posted 06 May 2006 - 06:48 PM

Oops -- I meant to say I turned Restore back ON. Sorry.

aelfgifa

#10 aelfgifa


Posted 06 May 2006 - 11:35 PM

Hi SifuMike,

Here are the results I could get, including a fresh HJT log which I assume you'll probably want.

1. I have the log from Jotti (one line):

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

2. I tried to update IE (which I don't use, but tried to update it anyway as you advised). I downloaded IE7 Beta, which was the only option that came up, but when I tried to install it I was told: Update/Iesetup.ex not a valid Win32 application and it went no further. Then, I rebooted into Firefox and tried to run Housecall again - just as I have done before. I tried three times (rebooting in between) and each time, it hung and got no further than the introduction. So -- the only thing out of the ordinary I have done is try to use IE as a browser while I was trying to update it.

3. I couldn't run scannow because I can't find my original CD.

4. HJT log below

So. . . should I just resign myself to the fact that I'm sharing my computer with some unknown somebody and be grateful if they let me use it at their convenience?

Anyhow, thanks for trying. I don't mean to sound so pessimistic, but I'm very frustrated with this and still think I'm infected with something that is fighting back. :thumbsup:

aelfgifa

Logfile of HijackThis v1.99.1
Scan saved at 8:13:42 PM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SocketScanner Monitor] C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Global Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146967860379
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD76C33E-8909-42B4-817C-E383974157C4}: NameServer = 12.6.42.1 12.6.42.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

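As an added example (not part of the thread, and not code from HijackThis or BleepingComputer), here is a small Python triage script for logs in the HijackThis v1.99 format posted above. It parses the "Oxx - ..." entries and flags the lines a helper looks at first: O10 Winsock LSP files listed more than once (the log above shows the SocketShield wrnetdrv.dll six times), O20 Winlogon Notify entries whose DLL is reported missing, and O17 NameServer overrides so the DNS servers can be compared with the ISP's. The sample log is a constructed subset of the lines in the post.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re
from collections import Counter

# One entry looks like: "O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)"
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# O17 entries end in "NameServer = <ip> <ip>"
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")

# Constructed input: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SocketScanner Monitor] C:\Program Files\ExPLabs.com\SocketShield\SocketScannerMonitor.exe
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files\explabs.com\socketshield\wrnetdrv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD76C33E-8909-42B4-817C-E383974157C4}: NameServer = 12.6.42.1 12.6.42.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def parse_entries(log_text):
    """Return (section, description) tuples for every 'Oxx - ...' line.

    Header lines and the 'Running processes' paths do not match and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def duplicate_lsp_entries(entries):
    """O10 descriptions that appear more than once, mapped to their count."""
    counts = Counter(desc for sec, desc in entries if sec == "O10")
    return {desc: n for desc, n in counts.items() if n > 1}


def missing_winlogon_notify(entries):
    """O20 Winlogon Notify entries whose DLL HijackThis could not find on disk."""
    return [desc for sec, desc in entries if sec == "O20" and "(file missing)" in desc]


def nameservers(entries):
    """DNS servers configured through O17 entries, as a flat list of strings."""
    servers = []
    for sec, desc in entries:
        if sec != "O17":
            continue
        m = NAMESERVER_RE.search(desc)
        if m:
            servers.extend(m.group(1).split())
    return servers


def triage(log_text):
    """Parse a log and collect the findings a helper would review first."""
    entries = parse_entries(log_text)
    return {
        "sections": Counter(sec for sec, _ in entries),
        "duplicate_lsp": duplicate_lsp_entries(entries),
        "missing_notify": missing_winlogon_notify(entries),
        "nameservers": nameservers(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("entries per section:", dict(report["sections"]))
    for desc, n in report["duplicate_lsp"].items():
        print(f"O10 listed {n} times: {desc}")
    for desc in report["missing_notify"]:
        print("O20 with missing DLL:", desc)
    print("O17 nameservers to verify against the ISP:", report["nameservers"])
```

The O17 servers are only reported, not judged: whether 12.6.42.1 and 12.6.42.2 are legitimate is something the helper confirms with the user's ISP.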
#11 SifuMike


Posted 07 May 2006 - 12:15 AM

Hi aelfgifa,

Sorry to hear that you are having so many problems. Looks like this computer is a real mess.


1. I have the log from Jotti (one line):

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file



SocketShield is a beta program. That means it has not been tested thoroughly, still has bugs in it, and they are using you to test it. I recommend you uninstall SocketShield.

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries: SocketShield



You said Internet Explorer would not run online virus scans, but can you use FireFox to perform this online Virus scan?
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan for Firefox
http://uk.trendmicro-europe.com/consumer/h...call_launch.php
Hopefully, the Online virus scanner files will show some of the malware and then we can delete it.


If you cannot get it to run then post as much of Housecall results of May 5 as you can squeeze into one page.

You said it was many pages long, but perhaps we can work a page at a time, eliminating malware as we go. It is not much to go on, and out of date, but we can see what it says. I need to see the exact locations of all the virus files, so do not give me a summary.

I hate to say it, but at this point things are NOT looking good. :thumbsup: I think you have a combination of damaged Windows files and viruses. I cannot tell if you have viruses until I see the report from an online virus scan.

The normal fix for damaged Windows files is to run scannow, but you say you cannot find the Windows Install CD, so that is out of the question.

The fix for viruses is to run Online Scanners, but you have not been able to run those either.

Edited by SifuMike, 07 May 2006 - 02:59 PM.


#12 aelfgifa


Posted 08 May 2006 - 12:34 AM

Hello SifuMike,

Well, maybe things are looking better. I found my Windows XP CD and . . .

1. Deleted Socket Shield as you instructed.

2. Ran CCleaner again.

3. Ran scannow. Nothing spectacular happened, it just ran.

4. I was able to run Housecall (not sure why I couldn't yesterday). This time it didn't detect any malware as it did the other times, only a list of vulnerabilities. (If there is a way to save a log, I didn't see it, so I've just been clicking "select all" and copying it into Notepad). The first time I ran it, it detected two rootkits and some viruses, can I assume they're gone or will they come back? The first page of the May 2 Housecall file I saved is pasted in below. It looks like it fixed the "malware" but not the "vulnerabilities" (??????)

5. I tried to run the Kaspersky virus scanner from IE (instead of Firefox which is what I usually use), but had trouble with IE 6 even staying on line. Should I keep trying, or leave well enough alone? I have Ewido running (the 14 day trial version and also AVG free edition) right now.

OK - so here's the first page or so of the May 2 Housecall and thank you very much for your time in helping me try to fix this.

aelfgifa

---------------------------------------

Encyclopedia

Collecting scan results...
Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here. Malware specific information is available from the relevant malware section.

TROJ_ROOTKIT.H
2 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
This Trojan tool may be installed on a system either by another malicious program or by a remote malicious user upon gaining access to a target system.

It is used ...
Aliasnames: Hacktool.Rootkit, APP:HTool-Fuzen, Trojan.Win32.Rootkit.h, W32/FUrootkit.B@tool, Win32/Efewe.B!Trojan, Win32.Efewe.B[trojan], TR/Rootkit.H
Platform: Windows NT, 2000, XP
First occurence: Not specified
General risk rate: Very low / Low / Medium / High
General information about this type of malware.

This Trojan tool may be installed on a system either by another malicious program or by a remote malicious user upon gaining access to a target system.

It is used by several malware, particularly WORM_RBOT and WORM_SDBOT variants, to hide their processes.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating system | Checking this line will take no action on the infection | Checking this column will clean the infection | Warning: Checking this column will delete the infection (e.g. the infected file) from your hard disk. | Files infected by this malware (This will display all the files infected by the above malware.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the file | The current pattern does not support cleanup

WORM_SDBOT.BUY
1 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
Upon execution, this worm drops a copy of itself in the Windows system folder. It also drops another file, which it uses to hide its process in the Windows ...
Aliasnames: no more aliase names known
Platform: Windows 98, ME, 2000, NT, XP
First occurence: Not specified
General risk rate: Very low / Low / Medium / High
General information about this type of malware.

Upon execution, this worm drops a copy of itself in the Windows system folder. It also drops another file, which it uses to hide its process in the Windows Task Manager.

It modifies the system registry to ensure its execution on startup.

It is also capable of propagating via network shares. If the shares are inaccessible, it uses a set of user names and passwords. It may also propagate by taking advantage of the following Windows vulnerabilities:

* The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

* The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

It also has backdoor capabilities. It connects to an IRC server and joins a specific channel, where it listens for commands coming from a remote malicious user.

It also terminates certain processes.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating system | Checking this line will take no action on the infection | Checking this column will clean the infection | Warning: Checking this column will delete the infection (e.g. the infected file) from your hard disk. | Files infected by this malware (This will display all the files infected by the above malware.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the file | The current pattern does not support cleanup
TITLE_OF_MALWARE
0 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate: Very low / Low / Medium / High
General information about this type of malware.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating system | Checking this line will take no action on the infection | Checking this column will clean the infection | Warning: Checking this column will delete the infection (e.g. the infected file) from your hard disk. | Files infected by this malware (This will display all the files infected by the above malware.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the file | The current pattern does not support cleanup
Detected signatures
EICAR signature
0 Signatures
The detected signature is not a security risk; it is designed to test antivirus scanners. The listed files are not infected. They only contain the EICAR signature.
Take no action on signatures on the machine | Delete signatures. Warning! Deleting this column will remove all associated signature files. | EICAR files (This will display all file paths of the above signature) | Reason: no access / not supported
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.
TITLE_OF_GRAYWARE
0 Infections

Transfering information about this grayware/spyware...
General information about this type of grayware/spyware.
There is currently no more information available for this grayware/spyware...
General information about this type of grayware/spyware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate: Very low / Low / Medium / High
General information about this type of grayware/spyware.

Some infections of this grayware/spyware could not be removed automatically!
Click here to receive instructions on how to remove this type of infection manually.
Cleanup options Clean all detected infections automatically
Select an individual action for each detected infection
Files infected by this grayware/spyware | Selecting this line will take no action on the infection | Selecting this column will clean the infection | Warning: Selecting this column will delete the infection (e.g. the infected file) from your hard disk | Files infected by this grayware/spyware (This will display all the files infected by the above grayware/malware.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the file | The current pattern does not support cleanup
HTTP cookies
0 Detected
Cookies are generally used to save user-specific data from Internet transactions with a Web server via a browser. The cookies listed below are "profiling cookies" that are only used to monitor your Internet usage.
Cleanup options Remove all detected cookies
Select individual action for each detected cookie
Keep this cookie | Remove this cookie | Cookies (The cookies displayed here are classified as potentially malicious.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the cookie | The current pattern does not support removal
Detected vulnerabilities

Unchecked Buffer in Windows Shell Could Enable System Compromise

#13 SifuMike


Posted 08 May 2006 - 08:59 AM

This time it didn't detect any malware as it did the other times, only a list of vulnerabilities. (If there is a way to save a log, I didn't see it, so I've just been clicking "select all" and copying it into Notepad). The first time I ran it, it detected two rootkits and some viruses, can I assume they're gone or will they come back? The first page of the May 2 Housecall file I saved is pasted in below. It looks like it fixed the "malware" but not the "vulnerabilities" (??????)



It sounds like the malware may be gone, but I have to see the current Housecall log in order to tell you anything. Please post it.

Posting the May 2 Housecall is no help to me as it only tells me what was on your computer on May 2, not now. Never mind about the "vulnerabilities" for now, your problems are deeper.

Let's see a fresh Hijackthis log.

Edited by SifuMike, 08 May 2006 - 09:04 AM.


#14 aelfgifa


Posted 08 May 2006 - 04:03 PM

Hello SifuMike,

You wanted a fresh HJT log and a copy of the current Housecall log. The HJT log is below, last night's Housecall log that showed no malware is below, although I couldn't run it today. Maybe their site is just busy.

Does this mean my problems are over? I downloaded ZoneAlarm but haven't installed it yet. Should I? I googled on some of the open ports Socket Shield told me I had before I uninstalled it. Some of them seem to be commonly used by trojans, but I won't change anything until I hear from you.

FWIW, I assumed whoever might have been controlling my machine had my passwords, so over the weekend (in Windows XP), I took away my own administrator rights and reassigned them to myself under a different user name with better passwords. Don't know if this will help but it probably can't hurt.

Thanks again,

aelfgifa

-----------------

Logfile of HijackThis v1.99.1
Scan saved at 12:48:24 PM, on 5/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Global Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146967860379
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD76C33E-8909-42B4-817C-E383974157C4}: NameServer = 12.6.42.1 12.6.42.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Housecall log from May 7th (first few pages - it says no more malware, if I'm reading this right?)

Collecting scan results...
Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here. Malware specific information is available from the relevant malware section.
TITLE_OF_MALWARE
0 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate: Very low / Low / Medium / High
General information about this type of malware.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating system | Checking this line will take no action on the infection | Checking this column will clean the infection | Warning: Checking this column will delete the infection (e.g. the infected file) from your hard disk. | Files infected by this malware (This will display all the files infected by the above malware.) | Reason (This column indicates the reason why cleanup failed.) | The system denied access to the file | The current pattern does not support cleanup
Detected signatures
EICAR signature
0 Signatures
The detected signature is not a security risk; it is designed to test antivirus scanners. The listed files are not infected. They only contain the EICAR signature.
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.
TITLE_OF_GRAYWARE
0 Infections


HTTP cookies
0 Detected
Cookies are generally used to save user-specific data from Internet transactions with a Web server via a browser. The cookies listed below are "profiling cookies" that are only used to monitor your Internet usage.
Detected vulnerabilities

Unchecked Buffer in Windows Shell Could Enable System Compromise

This vulnerability enables a remote attacker to execute arbitrary code by creating an .MP3 or .WMA file that contains a corrupt custom attribute. This is caused by a buffer overflow in the Windows Shell function in Microsoft Windows XP.
Affected programs and services: Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, Windows XP Media Center Edition
Malware exploiting this vulnerability: unknown

Unchecked Buffer in Locator Service Could Lead to Code Execution

This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.
Affected programs and services: Microsoft Windows NT 4.0, Microsoft Windows NT 4.0 Terminal Server Edition, Microsoft Windows 2000, Microsoft Windows XP
Malware exploiting this vulnerability: unknown

Unchecked Buffer In Windows Component Could Cause Server Compromise

This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.
Affected programs and services: Microsoft Windows NT 4.0, Microsoft Windows NT 4.0 Terminal Server Edition, Microsoft Windows 2000, Microsoft Windows XP
Malware exploiting this vulnerability: unknown

Cumulative Patch for Outlook Express (330994)

This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer.
Affected programs and services: Microsoft Outlook Express 5.5, Microsoft Outlook Express 6.0
Malware exploiting this vulnerability: unknown

Buffer Overrun In HTML Converter Could Allow Code Execution

(More . . . )
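The Housecall result page pasted above is easy to misread: the "Complete removal of the malware listed below failed!" note and the TITLE_OF_MALWARE placeholder are template text that the scanner renders even when it found nothing, and the only authoritative lines are the counts ("0 Infections", "0 Signatures", "0 Detected") and the titles under "Detected vulnerabilities". The following parser, an added example and not part of the original post or of Trend Micro's Housecall, pulls those facts out of the pasted text so the verdict ("nothing left to clean, but N unpatched vulnerabilities") does not depend on eyeballing eighteen pages. The sample text is a constructed, trimmed copy of the log in this thread; the section header strings and the per-entry line order are assumptions taken from that paste.

```python
import re

# Constructed sample: a trimmed copy of the Housecall result text pasted above.
# The "removal failed" note and TITLE_OF_MALWARE are template text rendered
# even when the count is 0, so the count line is what we trust.
SAMPLE_LOG = """Collecting scan results...
Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here.
TITLE_OF_MALWARE
0 Infections
Detected signatures
EICAR signature
0 Signatures
Detected grayware/spyware
TITLE_OF_GRAYWARE
0 Infections
HTTP cookies
0 Detected
Detected vulnerabilities

Unchecked Buffer in Windows Shell Could Enable System Compromise

Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability.
Affected programs and services: Windows XP Home Edition
Windows XP Professional
Malware exploiting this vulnerability: unknown
More information about this vulnerability and its elimination.

Unchecked Buffer in Locator Service Could Lead to Code Execution

Transfering more information about this vulnerability...
Affected programs and services: Microsoft Windows NT 4.0
Microsoft Windows NT 4.0
Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Malware exploiting this vulnerability: unknown
"""

# Section headers as they appear in the paste (assumed stable across reports).
SECTION_HEADERS = ("Detected malware", "Detected signatures",
                   "Detected grayware/spyware", "HTTP cookies",
                   "Detected vulnerabilities")
COUNT_RE = re.compile(r"^(\d+) (Infections|Signatures|Detected)$")


def split_sections(text):
    """Group the report's lines under the Housecall section header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def section_count(lines):
    """Return the '<n> Infections/Signatures/Detected' value, or None if absent."""
    for line in lines:
        m = COUNT_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def parse_vulnerabilities(lines):
    """Each entry: a title line, then 'Transfering more information...', an
    'Affected programs and services:' line plus continuation lines, and a
    'Malware exploiting this vulnerability:' line (order assumed from the paste)."""
    vulns, last_text, affected = [], None, None
    for line in lines:
        if line.startswith("Transfering more information about this vulnerability"):
            vulns.append({"title": last_text, "affected": [], "exploited_by": None})
        elif line.startswith("Affected programs and services:") and vulns:
            affected = vulns[-1]["affected"]
            affected.append(line.split(":", 1)[1].strip())
        elif line.startswith("Malware exploiting this vulnerability:") and vulns:
            vulns[-1]["exploited_by"] = line.split(":", 1)[1].strip()
            affected = None
        elif affected is not None and line:
            affected.append(line)          # continuation platform line
        if line:
            last_text = line               # candidate title for the next entry
    return vulns


def summarize(text):
    """Per-section counts, the unpatched-vulnerability list and a verdict.
    EICAR test files and tracking cookies are not counted as infections."""
    sections = split_sections(text)
    counts = {
        "malware": section_count(sections.get("Detected malware", [])),
        "signatures": section_count(sections.get("Detected signatures", [])),
        "grayware": section_count(sections.get("Detected grayware/spyware", [])),
        "cookies": section_count(sections.get("HTTP cookies", [])),
    }
    vulns = parse_vulnerabilities(sections.get("Detected vulnerabilities", []))
    remaining = (counts["malware"] or 0) + (counts["grayware"] or 0)
    return {"counts": counts, "vulnerabilities": vulns,
            "infections_remaining": remaining, "unpatched": len(vulns),
            "clean": remaining == 0}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("infections remaining:", report["infections_remaining"])
    for v in report["vulnerabilities"]:
        print("unpatched:", v["title"], "|", ", ".join(v["affected"]))
```

Run on the sample it reports zero infections remaining and two unpatched vulnerabilities, which is the honest reading of the paste: the malware is gone, but the missing patches are what let it in and will let the next SdBot variant back in. A report that still shows a non-zero count in the malware or grayware section would flip `clean` to False regardless of how the template notes read.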

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 08 May 2006 - 05:35 PM

Hello aelfgifa,

although I couldn't run it today. Maybe their site is just busy.


Their site is frequently busy. You could try at another time,
or you could try any of these online scanners:

BitDefender Free Online Virus Scan http://www.bitdefender.com/scan8/ie.html
Kaspersky Online Scanner http://www.kaspersky.com/virusscanner
Panda Activescan http://www.pandasoftware.com/products/activescan.htm
F-Secure Online Virus Scanner http://support.f-secure.com/enu/home/ols.shtml
eTrust Antivirus Web Scanner http://www3.ca.com/securityadvisor/virusinfo/scan.aspx





I downloaded ZoneAlarm but haven't installed it yet. Should I?


Yes, if you do not have a firewall then install ZoneAlarm. A firewall is your first defense against malware and it will do a far better job than SocketShield.


Does this mean my problems are over?


Before I give you the OK, I would like to see another page of your Housecall (as much as you can squeeze into the thread). I have to be certain that Housecall removed all the viruses it found.

Your HijackThis log looks clean. :thumbsup:

It's a good idea to change all of your passwords frequently - just don't forget them.

If you update your Internet Explorer, then some of the errors that Housecall is finding will go away. Your current version is vulnerable to attacks.
I cannot stress this strongly enough.
http://www.microsoft.com/downloads/

How is your computer acting?

Edited by SifuMike, 08 May 2006 - 05:40 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



