Hijacked By A Worm Trojan


  • This topic is locked
13 replies to this topic

#1 drgonzo

Posted 17 January 2007 - 05:51 AM

Hello,
I seem to be infected with a worm called Alcan. I've tried to remove it with Ad-Aware to no effect. I had a look at other related topics, but couldn't download AVG antivirus as I'm using Windows 95.
Here is a HijackThis log after running Ad-Aware and removing some critical objects.

thanks for any help

Logfile of HijackThis v1.99.1
Scan saved at 10:50:09, on 17/01/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SAMSUNG\SAMSUNG SCX-4X21 SERIES\PSU\SCAN2PC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcenter.com/uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 100.000.000.4
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [{295C16E3-0000-6153--popo0161}] "C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1



#2 htv8

Posted 17 January 2007 - 12:53 PM

Hello drgonzo, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 htv8

Posted 17 January 2007 - 03:46 PM

IMPORTANT
Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you as the infections could reoccur. Visit Microsoft's Windows Update site and if it asks to install software, let it. Next, install ALL critical updates and any other Windows updates for services/programs you use. When it prompts you to reboot, do so. Then repeat the process again until there are no more critical updates listed.
I recommend that you visit Microsoft's Windows Update site regularly, because lots of hackers/trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.


IMPORTANT
It is important that your computer has an antivirus software running on your machine.
Your log doesn't show an antivirus software running. This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it.
You need to install an antivirus program as soon as you can and run a complete scan of the computer. Please download and install one of these good (and free) products:
- Antivir
- Avast Free
- AVG Free
- Bitdefender Free

Install one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.
NOTE: Never install more than one antivirus program on your system. Several together can give problems and decrease the reliability of it seriously.


IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it.
If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm Free
- Outpost Firewall Free
- Kerio

NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.


Now I need to see another HijackThis log, but you need to extract (unzip) HijackThis first (otherwise the backups made when items are fixed won't be secure). The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis and save HijackThis_sfx to your Desktop.
Download HijackThis v.1.99.1

Once it is downloaded, double-click on the hijackthis_sfx.exe file and click the Unzip button. Then close the WinZip Self-Extractor window. Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it.
Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

When the HijackThis window opens, click on the button labelled "Do a system scan and save a logfile". HijackThis will perform a system scan, and when the scan is complete, Notepad will open up containing the scan results. The HijackThis log will be automatically saved to the HijackThis folder. Copy the entire contents of the new HijackThis log and post them here.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#4 drgonzo

Posted 24 January 2007 - 11:27 AM

Hi, sorry it took so long...
I've updated to the latest Windows versions....
and installed avast antivirus...
not going to install a firewall...

Here is the latest HijackThis log

thanks for help

Logfile of HijackThis v1.99.1
Scan saved at 16:24:31, on 24/01/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SAMSUNG\SAMSUNG SCX-4X21 SERIES\PSU\SCAN2PC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 100.000.000.4
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [{295C16E3-0000-6153--popo0161}] "C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1

#5 htv8

Posted 25 January 2007 - 03:43 AM

IMPORTANT
Not having installed a software firewall is somewhat suicidal in today's digital world. It is important that you use a firewall, to prevent unauthorised traffic both out of and into your computer. I strongly recommend you to install a firewall, otherwise you are more prone to reinfection by malware. Do you have a reason for not wanting to install one?
I strongly advise downloading and installing ONE of these good (and free) products:
- ZoneAlarm Free
- Outpost Firewall Free
- Kerio

For more information about firewalls, see this reference: Understanding and Using Firewalls.


Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A printout of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can use and is using to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #2
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
O4 - HKLM\..\Run: [{295C16E3-0000-6153--popo0161}] "C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161}\Update.exe" mc-110-12-0000137
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #3
First enable the viewing of hidden files in Windows by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):
C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161} <-- this folder
C:\Windows\System\DLHelperEXE.exe
C:\WINDOWS\web\related.htm

Reboot your computer to boot back into normal mode.

Step #4
Please download Combofix and save it to your Desktop.
Download combofix.exe

Once downloaded, double-click combofix.exe and follow the on-screen prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

NOTE: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall!

Step #5
Please provide me an uninstall list by performing these instructions:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the button labelled "Open Uninstall Manager...". You'll see a list of currently installed programs.
5. Click on the button labelled "Save list..." and specify where you would like to save the uninstall list.

When you press the Save button, Notepad will open up with the contents of that file. Copy and paste the contents of that Notepad file as a reply to this topic.

Step #6
Scan with HijackThis again and post a new HijackThis log.

Edited by htv8, 25 January 2007 - 03:45 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#6 drgonzo

Posted 25 January 2007 - 06:00 AM

Hi, got through everything, except when I downloaded combofix.exe.... it didn't work, tried two other download links, same problem... coming up error...

here is log from step#5

Ad-Aware SE Personal
Adobe Acrobat 4.0
avast! Antivirus
Conexant SoftK56 PCI Modem(M)
HijackThis 1.99.1
Internet Explorer Q891781
Ipswitch WS_FTP Pro
J2SE Runtime Environment 5.0 Update 10
Lotus SmartSuite 97
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2000 Standard
Microsoft Office 2000 Small Business
Microsoft Outlook Express 6
Microsoft PowerPoint Viewer 97
Microsoft Web Publishing Wizard 1.6
Microsoft Works 2000
ML-1710 Series
MP3 Player Utilities
OIN
Outlook Express Q837009
Readiris Pro 9
Samsung SCX-4x21 Series
Shockwave
SmarThru 4
SmarThru PC Fax
USB Storage Driver
Winamp (remove only)
Windows Millennium Edition KB891711 Update
Windows Millennium Edition Q823559 Update


hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:58:44, on 25/01/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SAMSUNG\SAMSUNG SCX-4X21 SERIES\PSU\SCAN2PC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 100.000.000.4
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1

cheers
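
One way to confirm that the "Fix checked" pass in Step #2 of post #5 removed exactly the requested entries is to diff the HijackThis log taken before the fix against the one posted afterwards. This is an added example, not part of the thread or of HijackThis itself; the function names are illustrative, and the sample logs are trimmed excerpts of the logs posted above.

```python
import re

# A HijackThis result line starts with a section code (R0, O4, O17, ...)
# followed by " - ". Header lines and running-process paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, body) result lines found in a log."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def verify_fix(before_log, after_log, target_log):
    """Compare two scans against the list of entries that were to be fixed."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    targets = parse_entries(target_log)
    gone = before - after
    return {
        # Targets that survived the fix and need another look.
        "still_present": sorted(targets & after),
        "removed_as_asked": sorted(targets & gone),
        # Targets that were never in the earlier scan ("if they are present").
        "never_listed": sorted(targets - before),
        # Entries that vanished without being on the fix list.
        "removed_unasked": sorted(gone - targets),
        # Entries that appeared between the two scans.
        "new_entries": sorted(after - before),
    }


# Trimmed excerpt of the log in post #4 (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [{295C16E3-0000-6153--popo0161}] "C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161}\Update.exe" mc-110-12-0000137
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1
"""

# Trimmed excerpt of the log in post #6 (after the fix and the Java update).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1
"""

# The four entries listed under Step #2 in post #5.
TARGETS = r"""
O4 - HKLM\..\Run: [{295C16E3-0000-6153--popo0161}] "C:\Program Files\Common Files\{295C16E3-0000-6153--popo0161}\Update.exe" mc-110-12-0000137
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

if __name__ == "__main__":
    for bucket, entries in verify_fix(BEFORE, AFTER, TARGETS).items():
        print(f"{bucket}: {len(entries)}")
        for section, body in entries:
            print(f"  {section} - {body}")
```

On these excerpts the four targeted entries are gone, while the old Java toolbar button also disappeared and a new Java BHO appeared, both consistent with the Java reinstall in Step #1 rather than with the HijackThis fix.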

#7 htv8

Posted 26 January 2007 - 02:13 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Go to Start > Control Panel > Add/Remove Programs and uninstall OIN if listed. This entry is bad.

Step #2
Although you updated your Sun Java Console, you are still not running the latest version. Older versions have vulnerabilities that malware can use and is using to infect systems.
Please perform these instructions once again to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and uninstall J2SE Runtime Environment 5.0 Update 10.
3. Reboot your computer.
4. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #3
Please download Silent Runners.zip from the download link below and save it to your Desktop.
Download Silent Runners.zip

Once it is downloaded, extract the ZIP file to a new folder on your Desktop. Run the Silent Runners.vbs file inside it by double-clicking on it.
NOTE: If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it.

Once launched, you will receive a prompt: "Skip supplementary searches?". Click the No button. A text file will appear in the Silent Runners folder. Silent Runners is not done yet, so please let it run. (It won't appear to be doing anything)! Once you receive the "All Done!" prompt, open the text file and post the entire contents of that text file in your next reply.

Step #4
Please perform an online scan with Kaspersky Online Scanner (click).
Follow these instructions:
1. Click on the button labelled "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Install it.
3. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded, click on NEXT.
4. Now click on "Scan Settings".
5. In the scan settings, make sure the following are selected:

Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

6. Click OK.
7. Now under select a target to scan, select My Computer.

The program will start and scan your system.
NOTE: The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected. Click on the button labelled "Save as Text" and save a text file to your Desktop. Copy and paste that information in your next post.

Step #5
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#8 drgonzo

Posted 26 January 2007 - 09:55 AM

Here are the reports.....

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"WHITNEY_S2P" = "C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" ["0"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"PavProc" = "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe" [file not found]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
-> {HKLM...CLSID} = "WsftpBrowserHelper Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]




And here is the Kaspersky report
KASPERSKY ONLINE SCANNER REPORT
Friday, January 26, 2007 2:49:20 PM
Operating System: Microsoft Windows Millennium Edition
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/01/2007
Kaspersky Anti-Virus database records: 262181


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
a:\
c:\
d:\

Scan Statistics
Total number of scanned objects: 28497
Number of viruses found: 19
Number of infected objects: 63 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:55:44

Infected Object Name | Virus Name | Last Action
c:\_RESTORE\TEMP\A0328187.CPY Infected: Trojan-Dropper.Win32.Small.abe
skipped

c:\_RESTORE\TEMP\A0328188.CPY Infected:
not-a-virus:AdWare.Win32.180Solutions skipped

c:\_RESTORE\TEMP\A0328189.CPY Infected:
not-a-virus:AdWare.Win32.VirtualBouncer.d skipped

c:\_RESTORE\TEMP\A0328196.CPY Infected: Trojan-Dropper.Win32.Mudrop.r
skipped

c:\_RESTORE\TEMP\A0328197.CPY Infected:
not-a-virus:AdWare.Win32.Softomate.ac skipped

c:\_RESTORE\TEMP\A0330945.CPY Infected: not-a-virus:AdWare.Win32.Thumper.a
skipped

c:\_RESTORE\ARCHIVE\FS555.CAB/W0465365.CPY/data0003 Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS555.CAB/W0465365.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS555.CAB CAB: infected - 2 skipped

c:\_RESTORE\ARCHIVE\FS552.CAB/A0320970.CPY Infected:
Backdoor.Win32.EggDrop.v skipped

c:\_RESTORE\ARCHIVE\FS552.CAB/A0320974.CPY Infected:
not-a-virus:RiskTool.Win32.Starter.a skipped

c:\_RESTORE\ARCHIVE\FS552.CAB/A0320978.CPY Infected:
Trojan-Downloader.Win32.Agent.bca skipped

c:\_RESTORE\ARCHIVE\FS552.CAB/A0321066.CPY Infected:
Trojan-Dropper.Win32.Agent.bbp skipped

c:\_RESTORE\ARCHIVE\FS552.CAB CAB: infected - 4 skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0321954.CPY/data0003 Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0321954.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322051.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.ak skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322053.CPY/data0003 Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322053.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322054.CPY/data0003 Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322054.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.bu skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322303.CPY Infected:
not-a-virus:AdWare.Win32.PurityScan.ak skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322335.CPY/WISE0023.BIN/data0001.cab/VVSN.exe
Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322335.CPY/WISE0023.BIN/data0001.cab
Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322335.CPY/WISE0023.BIN Infected:
not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322335.CPY/WISE0027.BIN Infected:
not-a-virus:AdTool.Win32.WhenU.a skipped

c:\_RESTORE\ARCHIVE\FS554.CAB/A0322335.CPY Infected:
not-a-virus:AdTool.Win32.WhenU.a skipped

c:\_RESTORE\ARCHIVE\FS554.CAB CAB: infected - 13 skipped

c:\_RESTORE\ARCHIVE\FS557.CAB/A0324072.CPY/WISE0044.BIN/stream/data0005
Infected: not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\_RESTORE\ARCHIVE\FS557.CAB/A0324072.CPY/WISE0044.BIN/stream Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\_RESTORE\ARCHIVE\FS557.CAB/A0324072.CPY/WISE0044.BIN Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\_RESTORE\ARCHIVE\FS557.CAB/A0324072.CPY Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\_RESTORE\ARCHIVE\FS557.CAB CAB: infected - 4 skipped

c:\_RESTORE\ARCHIVE\FS558.CAB/A0324996.CPY Infected:
Backdoor.Win32.EggDrop.v skipped

c:\_RESTORE\ARCHIVE\FS558.CAB/A0324997.CPY Infected: P2P-Worm.Win32.VB.dw
skipped

c:\_RESTORE\ARCHIVE\FS558.CAB CAB: infected - 2 skipped

c:\_RESTORE\LOGS\vxdsfp.log Object is locked skipped

c:\_RESTORE\LOGS\vxdalt1.log Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbd Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbk Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbd
Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbk
Object is locked skipped

c:\WINDOWS\SYSTEM\pknkizi.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
skipped

c:\WINDOWS\SYSTEM\htctes.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
skipped

c:\WINDOWS\SYSTEM\mi1.exe/data0009/stream/data0006 Infected:
not-a-virus:AdWare.Win32.Softomate.e skipped

c:\WINDOWS\SYSTEM\mi1.exe/data0009/stream Infected:
not-a-virus:AdWare.Win32.Softomate.e skipped

c:\WINDOWS\SYSTEM\mi1.exe/data0009 Infected:
not-a-virus:AdWare.Win32.Softomate.e skipped

c:\WINDOWS\SYSTEM\mi1.exe NSIS: infected - 3 skipped

c:\WINDOWS\SYSTEM\mi2.exe/WISE0044.BIN/stream/data0005 Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\WINDOWS\SYSTEM\mi2.exe/WISE0044.BIN/stream Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\WINDOWS\SYSTEM\mi2.exe/WISE0044.BIN Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\WINDOWS\SYSTEM\mi2.exe WiseSFX: infected - 3 skipped

c:\WINDOWS\SYSTEM\mi2.exe WiseSFX Dropper: infected - 3 skipped

c:\WINDOWS\APPLOG\ZIPPER.1.~~C Object is locked skipped

c:\WINDOWS\SchedLog.Txt Object is locked skipped

c:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Object is locked skipped

c:\WINDOWS\Sti_Trace.log Object is locked skipped

c:\WINDOWS\Sti_Event.log Object is locked skipped

c:\WINDOWS\wiaservc.log Object is locked skipped

c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked
skipped

c:\WINDOWS\Cookies\index.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\MSHist012007012620070127\index.dat Object
is locked skipped

c:\WINDOWS\WIN386.SWP Object is locked skipped

c:\Program Files\Windows Media
Player\Music\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\Program Files\Windows Media
Player\Music\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected:
not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe/WISE0023.BIN
Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe/WISE0027.BIN
Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe WiseSFX:
infected - 4 skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe WiseSFX Dropper:
infected - 4 skipped

c:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL Infected:
not-a-virus:AdWare.Win32.MyWay.z skipped

c:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL Infected:
not-a-virus:AdWare.Win32.MyWay.z skipped

c:\Program
Files\HijackThis\backups\backup-20070125-102847-670-DLHelperEXE.exe
Infected: not-a-virus:AdWare.Win32.Thumper.a skipped

c:\Recycled\Dc1\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac
skipped

c:\Recycled\Dc2\Bar888.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac
skipped

c:\sinead\BSPROINSTALL.exe/WISE0044.BIN/stream/data0005 Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\sinead\BSPROINSTALL.exe/WISE0044.BIN/stream Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\sinead\BSPROINSTALL.exe/WISE0044.BIN Infected:
not-a-virus:AdWare.Win32.Softomate.aa skipped

c:\sinead\BSPROINSTALL.exe WiseSFX: infected - 3 skipped

c:\sinead\BSPROINSTALL.exe WiseSFX Dropper: infected - 3 skipped

Scan process completed.

#9 htv8


Posted 27 January 2007 - 04:58 PM

Step #1
I need to see another Silent Runners log as I'm missing very important information in the current one. You have not posted the entire contents of the text file. Please run Silent Runners again and make sure you include ALL of the Silent Runners log in your next reply. Copy and paste ALL the contents of the Notepad window Silent Runners opens as a reply to this post.

Step #2
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 drgonzo


Posted 30 January 2007 - 09:16 AM

here is logs again...hope i did it ok..

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"WHITNEY_S2P" = "C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" ["0"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"PavProc" = "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe" [file not found]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
-> {HKLM...CLSID} = "WsftpBrowserHelper Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WS_FTP\WSFTPSI.DLL" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WS_FTP\WSFTPSI.DLL" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


System Policies {policy setting}:
---------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"CDRAutoRun" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by System Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Paradise.jpg"

Displayed if Active Desktop disabled and wallpaper not set by System Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Clouds.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=" [file not found]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.netcenter.com/uk/
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
USB Port Monitor\Driver = "ssusbmon.dll" ["SAMSUNG Electronics"]
SUGW2 Langmon\Driver = "SUGW2lmx.dll" ["Samsung Electronics."]
SmarThru PC Fax Port\Driver = "SamFaxPort.dll" ["Samsung Software Center, Moscow"]
usbmon.dll\Driver = "usbmon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 20 seconds.
---------- (total run time: 89 seconds)



hijack log

Logfile of HijackThis v1.99.1
Scan saved at 14:14:35, on 30/01/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SAMSUNG\SAMSUNG SCX-4X21 SERIES\PSU\SCAN2PC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\LOTUS\APPROACH\APPROACH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 100.000.000.4
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1

#11 htv8


Posted 31 January 2007 - 11:46 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
Go to Start > Run and copy/paste each of the following lines in the Run: field, followed by pressing the Enter key after each line:
regsvr32 /u C:\WINDOWS\system\pknkizi.dll
regsvr32 /u C:\WINDOWS\system\htctes.dll

Step #2
If not already enabled, please follow these steps to enable the viewing of hidden files in Windows:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shut down My Computer.

Your computer is now configured to show all hidden system files and folders.

Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):
C:\WINDOWS\system\pknkizi.dll
C:\WINDOWS\system\htctes.dll
C:\WINDOWS\system\mi1.exe
C:\WINDOWS\system\mi2.exe
C:\Program Files\Windows Media Player\Music\BSINSTALL.exe
C:\Recycled\Dc1\Update.exe
C:\Recycled\Dc2\Bar888.dll

C:\Program Files\MyWay <-- this folder
C:\sinead <-- this folder

Reboot your computer to boot back into normal mode.

Step #3
Please download ATF Cleaner from the link below and save it to your Desktop.
Download ATF Cleaner

Now follow these instructions to run ATF Cleaner:
1. Double-click ATF-Cleaner.exe to run the program.
2. Click once on the Main tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
3. Then click on the button labelled "Empty Selected".

If you use the Mozilla Firefox browser, please follow these instructions as well:
1. Click once on the Firefox tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, please follow these instructions as well:
1. Click once on the Opera tab at the top of the screen and put a checkmark in the radiobutton labelled "Select All".
2. Then click on the button labelled "Empty Selected". NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Now click the Exit button on the Main tab to exit the program.

Step #4
Download Dr.WEB CureIt! to your Desktop by clicking the download link below.
Download Dr.WEB CureIt!

Once downloaded, double-click the cureit.exe file to launch the program. Please follow these instructions to run Dr.WEB CureIt!:
1. Once launched, click once on the Start link. Click the OK button on the confirmation window to allow the express scan to run.
NOTE: This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
2. Once the scan has finished, click Options > Change settings.
3. Click once on the Scan tab (if not already selected) and remove the checkmark from the checkbox labelled "Heuristic analysis".
4. Click the Apply button, followed by clicking the OK button to return back to the main window.
5. Back at the main window, mark the drives you want to scan by clicking on them. Select all drives. A red dot shows which drives have been chosen.
6. Click the green arrow at the right to start the scan. Click the button labelled "Yes to all" if it asks if you want to cure/move the file.

When the scan has finished, see if you can click the Posted Image icon next to the files found. If so, click it and then click the icon below and select the option labelled "Move incurable" (as you can see in the image below):
Posted Image
This will move the files to the %userprofile%\DoctorWeb\quarantaine-folder if they cannot be cured. (This is in case we need samples.)

Now follow these instructions to generate a report for review:
1. In the Dr.WEB CureIt! menu on top, click File and choose the option labelled "Save report list".
2. Save the report to your Desktop. The report will be called DrWeb.csv.
3. Close Dr.WEB CureIt!.
4. Reboot your computer after closing, because it could be possible that files in use will be moved/deleted during reboot.
5. After reboot, post the contents of the log from Dr.WEB CureIt! you saved previously in your next reply.

Step #5
Scan with HijackThis again and post a new HijackThis log.
Also let me know how your computer is running.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

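How the nested detections in the scan report posted earlier in this thread collapse into a short list of files on disk, shown as an added example that is not part of the original posts or of any tool named in the thread. It assumes the report layout visible in the thread (blank-line-separated records, `/` separating archive members from the on-disk path); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the scan report posted in this thread, kept with the forum's
# line wrapping (records are separated by blank lines).
SAMPLE_REPORT = r"""
c:\_RESTORE\ARCHIVE\FS558.CAB/A0324996.CPY Infected:
Backdoor.Win32.EggDrop.v skipped

c:\_RESTORE\ARCHIVE\FS558.CAB/A0324997.CPY Infected: P2P-Worm.Win32.VB.dw
skipped

c:\_RESTORE\ARCHIVE\FS558.CAB CAB: infected - 2 skipped

c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbd Object is locked skipped

c:\WINDOWS\SYSTEM\pknkizi.dll Infected: Email-Worm.Win32.Tanatos.b.dam2
skipped

c:\WINDOWS\SYSTEM\mi1.exe/data0009/stream/data0006 Infected:
not-a-virus:AdWare.Win32.Softomate.e skipped

c:\WINDOWS\SYSTEM\mi1.exe/data0009 Infected:
not-a-virus:AdWare.Win32.Softomate.e skipped

c:\WINDOWS\SYSTEM\mi1.exe NSIS: infected - 3 skipped

c:\Program Files\Windows Media
Player\Music\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected:
not-a-virus:AdWare.Win32.SaveNow.z skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe/WISE0027.BIN
Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

c:\Program Files\Windows Media Player\Music\BSINSTALL.exe WiseSFX Dropper:
infected - 4 skipped
"""

# "<path> Infected: <verdict> skipped"; the per-container summaries use a
# lower-case "infected - N" and are deliberately not matched.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")


def parse_report(text):
    """Yield (on_disk_file, inner_path, verdict) for every 'Infected:' record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        # Undo the forum's wrapping: one record may span two or three lines.
        record = " ".join(line.strip() for line in block.splitlines())
        match = INFECTED.match(record)
        if not match:
            continue  # locked objects and container summaries
        # Windows paths use "\", so the first "/" marks the archive boundary.
        on_disk, _, inner = match.group("path").partition("/")
        yield on_disk, inner, match.group("verdict")


def triage(text, restore_root="c:\\_restore\\"):
    """Split detections into files to handle by hand and System Restore archives.

    Files under the restore root are cleared by resetting System Restore,
    so they are reported separately instead of being queued for deletion.
    """
    manual, restore = defaultdict(set), defaultdict(set)
    for on_disk, _inner, verdict in parse_report(text):
        in_restore = on_disk.lower().startswith(restore_root)
        (restore if in_restore else manual)[on_disk].add(verdict)
    return dict(manual), dict(restore)


def removal_plan(text):
    """Return [(path, severity, verdicts)] with malware listed before adware."""
    manual, _restore = triage(text)
    plan = []
    for path, verdicts in manual.items():
        # The scanner prefixes adware/riskware labels with "not-a-virus:".
        adware_only = all(v.startswith("not-a-virus:") for v in verdicts)
        plan.append((path, "adware" if adware_only else "malware", sorted(verdicts)))
    return sorted(plan, key=lambda item: (item[1] != "malware", item[0].lower()))


if __name__ == "__main__":
    for path, severity, verdicts in removal_plan(SAMPLE_REPORT):
        print(f"{severity:8} {path}  <- {', '.join(verdicts)}")
    for archive, verdicts in triage(SAMPLE_REPORT)[1].items():
        print(f"restore  {archive}  <- {', '.join(sorted(verdicts))}")
```
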

#12 drgonzo


Posted 01 February 2007 - 10:08 AM

ok the csv file from dr.web cureit... was clear
everything is running smoothly
here is log of hijack this

Logfile of HijackThis v1.99.1
Scan saved at 15:03:35, on 01/02/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SAMSUNG\SAMSUNG SCX-4X21 SERIES\PSU\SCAN2PC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 100.000.000.4
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP\WSBHO2K0.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PavProc] C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 100.0.0.1



cheers for your help...

#13 htv8


Posted 02 February 2007 - 07:27 AM

Your log looks clean now. Good work! :thumbsup: However, if you experience any more problems, please report back.

Now please follow the simple steps below in order to keep your computer clean and secure.

Step #1: re-hide hidden system files and folders
Re-hide your hidden system files and folders again, because the above instructions to set your system to show all files unhide legit files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform these instructions:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Place a checkmark in the checkbox labelled "Hide file extensions for known file types".
6. Place a checkmark in the checkbox labelled "Hide protected operating system files".
7. Deselect the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shut down My Computer.

Now your computer is configured to hide all hidden system files and folders.

Step #2: reset and re-enable System Restore
Reset and re-enable System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. To clean these files:
1. Close all programs so that you are at your Desktop.
2. Right-click the My Computer icon on the Desktop or the My Computer entry in the Start menu.
3. In the right-click menu, go to Properties.
4. Click the System Restore tab.
5. Place a checkmark in the checkbox labelled "Turn off System Restore on all drives" to disable System Restore.
6. Click the Apply button.
7. Uncheck the option labelled "Turn off System Restore on all drives" to turn System Restore back on.
8. Click the OK button.

You have now flushed your previous restore points, so we will make a new one again since your computer is clean now:
1. Close all programs so that you are at your Desktop.
2. Go to Start > All Programs > Accessories > System Tools > System Restore.
3. Select the radio button labelled "Create a restore point" and press the Next button.
4. Type the name you would like this restore point to be referred to by and press the Create button.
5. Press the Close button to close the System Restore utility.

Step #3
Finally, and definitely the MOST IMPORTANT step, click on this tutorial and follow each step listed here:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Do not forget to tell your friends about us.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#14 htv8


Posted 14 February 2007 - 07:52 AM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
