trojan-backdoor-rustock



#1
snezzlebear
  • Member
  • 24 posts
Sorry if this is in the wrong section - I'm totally confused. I have no idea how to get rid of this thing at all. Each night I do an AVG virus scan and an Ad-Aware scan and get nothing, but when I do a scan with Spy Sweeper I continually come up with this 1 trojan - I cannot locate it and I have no idea where to start in regards to removing it. Any help would be much appreciated. :whistling:

#2
tirol
  • Visiting Staff
  • 402 posts
Hello snezzlebear,

Welcome to GeeksToGo,
my name is tirol and I'll help you.

First I need a HijackThis log:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
thanks,
tirol

Edited by tirol, 26 December 2006 - 08:01 AM.


#3
snezzlebear
  • Topic Starter
  • Member
  • 24 posts

Well, here is what I got. BTW, I couldn't get it from your link for some reason O.o, it kept coming up with "cannot find server" =/

Logfile of HijackThis v1.99.1
Scan saved at 2:15:07 AM, on 27/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: The IE monitor (part of Time Boss application) - {E421B744-12A1-4447-AB8A-DA2F96D9D9EE} - C:\PROGRA~1\TIMEBO~1\TIME_B~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9244B6FA-0AB0-4A67-9170-B393C402F106}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7CDD8B0-7168-4D78-83E7-693A8937F537}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: time_boss_logon - C:\Program Files\Time Boss\time_boss_l2.mik
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Time boss srv (TimeBossSrv) - NiceKit Software - C:\Program Files\Time Boss\time_boss_s.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
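A log like the one above is read line by line by a helper who looks for a few recurring signs: an O23 service whose binary is missing on disk or whose vendor is unknown, an O20 Winlogon notification package that is not a DLL, an O17 DNS server that is not the home router, or an O4 autostart launched from a user profile or temp folder. The Python script below is an added example written for this thread; it is not part of HijackThis, rustbfix or any other tool mentioned here. It encodes those heuristics and runs them over a constructed sample built from lines modelled on the logs posted above plus two made-up lines (a 203.0.113.5 resolver and a Run entry under a Temp folder, both placeholders) so that every rule fires. A finding means "look at this", not "this is malware": the r_server service and the Time Boss notify package are both flagged, and both correspond to software that appears in the uninstall list posted later in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool from
this thread). Each rule encodes something a helper checks by eye; a Finding
means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed sample: lines modelled on the logs posted in this thread, plus two
# made-up lines (the 203.0.113.5 resolver and the Temp-folder Run entry) so that
# every rule fires at least once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\placeholder.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7CDD8B0-7168-4D78-83E7-693A8937F537}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: time_boss_logon - C:\Program Files\Time Boss\time_boss_l2.mik
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
"""

# RFC 1918 ranges plus loopback: a home PC's DNS server is normally the router.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Folders from which a legitimate autostart rarely runs (compared lower-case).
USER_DIRS = ("\\documents and settings\\", "\\users\\", "\\temp\\")

O4_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.(?:exe|com|scr|bat|cmd|pif))', re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why a helper would look twice at this line
    line: str     # the log line itself


def triage_line(line: str) -> List[Finding]:
    """Apply the per-section rules to one log line."""
    line = line.strip()
    out: List[Finding] = []
    if m := O4_RE.match(line):
        if any(d in m["path"].lower() for d in USER_DIRS):
            out.append(Finding("O4", "autostart runs from a user profile or temp folder", line))
    elif m := O17_RE.match(line):
        for raw in m["servers"].split(","):
            try:
                ip = ip_address(raw.strip())
            except ValueError:
                out.append(Finding("O17", f"unparseable NameServer value {raw.strip()!r}", line))
                continue
            if ip.is_unspecified:
                out.append(Finding("O17", "NameServer list contains 0.0.0.0", line))
            elif not any(ip in net for net in LOCAL_NETS):
                out.append(Finding("O17", f"DNS server {ip} is outside the local network", line))
    elif m := O20_RE.match(line):
        if not m["path"].lower().endswith(".dll"):
            out.append(Finding("O20", "Winlogon notification package is not a .dll", line))
    elif m := O23_RE.match(line):
        if "(file missing)" in m["path"]:
            out.append(Finding("O23", "service binary is missing on disk", line))
        if m["owner"].lower() == "unknown owner":
            out.append(Finding("O23", "service has no recorded vendor", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running it on the sample prints six findings: the Temp-folder Run entry, the 0.0.0.0 and 203.0.113.5 name servers, the non-DLL notify package, and the r_server service twice (missing binary and unknown vendor). The rules deliberately stay conservative; anything they do not flag still deserves the usual read-through, and anything they do flag is a question to answer, which here was settled by the uninstall list rather than by deleting files.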

#4
tirol
  • Visiting Staff
  • 402 posts
Hello snezzlebear,

Download
http://www.uploads.e...et/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the content of these logfiles along with a new HijackThis log.

thanks,
tirol.

#5
snezzlebear
  • Topic Starter
  • Member
  • 24 posts
Ok here we go.


pelog

************************* Rustock.b-fix -- By ejvindh *************************
Wed 27/12/2006 21:26:40.46

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69550
Total size: 69550 bytes.
Attempting to remove ADS...
system32: deleted 69550 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iowrqqud

*******************

Script file located at: \??\C:\Documents and Settings\ymhdelwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 9:38:25 PM, on 27/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: The IE monitor (part of Time Boss application) - {E421B744-12A1-4447-AB8A-DA2F96D9D9EE} - C:\PROGRA~1\TIMEBO~1\TIME_B~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9244B6FA-0AB0-4A67-9170-B393C402F106}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7CDD8B0-7168-4D78-83E7-693A8937F537}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: time_boss_logon - C:\Program Files\Time Boss\time_boss_l2.mik
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Time boss srv (TimeBossSrv) - NiceKit Software - C:\Program Files\Time Boss\time_boss_s.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#6
tirol
  • Visiting Staff
  • 402 posts
Hello Snezzlebear,

Your log is clean now.
Before stating all is cleared, please do the following:

1. Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked: Downloaded Applets, Downloaded Applications, Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
2. Panda Active scan
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button,
    then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Then redo a HijackThis scan and post the result along with Panda's report.
Thanks,
tirol.

Edited by tirol, 27 December 2006 - 06:05 PM.


#7
snezzlebear
  • Topic Starter
  • Member
  • 24 posts
ActiveScan


Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Sarah\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Sarah\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@hitbox[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@questionmarket[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@tribalfusion[1].txt
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx


HiJackThis!

Logfile of HijackThis v1.99.1
Scan saved at 1:09:47 AM, on 31/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: The IE monitor (part of Time Boss application) - {E421B744-12A1-4447-AB8A-DA2F96D9D9EE} - C:\PROGRA~1\TIMEBO~1\TIME_B~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9244B6FA-0AB0-4A67-9170-B393C402F106}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7CDD8B0-7168-4D78-83E7-693A8937F537}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: time_boss_logon - C:\Program Files\Time Boss\time_boss_l2.mik
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: Time boss srv (TimeBossSrv) - NiceKit Software - C:\Program Files\Time Boss\time_boss_s.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

LOL I think I need to use Spy Sweeper :whistling:

#8
tirol
  • Visiting Staff
  • 402 posts

LOL I think I need to use Spy Sweeper :whistling:


Yes, please do, check for updates, and post the report to check if it has treated what Panda found.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

tirol.

Edited by tirol, 30 December 2006 - 11:54 AM.


#9
snezzlebear
  • Topic Starter
  • Member
  • 24 posts
OK, well Spy Sweeper didn't pick up anything, but here is the other log.



Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Apple Software Update
AVG Free Edition
AviSynth 2.5
Baldur's Gate & Tales of the Sword Coast
DC++ 0.698
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
FLV Player 1.3.3
Hamachi 1.0.1.3
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
LimeWire PRO 4.12.3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
NoteWorthy Composer
Panda ActiveScan
PSP Video 9 1.74
QuickTime
RealPlayer
Remote Administrator v2.2
RONIN
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Spy Sweeper
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Time Boss 2.20
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Yugioh Virtual Desktop

#10
tirol
  • Visiting Staff
  • 402 posts
Hello snezzlebear,

Just a few things to complete,
all is OK now. :whistling:

Deleting bad files/folders & programs

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.
Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\system32\actskn45.ocx


When it's done:
reset your hidden/system files and folders.
System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNCHECK Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Keep the "Hide extensions for known file types" box unchecked as a security feature.


Via Control Panel => Add/Remove Programs,
remove the old Java VM:
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9


Download ATF Cleaner by Atribune.

You will keep this program. It doesn't need any installation.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again with a clean brand-new restore point.



Some security advice:
In addition to keeping your anti-virus program updated, please consider the following points thoroughly:

1. - Windows Updates -
It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.
To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

2. - A real Firewall -
Windows Firewall is an in-bound only firewall. It doesn't prevent baddies (or verbose programs) from accessing the Net from your machine.
You should look into installing a good software firewall:
Two good free versions are Sygate and ZoneLabs.

3. - Hosts file -
In conjunction with a software Firewall, a well-managed hosts file is a must:
MVPS Hosts file <=
The MVPS Hosts file replaces your current HOSTS file with one containing well known bad sites.
Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.


Another good site to learn more about Firewall/hosts file
http://www.accs-net....ts/eDexter.html

Hoster: an excellent tool to easily manage your hosts file:
Download the Hoster from here http://www.funkytoad.com/


4. - anti-spyware tools -
Keep your anti-spyware tools updated and scan at least once a week depending on your Internet activity (Web-browsing, mailing...).


5. Use ATFcleaner on a regular basis.


6. - other tools -
The following is a list of tools and utilities that I like to suggest to people to keep them from getting infected again.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Trillian or Miranda-IM -
    These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
7. To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

8. Last but not least: you have been housing very bad infections which propagate more and more nowadays.
To counter this situation, the main international anti-malware experts have set up a place to receive complaints from net users.
Please visit this site http://www.malwareco....info/index.php
and give all information about your situation.

I insist on an S/W Firewall: it's the first barrier against malware!
Have a safe and happy computing new year :blink: !
tirol

PS: if all is OK from you, I will close this topic.

Edited by tirol, 31 December 2006 - 06:00 AM.

  • 0



#11
snezzlebear

snezzlebear

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I really don't understand this HOSTS thing :whistling:



Also what do you mean by an S/W Firewall and Java VM?

I really need to be cautious of what I install as my computer is pretty old and doesn't really have that much memory :blink:


I have just installed Zone Alarm Firewall and I have begun having difficulties logging in to certain forums and connecting to the internet in general. Do you have any ideas why this is occurring?

Edited by snezzlebear, 01 January 2007 - 01:01 AM.

  • 0

#12
tirol

tirol

    Visiting Staff

  • Visiting Consultant
  • 402 posts
Hello snezzlebear,

Download and save KillBox to your Desktop


Run KillBox and select Standard File Kill
Copy this list of file and folder locations to your clipboard:

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

Go to File>>Paste from clipboard
For each file, press the button with a red X in it and click Yes>>OK
When all files/folders have been removed, exit KillBox


I really don't understand this HOSTS thing

From the link I gave you: http://www.accs-net....ts/eDexter.html
did you read this: http://www.accs-net....t_is_hosts.html ?
The hosts file, with no extension, is located at: c:\windows\system32\drivers\etc
Can you tell me if you downloaded one, and what size it is?

Also what do you mean by an S/W Firewall and Java VM?

I apologize for having used acronyms.
S/W firewall is a SoftWare firewall such as Zone Alarm.
Java VM is the Java Virtual Machine.
When updated, as you did, old versions are useless and can then be uninstalled.
Start => Control Panel => Add/Remove Programs, remove:
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9

I really need to be cautious of what I install as my computer is pretty old and doesn't really have that much memory

How much do you have?

I have just installed Zone Alarm Firewall and i have begun having difficulties logging in to certain forums and connecting to the internet in general.
Do you have any ideas why this is occuring?

Is this really related to the Zone Alarm installation or to the hosts file?

You can free some memory by stopping certain anti-malware shields:

Disable Tea-timer from SpyBot Search&Destroy:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
SuperAntispyware :
right-click on the shortcut from the system tray :
choose : View Control Center (preferences/options)
on the General and Startup tab:
uncheck : Start SUPERAntispyware when Windows starts
then click Close to exit.

To disable SpySweeper:
Open it, click >Options over to the left then >Program Options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

redo a scan with HijackThis and post the log here,
thanks,
tirol.
  • 0

#13
snezzlebear

snezzlebear

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts

Download and save KillBox to your Desktop


Run KillBox and select Standard File Kill
Copy this list of file and folder locations to your clipboard:

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

Go to File>>Paste from clipboard
For each file, press the button with a red X in it and click Yes>>OK
When all files/folders have been removed, exit KillBox


Just wanted to make sure I was understanding you. I can see a box with a red circle and a white cross; is this the button you mean?

From the link I gave you: http://www.accs-net....ts/eDexter.html
did you read this: http://www.accs-net....t_is_hosts.html ?
The hosts file, with no extension, is located at: c:\windows\system32\drivers\etc
Can you tell me if you downloaded one, and what size it is?


I think I understand it now. I did read it but it confused me then. Is it basically like a call monitoring system? :whistling:

I got one called "Hoster" from www.funkytoad.com.
If I'm understanding you right, 275KB.

I apologize for having used acronyms.
S/W firewall is a SoftWare firewall such as Zone Alarm.
Java VM is the Java Virtual Machine.
When updated, as you did, old versions are useless and can then be uninstalled.
Start => Control Panel => Add/Remove Programs, remove:
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9


No need to apologise :) I just thought I had missed something or wasn't understanding you properly.

I really need to be cautious of what I install as my computer is pretty old and doesn't really have that much memory
How much do you have?



On C Drive I have 33 GB and on D Drive I have 12.2 GB, which I am told pretty much equates to nothing *being extremely tiny*, but to be honest I have no concept of size when it comes to computers at all. :blink:

Is this really related to the Zone Alarm installation or to the hosts file?


I'm not sure. :help: How do I find out?

You can free some memory by stopping certain anti-malware shields:

Disable Tea-timer from SpyBot Search&Destroy:

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
SuperAntispyware :
right-click on the shortcut from the system tray :
choose : View Control Center (preferences/options)
on the General and Startup tab:
uncheck : Start SUPERAntispyware when Windows starts
then click Close to exit.

To disable SpySweeper:
Open it, click >Options over to the left then >Program Options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


Do I also need to do this with Ad-Aware SE Personal, SpyWareBlaster and SpyWareGuard?

Here's my log

Logfile of HijackThis v1.99.1
Scan saved at 8:56:23 AM, on 5/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Time Boss\time_boss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: The IE monitor (part of Time Boss application) - {E421B744-12A1-4447-AB8A-DA2F96D9D9EE} - C:\PROGRA~1\TIMEBO~1\TIME_B~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9244B6FA-0AB0-4A67-9170-B393C402F106}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7CDD8B0-7168-4D78-83E7-693A8937F537}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ADD404F-76B9-476E-B854-35E05B11B752}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: time_boss_logon - C:\Program Files\Time Boss\time_boss_l2.mik
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Time boss srv (TimeBossSrv) - NiceKit Software - C:\Program Files\Time Boss\time_boss_s.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe




Ergh, I also have no idea why I can't quote =(

Edited by tirol, 05 January 2007 - 10:09 AM.

  • 0

#14
tirol

tirol

    Visiting Staff

  • Visiting Consultant
  • 402 posts
Hello dear snezzlebear,

I think I understand it now I did read it but it confused me then. Is it basically like a call monitoring system

It's a bit surprising you are talking about a call monitoring system!
What do you know about that?

Let's come back to your question:
as an example: when a machine (your PC) wants to "talk" to another machine, the dialog between them is what we call a "protocol", whatever the physical link is.
When you "dial" www.geekstogo.com, there is a translation to get the IP address of the machine.
Whatever you have, ADSL or an old 56 Kbit modem, that doesn't matter.
www.geekstogo.com is translated into an IP address.
That's what we call DNS resolution.
Let's say our nasty friend http//www.youri.ru is known as a nest of malware.
Oh yes, either it's a known place to get lots of cracks or keygens to work around costly software, or it's just making money from your visiting that place.
You don't want to get there, do you?
The problem is lots of malware redirects you to places you didn't want to be.
Most of the time it's not harmful, but it becomes annoying. But with bad luck, it can be more than nasty.
What you get is a sample. Hope this is clear.
To get rid of that, there's a simple way, embedded in your operating system, XP.
At the very beginning of a Windows installation, there is a hosts file, but a bare one, in fact exactly equal to hosts.sam.
Now let's say you've been polluted, whatever the means, but in the end you are redirected to youri's site.
It can be by opening a wrong mail attachment (of course not, you'd say!),
or by not following regular Windows updates (no no, I do it!),
or by having no firewall (hmmm yes, I guess!).
OK, let's go on: the insane thing succeeds in getting into your machine.
Every time you want to go to Google the malware changes it to youri.ru.
The hosts file can avoid this.
By adding a line such as: 127.0.0.1 www.youri.ru
you'll get an error while surfing when typing google.
Why?
Because this IP address is your own machine (private), and when any Internet browser wants to go there, reading the hosts file will
send it there, as a non-Internet (public) address.
For sure it will not let you go to Google until we have helped you to be clean.
Not sure, my dear snezzlebear, that all the above is clear enough.
Hoster is a tool to help manage this file.

What you will have to keep in mind is:
you can have all the tools installed, and moreover the free ones, but the most important safe tool is your own brain.

Do you still have problems while surfing?
Which forum can't you reach?


I didn't ask you about your hard drive capacity, but about your memory.
Easy way: right-click on the system tray, then open Task Manager; when there, under the Performance tab you get it in Physical Memory => Total :blink:

tirol.

PS. You don't have any problem with QUOTE: the only thing is you have to be careful of opening tags and ending tags.
i.e.: [tag] blabla [/tag]
If you miss the pair [tag] and [/tag], or any "roving" tag alone without its friend, then you get the mess :whistling:

Edited by tirol, 05 January 2007 - 05:32 PM.

  • 0
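As an added example (not tirol's code, nor anything posted in this thread), here is a small Python script that reads a hosts file in the format described above and sorts each entry into the cases the explanation distinguishes: names pointed at 127.0.0.1 or 0.0.0.0 are blocks, names pointed at some other public address follow the hijack pattern (Google sent somewhere else), and RFC 1918 LAN addresses are left alone. The sample hosts content, the ads.example.net name and the 203.0.113.45 stand-in address are constructed for the example.

```python
"""Audit a Windows hosts file using the rule tirol explains above.

An entry that maps a name to 127.0.0.1 (or 0.0.0.0) keeps the browser
on the local machine, so the site is blocked; an entry that maps a
well-known name to some other address is the redirection pattern that
malware uses.  The sample content below is constructed for this example
and mirrors the format of c:\\windows\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
import re

# Private LAN ranges (RFC 1918); a hosts entry pointing here is a normal
# home-network shortcut, not a redirect to the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the first two lines are what a fresh XP hosts file
# (identical to hosts.sam) contains; the rest are added entries.
# 203.0.113.45 is a documentation address standing in for a hostile IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.youri.ru      # MVPS-style block of the site from the post
0.0.0.0         ads.example.net   # 0.0.0.0 blocks a site the same way
203.0.113.45    www.google.com    # hypothetical hijack: Google sent elsewhere
192.168.1.10    fileserver        # LAN shortcut, legitimate
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    '#' starts a comment, blank lines are skipped, and one address may
    be followed by several hostnames on the same line.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()


def classify(ip_str, hostname):
    """Return 'local', 'blocked' or 'redirect' for one hosts entry."""
    ip = ipaddress.ip_address(ip_str)
    if hostname == "localhost" and ip.is_loopback:
        return "local"                      # the mandatory default entry
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"                    # resolves to this machine / nowhere
    if any(ip in net for net in LAN_NETS):
        return "local"                      # private network, not a redirect
    return "redirect"                       # public name sent to another host


def audit_hosts(text):
    """Group every entry by classification; 'redirect' needs a second look."""
    report = {"local": [], "blocked": [], "redirect": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((name, ip))
    return report


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(kind)
        for name, ip in entries:
            print(f"    {ip:<16} {name}")
```

Run against the real file, a hosts list like the MVPS one shows up as a long "blocked" section, while anything under "redirect" is worth checking by hand.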

#15
snezzlebear

snezzlebear

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I don't know much about call monitoring systems actually, that's just what it sounded like to me =/


The forum I am having difficulty getting on now is www.pojo.com

It lets me type in my logon details but when I click "logon" my password disappears and it says I have entered an incorrect username or password, so I really don't get what's going on there :whistling:


Also just recently my Firewall has been switching itself off ... now I don't think this could even mean hugs and puppies. I'm not sure how to stop it but I also do not know how to re-activate my Zone Alarm Pro firewall
  • 0





