
No means, no! [RESOLVED]



#1 GreekFire (New Member, 9 posts)
I've been to 2 other forums (in 2 weeks), but I'm still unable to find assistance. I know patience is a virtue, but I'd appreciate it if someone would post a reply as soon as they've started taking a look at my HJLog. Doing so will at least relax me a bit, and let me know I'm not being ignored. [/whining]

I am following the 5 step course, which has taken me the past 6 hours. I get ~10 pop-ups every ~7 minutes. They just bombard me "click-click-click" all of a sudden, and I go on a bloody Alt+F4 rampage. The only program that catches my attention is Duce6.exe (I'm sure there are others). I've located Duce6.exe and deleted it (Recycle Bin); ~15 seconds later, it comes back.

Help me [your full name here], you're my only hope... :whistling:



Logfile of HijackThis v1.99.1
Scan saved at 3:40:52 PM, on 8/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\ms04364341-331.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\twhup.exe
F2 - REG:system.ini: UserInit=userinit.exe,ernyacl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [rftwkhsA] C:\WINDOWS\rftwkhsA.exe
O4 - HKLM\..\Run: [jyc47198] RUNDLL32.EXE w4389d25.dll,n 00347195000000034389d25
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Txuuegk] C:\Program Files\Itmot\Qkuog.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [svrrun] C:\WINDOWS\svrrun.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINDOWS\SStb.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [4s9f3sO] jv6nlrt7oj.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [rikk] C:\PROGRA~1\COMMON~1\rikk\rikkm.exe
O4 - HKCU\..\Run: [Jlqfdm] C:\Documents and Settings\Owner\Application Data\?racle\l?[bleep].exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LBqpRii7i] jniyeze11378io.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150352906453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8467C057-CE3A-4957-A5D5-D50B1DDD4CDD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

#2 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
Hello GreekFire....welcome to G2G forums...

This computer is SEVERELY infected. If we can clean it, it will likely take multiple steps. I'm willing to give it a shot if you are... :whistling:

We can help you, but you need to help us first.

You appear to have NO antivirus program on your computer and this is a must! Web surfing these days without an updated AV program is computer suicide.

Whether it is a free version like AVG or Anti-Vir, this is a must have. If you have no other AV program that you choose to use, select one of these two, install it, update it, run a system scan and let it fix what it finds.

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. Log into your usual account.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows.

4. Now download this file from either of these two locations :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

Double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall!

5. Post the ComboFix log in your next reply along with a new HJT log and we'll see what we need to do next...and there will be more to do.

#3 GreekFire (Topic Starter, New Member, 9 posts)
"SEVERELY"? I appreciate your help, and I will thoroughly follow your instructions, even if they contradict my morals! :whistling:

Here are the current results.

-----------------------------------------------------------------------------
ComboFix Log
-----------------------------------------------------------------------------

Owner - 06-08-25 22:22:01.93
ComboFix 06.08.24 - Running from: C:\

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-20 10:07 52 --a------ C:\WINDOWS\neonoc.dat


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-20 10:07 52 neonoc.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wtssvtr.exe
C:\Program Files\Deskbar
C:\Program Files\PSLister
C:\Program Files\TClock
C:\Program Files\Common Files\{EC3FC80B-0958-1033-1202-030512200001}
C:\WINDOWS\Duce6.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\RACLE~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-07-25 to 2006-08-25 ))))))))))))))))))))))))))))))))))


2006-08-25 22:16 106,496 --a------ C:\WINDOWS\Duce6.exe
2006-08-25 22:04 297,246 --a------ C:\combofix.exe
2006-08-25 14:51 159,744 --a------ C:\WINDOWS\ms04364341-331.exe
2006-08-21 23:09 159,744 --a------ C:\WINDOWS\sys031364341-332006.exe
2006-08-21 22:34 159,744 --a------ C:\WINDOWS\ms064341-331362006.exe
2006-08-21 17:41 25 --a------ C:\WINDOWS\win320841-33136432006.exe
2006-08-20 10:13 14,617 --a------ C:\WINDOWS\xload.exe
2006-08-20 10:12 1,167 --a------ C:\WINDOWS\system32\jyc47198.sys
2006-08-20 10:08 214,752 --a------ C:\Setup100.exe
2006-08-20 10:08 186,223 --a------ C:\WINDOWS\srvyoeckew.exe
2006-08-03 11:57 16,264 --a------ C:\WINDOWS\system32\msmc.exe
2006-08-02 19:22 109,368 --a------ C:\OiUninstaller.exe
2006-07-27 23:18 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-07-27 23:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-07-27 23:18 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2006-07-26 12:20 613 --a------ C:\WINDOWS\ciwxg.dll
2006-07-26 12:20 32,976 --a------ C:\WINDOWS\system32\uninstIcn.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-25 22:22 -------- d-a------ C:\Program Files\Common Files
2006-08-25 21:08 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-08-25 21:08 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-25 21:08 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-25 21:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-08-25 21:07 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-25 21:07 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-25 21:07 -------- d-------- C:\Program Files\Grisoft
2006-08-25 21:06 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-08-25 15:12 -------- d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2006-08-25 14:58 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-08-25 14:52 -------- d-------- C:\Program Files\QuickTime
2006-08-25 14:52 -------- d-------- C:\Program Files\MSN Messenger
2006-08-25 14:52 -------- d-------- C:\Program Files\AIM
2006-08-25 14:51 -------- d-------- C:\Program Files\Internet Explorer
2006-08-24 11:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2006-08-24 06:54 -------- d-------- C:\Program Files\MySpace
2006-08-22 20:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2006-08-22 14:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-22 14:06 -------- d-------- C:\Program Files\Panasonic
2006-08-22 14:06 -------- d-------- C:\Program Files\MKE
2006-08-21 13:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\çasks
2006-08-20 23:50 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-20 22:30 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-20 10:20 -------- d-------- C:\Program Files\Common Files\rikk
2006-08-20 10:08 -------- d-------- C:\Program Files\MSN
2006-08-15 22:28 90240 --a------ C:\WINDOWS\system32\drivers\sptd8589.sys
2006-08-15 22:28 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-07-29 22:10 -------- d-------- C:\Program Files\ComcastToolbar
2006-07-27 09:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-07-27 00:47 543684 --a------ C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-07-27 00:05 264248 --a------ C:\Documents and Settings\Owner\Application Data\perfc012.dat
2006-07-26 22:27 5609 --a------ C:\Program Files\hijackthis.log
2006-07-06 17:01 -------- d-------- C:\Program Files\Fujifilm e-Systems
2006-07-06 17:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\Digital Album Organizer
2006-07-06 17:00 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-06-17 02:31 218112 --a------ C:\HijackThis.exe
2006-06-06 12:37 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"msmc"=""
"rftwkhsA"="C:\\WINDOWS\\rftwkhsA.exe"
"jyc47198"="RUNDLL32.EXE w4389d25.dll,n 00347195000000034389d25"
"xload"="\"C:\\WINDOWS\\xload.exe\""
"WinTask.exe"="C:\\WINDOWS\\WinTask.exe"
"Uninstall_WinTools"="C:\\WINDOWS\\Temp\\WTuninst.exe /remove"
"Txuuegk"="C:\\Program Files\\Itmot\\Qkuog.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"System service79"="C:\\WINDOWS\\etb\\pokapoka79.exe"
"svrrun"="C:\\WINDOWS\\svrrun.exe"
"SStb.exe"="C:\\WINDOWS\\SStb.exe"
"ssqb.exe"="ssqb.exe"
"seekmo"="\"c:\\program files\\seekmo\\seekmo.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"msnappau"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"dnscleaner"="C:\\WINDOWS\\dnscleaner.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DeskAd Service"="C:\\Program Files\\DeskAd Service\\DeskAdServ.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"AutoUpdater"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"4s9f3sO"="jv6nlrt7oj.exe"
"ms04364341-331"="C:\\WINDOWS\\ms04364341-331.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rikk"="C:\\PROGRA~1\\COMMON~1\\rikk\\rikkm.exe"
"Jlqfdm"="C:\\Documents and Settings\\Owner\\Application Data\\?racle\\l?[bleep].exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"
"Registry Cleaner"="\"C:\\Program Files\\Registry Cleaner\\RegClean.exe\""
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LBqpRii7i"="jniyeze11378io.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyce.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\hozyre.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,d8,00,00,00,cc,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:00,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,d8,00,00,00,cc,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\hnjnszb.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnjnszb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\hnjnszb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"ZESOFT"=dword:00000002
"WinToolsSvc"=dword:00000002
"TBPSSvc"=dword:00000002
"iPodService"=dword:00000003



Completion time: Fri 08/25/2006 22:27:39.64
ComboFix.txt
ComboFix2.txt

-----------------------------------------------------------------------------
HiJackThis Log
-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:34:28 PM, on 8/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\ms04364341-331.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [rftwkhsA] C:\WINDOWS\rftwkhsA.exe
O4 - HKLM\..\Run: [jyc47198] RUNDLL32.EXE w4389d25.dll,n 00347195000000034389d25
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Txuuegk] C:\Program Files\Itmot\Qkuog.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [svrrun] C:\WINDOWS\svrrun.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINDOWS\SStb.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [4s9f3sO] jv6nlrt7oj.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [rikk] C:\PROGRA~1\COMMON~1\rikk\rikkm.exe
O4 - HKCU\..\Run: [Jlqfdm] C:\Documents and Settings\Owner\Application Data\?racle\l?[bleep].exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LBqpRii7i] jniyeze11378io.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150352906453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8467C057-CE3A-4957-A5D5-D50B1DDD4CDD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

#4 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)

> "SEVERELY"? I appreciate your help, and I will thoroughly follow your instructions, even if they contradict my morals! :whistling:


I'm not sure what the adverb "severely" has to do with morals, but believe me, this machine is/was severely infected. :blink:

Let's keep cleaning:

You may want to print a copy of these instructions to refer to later as you will be in safe mode and will not have access to this page!

Before we get going, we need to kill a running process:
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open Process Manager"
  • Find and Click on C:\WINDOWS\ms04364341-331.exe
  • Click on "Kill Process" button
  • Click Yes
  • Close HJT

1. I see you have Ewido installed, so you can skip the download instructions below...make sure it is updated with the latest definitions and set up as follows:

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.

2. RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Save it to your desktop, we will use it later.


4. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [rftwkhsA] C:\WINDOWS\rftwkhsA.exe
O4 - HKLM\..\Run: [jyc47198] RUNDLL32.EXE w4389d25.dll,n 00347195000000034389d25
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Txuuegk] C:\Program Files\Itmot\Qkuog.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [svrrun] C:\WINDOWS\svrrun.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINDOWS\SStb.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [4s9f3sO] jv6nlrt7oj.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe
O4 - HKCU\..\Run: [rikk] C:\PROGRA~1\COMMON~1\rikk\rikkm.exe
O4 - HKCU\..\Run: [Jlqfdm] C:\Documents and Settings\Owner\Application Data\?racle\l?[bleep].exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [LBqpRii7i] jniyeze11378io.exe


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Log into your usual account

5. Please remove these entries from Add/Remove Programs in the Control Panel (if present). Click start>>control panel>>add/remove programs:

PuritySCAN By OIN, OuterInfo, OIN or similar entries
WinTools
EliteBar
180ClientStubInstall
180 Search Assistant
180Solutions


6. Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\Itmot
C:\WINDOWS\etb
c:\program files\seekmo
C:\Program Files\DeskAd Service
C:\Program Files\AutoUpdate
C:\PROGRAM Files\COMMON Files\rikk
C:\Documents and Settings\Owner\Application Data\?racle <== the ? will be some character, probably an O; you need to be careful if you have legitimate Oracle applications on your system
C:\Program Files\Registry Cleaner
C:\Program Files\PSLister


7. Please delete these files using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\rftwkhsA.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\WinTask.exe
C:\WINDOWS\Temp\WTuninst.exe
C:\WINDOWS\svrrun.exe
C:\WINDOWS\SStb.exe
C:\WINDOWS\dnscleaner.exe
C:\WINDOWS\ms04364341-331.exe


8. Please search for the following files using the search function (click start>>search, select all files and folders and search your hard drive). Delete them when found:

w4389d25.dll
ssqb.exe
jv6nlrt7oj.exe
jniyeze11378io.exe


9. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

10. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
11. Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
12. Post back with:
  • the results of the ewido report scan
  • the F-Secure scan results
  • a new HJT log

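The lists in steps 6 to 8 above were derived by hand from the O4 lines ticked in step 4. As an added example (not code from the thread or from HijackThis), the Python script below does that derivation mechanically: it parses the O4 lines quoted in step 4, works out which file each Run value actually launches (quoted paths, unquoted paths containing spaces, rundll32 payloads, bare filenames) and sorts them into the same three lists the helper wrote out: folders to delete, files to delete, and names that have to be located with Search because the entry gives no path. The folder rules (SYSTEM_ROOTS, VENDOR_ROOTS) and the 8.3 aliases PROGRA~1 / COMMON~1 are this example's own assumptions about a default Windows XP layout. Which entries are malicious remains a human call; the script only answers where each payload lives.

```python
"""Derive the folder / file / search lists of steps 6-8 from the O4 lines
ticked in step 4. Added example, not code from the thread or HijackThis.
Which entries are malicious stays a human decision; this only works out
where each entry's payload lives. SYSTEM_ROOTS, VENDOR_ROOTS and the 8.3
aliases are assumptions about a default Windows XP layout."""
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 lines from step 4 above ([bleep] is the forum censor).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [rftwkhsA] C:\WINDOWS\rftwkhsA.exe
O4 - HKLM\..\Run: [jyc47198] RUNDLL32.EXE w4389d25.dll,n 00347195000000034389d25
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Txuuegk] C:\Program Files\Itmot\Qkuog.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [svrrun] C:\WINDOWS\svrrun.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINDOWS\SStb.exe
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [4s9f3sO] jv6nlrt7oj.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe
O4 - HKCU\..\Run: [rikk] C:\PROGRA~1\COMMON~1\rikk\rikkm.exe
O4 - HKCU\..\Run: [Jlqfdm] C:\Documents and Settings\Owner\Application Data\?racle\l?[bleep].exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [LBqpRii7i] jniyeze11378io.exe
"""

# Children of these folders are deleted as single files (assumption).
SYSTEM_ROOTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\temp"}
# Under these, the first subfolder belongs to the unwanted program and is
# removed whole; longest prefix first so Common Files wins over Program Files.
VENDOR_ROOTS = (
    r"c:\program files\common files",
    r"c:\program files",
    r"c:\documents and settings\owner\application data",
    r"c:\windows",
)
SHORT_NAMES = {"progra~1": "Program Files", "common~1": "Common Files"}  # 8.3 aliases
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass
class RemovalPlan:
    hjt_fix: list = field(default_factory=list)  # O4 lines to tick in HJT
    folders: list = field(default_factory=list)  # step 6
    files: list = field(default_factory=list)    # step 7
    search: list = field(default_factory=list)   # step 8: no path given, use Search


def target_of(command: str) -> str:
    """The file a Run value really launches (for rundll32, the DLL)."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted path, args may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"rundll32(?:\.exe)?\s+([^,\s]+)", cmd, re.I)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]   # unquoted path, spaces allowed


def expand_short(path: str) -> str:
    return "\\".join(SHORT_NAMES.get(p.lower(), p) for p in path.split("\\"))


def classify(target: str, plan: RemovalPlan) -> None:
    path = expand_short(target)
    low = path.lower()
    if "\\" not in low:                          # bare name, location unknown
        plan.search.append(path)
        return
    if low.rsplit("\\", 1)[0] in SYSTEM_ROOTS:   # loose file in a system dir
        plan.files.append(path)
        return
    for root in VENDOR_ROOTS:
        if low.startswith(root + "\\"):
            sub = path[len(root) + 1:].split("\\", 1)[0]
            folder = path[:len(root)] + "\\" + sub
            if folder not in plan.folders:
                plan.folders.append(folder)
            return
    plan.files.append(path)                      # unknown layout: delete the file


def build_plan(o4_text: str) -> RemovalPlan:
    plan = RemovalPlan()
    for line in o4_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            plan.hjt_fix.append(line.strip())
            classify(target_of(m.group(3)), plan)
    return plan


if __name__ == "__main__":
    p = build_plan(SAMPLE_O4_LINES)
    for title, items in (("folders", p.folders), ("files", p.files), ("search", p.search)):
        print(f"--- {title} ({len(items)})\n" + "\n".join(items))
```

Run as-is it prints the three lists, which line up with steps 6 to 8 (nine folders, eight files, four names to search). The RUNDLL32 line is the one that needs care: rundll32.exe itself is a legitimate Windows binary, the payload is the DLL named after it, which is why w4389d25.dll lands in the Search list. The `?racle` folder keeps its `?` because the log never shows the real character, so the same caution about legitimate Oracle software applies.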

#5 GreekFire (Topic Starter, New Member, 9 posts)
Ok, well I ran into a problem. I wasn't able to complete step 11: during one step (preparing to scan), I would get an error message saying I needed to close the browser and try again. I tried it 2 more times, with the same result.

ComboFix showed Duce6.exe as deleted after yesterday's scan, but it was back today (Task Manager) when I came here. I ran ComboFix again, before I ran any of today's steps. Then when I was in Safe Mode (during step 7) I noticed it was in C:\WINDOWS\Duce6.exe, so I deleted it again. I also noticed 2 other programs whose icons resembled that of Duce6.exe; these were sys031364341-332006.exe and ms064341-331362006.exe, but I'm not the expert, so I didn't touch those.

Here are the current logs.



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:41:18 PM 8/26/2006

+ Scan result:



Nothing found.



::Report end






--------------------------------------------------------
HijackThis Log
--------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:12:29 PM, on 8/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150352906453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8467C057-CE3A-4957-A5D5-D50B1DDD4CDD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

#6 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
hey GreekFire...I find it hard to believe that Ewido found NOTHING on your system...that is highly unusual and very weird.

Since I'm not standing over your shoulder when you do what I ask, can you tell me what error message you received trying to run F-Secure? It may help me figure out why it won't run.

Were you using Internet Explorer as the web browser?

1. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms04364341-331] C:\WINDOWS\ms04364341-331.exe


Now close all windows other than HiJackThis, then click Fix Checked.


3. Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\ms04364341-331.exe
    C:\WINDOWS\sys031364341-332006.exe
    C:\WINDOWS\ms064341-331362006.exe
    C:\WINDOWS\win320841-33136432006.exe
    C:\WINDOWS\xload.exe
    C:\WINDOWS\system32\jyc47198.sys
    C:\Setup100.exe
    C:\WINDOWS\srvyoeckew.exe
    C:\WINDOWS\system32\msmc.exe
    C:\OiUninstaller.exe
    C:\WINDOWS\ciwxg.dll
    C:\WINDOWS\system32\uninstIcn.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

4. After the computer reboots, repeat ComboFix .

5. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
6. Post the new ComboFix log in your next reply along with the Panda Log and a new HJT log...

#7 GreekFire (Topic Starter, New Member, 9 posts)
Yes indeed. Ewido fails. :whistling: Then again, maybe there's just another program interfering with it.

F-Secure ran this time! I was planning on 'PrintScreen'ing when the message came up, but it actually ran! I'll paste the log (I ran it before following any other instructions). If you're still interested (I can't exactly remember), the message read something similar to "An error has occurred, close your browser and try again (ID:24)".




---------------------------------------------------------------------------------
F-Secure Log
---------------------------------------------------------------------------------

Scanning Report
Saturday, August 26, 2006 19:39:21 - 20:44:35
Computer name: METEORA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 15 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
Trojan.Win32.VB.tg (virus)
C:\WINDOWS\MS064341-331362006.EXE (Renamed)
C:\WINDOWS\SYS031364341-332006.EXE (Renamed)
W32/Smalldrp.GOJ (virus)
C:\SETUP100.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 16862
System: 3815
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 12
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{547B060A-39A6-4185-B1DB-CEF77F4CE061}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-08-26
F-Secure Libra: 2.4.1, 2006-08-24
F-Secure Orion: 1.2.37, 2006-08-25
F-Secure Draco: 1.0.35, 2006-08-15
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-07-17
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics




---------------------------------------------------------------------------------
ComboFix Log
---------------------------------------------------------------------------------

Owner - 06-08-26 21:10:15.31
ComboFix 06.08.24 - Running from: C:\

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\RACLE~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET


((((((((((((((((((((((((((((((( Files Created from 2006-07-26 to 2006-08-26 ))))))))))))))))))))))))))))))))))


2006-08-25 22:04 297,246 --a------ C:\combofix.exe
2006-07-27 23:18 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-07-27 23:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-07-27 23:18 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-26 13:04 -------- d-a------ C:\Program Files\Common Files
2006-08-25 21:08 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-08-25 21:08 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-25 21:08 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-25 21:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-08-25 21:07 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-25 21:07 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-25 21:07 -------- d-------- C:\Program Files\Grisoft
2006-08-25 21:06 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-08-25 15:12 -------- d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2006-08-25 14:58 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-08-25 14:52 -------- d-------- C:\Program Files\QuickTime
2006-08-25 14:52 -------- d-------- C:\Program Files\MSN Messenger
2006-08-25 14:52 -------- d-------- C:\Program Files\AIM
2006-08-25 14:51 -------- d-------- C:\Program Files\Internet Explorer
2006-08-24 11:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2006-08-24 06:54 -------- d-------- C:\Program Files\MySpace
2006-08-22 20:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2006-08-22 14:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-22 14:06 -------- d-------- C:\Program Files\Panasonic
2006-08-22 14:06 -------- d-------- C:\Program Files\MKE
2006-08-21 13:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\çasks
2006-08-20 23:50 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-20 22:30 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-20 10:08 -------- d-------- C:\Program Files\MSN
2006-08-15 22:28 90240 --a------ C:\WINDOWS\system32\drivers\sptd8589.sys
2006-08-15 22:28 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-07-29 22:10 -------- d-------- C:\Program Files\ComcastToolbar
2006-07-27 09:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-07-27 00:47 543684 --a------ C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-07-27 00:05 264248 --a------ C:\Documents and Settings\Owner\Application Data\perfc012.dat
2006-07-26 22:27 5609 --a------ C:\Program Files\hijackthis.log
2006-07-06 17:01 -------- d-------- C:\Program Files\Fujifilm e-Systems
2006-07-06 17:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\Digital Album Organizer
2006-07-06 17:00 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-06-17 02:31 218112 --a------ C:\HijackThis.exe
2006-06-06 12:37 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"msmc"=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"msnappau"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyce.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\hozyre.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,d8,00,00,00,cc,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:00,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,d8,00,00,00,cc,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\hnjnszb.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnjnszb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\hnjnszb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"ZESOFT"=dword:00000002
"WinToolsSvc"=dword:00000002
"TBPSSvc"=dword:00000002
"iPodService"=dword:00000003



Completion time: Sat 08/26/2006 21:11:07.53
ComboFix.txt
ComboFix2.txt
ComboFix3.txt




---------------------------------------------------------------------------------
Panda Log
---------------------------------------------------------------------------------

Incident Status Location

Adware:adware/superspider Not disinfected c:\windows\system32\d2kpax.dll
Adware:adware/cws.searchmeup Not disinfected c:\windows\mstasks1.exe
Adware:adware/msxmidi Not disinfected c:\windows\msxmidi.exe
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_dsktptr
Potentially unwanted tool:application/seekmo Not disinfected c:\documents and settings\all users\start menu\programs\Seekmo Search Assistant
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Application Data\Registry Cleaner
Potentially unwanted tool:application/zango Not disinfected hkey_current_user\software\Zango Messenger
Adware:adware/hotoffers Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Spyware/7r7t Not disinfected C:\!KillBox\srvyoeckew.exe
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt



---------------------------------------------------------------------------------
HijackThis Log
---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:34:38 PM, on 8/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150352906453
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8467C057-CE3A-4957-A5D5-D50B1DDD4CDD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Qoofix & Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

#8
cfa-ddg2 (Visiting Staff)
Hey GreekFire...good job!

Your HJT log appears clean and we're getting there, but there's still some stuff to do:

1. Please do this:
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\hnjnszb.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msmc"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Then double-click on the fix.reg file, and when it prompts to merge say yes.


2. Open a command prompt by clicking start>>run and type cmd in the 'open' box.

Then type :

sc delete WintoolsSvc

and hit enter. Then type:

sc delete TBPSSvc

and hit enter

type exit and hit enter to exit the command prompt.

3. Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\d2kpax.dll
    c:\windows\mstasks1.exe
    c:\windows\msxmidi.exe
    C:\WINDOWS\hnjnszb.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

4. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

5. Post back with the HJT uninstall list and let me know how your system is running...

#9
GreekFire (Topic Starter)
My system blew up. :blink: No, seriously, I'm not getting any pop-ups, or weird error messages on start-up, and I never had to go against any of my morals. I appreciate all your help. You've been great! :whistling:

I have two questions. (1) Can you tell me which programs/functions are NOT necessary on start-up, so I may uncheck them with msconfig? (2) You had me download a few program trial versions; should I delete those now? I may forget to delete them later.

Here is the HJT uninstall list.


Actiontec Gateway
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AOL Instant Messenger
AVG Free Edition
BCM V.92 56K Modem
Broadcom 440x 10/100 Integrated Controller
CCleaner (remove only)
Comcast Toolbar
Dell ResourceCD
ewido anti-spyware 4.0
HijackThis 1.99.1
Intel® Extreme Graphics Driver
IsoBuster 1.9.1
iTunes
Macromedia Flash Player 8
Macromedia Shockwave Player
MSN Toolbar
My Wal-Mart Digital Photo Center
MySpaceIM
Palmcorder File Converter 3.00
Palmcorder USB Device Driver 3.01
Panda ActiveScan
QuickTime
RealPlayer
Sonic DLA
SoundMAX
Spybot - Search & Destroy 1.4
TorrentStorm
TrojanHunter 4.5
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB842773
WinRAR archiver
WordPerfect Office 11
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

#10
cfa-ddg2 (Visiting Staff)
Hello GreekFire...

You are welcome! The uninstall list looks fine...be very careful using P2P programs though...they are one of the largest sources of malware we see.

As far as start up programs, the ones I've noted below can be disabled from start up using msconfig as you desire; they are not required to run on start up and do so mostly out of convenience.

The choice about which to disable from start up is ultimately up to you. FYI, castlecops has a great start up list that details most all start up entries with information about each. You can find it here: CastleCops Startup List


O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe<=Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie i810). Available via Start - Settings - Control Panel
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"<=Updater for MSN toolbar..not required
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl<=AOL Instant Messenger. If connected to the internet automatically runs up AIM. Convenience more than anything. Available via Start - Programs
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet<=Yahoo! Messenger allows you to send instant messages. Available via Start - Programs
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background<=If you don't use MSN Messenger this can be annoying. Available via Start - Programs.


You can feel free to delete/remove any program we downloaded/used to clean your system such as Killbox! and Ewido. Ewido, while a trial, may be a useful program to you after the trial. While I am not certain, I believe it maintains its functionality but needs to be manually updated after the trial concludes. You could check at the Ewido site to make sure about that.

If your system is having no other problems, let's finish up. In the instructions below it is very important that you do the System Restore part, to remove potentially infected restore points from your computer!

If you are having any other problems or have any other questions, I'll keep this thread open for a day or two for you to respond. Let me know!

Your HJT appears clean and I'm glad your system is running well without problems!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> SystemRestore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection

Remember...be careful out there!
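Reviewing a HijackThis log by hand, as the helper does above, comes down to a few pattern checks per line. The Python below is an added example, not code from this thread or from HijackThis: it parses O4, O17 and O23 lines in the HJT 1.99.1 format and flags the kinds of entries acted on in this thread (autostarts running from the Windows root, services with a missing binary or no publisher, and the DNS servers to confirm). The sample lines are constructed from entries posted above; the pairing of the `msmc` value with hnjnszb.exe is assumed for the sample.

```python
import ntpath
import re

# Constructed sample in HijackThis 1.99.1 line format, built from entries in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [msmc] C:\\WINDOWS\\hnjnszb.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8467C057-CE3A-4957-A5D5-D50B1DDD4CDD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\\WINDOWS\\System32\\wbem\\wmiapsrv.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


def exe_from_command(cmd):
    """Return the executable path from an O4 command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return m.group(1) or m.group(2)


def review_hjt_log(text):
    """Return (code, name, reason) tuples for entries a helper would want to look at."""
    findings = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            exe = exe_from_command(m["cmd"])
            # Legitimate autostarts almost never live directly in the Windows root;
            # Duce6.exe and hnjnszb.exe in this thread both did.
            if ntpath.dirname(exe).lower() == r"c:\windows":
                findings.append(("O4", m["name"], f"autostart runs from Windows root: {exe}"))
        elif m := O17_RE.match(line):
            # Not necessarily bad: the addresses should simply match the ISP's DNS servers.
            findings.append(("O17", m["servers"], "confirm NameServer addresses belong to your ISP"))
        elif m := O23_RE.match(line):
            if m["path"].endswith("(file missing)"):
                # Often harmless on XP (as with WmiApSrv here), but worth a look.
                findings.append(("O23", m["short"], "service binary missing from disk"))
            elif m["owner"] == "Unknown owner":
                findings.append(("O23", m["short"], "service has no identified publisher"))
    return findings


if __name__ == "__main__":
    for code, name, reason in review_hjt_log(SAMPLE_LOG):
        print(f"{code:<4} {name:<28} {reason}")
```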


#11
GreekFire (Topic Starter)
Yeah, I do use torrents so. :whistling:

I ran into a problem(?) while trying to reactivate my System Restore. It's an error message which pops up ~4 times. The message reads:

rstrui.exe - Unable To Locate Component

This application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem.


#12
cfa-ddg2 (Visiting Staff)
The malware may have 'borked' that framedyn.dll file at that location. Take a look at these two links to see if they help:

http://support.micro...kb;en-us;319114

http://groups.google...d449f8d306a717e

Basically you'll first try to replace the file with a copy from another location on your HD or you can do a sfc /scannow (system file check) and repair/replace the missing file.

Let me know if this helps....otherwise I'll refer you to the Windows help forum here at G2G. But this should fix it!

#13
GreekFire (Topic Starter)
I fixed it, but I've been having trouble with the instructions. It seems to stall here and there, and I haven't been able to complete the process. I will keep on trying (this post; heads-up so you know where I stand).

#14
cfa-ddg2 (Visiting Staff)
Where is it stalling? Or does it give you an error message?

#15
cfa-ddg2 (Visiting Staff)
You can also check the System Restore errors:


System Restore Errors
  • To check the event logs for System Restore related errors:
    • Click Start
    • Click Control Panel
    • Click "Performance and Maintenance".
    • Click Administrative Tools
    • Click Computer Management
    • Double-click Event Viewer
    • Click System.
    • Click the Source tab to sort by name
    • Look for "sr" or "srservice"
    • Double-click each of these services
    • Evaluate the event description for any indication of the cause of the problem.