Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Keep getting unauthorized shortcuts on my desktop [RESOLVED]


  • This topic is locked This topic is locked

#16
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Yes, it is safe. The only way you'll have a problem is if you delete a system file. Simply showing them cannot harm anything.

Edited by Flrman1, 29 September 2006 - 02:48 PM.

  • 0

Advertisements


#17
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ok....I'm on it. This is a work laptop and I need to be careful..
  • 0

#18
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I can't seem to locate the C:\Windows\System32\mfc.exe file.

When I browse my c: drive there is no windows folder.

Could it be located elswhere??
  • 0

#19
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Sorry, my fault. It is c:\WINNT\System32\mfc.exe.

Edited by Flrman1, 30 September 2006 - 10:08 AM.

  • 0

#20
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Have you done all this?

* Go to Add/Remove programs and uninstall these old versions of Java:

J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6


* Now go here and install the latest version of Java.


* Click here to download smitRem.exe.

  • Save the file to your desktop.
  • It is a self extracting file.
  • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
  • If the link to SmitRem above is not working try this one.
* Click here to download ATF Cleaner by Atribune and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Mouse Button Monitor .
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: MediaCodec.BHO - {525A7CE1-5FD4-4FC7-A333-27D3754DB57C} - C:\WINNT\Downloaded Program Files\MediaCodec.ocx

O4 - HKLM\..\Run: [P2P Networking] C:\winnt\system32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

O15 - Trusted Zone: http://software.nocusnetworks.com

O16 - DPF: NetCharts - https://cpgn.infores...ses/install.cab

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab

O16 - DPF: {62FB8678-5EAD-4D27-A639-415D9F0B668F} (MediaCodec.Install) - http://software.nocu.../mediacodec.cab



* Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

mousebm

Click OK.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINNT\Downloaded Program Files\MediaCodec.ocx

    C:\winnt\system32\P2P Networking

    C:\Program Files\Error Nuker


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[*]Click Exit on the Main menu to close the program.
[/list]* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button an save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan


  • 0

#21
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I've done everything up to where I need to start in safe mode. I didn't want to get to far ahead, as I was concerned that I may have to re-do everything due to my earlier concern about unchecking the items and the windows warning I received.
I'm finishing everything right now and will post the logs this afternoon.
As awlays, your help is deeply appreciated!!
:whistling:
  • 0

#22
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I can't find a file named mfc.exe in C:/WINNT/System32

There are approx. 2 dozen files with the mfc prefix, but nothing called mfc.exe.

Any suggestions?

In the meantime, can I move forward with the things I need to do in safe mode??

Edited by vjgkam, 30 September 2006 - 11:27 AM.

  • 0

#23
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Finish evrything else and forget about the file for now.
  • 0

#24
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ok, I finished everything up to this point. I ran the smitRem as instructed, and it completed extremely fast. A prompt appeared sying it could take up to three hours, and then started the scan. I walked away from my computer, and when I came back in the room about 5 mintutes later, the window was gone. I'm assuming it ran while I was away.

Here are the Active Scan an new HT logs:

Thanks!



Incident Status Location

Dialer:Dialer.B Not disinfected C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Adware:adware/keenvalue Not disinfected c:\winnt\system32\drivers\etc\hosts.bho
Adware:adware/clickalchemy Not disinfected c:\winnt\inf\alchem.inf
Adware:adware/ipinsight Not disinfected c:\winnt\inf\polall1r.inf
Spyware:spyware/betterinet Not disinfected c:\winnt\inf\satmat.inf
Adware:adware/twain-tech Not disinfected c:\winnt\satmat.ini
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/mbkwbar Not disinfected c:\program files\MBKWBar
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/cws Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Favorites\Going Places
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Virus:W32/Sdbot.CWR.worm Disinfected C:\Documents and Settings\All Users\Documents\java.exe
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Mozilla\Firefox\Profiles\vbcoi0d7.default\cookies.txt.old[.target.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\snyders.WICK\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\snyders.WICK\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Kazaa Networks Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\[email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\[email protected][1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\[email protected][1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/MBKWBar Not disinfected C:\Program Files\MBKWBar\MBKWBar.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\inf\mmaker2.inf
Adware:Adware/MBKWBar Not disinfected C:\WINNT\mbkwnst.exe[MBKWBar.exe]
Adware:Adware/MBKWBar Not disinfected C:\WINNT\mbkwnst.exe[MBKWBar.exe][IEToolBar.dll]



Logfile of HijackThis v1.99.1
Scan saved at 10:27:41 AM, on 10/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\ibmpmsvc.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\winnt\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\tp4mon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\winnt\AGRSMMSG.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\winnt\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Memory Function] C:\winnt\system32\mfc.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [IM] C:\program files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Button Test - {20340348-8448-47f8-ae16-796747b6605c} - C:\winnt\system32\Microsoft\Extension\20340348-8448-47f8-ae16-796747b6605c.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://software.nocusnetworks.com
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...?affiliate=wtlv
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123704351652
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144593592992
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.1...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices..../DSLControl.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\winnt\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\winnt\system32\CTSvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\winnt\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
  • 0

#25
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [Memory Function] C:\winnt\system32\mfc.exe

O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe

O9 - Extra button: Button Test - {20340348-8448-47f8-ae16-796747b6605c} - C:\winnt\system32\Microsoft\Extension\20340348-8448-47f8-ae16-796747b6605c.htm

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: http://software.nocusnetworks.com



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    c:\winnt\system32\drivers\etc\hosts.bho

    c:\winnt\inf\alchem.inf

    c:\winnt\inf\polall1r.inf

    c:\winnt\inf\satmat.inf

    c:\winnt\satmat.ini

    c:\program files\Lycos

    c:\program files\MBKWBar

    c:\program files\MyWay

    C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Favorites\Going Places

    C:\Program Files\Kazaa\

    C:\WINNT\inf\mmaker2.inf

    C:\WINNT\mbkwnst.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[*]Click Exit on the Main menu to close the program.
[/list]
* Restart back into Windows normally now.


* Run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan
  • 0

Advertisements


#26
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Also go ahead and do this please:

* Download DelDomains.inf from here.
Save the DelDomains.inf file to your desktop.
Rightclick DelDomains.inf and choose install.


* Also Click here to download ResetProtocolDefaults.reg and save it to your desktop.

Doubleclick on the ResetProtocolDefaults.reg file to add it to the registry. Answer yes to confirm the merge.

Please do the above before you post the new Hijck This log and the results of the Kaspersky scan.
  • 0

#27
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ok,
All done with the latest steps. How are we progressing??? Just curious....
Here are the newest HT log and Kaspenski log.
Thank you for your continued help.

Logfile of HijackThis v1.99.1
Scan saved at 5:36:57 PM, on 10/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\ibmpmsvc.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\winnt\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\tp4mon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\winnt\AGRSMMSG.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\winnt\System32\winmine.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [IM] C:\program files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...?affiliate=wtlv
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123704351652
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144593592992
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.1...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices..../DSLControl.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\winnt\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\winnt\system32\CTSvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\winnt\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)




KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 04, 2006 5:33:12 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 215643
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41068
Number of viruses found: 4
Number of infected objects: 15 / 0
Number of suspicious objects: 4
Duration of the scan process: 00:57:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DB027.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DB027.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip/UWFX5_0001_MNINetInstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/ainits[1].scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED/size.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236 Mail: infected - 4, suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236 CryptFF.b: infected - 4, suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236 CAB: infected - 2 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\History\History.IE5\MSHist012006100420061005\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\snyders.WICK\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/ainits[1].scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED/size.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf Mail: infected - 4, suspicious - 1 skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\L0000028.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\storydb.idx Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Verizon Online\WinPoET\WrOS.EventLog.txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#28
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
How is the computer behaving now?
  • 0

#29
vjgkam

vjgkam

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
The computer is running smoothly and the shortcuts have ceased! I really appreciate your help with all this.
Is there any more cleaning we can do??
Also- what types of daily/weekly cleaning would you reccomend??
Lastly- When I did the last steps you aked me to do in KillBox, I saw a lot of stuff like Yahoo! messenger, Earthlink 5.0, Gamehouse and some programs I used to use to convert MP3 files. Can I use Killbox in safe mode to delete those programs?? Is it safe?
THANKS!
  • 0

#30
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts

Lastly- When I did the last steps you aked me to do in KillBox, I saw a lot of stuff like Yahoo! messenger, Earthlink 5.0, Gamehouse and some programs I used to use to convert MP3 files. Can I use Killbox in safe mode to delete those programs?? Is it safe?

You shouldn't use Killbox for that. You need to use Add/Remove programs to uninstall any apps that you wish to remove. If there are other files that you want to remove that can't or are not removed by uninstalling an application, for the most part you can just delete the file by right-clicking it and choosing delete. If a file is stubborn and will not delete in normal Windows User mode, you can use Killbox with the delete on reboot option or boot to safe mode and delete it with Killbox.

We are pretty much done with the cleaning. The following should address the other questions you asked:

* If I had you use Killbox to delete any files, go ahead and delete the C:\!Killbox folder then empty the Recycle Bin.


* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


* Go to Windows update and install all "High Priority Updates".


* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Edited by Flrman1, 05 October 2006 - 07:48 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP