Edited by Flrman1, 29 September 2006 - 02:48 PM.
Keep getting unauthorized shortcuts on my desktop [RESOLVED]
#16
Posted 29 September 2006 - 02:48 PM
#17
Posted 29 September 2006 - 06:03 PM
#18
Posted 30 September 2006 - 06:42 AM
When I browse my c: drive there is no windows folder.
Could it be located elsewhere??
#19
Posted 30 September 2006 - 10:08 AM
Edited by Flrman1, 30 September 2006 - 10:08 AM.
#20
Posted 30 September 2006 - 10:09 AM
* Go to Add/Remove programs and uninstall these old versions of Java:
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
* Now go here and install the latest version of Java.
* Click here to download smitRem.exe.
- Save the file to your desktop.
- It is a self extracting file.
- Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
- Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
- If the link to SmitRem above is not working try this one.
* Click here to download ATF Cleaner by Atribune and save it to your desktop.
* Click Here and download Killbox and save it to your desktop.
* Click here for info on how to boot to safe mode if you don't already know how.
* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.
* Click Start > Run > and type in:
services.msc
Click OK.
In the services window find Mouse Button Monitor .
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.
Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.
* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: MediaCodec.BHO - {525A7CE1-5FD4-4FC7-A333-27D3754DB57C} - C:\WINNT\Downloaded Program Files\MediaCodec.ocx
O4 - HKLM\..\Run: [P2P Networking] C:\winnt\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O15 - Trusted Zone: http://software.nocusnetworks.com
O16 - DPF: NetCharts - https://cpgn.infores...ses/install.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {62FB8678-5EAD-4D27-A639-415D9F0B668F} (MediaCodec.Install) - http://software.nocu.../mediacodec.cab
* Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:
mousebm
Click OK.
* Restart your computer into safe mode now. Perform the following steps in safe mode:
* Double-click on Killbox.exe to run it.
- Put a tick by Standard File Kill.
- In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:
C:\WINNT\Downloaded Program Files\MediaCodec.ocx
C:\winnt\system32\P2P Networking
C:\Program Files\Error Nuker
- Click on the button that has the red circle with the X in the middle after you enter each file.
- It will ask for confirmation to delete the file.
- Click Yes.
- Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
- Killbox may tell you that one or more files do not exist.
- If that happens, just continue on with all the files. Be sure you don't miss any.
- Exit the Killbox.
* Run ATF Cleaner:
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- If you use Firefox:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
* Restart back into Windows normally now.
* Run ActiveScan online virus scan here
When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.
Note: You have to use Internet Explorer to do the online scan.
Post a new HiJackThis log along with the results from ActiveScan
#21
Posted 30 September 2006 - 11:14 AM
I'm finishing everything right now and will post the logs this afternoon.
As always, your help is deeply appreciated!!
#22
Posted 30 September 2006 - 11:26 AM
There are approx. 2 dozen files with the mfc prefix, but nothing called mfc.exe.
Any suggestions?
In the meantime, can I move forward with the things I need to do in safe mode??
Edited by vjgkam, 30 September 2006 - 11:27 AM.
#23
Posted 01 October 2006 - 05:43 PM
#24
Posted 02 October 2006 - 08:33 AM
Here are the Active Scan and new HT logs:
Thanks!
Incident Status Location
Dialer:Dialer.B Not disinfected C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Adware:adware/keenvalue Not disinfected c:\winnt\system32\drivers\etc\hosts.bho
Adware:adware/clickalchemy Not disinfected c:\winnt\inf\alchem.inf
Adware:adware/ipinsight Not disinfected c:\winnt\inf\polall1r.inf
Spyware:spyware/betterinet Not disinfected c:\winnt\inf\satmat.inf
Adware:adware/twain-tech Not disinfected c:\winnt\satmat.ini
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/mbkwbar Not disinfected c:\program files\MBKWBar
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/cws Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Favorites\Going Places
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Virus:W32/Sdbot.CWR.worm Disinfected C:\Documents and Settings\All Users\Documents\java.exe
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\snyders@adultfriendfinder[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\snyders@go[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\snyders.WICK\Application Data\Mozilla\Firefox\Profiles\vbcoi0d7.default\cookies.txt.old[.target.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\snyders.WICK\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\snyders.WICK\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Kazaa Networks Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\[email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\snyders@go[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\snyders@rn11[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Program Files\EarthLink 5.0\[email protected]\Cookies\snyders@smni[1].txt
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/MBKWBar Not disinfected C:\Program Files\MBKWBar\MBKWBar.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\inf\mmaker2.inf
Adware:Adware/MBKWBar Not disinfected C:\WINNT\mbkwnst.exe[MBKWBar.exe]
Adware:Adware/MBKWBar Not disinfected C:\WINNT\mbkwnst.exe[MBKWBar.exe][IEToolBar.dll]
Logfile of HijackThis v1.99.1
Scan saved at 10:27:41 AM, on 10/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\ibmpmsvc.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\winnt\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\tp4mon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\winnt\AGRSMMSG.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\winnt\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Memory Function] C:\winnt\system32\mfc.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [IM] C:\program files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Button Test - {20340348-8448-47f8-ae16-796747b6605c} - C:\winnt\system32\Microsoft\Extension\20340348-8448-47f8-ae16-796747b6605c.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://software.nocusnetworks.com
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...?affiliate=wtlv
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123704351652
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144593592992
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.1...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices..../DSLControl.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\winnt\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\winnt\system32\CTSvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\winnt\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
#25
Posted 02 October 2006 - 07:27 PM
* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"
O4 - HKLM\..\Run: [Memory Function] C:\winnt\system32\mfc.exe
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O9 - Extra button: Button Test - {20340348-8448-47f8-ae16-796747b6605c} - C:\winnt\system32\Microsoft\Extension\20340348-8448-47f8-ae16-796747b6605c.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://software.nocusnetworks.com
* Restart your computer into safe mode now. Perform the following steps in safe mode:
* Double-click on Killbox.exe to run it.
- Put a tick by Standard File Kill.
- In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:
c:\winnt\system32\drivers\etc\hosts.bho
c:\winnt\inf\alchem.inf
c:\winnt\inf\polall1r.inf
c:\winnt\inf\satmat.inf
c:\winnt\satmat.ini
c:\program files\Lycos
c:\program files\MBKWBar
c:\program files\MyWay
C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Favorites\Going Places
C:\Program Files\Kazaa\
C:\WINNT\inf\mmaker2.inf
C:\WINNT\mbkwnst.exe
- Click on the button that has the red circle with the X in the middle after you enter each file.
- It will ask for confirmation to delete the file.
- Click Yes.
- Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
- Killbox may tell you that one or more files do not exist.
- If that happens, just continue on with all the files. Be sure you don't miss any.
- Exit the Killbox.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- If you use Firefox:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Restart back into Windows normally now.
* Run Kaspersky online virus scan here.
After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!
Note: You have to use Internet Explorer to do the online scan.
Post a new HiJackThis log along with the results from Kaspersky scan
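As an added example (not code from this thread, from HijackThis or from any of the tools named above), here is a small Python triage script that applies the kind of reasoning Flrman1 used in posts #20 and #25 to the logs vjgkam posted: an autostart that runs out of the browser cache, a system-sounding file name in the Run key, dangling or HTML-backed IE buttons, sites added to the Trusted Zone, ActiveX downloads served from a host that was added to the Trusted Zone, and services whose binary is gone. The sample lines are copied from the logs in this thread; the heuristics, the `SUSPECT_NAMES` set and the function names are my assumptions, not a HijackThis feature, and a real run would read a saved log file instead of the embedded sample.

```python
import re

# Input copied verbatim from the HijackThis logs posted above (posts #20 and #24).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Memory Function] C:\winnt\system32\mfc.exe
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Button Test - {20340348-8448-47f8-ae16-796747b6605c} - C:\winnt\system32\Microsoft\Extension\20340348-8448-47f8-ae16-796747b6605c.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://software.nocusnetworks.com
O16 - DPF: {62FB8678-5EAD-4D27-A639-415D9F0B668F} (MediaCodec.Install) - http://software.nocu.../mediacodec.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123704351652
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\winnt\system32\CTSvcCDA.EXE
"""

# Assumed heuristics (mine, not HijackThis rules): places an autostart should never
# live, and a system-sounding file name the helper above identified as malware.
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\local settings\\temp")
SUSPECT_NAMES = {"mfc.exe"}

SECTION_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")


def host_prefix(url):
    """Host as printed in the log; HijackThis shortens long URLs with '...', so this may be only a prefix."""
    body = url.split("://", 1)[-1]
    return re.split(r"\.\.\.|/", body, maxsplit=1)[0].lower()


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a human's attention."""
    lines = [l for l in log_text.splitlines() if SECTION_RE.match(l)]
    # Pass 1: hosts added to IE's Trusted Zone (O15). Anything later fetched from
    # them as an ActiveX download (O16) is guilty by association.
    trusted = [host_prefix(SECTION_RE.match(l).group(2).split(": ", 1)[-1])
               for l in lines if l.startswith("O15 ")]
    findings = []
    for line in lines:
        sec, rest = SECTION_RE.match(line).groups()
        low = rest.lower()
        if sec == "O4":
            if any(m in low for m in CACHE_MARKERS):
                findings.append((sec, "autostart runs from browser cache/temp", line))
            exe = re.search(r'([^\\"]+\.exe)', rest, re.I)  # first .exe token on the line
            if exe and exe.group(1).lower() in SUSPECT_NAMES:
                findings.append((sec, "known-bad file name " + exe.group(1), line))
        elif sec == "O9":
            if "(file missing)" in low or low.endswith(".htm") or "\\extension\\" in low:
                findings.append((sec, "dangling or HTML-backed IE button", line))
        elif sec == "O15":
            findings.append((sec, "site added to IE Trusted Zone", line))
        elif sec == "O16":
            url = rest.rsplit(" - ", 1)[-1]
            if any(t.startswith(host_prefix(url)) for t in trusted):
                findings.append((sec, "ActiveX download from a Trusted Zone host", line))
        elif sec == "O23":
            if "(file missing)" in low:
                findings.append((sec, "service registered but binary missing", line))
    return findings


def main():
    for sec, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sec, reason, line))


if __name__ == "__main__":
    main()
```

On the sample above the script flags the two O4 entries, both O9 buttons, the O15 line, the MediaCodec O16 line (because its truncated host `software.nocu` is a prefix of the Trusted Zone host) and the dangling winvnc service, and leaves the Java BHO, QuickTime, the Windows Update control and the Creative service alone. Treat the output as a worklist for the kind of manual review done in this thread, not as a verdict.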
#26
Posted 02 October 2006 - 07:29 PM
* Download DelDomains.inf from here.
Save the DelDomains.inf file to your desktop.
Rightclick DelDomains.inf and choose install.
* Also Click here to download ResetProtocolDefaults.reg and save it to your desktop.
Doubleclick on the ResetProtocolDefaults.reg file to add it to the registry. Answer yes to confirm the merge.
Please do the above before you post the new Hijack This log and the results of the Kaspersky scan.
#27
Posted 04 October 2006 - 03:42 PM
All done with the latest steps. How are we progressing??? Just curious....
Here are the newest HT log and Kaspersky log.
Thank you for your continued help.
Logfile of HijackThis v1.99.1
Scan saved at 5:36:57 PM, on 10/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\ibmpmsvc.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\winnt\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\winnt\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\Ati2evxx.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\tp4mon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\winnt\AGRSMMSG.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\winnt\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\winnt\System32\winmine.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\winnt\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PSU_Playbook] C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\I35UJIJ5\PlaybookNews[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [IM] C:\program files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: FriendFinder Messenger.lnk = C:\Program Files\FriendFinder Messenger\FriendFinder Messenger.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CM_camera.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...?affiliate=wtlv
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123704351652
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144593592992
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.1...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...ion/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} (CDDM Object) - https://netservices..../DSLControl.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.veri...pdate_1-0-0.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O23 - Service: Sophos AutoUpdate Service (ActiveLinkClient) - Unknown owner - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\winnt\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\winnt\system32\CTSvcCDA.EXE
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\winnt\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 04, 2006 5:33:12 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 215643
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 41068
Number of viruses found: 4
Number of infected objects: 15 / 0
Number of suspicious objects: 4
Duration of the scan process: 00:57:43
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DB027.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DB027.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip/UWFX5_0001_MNINetInstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/ainits[1].scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED/size.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236 Mail: infected - 4, suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236 CryptFF.b: infected - 4, suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236/polall1m.exe/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236 CAB: infected - 2 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\snyders.WICK\Application Data\Earthlink\6.0\[email protected]\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\History\History.IE5\MSHist012006100420061005\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\snyders.WICK\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\snyders.WICK\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED/ainits[1].scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From yvesmuck <[email protected]>][Date Date header was inserted by mtaout10.icomcast.net]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED/size.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\EarthLink 5.0\[email protected]\mailbox\006.msf Mail: infected - 4, suspicious - 1 skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\L0000028.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\SNYDERS\Data\storydb.idx Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Verizon Online\WinPoET\WrOS.EventLog.txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
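Reading a report like the one above, the job is to separate the real hits (the Infected/Suspicious rows) from the "Object is locked skipped" noise (files in use by Windows, not detections), to notice that several hits sit inside another tool's Quarantine or Recovery folder rather than at their original location, and to see that every action column reads "skipped", so the online scanner reported and removed nothing. The Python parser below is an added example, not code from this thread or from Kaspersky; the line shapes it recognises are taken from the report format above, its sample input is a constructed subset of the rows above, and the "already quarantined" check is a path heuristic of mine.

```python
"""Triage helper for Kaspersky Online Scanner report rows (added example, not from the thread).

Recognised row shapes, taken from the report format above:
  <path> Object is locked skipped
  <path> Infected: <name> skipped
  <path> Suspicious: <name> skipped
  <path> <container kind>: infected - N[, suspicious - M] skipped
A '/' inside a path separates the on-disk file from a member inside an archive or mailbox.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

LOCKED_SUFFIX = " Object is locked"
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>\S+): "
    r"(?P<counts>(?:infected|suspicious) - \d+(?:, (?:infected|suspicious) - \d+)*)$"
)


@dataclass
class Entry:
    disk_file: str          # the file as it exists on disk
    member: Optional[str]   # path inside the archive/mailbox, if any
    category: str           # 'locked', 'infected', 'suspicious' or 'container'
    name: Optional[str]     # detection name, or container kind for roll-up rows
    action: str             # last token of the row; 'skipped' throughout this report


def _split_path(path: str) -> Tuple[str, Optional[str]]:
    disk, sep, member = path.partition("/")   # Windows paths in the report never contain '/'
    return disk, (member if sep else None)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report row; returns None for blank or unrecognised rows."""
    line = line.strip()
    if not line:
        return None
    body, _, action = line.rpartition(" ")    # the scanner's action is always the last word
    if body.endswith(LOCKED_SUFFIX):
        disk, member = _split_path(body[: -len(LOCKED_SUFFIX)])
        return Entry(disk, member, "locked", None, action)
    m = DETECTION_RE.match(body)
    if m:
        disk, member = _split_path(m["path"])
        return Entry(disk, member, m["verdict"].lower(), m["name"], action)
    m = CONTAINER_RE.match(body)
    if m:
        disk, member = _split_path(m["path"])
        return Entry(disk, member, "container", m["kind"], action)
    return None


def summarize(report_lines: Iterable[str]) -> dict:
    """Separate actual detections from in-use-file noise and per-container roll-ups."""
    entries = [e for e in map(parse_line, report_lines) if e is not None]
    detections = [e for e in entries if e.category in ("infected", "suspicious")]
    files = sorted({e.disk_file for e in detections})
    return {
        "total": len(entries),
        "locked": sum(e.category == "locked" for e in entries),
        "containers": sum(e.category == "container" for e in entries),
        "infected": sum(e.category == "infected" for e in entries),
        "suspicious": sum(e.category == "suspicious" for e in entries),
        "by_name": dict(Counter(e.name for e in detections)),
        # on-disk files that actually hold a detection (one mailbox may yield several rows)
        "files": files,
        # heuristic (mine): hits inside another tool's quarantine folder are already neutralised copies
        "already_quarantined": [f for f in files if "\\quarantine\\" in f.lower()],
        # a report-only online scanner leaves every action as 'skipped'
        "nothing_cleaned": all(e.action == "skipped" for e in entries),
    }


# Constructed sample input: a subset of the rows from the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DB027.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip/UWFX5_0001_MNINetInstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED/size.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236/[From postmaster <[email protected]>][Date Thu, 10 Apr 2003 10:44:42 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\006.msf.bac_a02236 Mail: infected - 4, suspicious - 1 skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236/polall1m.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\snyders.WICK\.housecall\Quarantine\temp.fr7511.bac_a02236 CAB: infected - 2 skipped
C:\WINNT\system32\config\SAM Object is locked skipped
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT.splitlines()).items():
        print(f"{key}: {value}")
```

Run against the full report it gives the same picture the thread reaches by hand: the only files carrying detections are a Spybot recovery archive, two HouseCall quarantine backups and an old mail store, all of them archived copies rather than running programs, and nothing in the list was cleaned by the scan itself.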
#28
Posted 05 October 2006 - 06:20 AM
#29
Posted 05 October 2006 - 07:04 AM
Is there any more cleaning we can do??
Also- what types of daily/weekly cleaning would you recommend??
Lastly- When I did the last steps you asked me to do in KillBox, I saw a lot of stuff like Yahoo! messenger, Earthlink 5.0, Gamehouse and some programs I used to use to convert MP3 files. Can I use Killbox in safe mode to delete those programs?? Is it safe?
THANKS!
#30
Posted 05 October 2006 - 07:47 PM
Lastly- When I did the last steps you asked me to do in KillBox, I saw a lot of stuff like Yahoo! messenger, Earthlink 5.0, Gamehouse and some programs I used to use to convert MP3 files. Can I use Killbox in safe mode to delete those programs?? Is it safe?
You shouldn't use Killbox for that. You need to use Add/Remove programs to uninstall any apps that you wish to remove. If there are other files that you want to remove that can't or are not removed by uninstalling an application, for the most part you can just delete the file by right-clicking it and choosing delete. If a file is stubborn and will not delete in normal Windows User mode, you can use Killbox with the delete on reboot option or boot to safe mode and delete it with Killbox.
We are pretty much done with the cleaning. The following should address the other questions you asked:
* If I had you use Killbox to delete any files, go ahead and delete the C:\!Killbox folder then empty the Recycle Bin.
* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
* Go to Windows update and install all "High Priority Updates".
* Now turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer, turn System Restore back on and create a restore point.
To create a restore point:
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
Edited by Flrman1, 05 October 2006 - 07:48 PM.