please please help me! DrWatson problem [resolved]



#31 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I went to the Activescan website, they must be having a problem with their server or something.

If you have not restarted your computer since running Killbox, then you need to restart in safe mode and delete the folders I have listed in my previous post.

Check the ActiveScan website here in a little bit to see if it's up and running again.

Michelle :tazz:
#32 GregDavid (Topic Starter, Member, 37 posts)
Yeah, I already ran Killbox and restarted in safe mode and deleted everything u asked. (My computer seems to be running great thanks to you!) I will check ActiveScan in a little bit and get back to you with a log. You rock, Michelle :tazz:

#33 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
:tazz:

I'll be watching for your post!

Michelle ;)

#34 GregDavid (Topic Starter, Member, 37 posts)
The website is still down, but I won't shut down or log out of my computer. I will do ActiveScan as soon as the website is up again.
Peace out, Michelle

#35 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You have already run the "fix" for your computer - I just needed to make sure you didn't shut it down while I was working on your log. Your log is done so feel free to shutdown, restart, and log off as much as you want! :tazz:

The only thing we're doing now is finding remnants of previous infections and killing them.

Michelle ;)

#36 GregDavid (Topic Starter, Member, 37 posts)
OK, ActiveScan is still down. I'll get back to you tomorrow!!
Once again, thanks! :tazz:

#37 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
It's no problem :tazz:

Michelle

#38 GregDavid (Topic Starter, Member, 37 posts)
Here's the ActiveScan log finally!

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\aupdate.conf
Adware:Adware/PurityScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Greg\Favorites\-Shopping-
Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/SideSearch No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\MiniBugTransporter.EXE
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\Sysfiles\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\Program Files\AIM95\Sysfiles\WxBug.EXE

Peace Michelle :tazz:

#39 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
*double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the items listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\system32\aupdate.conf
C:\AOL Instant Messenger\MiniBugTransporter.EXE
C:\AOL Instant Messenger\Sysfiles\WxBug.EXE
C:\AOL Instant Messenger\WxBug.EXE
C:\Program Files\AIM95\Sysfiles\WxBug.EXE
C:\keys.ini


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path (C:\keys.ini) has been entered press the YES button at both prompts so that your computer restarts.

While it's restarting tap the F8 key continually until a menu appears, use your up arrow key to highlight Safe Mode then hit enter.

Using Windows Explorer, delete the following items (in bold):

C:\Documents and Settings\Greg\Favorites\-Shopping-
C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
C:\WINDOWS\alchem.ini

After doing that you can run Activescan again, if you wish.

Michelle :tazz:

#40 GregDavid (Topic Starter, Member, 37 posts)
Hey Michelle, what's up? I ran ActiveScan again and here's the log...

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Greg\Favorites\-Shopping-
Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url

Get back to me whenever you feel like it. I know that you have been working with me a lot, so whenever u get a chance tell me what else to delete. Thanks, Michelle :tazz: I really appreciate your help. I rely on my computer so much because I am a graphic design major, and all of my assignments require the use of my computer.
Really, thanks for all of your help!!!!!!!
#41 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Not much left! All you have to do is delete these 2 items from your favorites (you need to follow the URL path below - going into Documents and Settings in Windows Explorer):

C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
C:\Documents and Settings\Greg\Favorites\-Shopping-

Then delete this file:
C:\WINDOWS\alchem.ini

And that's it!

After doing that, please post a new HiJackThis log just to doublecheck it!

Michelle :tazz:

#42 GregDavid (Topic Starter, Member, 37 posts)
I followed your instructions and here's the new log! Thanks, Michelle :tazz:

Greg

Logfile of HijackThis v1.99.1
Scan saved at 7:11:14 PM, on 4/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\AOL Instant Messenger\aim.exe
C:\Documents and Settings\Greg\Desktop\POOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL Instant Messenger\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
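An added example (not code from this thread, nor part of HijackThis or ActiveScan) that parses the two log formats posted above: it groups the O-numbered HijackThis entries by section and flags registrations whose target file is gone, as with the WeatherBug button in Greg's log, and it turns an ActiveScan report into the list of file paths that a delete-on-reboot tool like Killbox would be given. The sample lines are constructed in the style of the logs in this thread, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL Instant Messenger\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
SAMPLE_SCAN = r"""
Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\aupdate.conf
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O9 - Extra button: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")     # {8-4-4-4-12} GUID in braces
SCAN_RE = re.compile(r"^(\w+):(\S+) (No disinfected|Disinfected) (.*)$")


def parse_hjt(text):
    """Group the O-numbered HijackThis lines by section, e.g. {"O9": [...]}."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def orphaned_entries(entries):
    """Registrations whose target no longer exists; HijackThis marks them '(file missing)'."""
    return [e for sec in entries.values() for e in sec if "(file missing)" in e]


def clsid_of(entry):
    """The {CLSID} named in an O2/O9/O16 entry, or None if the entry has none."""
    m = CLSID_RE.search(entry)
    return m.group(0) if m else None


def scan_file_paths(text):
    """ActiveScan locations that are file paths (not 'Windows Registry'), in report order."""
    paths = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m and re.match(r"^[A-Za-z]:\\", m.group(4)):
            paths.append(m.group(4))
    return paths
```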

#43 GregDavid (Topic Starter, Member, 37 posts)
I'm not so sure if my computer is completely clean. I might still have some VX2 stuff, because Battlefield Vietnam doesn't work: PunkBuster detects that I "do not have sufficient O/S privlidges", but I run on an administrator account. Is it possible that something is hiding? Or do I just have to reinstall the program?

#44 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Go to Start > Control Panel > Add/Remove Programs and remove this:

Weatherbug

Then open HiJackThis and put a check next to this item and click "FIX CHECKED":

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

Using Windows Explorer, delete the following folder:

C:\Program Files\AWS

Post a new HiJackThis log and I'll take a look.

Michelle :tazz:

#45 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
By the way, you didn't have a VX2 infection - which is a good thing! :tazz:

Michelle