[Michelle]

I went to the Activescan website, they must be having a problem with their server or something.

If you have not restarted your computer since running Killbox, then you need to restart in safe mode and delete the folders I have listed in my previous post.

Check the ActiveScan website here in a little bit to see if it's up and running again.

Michelle

[Advertisements]

yeah i already ran killbox and restarted in safe mode and deleted everything u asked. (my computer seems to be running great thanks to you!) i will check activescan in a little bit and get back to you with a log. You rock michelle

[GregDavid]

yeah i already ran killbox and restarted in safe mode and deleted everything u asked. (my computer seems to be running great thanks to you!) i will check activescan in a little bit and get back to you with a log. You rock michelle

[Michelle]

I'll be watching for your post!

Michelle

[GregDavid]

the website is still down, but i won't shutdown or logout on my computer.. i will do activescan as soon as the website is up again..
peace out michelle

[Michelle]

You have already run the "fix" for your computer - I just needed to make sure you didn't shut it down while I was working on your log. Your log is done so feel free to shutdown, restart, and log off as much as you want!

The only thing we're doing now is finding remnants of previous infections and killing them.

Michelle

[GregDavid]

ok, active scan is stil down. i'll get back to you tomoroww!!
once again. thanks!

[Michelle]

It's no problem

Michelle

[GregDavid]

heres the activescan log finally!


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\aupdate.conf
Adware:Adware/PurityScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Greg\Favorites\-Shopping-
Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/SideSearch No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\MiniBugTransporter.EXE
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\Sysfiles\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\AOL Instant Messenger\WxBug.EXE
Adware:Adware/Minibug No disinfected C:\Program Files\AIM95\Sysfiles\WxBug.EXE

Peace Michelle

[Michelle]

*double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the items listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\system32\aupdate.conf
C:\AOL Instant Messenger\MiniBugTransporter.EXE
C:\AOL Instant Messenger\Sysfiles\WxBug.EXE
C:\AOL Instant Messenger\WxBug.EXE
C:\Program Files\AIM95\Sysfiles\WxBug.EXE
C:\keys.ini

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path (C:\keys.ini) has been entered press the YES button at both prompts so that your computer restarts.

While it's restarting tap the F8 key continually until a menu appears, use your up arrow key to highlight Safe Mode then hit enter.

Using Windows Explorer, delete the following items (in bold):

C:\Documents and Settings\Greg\Favorites\-Shopping-
C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
C:\WINDOWS\alchem.ini

After doing that you can run Activescan again, if you wish.

Michelle

[GregDavid]

hey michelle.. whats up.. i ran activescan again and heres the log...



Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Greg\Favorites\-Shopping-
Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url


get back to me whenever you feel.. i know that you have been working with me alot so whenever u get a chance tell me what else to delete.. thanks michelle i really apreciate your help.. i rely on my computer soo much because i am a graphic design major, and all of my assignmets requre the use of my computer
really, thanks for all of your help.. !!!!!!!

[Michelle]

Not much left! All you have to do is delete these 2 items from your favorites (you need to follow the url path below - going into Documents and Settings in Windows Explorer)

C:\Documents and Settings\Greg\Favorites\Sites about\Broadband comparison.url
C:\Documents and Settings\Greg\Favorites\-Shopping-

Then delete this file:
C:\WINDOWS\alchem.ini

And that's it!

After doing that, please post a new HiJackThis log just to doublecheck it!

Michelle

[GregDavid]

I followed your instructions and heres the new log! Thanks Michelle

Greg


Logfile of HijackThis v1.99.1
Scan saved at 7:11:14 PM, on 4/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\AOL Instant Messenger\aim.exe
C:\Documents and Settings\Greg\Desktop\POOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL Instant Messenger\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

[GregDavid]

im not so sure if my computer is completley clean, i might still have some VX2 stuff because Battlefield Vietnam dosn't work because punkbuster detects that i "do not have sufficient O/S privlidges" but, i run on an administratior account.. is it possible that somthing is hiding? or do I just have to reinstall the program?

[Michelle]

Go to Start > Control Panel > Add/Remove Programs and remove this:

Weatherbug

Then open HiJackThis and put a check next to this item and click "FIX CHECKED":

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

Using windows explorer delete the following folder:

C:\Program Files\AWS

Post a new HiJackThis log and I'll take a look.

Michelle

[Michelle]

By the way, you didn't have a VX2 infection - which is a good thing!

Michelle