Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Panda Scan show viruses

Started by realapp , Jan 09 2007 02:21 PM

  • This topic is locked This topic is locked

#1
realapp
Posted 09 January 2007 - 02:21 PM

realapp

    Member

  • Member
  • PipPipPip
  • 338 posts
I was having trouble with IE errror saying encountered problem and have to shut down as well as computer running slow. I initially ran Spybot and it got rid of a deepdive virus, but didn't solve problem. I then did all the suggestions listed here. Also, after updating Windows sp1a, i had a windows installer keeping popping up. Never had that before. PC does seem to be running better, but want to make sure I get rid of all the Panda Scan results, and don't know how to proceed. Any help would be greatly appreciated!!. I have posted the Scan Report as well as the Hijack This log.

Computer actually running slower again today.



Incident Status Location

Virus:Trj/LowZones.TF Disinfected Operating system
Spyware:spyware/betterinet Not disinfected c:\windows\system32\in10b6s.dll
Adware:adware/kingporn Not disinfected c:\windows\system32\inetdctr.dll
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Teresa L\Application Data\tvmcwrd.dll
Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Dialer:dialer generic Not disinfected c:\program files\dialers
Adware:adware/ist.istbar Not disinfected Windows Registry
Virus:Trj/LowZones.TF Disinfected C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
Virus:Trj/LowZones.TF Disinfected C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Virus:Trj/LowZones.TF Disinfected C:\Program Files\Java\jre1.5.0\bin\jusched.exe
Virus:Trj/LowZones.TF Disinfected C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe
Virus:Trj/Downloader.AEE Disinfected C:\WINDOWS\LastGood\Downloaded Program Files\counter.inf
Adware:Adware/SAHAgent







Logfile of HijackThis v1.99.1
Scan saved at 2:15:23 PM, on 1/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\HP\DIGITA~1\PRODUC~1\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C80 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_SA9.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://iow.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149624254156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168371201343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://spherion.cent...aDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Edited by realapp, 10 January 2007 - 08:20 AM.

  • 0

Advertisements

#2
JSntgRvr
Posted 14 January 2007 - 04:37 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, realapp :whistling:

Welcome to Geeks to go.

The AciveScan shows too many False Positives.

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#3
realapp
Posted 14 January 2007 - 07:50 PM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
Hope this was right. Thanks!!!!!




Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\WIN2000\BAK

04/11/2005 08:17 AM 622,592 guru.exe
1 File(s) 622,592 bytes

Directory of C:\WINDOWS\BAK

09/23/2001 06:14 AM 163,840 DELLMMKB.EXE
1 File(s) 163,840 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

10/05/2001 06:34 PM 24,576 wkfud.exe
08/23/2001 03:52 PM 331,830 WksSb.exe
2 File(s) 356,406 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/27/2003 11:31 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\UPROMI~2\BAK

11/16/2006 02:17 PM 255,520 UpromiseRemindUv.exe
1 File(s) 255,520 bytes

Directory of C:\PROGRA~1\BILLPS~1\WINPAT~1\BAK

09/19/2004 05:29 PM 110,592 winpatrol.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\EPSON\INKMON~1\BAK

12/07/2001 03:48 AM 258,118 InkMonitor.exe
1 File(s) 258,118 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

09/26/2006 08:39 AM 369,664 avgcc.exe
1 File(s) 369,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/11/2005 10:12 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

05/31/2006 07:54 AM 1,003,520 realplay.exe
1 File(s) 1,003,520 bytes


09/04/2001 02:31 PM 655,360 DirectCD.exe
1 File(s) 655,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

04/28/2004 05:08 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0\BIN\BAK

05/07/2006 08:22 PM 36,972 jusched.exe
1 File(s) 36,972 bytes

Directory of C:\PROGRA~1\TRACKE~1\PDF-XC~1\PDFSAVER\BAK

07/18/2004 09:43 AM 368,640 pdfSaver3.exe
1 File(s) 368,640 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

622592 Apr 11 2005 "C:\WIN2000\bak\guru.exe"
163840 Sep 23 2001 "C:\WINDOWS\bak\DELLMMKB.EXE"




24576 Oct 5 2001 "C:\Program Files\Microsoft Works\bak\wkfud.exe"
331830 Aug 23 2001 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
77824 Nov 27 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
255520 Nov 16 2006 "C:\Program Files\Upromise__RemindU\bak\UpromiseRemindUv.exe"
237568 Sep 19 2004 "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
110592 Sep 19 2004 "C:\Program Files\BillP Studios\WinPatrol\bak\winpatrol.exe"
258118 Dec 7 2001 "C:\Program Files\EPSON\Ink Monitor\bak\InkMonitor.exe"
406016 Dec 28 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
369664 Sep 26 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
49152 May 11 2005 "C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 May 11 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
1003520 May 31 2006 "C:\Program Files\Real\RealPlayer\bak\realplay.exe"
655360 Sep 4 2001 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
180269 Apr 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36972 May 7 2006 "C:\Program Files\Java\jre1.5.0\bin\bak\jusched.exe"
368640 Jul 18 2004 "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\bak\pdfSaver3.exe"


end of report
  • 0

#4
JSntgRvr
Posted 14 January 2007 - 09:34 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, realapp . :whistling:

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. We will delete the bad files, then copy the good files to their correponding places.

The following programs were affected:

Microsoft Works
QuickTime
Upromise__RemindU
WinPatrol
EPSON Ink Monitor
AVG Free
HP Software Update
RealPlayer
Easy CD Creator
Java
PDF-XChange
Keyboard
WinTOTAL Scheduler

Download the enclosed file: [attachment=12626:attachment]
Save and extract its contents to the desktop. It is a folder containing a Batch file, DelFiles.bat . Don't do anything with it yet. We will run it in Safe Mode.

Posted ImagePlease download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Posted Image
  • Launch AVG Anti-Spyware.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:

Double click on the DelFiles.bat file. The MSDOS window will flash for a second. That is normal. A new document will be produced. Post its contents in your next reply.
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware .
Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the AVG Anti-spyware report, ActiveScan report and the logit.txt produced earlier..
  • 0

#5
realapp
Posted 15 January 2007 - 11:57 AM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
okay, I think this is everything that was needed in last post.




Logfile of HijackThis v1.99.1
Scan saved at 11:47:14 AM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\Teresa L\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://iow.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149624254156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168371201343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://spherion.cent...aDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




Volume in drive C has no label.
Volume Serial Number is 40D8-EFDD

Directory of C:\Backup

01/15/2007 09:21 AM <DIR> .
01/15/2007 09:21 AM <DIR> ..
12/28/2006 04:45 PM 406,016 avgcc.exe
05/11/2005 11:12 PM 49,152 hpwuSchd2.exe
2 File(s) 455,168 bytes
2 Dir(s) 28,705,882,112 bytes free
Volume in drive C has no label.
Volume Serial Number is 40D8-EFDD

Directory of C:\Backup

01/15/2007 11:27 AM <DIR> .
01/15/2007 11:27 AM <DIR> ..
09/26/2006 08:39 AM 369,664 avgcc.exe
09/23/2001 06:14 AM 163,840 DELLMMKB.EXE
09/04/2001 02:31 PM 655,360 DirectCD.exe
04/11/2005 08:17 AM 622,592 guru.exe
05/11/2005 10:12 PM 49,152 hpwuSchd2.exe
12/07/2001 03:48 AM 258,118 InkMonitor.exe
05/07/2006 08:22 PM 36,972 jusched.exe
07/18/2004 09:43 AM 368,640 pdfSaver3.exe
11/27/2003 11:31 AM 77,824 qttask.exe
05/31/2006 07:54 AM 1,003,520 realplay.exe
04/28/2004 05:08 AM 180,269 realsched.exe
11/16/2006 02:17 PM 255,520 UpromiseRemindUv.exe
09/19/2004 05:29 PM 110,592 winpatrol.exe
10/05/2001 06:34 PM 24,576 wkfud.exe
08/23/2001 03:52 PM 331,830 WksSb.exe
15 File(s) 4,508,469 bytes
2 Dir(s) 28,365,443,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 40D8-EFDD

Directory of C:\Backup

01/15/2007 11:27 AM <DIR> .
01/15/2007 11:27 AM <DIR> ..
09/26/2006 08:39 AM 369,664 avgcc.exe
09/23/2001 06:14 AM 163,840 DELLMMKB.EXE
09/04/2001 02:31 PM 655,360 DirectCD.exe
04/11/2005 08:17 AM 622,592 guru.exe
05/11/2005 10:12 PM 49,152 hpwuSchd2.exe
12/07/2001 03:48 AM 258,118 InkMonitor.exe
05/07/2006 08:22 PM 36,972 jusched.exe
07/18/2004 09:43 AM 368,640 pdfSaver3.exe
11/27/2003 11:31 AM 77,824 qttask.exe
05/31/2006 07:54 AM 1,003,520 realplay.exe
04/28/2004 05:08 AM 180,269 realsched.exe
11/16/2006 02:17 PM 255,520 UpromiseRemindUv.exe
09/19/2004 05:29 PM 110,592 winpatrol.exe
10/05/2001 06:34 PM 24,576 wkfud.exe
08/23/2001 03:52 PM 331,830 WksSb.exe
15 File(s) 4,508,469 bytes
2 Dir(s) 28,364,947,456 bytes free





---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:01:14 AM 1/15/2007

+ Scan result:



Nothing found.


::Report end






Incident Status Location

Spyware:spyware/betterinet Not disinfected c:\windows\system32\in10b6s.dll
Adware:adware/kingporn Not disinfected c:\windows\system32\inetdctr.dll
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Teresa L\Application Data\tvmcwrd.dll
Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Dialer:dialer generic Not disinfected c:\program files\dialers
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
  • 0

#6
JSntgRvr
Posted 15 January 2007 - 12:43 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\in10b6s.dll
    c:\windows\system32\inetdctr.dll
    c:\windows\system32\INNERADINSTALL.LOG
    C:\Documents and Settings\Teresa L\Application Data\tvmcwrd.dll
    c:\windows\pcconfig.dat
    c:\program files\dialers\
    C:\WINDOWS\SYSTEM32\xmltok.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

How is the computer doing?
  • 0

#7
realapp
Posted 15 January 2007 - 12:54 PM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
I was able to download Killbox but when I open in and click on "All files" it just keeps blinking. Is this what it's suppose to do. It doesn't show me any files. The computer does seem to be running better. Thanks so much!

Edited by realapp, 15 January 2007 - 01:01 PM.

  • 0

#8
JSntgRvr
Posted 15 January 2007 - 02:24 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, realapp :whistling:

I was able to download Killbox but when I open in and click on "All files" it just keeps blinking. Is this what it's suppose to do. It doesn't show me any files. The computer does seem to be running better. Thanks so much!

You have to click on Delete on Reboot first, then on All Files button. Highlight the list of files, right click and select Copy.

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot.

Let me know if able to do so.
  • 0

#9
realapp
Posted 15 January 2007 - 02:26 PM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
I did click on "Delete on Reboot" but no files appear
  • 0

#10
JSntgRvr
Posted 15 January 2007 - 04:29 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, realapp :whistling:

Lets use another tool.

Please remove Killbox from your computer.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the QUOTE box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\in10b6s.dll
c:\windows\system32\inetdctr.dll
c:\windows\system32\INNERADINSTALL.LOG
C:\Documents and Settings\Teresa L\Application Data\tvmcwrd.dll
c:\windows\pcconfig.dat
C:\WINDOWS\SYSTEM32\xmltok.dll

Folders to delete:
c:\program files\dialers


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .
  • 0

#11
realapp
Posted 15 January 2007 - 04:50 PM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
okay, here it is.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vvojbeak

*******************

Script file located at: \??\C:\Documents and Settings\gujfrnls.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\in10b6s.dll deleted successfully.
File c:\windows\system32\inetdctr.dll deleted successfully.
File c:\windows\system32\INNERADINSTALL.LOG deleted successfully.
File C:\Documents and Settings\Teresa L\Application Data\tvmcwrd.dll deleted successfully.
File c:\windows\pcconfig.dat deleted successfully.
File C:\WINDOWS\SYSTEM32\xmltok.dll deleted successfully.
Folder c:\program files\dialers deleted successfully.

Completed script processing.

*******************

Finished! Terminate.







Logfile of HijackThis v1.99.1
Scan saved at 4:49:57 PM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\notepad.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Teresa L\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://iow.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1149624254156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168371201343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://spherion.cent...aDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#12
JSntgRvr
Posted 15 January 2007 - 05:09 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, realapp :whistling:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

The rest of the log look clear. Congratulations.Posted Image

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Create a Restore point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
You should also upgrade to SP2.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Glad I could be of help. Best wishes! Posted Image
  • 0

#13
realapp
Posted 15 January 2007 - 05:28 PM

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
THANK YOU SO MUCH. I NEVER COULD HAVE DONE ALL THAT!!!
  • 0

#14
JSntgRvr
Posted 15 January 2007 - 05:31 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
You are welcome. :whistling:
  • 0

#15
JSntgRvr
Posted 24 January 2007 - 01:15 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP