Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Lost my ability to change wallpaper [CLOSED]

Started by hatuttle , Jun 16 2005 02:45 PM

This topic is locked

#1
hatuttle

Posted 16 June 2005 - 02:45 PM

Member

Member
10 posts

I have run all the diagnostics you have recommended and still am having problems with being able to change my wallpaper. The option simply has disappeared when I enter my Control Panel and then Display - the only choices/tabs are Screen Saver & Setting - the tab for Wallpaper has disappeared. Also, still have websites that seem to be hijacked - ie - amazon.com comes up the following:

http://www.amazon.co...4755254-9001450

Also - google.com comes up w/ google.be.

Here is my logfile from Hijackthis - ANY help is GREATLY appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:43 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpE426.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~2\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0BBAA4B8-0D7D-09C2-1F47-71935F537D51} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hwbyyica.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com....chm::/file.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {18A043AD-ABEC-2222-C7B7-119943671599} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {23D37870-FF12-7061-E3C3-05D322A8556C} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {32D83038-2841-0A85-0E3A-43AF67043E37} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish....ishUploader.cab
O16 - DPF: {5CA9E533-2585-2093-A449-7E1161E1C1E1} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094728414953
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://ftp.coupons.c...23/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.c...belgio_ver3.CAB
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.bro...in/Download.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22573E38-D101-4633-B010-0AD3D577BB2F}: NameServer = 195.238.2.22 195.238.2.21
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2
Guest_thatman_*

Posted 16 June 2005 - 03:16 PM

Guest

Hi hatuttle

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
Download nails.cmd fix
Unzip it to the desktop but please do NOT run it yet.

Please download sphjfix Save it to your desktop

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Now run the nails.cmd fix

Now run sphjfix and post the log.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpE426.tmp (file missing)
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hwbyyica.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com....chm::/file.exe
O16 - DPF: {18A043AD-ABEC-2222-C7B7-119943671599} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {23D37870-FF12-7061-E3C3-05D322A8556C} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {32D83038-2841-0A85-0E3A-43AF67043E37} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {5CA9E533-2585-2093-A449-7E1161E1C1E1} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.c...belgio_ver3.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\system32\hpE426.tmp
C:\WINDOWS\System32\golum\services.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\Program Files\Internet Explorer\hwbyyica.exe
c:\ied_s7.cab
c:\x.cab
c:\nosuch.mht!http://www.foxik.com....chm::/file.exe
C:\WINDOWS\System32\vbsys2
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
[B]Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3
hatuttle

Posted 17 June 2005 - 07:23 AM

Member

Topic Starter
Member
10 posts

Thank you for your assistance! Here are the logs you requested after I completed all the recommended scans and work.

Logfile of HijackThis v1.99.1
Scan saved at 1:00:09 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://education.dellnet.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpE426.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0BBAA4B8-0D7D-09C2-1F47-71935F537D51} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hwbyyica.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com....chm::/file.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {18A043AD-ABEC-2222-C7B7-119943671599} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {23D37870-FF12-7061-E3C3-05D322A8556C} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {32D83038-2841-0A85-0E3A-43AF67043E37} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish....ishUploader.cab
O16 - DPF: {5CA9E533-2585-2093-A449-7E1161E1C1E1} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094728414953
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://ftp.coupons.c...23/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.c...belgio_ver3.CAB
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.bro...in/Download.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

EWIDO
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:55:23 PM, 6/17/2005
+ Report-Checksum: 93EEC51D

+ Date of database: 6/16/2005
+ Version of scan engine: v3.0

+ Duration: 62 min
+ Scanned Files: 91962
+ Speed: 24.61 Files/Second
+ Infected files: 10
+ Removed files: 10
+ Files put in quarantine: 10
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Heather Tuttle\Cookies\heather tuttle@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather Tuttle\Cookies\heather tuttle@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather Tuttle\Cookies\heather tuttle@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather Tuttle\Cookies\heather tuttle@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Heather Tuttle\Cookies\heather [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP894\A0139294.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP894\A0139295.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP894\A0139296.exe -> Trojan.TopAntiSpyware -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP894\A0139299.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP894\A0139300.dll -> Spyware.Hijacker.Generic -> Cleaned with backup

::Report End

PANDA SCAN

Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\online dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\ole32vbs.exe
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy.url
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ActiveX.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Adware:Adware/Puper No disinfected C:\WINDOWS\SYSTEM32\LogFiles\HP6121600.so
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM32\LogFiles\M6121600.so
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM32\LogFiles\P6121600.so
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM32\ole32vbs.exe
Virus:Exploit/CodeBase.A Disinfected C:\x.htm

#4
Guest_thatman_*

Posted 17 June 2005 - 02:03 PM

Guest

Hi hatuttle

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Please RIGHT-CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica’s reg file. Save it to your desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet,

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpE426.tmp (file missing)
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0BBAA4B8-0D7D-09C2-1F47-71935F537D51} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hwbyyica.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com....chm::/file.exe
O16 - DPF: {18A043AD-ABEC-2222-C7B7-119943671599} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {23232323-2323-2323-2323-232323231122} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {23D37870-FF12-7061-E3C3-05D322A8556C} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {32D83038-2841-0A85-0E3A-43AF67043E37} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {5CA9E533-2585-2093-A449-7E1161E1C1E1} - http://69.50.188.54/1/gdnBE208.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://www.advnt01.c...belgio_ver3.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
Click on Fix Checked when finished and exit HijackThis.

Now run Metallica’s reg file

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\golum\services.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\WINDOWS\System32\vbsys2
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\GatorPatch.log
C:\Documents and Settings\Heather Tuttle\Favorites\online dating.url
C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
C:\WINDOWS\system32\ole32vbs.exe
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
C:\Documents and Settings\Heather Tuttle\Favorites\Home Loan.url
C:\Documents and Settings\Heather Tuttle\Favorites\Network Security.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Dating.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling\Online Gambling.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Alprazolam.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Carisoprodol.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Diazepam.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Hydrocodone.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Lortab.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Online Pharmacy.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Prozac.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Valium.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Vicodin.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Xanax.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy.url
C:\GatorPatch.log
C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
C:\WINDOWS\blocklist.reg
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ActiveX.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\SYSTEM32\LogFiles\HP6121600.so
C:\WINDOWS\SYSTEM32\LogFiles\M6121600.so
C:\WINDOWS\SYSTEM32\LogFiles\P6121600.so
C:\WINDOWS\SYSTEM32\ole32vbs.exe
C:\x.htm[/B].
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#5
hatuttle

Posted 20 June 2005 - 11:39 AM

Member

Topic Starter
Member
10 posts

I'm getting as far as the Run Killbox step and I'm not sure I'm doing it right. I have extracted it to my desktop and am in safemode. I click to run it and it pops up w/ a box and no files to delete. Does it take time to run or do I simply have no files needing to be deleted? Or maybe I'm doing it wrong??

#6
Guest_thatman_*

Posted 20 June 2005 - 11:47 AM

Guest

Hi hatuttle

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Delete all the files in BLUE

C:\WINDOWS\System32\golum\services.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\WINDOWS\System32\vbsys2
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\GatorPatch.log
C:\Documents and Settings\Heather Tuttle\Favorites\online dating.url
C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
C:\WINDOWS\system32\ole32vbs.exe
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
C:\Documents and Settings\Heather Tuttle\Favorites\Black Jack Online.url
C:\Documents and Settings\Heather Tuttle\Favorites\Home Loan.url
C:\Documents and Settings\Heather Tuttle\Favorites\Network Security.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Dating.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling\Online Gambling.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Gambling.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Adipex.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Alprazolam.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Carisoprodol.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Diazepam.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Hydrocodone.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Lortab.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Online Pharmacy.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Prozac.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Valium.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Vicodin.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy\Xanax.url
C:\Documents and Settings\Heather Tuttle\Favorites\Online Pharmacy.url
C:\GatorPatch.log
C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
C:\WINDOWS\blocklist.reg
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ActiveX.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\SYSTEM32\LogFiles\HP6121600.so
C:\WINDOWS\SYSTEM32\LogFiles\M6121600.so
C:\WINDOWS\SYSTEM32\LogFiles\P6121600.so
C:\WINDOWS\SYSTEM32\ole32vbs.exe
C:\x.htm.
Let the system reboot.

Kc

#7
Guest_thatman_*

Posted 23 June 2005 - 11:03 AM

Guest

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.