Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware removal...hijackthis.log [RESOLVED]

Started by geoff jones , Jun 22 2005 12:20 PM

  • This topic is locked This topic is locked

#16
geoff jones
Posted 28 June 2005 - 01:53 PM

geoff jones

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Excal,

That went fine with one exception. Windows explorer would not allow me to delete the file: lvwmf11n.dll from the system 32 folder. It kept saying that the file is being used by a different person or program. The ONLY thing running was explorer in "safe" mode....I had closed all else. ???

Oh, and BTW, while I was running ACTIVESCAN, Ewido popped in with at least 4 cleanups...

Anyway, below are the results of ACTIVESCAN and a new hijackthis log.
Thanks...Geoff



Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\czfgnt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\InstallAPS.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mrltus40.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\rpyncoi.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\uwgiv.dll
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\VB3.exe
Virus:Trj/Clicker.DJ Disinfected C:\WINDOWS\system32\__delete_on_reboot__AUNPS2.DLL
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\temp\wrapperouter.exe
Logfile of HijackThis v1.99.1
Scan saved at 3:52:30 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lvwmf11n.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements

#17
Excal
Posted 28 June 2005 - 01:59 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Ack!!! lol

You have a l2m infection also :tazz:

we should get that cleaned up for you real quick ;)

You may have the latest version of VX2. Download L2mfix from one of these two locations:
  • One
    Two
  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
    Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter
  • Press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
  • Copy the contents of log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. ;)
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#18
geoff jones
Posted 28 June 2005 - 03:17 PM

geoff jones

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Excal,

Are they all this tough? :tazz:

See below

L2Mfix 1.03

Running From:
C:\Documents and Settings\Geoffrey\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Geoffrey\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Geoffrey\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1452 'explorer.exe'
Killing PID 1452 'explorer.exe'
Killing PID 1452 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2348 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\czfgnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\czfgnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvwmf11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvwmf11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrltus40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrltus40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\czfgnt.dll
Successfully Deleted: C:\WINDOWS\system32\czfgnt.dll
deleting: C:\WINDOWS\system32\czfgnt.dll
Successfully Deleted: C:\WINDOWS\system32\czfgnt.dll
deleting: C:\WINDOWS\system32\lvwmf11n.dll
Successfully Deleted: C:\WINDOWS\system32\lvwmf11n.dll
deleting: C:\WINDOWS\system32\lvwmf11n.dll
Successfully Deleted: C:\WINDOWS\system32\lvwmf11n.dll
deleting: C:\WINDOWS\system32\mqutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mqutilse.dll
deleting: C:\WINDOWS\system32\mqutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mqutilse.dll
deleting: C:\WINDOWS\system32\mrltus40.dll
Successfully Deleted: C:\WINDOWS\system32\mrltus40.dll
deleting: C:\WINDOWS\system32\mrltus40.dll
Successfully Deleted: C:\WINDOWS\system32\mrltus40.dll
deleting: C:\WINDOWS\system32\uil.dll
Successfully Deleted: C:\WINDOWS\system32\uil.dll
deleting: C:\WINDOWS\system32\uil.dll
Successfully Deleted: C:\WINDOWS\system32\uil.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: czfgnt.dll (164 bytes security) (deflated 48%)
adding: lvwmf11n.dll (164 bytes security) (deflated 48%)
adding: mqutilse.dll (164 bytes security) (deflated 48%)
adding: mrltus40.dll (164 bytes security) (deflated 48%)
adding: uil.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 81%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (deflated 16%)
adding: test3.txt (164 bytes security) (deflated 16%)
adding: test5.txt (164 bytes security) (deflated 16%)
adding: xfind.txt (164 bytes security) (deflated 79%)
adding: backregs/8B1A4063-343B-4C63-9F31-4079FFB36F6E.reg (164 bytes security) (deflated 70%)
adding: backregs/F299ABD8-9B1D-46A6-A6F6-617E1AACF93D.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: czfgnt.dll
deleting local copy: czfgnt.dll
deleting local copy: lvwmf11n.dll
deleting local copy: lvwmf11n.dll
deleting local copy: mqutilse.dll
deleting local copy: mqutilse.dll
deleting local copy: mrltus40.dll
deleting local copy: mrltus40.dll
deleting local copy: uil.dll
deleting local copy: uil.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\czfgnt.dll
C:\WINDOWS\system32\czfgnt.dll
C:\WINDOWS\system32\lvwmf11n.dll
C:\WINDOWS\system32\lvwmf11n.dll
C:\WINDOWS\system32\mqutilse.dll
C:\WINDOWS\system32\mqutilse.dll
C:\WINDOWS\system32\mrltus40.dll
C:\WINDOWS\system32\mrltus40.dll
C:\WINDOWS\system32\uil.dll
C:\WINDOWS\system32\uil.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F299ABD8-9B1D-46A6-A6F6-617E1AACF93D}"=-
"{8B1A4063-343B-4C63-9F31-4079FFB36F6E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F299ABD8-9B1D-46A6-A6F6-617E1AACF93D}]
[-HKEY_CLASSES_ROOT\CLSID\{8B1A4063-343B-4C63-9F31-4079FFB36F6E}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 5:16:10 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#19
Excal
Posted 28 June 2005 - 04:17 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Sometimes they can be....lol




Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Open HiJackthis, scan. Put a check next to the following. and click Fix Checked:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Reboot


Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

Unzip/extract the files inside . Open the folder and run FindIt's.bat and wait for a text to open. It will take a while ... be patient ... then post the results here please.

Run an online scan at the following and post the results:
Kaspersky


Post the HiJackthis log, Kaspersky log and the find it log please

Thanks,

:tazz:

Excal

Edited by Excal, 28 June 2005 - 04:18 PM.

  • 0

#20
geoff jones
Posted 28 June 2005 - 05:39 PM

geoff jones

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Excal,

Didn't do too well on this one,
first, the 023-service file you asked me to delete doesn't exist! so I moved on to th Findit's link and the webpage comes up: file cannot be found...I searched the net integration webpage but couldn't find a link to FindIt's...sorry

Attached are the Kaspersky log and the beloved Hijackthis:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, June 28, 2005 19:29:15
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 128186
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 48659
Number of viruses found: 13
Number of infected objects: 113
Number of suspicious objects: 0
Duration of the scan process: 2496 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\04BA2CC9.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AC1121D.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AD61E33.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AD94830.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0ADD722C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AE01C28.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AEA1A1E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AED441A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AF06E16.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AF31813.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AF7420F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AFA6C0C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0AFD1608.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B014004.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B046A01.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B0713FD.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B0A3DFA.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B0E67F6.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B1111F2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0B143BEF.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0DD770EA.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\0FFC7895.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\12FA50C1.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\13947322.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\14F91605.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\16514E1C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\16B74423.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\1A00657B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\22470022.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2D043C20.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2DD83C20.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2E3E3228.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\38E13BFD.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\3968781F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\39CE6E27.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\3B456018.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\3C2D1F84.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\3EC27886.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\3F2B0F6C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\3FEE5583.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\44532CA7.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\44E43586.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\44F8341E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\470F277F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\494F48A2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4CC6479A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4E2F797B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4F553A06.exe Infected: Trojan-Downloader.Win32.VB.ft
C:\Program Files\Norton AntiVirus\Quarantine\5089701C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\50EF6624.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\510D2A16.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\554F4B77.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\5C192C1B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\5C7F2222.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\5D1957B0.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\Program Files\Norton AntiVirus\Quarantine\68105E21.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\6F1B1570.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\73A01A20.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\74061027.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\748B4632.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\767908D2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7CE35DE2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7D9A5ACD.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7EB545DF Infected: Trojan-Downloader.Win32.Small.abd
C:\Program Files\Norton AntiVirus\Quarantine\7EBC19D8.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\Program Files\Norton AntiVirus\Quarantine\7F30561E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7F964C26.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP445\A0046100.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP445\A0046101.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP445\A0046170.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP446\A0046235.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP446\A0046271.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP446\A0046272.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046631.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046641.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046824.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046829.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046836.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046842.exe Infected: Trojan.Win32.Stervis.c
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046896.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046897.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046906.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046907.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046909.exe Infected: Trojan.Win32.Stervis.c
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046911.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046912.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046922.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046932.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046937.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046942.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046951.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046954.exe Infected: Trojan.Win32.Stervis.c
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046957.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046958.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046959.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046960.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046965.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP451\A0046971.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP452\A0047052.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP452\A0047079.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP454\A0047888.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP454\A0047890.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP455\A0048199.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP455\A0048200.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP456\A0048329.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP456\A0048360.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP456\A0048394.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP456\A0048395.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP456\A0048405.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP457\A0048555.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP457\A0048556.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP458\A0048633.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{7061E6DD-6894-4920-9D79-1B7AA8102389}\RP458\A0048634.DLL Infected: Trojan-Clicker.Win32.Small.ez

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 7:39:03 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#21
Excal
Posted 28 June 2005 - 06:04 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi geoff,

ACK!!!!

You have another new infection! but this one is only a baby one ;)
Please only surf the web if it is necessary, until we get you cleaned up. Then i will give you a whole list of Free programs that will make your computer safer ;)

This link should work now for findit.

Findit


All those things that Kaspersky found were items already taken care of and in Quarantine. Make sure you fo thru and empty out your Quarantine section of norton.


1. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

2. Close all browsers, windows and unneeded programs.

3. Open HiJack and do a scan.

4. Put a Check next to the following items:

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe

5. click the Fix Checked box

6. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

VBouncer or virtualBouncer

7. Please remove the following folders using Windows Explorer (if present):

C:\PROGRA~1\VBouncer

8. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

9. Please post the Active scan log, Findit log and a fresh HiJackThis log. Let me know how your computer is running.



thanks,

:tazz:

Excal
  • 0

#22
geoff jones
Posted 28 June 2005 - 07:34 PM

geoff jones

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Excal, Where are you in MA ?...I'm in NH.

I'm staying off the web completely...till we've got this licked.

Here ya' go...


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 06/28/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 64F6-37E3

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 64F6-37E3

Directory of C:\WINDOWS\system32

06/26/2001 07:52 AM 1,406 LAN.ico
12/08/1999 06:27 PM 766 PWR.ICO
10/17/2001 03:41 PM 1,078 USB.ico
06/26/2001 07:56 AM 1,406 Wireless.ico
4 File(s) 4,656 bytes
0 Dir(s) 51,019,804,672 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[czfgnt.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[lvwmf11n.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[mqutilse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[mrltus40.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[uil.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Geoffrey\Desktop\l2mfix\backup.zip[guard.tmp]
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\rpyncoi.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\uwgiv.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\temp\wrapperouter.exe
Logfile of HijackThis v1.99.1
Scan saved at 9:34:02 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Geoffrey\Application Data\Mozilla\Profiles\default\h4qixami.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#23
Excal
Posted 28 June 2005 - 07:40 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
WOOT!!!!!!!!!!!!!!!!!!!!! Ur clean!!!!!!!!!!!!! Well your computer is anyways :tazz:

Those files that were picked up are the backups that the l2m program picked up. They will be gone when you get rid of that program

I live on the border of Springfield ;)

If oyu have any questions about any of the following, be sure to ask :help:

Great job, it appears your computer is clean ;)

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast


The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad


A Firewall is a must! Here are 3 good free versions:

Sygate

Kerio

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
  • 0

#24
geoff jones
Posted 28 June 2005 - 07:49 PM

geoff jones

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Excal,

I'll repeat my previous premature note...
Thank you Thank you Thankyou!

I'll also take advantage of everyone of your suggestions...

Know your area well....I worked for Springfield Food Service for a number of years.

Thanks again....Paypal on the way!
  • 0

#25
Excal
Posted 28 June 2005 - 08:20 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Thanks and its been my pleasure. You need anything else, you know where to find me ;)

:tazz:

Excal
  • 0

Advertisements

#26
Excal
Posted 11 July 2005 - 08:09 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP