[rambro]

Dear Gotmulk54,

The last time I spoke to you in the chat room, I told you to turn off your firewall, please tun it back on.

Rerun the Ewido scan, and post the log created from the scan in a reply to this post. I want to see this log.

[Advertisements]

ram, u want me to do it again, ive done it twice already? will the log even show anything anymore?

[Gotmulk54]

ram, u want me to do it again, ive done it twice already? will the log even show anything anymore?

[rambro]

Dear Gotmulk54,

I would like to see the log from the Ewido Scan.

[Gotmulk54]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:46:19 PM, 7/7/2005
+ Report-Checksum: 70287343

+ Scan result:

:mozilla.12:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.38:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.43:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.63:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.64:C:\Documents and Settings\WJ\Application Data\Mozilla\Firefox\Profiles\mp2xoais.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\WJ\Cookies\wj@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\WJ\Desktop\Other\ActOfWarDirectActionv1.04NoDVDFixedexeEng.rar/ActOfWar.exe -> Heuristic.Win32.Backdoor.IrcBot : Error during cleaning
C:\Documents and Settings\WJ\My Documents\My Music\act_of_war_dvdfix_crack.rar/ACTOFWAR.EXE -> Heuristic.Win32.Backdoor.IrcBot : Error during cleaning


::Report End

[rambro]

Dear Gomulk54,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Dear Gotmulk54, some of your system restore files are infected with a virus, therefore I would like you to disable your System Restore, scan your computer system with your Norton Antivirus software, and then re-enable your System Restore.

Disable System Restore and run another virus scan for Windows XP

Follow the steps in each section in the order listed.

To disable System Restore

1. Click Start > My Computer.
2. Click Properties.
3. On the System Restore tab, check Turn off System Restore.
4. Click Apply > click OK.
5. Restart the computer.

Run your Norton Antivirus scan

1. Update you Norton Antiviru software to the latest virus definitions.
2. Scan the computer with your Norton Antivirus software.

To re-enable System Restore

1. Click Start > My Computer.
2. Click Properties.
3. On the System Restore tab, uncheck Turn off System Restore.
4. Click Apply > click OK.
5. Restart the computer.

See the following link: http://service1.syma...ion=2#_Section2
********************

Clear out (delete) your Quarantine files in norton antivirus.
***********************

1) Please download the Killbox. Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

5) Select "Delete on Reboot".

6) Copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\NDNuninstall6_38.exe
C:\Documents and Settings\WJ\Local Settings\Temp\GLB1A2B.EXE
C:\Temp\Bargains.exe


7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". Now you will see, this is pasted in the "Full Path of File to Delete" field. There's a little arrow (dropdown-arrow) next to that field. If you expand it, these lines must be there together!

8) Click the red-and-white "Delete File" button.
Click "Ok" at the Delete on Reboot prompt.
Click "Ok" at the Reboot needed prompt.

9) Restart you computer.

As a double check, check to see if any of the above files were in fact deleted and let me know if it was deleted.
****************************************

Dear Gotmulk54, the next steps involve optional removals. These programs basically collect information about your computer system, your surfing habits and display advertisements. If you dont use these programs, I suggest you fix/remove these programs.

Click Start then Control Panel then Add and Remove Programs. Look for the following installed program/programs and if they are listed click on each one and then click on the Remove or Change button and if asked select "Yes" or "Ok" to remove:

Optional programs you can uninstall, through the Add/Remove program:

Relevant Knowledge provides detailed information about your Internet activities to MarketScore, including credit card numbers and purchases. Bundled with the iMesh P2P client, and also with an ineffective "web accelerator" named NetSetter. This software is an extremely invasive form of spyware since most people do not realize they have "agreed" to this level of monitoring by installing the software.

The Relevant Knowledge software monitors how you use the Internet as well as displays various surveys in popup windows. This process should be removed to protect your personal privacy. For more information visit their privacy policy agreement at http://www.relevantk...m/Agreement.htm.

RelevantKnowledge is a NetSetter/Marketscore foistware variant

See the following link: http://www.relevantknowledge.com/

Uninstall the following program/programs through Add/Remove programs:

RelevantKnowledge

WildTangent is related to online game playing. However, it is not necessary to the playing of the games, and can actually cause high system usage as well as system crashes. WildTangent collects data about your surfing habits. Wiltangent is considered foistware. Foistware is a term used to describe software downloaded to a computer without the owner's knowledge and it also downloads unsolicited advertising to your computer. It's unnecessary, I suggest you remove it. Note: If don't use the games associated with this application, by all means remove this program.

Uninstall the following program/programs through Add/Remove programs:

WildTangent

Reboot your comupter into safe mode.

Optional file/files marked in blue to be deleted (if they exist):

If you uninstalled RelevantKnowledge you need to remove the following files also:

C:\WINDOWS\system32\rk.bin
C:\WINDOWS\system32\rk.exe

Optional folder/folders marked in blue to be deleted (if they exist):

If you uninstalled WildTangent you need to remove the next folder also:

C:\Documents and Settings\WJ\Local Settings\Application Data\Wildtangent

Finally, go to the Start Menu, click "Run", and in the window type cleanmgr. This will run the System Cleanup program. Make sure the box next to "Temporary files" is checked, and then click "OK".

Please restart your computer, in Normal Mode, then post a new HijackThis log, along with the log from the MWAV antivirus tool application. Please also post the log from the Ewido scan.

In addition, let me know in detail how your computer system is running after performing the above steps.

[Gotmulk54]

Ram,

I encountered some issues...

nothing major but here we go:


First nothing was found on the virus scan, i ran it twice just to make sure(once with manual and once regualar just in case)

Next issues with killbox:

Only one of the three files would copy over so then i went looking for the other two files with their directory path

C:\WINDOWS\NDNuninstall6_38.exe
C:\Documents and Settings\WJ\Local Settings\Temp\GLB1A2B.EXE
...Neither to be found,

Next after reboot with the add/remove programs...the programs you said I have and should be able to remove...none of then appear on that either. Maybe I previously uninstalled them, but then again how would u pick up on them?


Please hit me back if you find out anything,

Thanks again,

Tom

[Gotmulk54]

one last thing i did a search and found the files rk.bin but rk.exe was not found, also i found a wild tangent folder that i deleted. Other than that no news, I hope this is information that you can use in our fight against "the man" thanks ram,

TOM

[rambro]

Dear Gotmulk54,

Thanks for the information. However, Tom, you have got to do a couple of things for me. Here they are:

Where is the ewido log, the WMAV log and the HijackThis log, that I asked for. In addition, if I send you a post, I would like you to read it all the way through at least once, before you start executing the steps.

I believe, you are not following my instructions, and that makes my job a great deal harder. Also, I believe you are not listening to me.

Edited by rambro, 08 July 2005 - 06:53 PM.

[Gotmulk54]

Rambro,

I'm sorry it seems that we have a misunderstanding...

You have been nothing but helpful to me and to that I am greatly appreciative...

but I in no way meant to insult you by not following your instructions...I have done my best to do so word for word.... I did read the post through more than once actually and take it personally insulting that you would assume otherwise. But that I can understand because of what I (failed to post) i did not post the other logs because what happended didnt happen as planned and so I wanted your advice before I did anything else like posting another post if there was something that you wanted me to do in response to the fact that things didnt work as planned. I did what you asked me the folders honestly were not present.... and no matter how many times and different ways I tried to paste and copy from clipboard nothing would work....


Ram, seriously...I'm sorry to have upset you...I did try and thought that I had followed your instructions to the "t" but it was my fault I did not post the logs...As I said earlier I was only thinking that you may have some other outside input incase that had happend

I will post the logs if you still desire them, if not ..and you wish to discontinue my log I understand and hold nothing against you, just please inform me of your decision...



I sincerely send my thanks to you and all gtg and geek u,

Gotmulk54 ( Tom)

[rambro]

Hi Gotmulk54,

It would be great if you can send me those logs I asked for. Thank you.

rambro

[rambro]

Dear Gomulk54,

Here are another set of instructions if you want to get rid of Incredimail. See the following link: http://www.oeupdates...ncrediMail.html

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Run HijackThis and click "Scan." Place checks next to the following entries (if they exist):

Optional Fixes

I highly recommend you to fix these items:

If you choose to remove IncrediMail, put a check next to the following entry as well:

O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

Close all browser and other windows except for HijackThis, and click "Fix Checked" button to finish the repair. Close the HijackThis application.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

Windows XP

* Click "Start".
* Open "My Computer".
* Select the "Tools" menu and click "Folder Options".
* Select the "View" Tab.
* Under the "Hidden files and folders" heading select "Show hidden files and folders".
* Make sure "Hide extensions for known file types" is unchecked
* Uncheck the "Hide protected operating system files (recommended)" option.
* Click "Yes" to confirm.
* Click "OK".

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html

Optional folder/folders marked in blue to be deleted (if they exist):

If you uninstalled IncrediMail you need to remove the next folder/folders also:

c:\program files\Incredimail
c:\documents and settings\username\local settings\application data\Im

Finally, go to the Start Menu, click "Run", and in the window type cleanmgr. This will run the System Cleanup program. Make sure the box next to "Temporary files" is checked, and then click "OK".

Restart your computer.
********************************

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\.ima]

[-HKEY_CLASSES_ROOT\.imf]

[-HKEY_CLASSES_ROOT\.imi]

[-HKEY_CLASSES_ROOT\.imn]

[-HKEY_CLASSES_ROOT\.ims]

[-HKEY_CLASSES_ROOT\.imw]

[-HKEY_CLASSES_ROOT\Applications\Impcontent.exe]

[-HKEY_CLASSES_ROOT\Applications\Incredimail]

[-HKEY_CLASSES_ROOT\Incredicontent]

[-HKEY_CLASSES_ROOT\Incredimessage]

[-HKEY_LOCAL_MACHINE\Software\Classes\.imc]

[-HKEY_LOCAL_MACHINE\Software\Clients\Mail\Incredimail]

[HKEY_LOCAL_MACHINE\Software\Elishim\Protect\Browser]
"Incredimail"=-

[-HKEY_LOCAL_MACHINE\Software\Incredimail]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\Most Recent Applications]
"Name"=-

[-HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\App Paths\Incredimail]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Incredimail]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".

Please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
******************************

Restart your computer, in normal mode, and then please post a new HijackThis log.

In addition, let me know in detail how your computer system is running after performing the above steps.

[Michelle]

Hello GotMulk,
You should remember me as I helped you in another topic of yours which originated in chat. I was asked to take over this topic. However, are you going to actually come back this time or is this topic going to be a waste of my time like that last one? If it is tell me now.

Otherwise, tell me any problems you're having.

[Gotmulk54]

Bananafanafo,


FIrst off my apologies on the last topic, I left the grandmothers house alone for two days and asked her not to touch untill I got back...upon my return the internet was working again and so i left her alone, I however have no way of getting back to that computer although I still need to fully uninstall i wont b3e able to get back to that untill mid august when I return from summer school for two weeks.



Yes I would love for you to try and help you help me. I havent been able to access the computer for the last few days but I am able to now. Just tell me what to do and i will try and do it.

Thanks again bananafanafo,

Tom

[Michelle]

Please post a new HiJackThis log and tell me the exact problems you're having.

[Gotmulk54]

Here is the new log,


Logfile of HijackThis v1.99.1
Scan saved at 10:18:04 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.wm.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093113411609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

The issue originated as just cleanin up programs -malware-spyware etc.

the issue now lies in getting fully rid of all these programs, primarily concentrated on incredimail most recently..

and just trying to get everything functioning properly and to best of capability