win xp boot time



#31
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please rerun adaware and cleanup again, then do the panda scan again and post the contents of the panda scan. :tazz:

Edited by coachwife6, 26 August 2005 - 04:12 AM.

  • 0



#32
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK, reran adaware & cleanup - new panda scan:


Incident | Status | Location
Spyware:Spyware/ISTBar | No disinfected | C:\!Submit\tsuninst.exe
Spyware:Spyware/BargainBuddy | No disinfected | C:\!Submit\virus.bmp

I used killbox before on these and now they're in a new folder named !submit.

Edited by Wayne Puckett, 26 August 2005 - 10:23 PM.

  • 0

#33
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run Pocketkill box

* choose Tools > Delete Temp Files and click OK
* In Killbox - put a check next to "Delete on Reboot"
* Copy and paste each of the following lines (the ones in bold type) one at a time into the top most box.
* Then click the red button with the X after each
* It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\System 32\virus.bmp

Run CleanUp! Reboot and tell me how it's going.
  • 0

#34
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK, I completed Pocket Kill box and CleanUp! and rebooted - from POST beep to Win XP logo took 40 minutes.
When I go to explore my computer it's slow. Something seems to be taking a lot of memory up. When I go online the machine seems to be OK; pages load quicker.
:tazz:

Edited by Wayne Puckett, 27 August 2005 - 01:23 AM.

  • 0

#35
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Now that you're clean, I'll have peterm look at it. Just wanted to take one step at a time. I appreciate your efforts.

There is one more thing you might do:

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

  • 0

#36
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
:) Thank you Coach Wife6

I ran Rootkit Revealer; this is what I got. It seems like it hung up, so I ran it twice and it hung at the same place :tazz: * Documents and Settings\local-user\Application Data\Sun\Java\Deployment\tmps\si*
The 50 things it has found are from VeLite that I downloaded before we started working on this thing, and then I realized maybe I shouldn't have done this on an infected machine :) so I uninstalled it the next day. Early on in the thread, on a HJT log, we got rid of some VE things. Sorry for going on.
You asked me to save rootkitrevealer.txt to my desktop, but I get an error message telling me it was not available because I was off line. I have a cable modem and I unplug the power to go off line. I did have a virus in my Java Applet before, but it was cleaned by Trend Micro or AVG.

Here is the log, saved as TXT to MyDocuments.
I don't think this is all you need; the computer hangs. :)

HKLM\SOFTWARE\VE\1\Registry\DUSR\S-1-5-18 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\DUSR\S-1-5-18\SymbolicLinkValue 8/16/2005 12:05 PM 108 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\Machine\SAM 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\Machine\SAM\SymbolicLinkValue 8/16/2005 12:05 PM 42 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\Machine\SECURITY 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\Machine\SECURITY\SymbolicLinkValue 8/16/2005 12:05 PM 52 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\Machine\SOFTWARE 8/16/2005 12:05 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\Machine\SYSTEM 8/16/2005 12:05 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\.DEFAULT 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\.DEFAULT\SymbolicLinkValue 8/17/2005 6:23 PM 108 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-18 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-18\SymbolicLinkValue 8/17/2005 6:23 PM 108 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-19 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-19\SymbolicLinkValue 8/17/2005 6:23 PM 108 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-19_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-19_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 124 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-20 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-20\SymbolicLinkValue 8/17/2005 6:23 PM 108 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-20_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-20_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 124 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003\SymbolicLinkValue 8/17/2005 6:23 PM 182 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 198 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\HARDWARE 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\HARDWARE\SymbolicLinkValue 8/16/2005 12:05 PM 52 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SAM 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SAM\SymbolicLinkValue 8/16/2005 12:05 PM 42 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SECURITY 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SECURITY\SymbolicLinkValue 8/16/2005 12:05 PM 52 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SOFTWARE 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SOFTWARE\SymbolicLinkValue 8/16/2005 12:05 PM 52 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SYSTEM 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\Machine\SYSTEM\SymbolicLinkValue 8/16/2005 12:05 PM 48 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\.DEFAULT 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\.DEFAULT\SymbolicLinkValue 8/17/2005 6:23 PM 46 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-18 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-18\SymbolicLinkValue 8/17/2005 6:23 PM 46 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-19 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-19\SymbolicLinkValue 8/17/2005 6:23 PM 46 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-19_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-19_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 62 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-20 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-20\SymbolicLinkValue 8/17/2005 6:23 PM 46 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-20_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-20_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 62 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003\SymbolicLinkValue 8/17/2005 6:23 PM 120 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003_Classes 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\S-1-5-21-776561741-1580818891-1060284298-1003_Classes\SymbolicLinkValue 8/17/2005 6:23 PM 136 bytes Hidden from Windows API.
  • 0
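A triage sketch for a log like the one posted above, added here as an example and not part of the original thread or of Rootkit Revealer: it parses the space-flattened lines as they appear in the post, counts entries per discrepancy description, and lists any entry that falls outside the registry subtree the poster attributes them to. The sample lines, the `VExtra` and `Example Vendor` keys, and all function names are constructed for illustration.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2} [AP]M) (?P<size>[\d.,]+ \w+) (?P<desc>.+)$")

# Constructed sample in the space-flattened layout of the log posted above;
# the VExtra and "Example Vendor" lines are invented for the demonstration.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\VE\1\Registry\Machine\SAM 8/16/2005 12:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VE\1\Registry\Machine\SAM\SymbolicLinkValue 8/16/2005 12:05 PM 42 bytes Hidden from Windows API.
HKLM\SOFTWARE\VE\SPILL__0\Registry\USER\.DEFAULT 8/17/2005 6:23 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\VExtra\Run 8/17/2005 6:23 PM 12 bytes Hidden from Windows API.
HKLM\SOFTWARE\Example Vendor\Hidden Key 8/17/2005 6:23 PM 0 bytes Hidden from Windows API.
this line is not a log entry
"""

def parse_log(text):
    """Return (entries, unparsed) for the non-blank lines of a log."""
    entries, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            unparsed.append(line)  # keep for manual review, never drop silently
    return entries, unparsed

def under(path, prefix):
    """Case-insensitive match on whole key components, so VE does not match VExtra."""
    p, q = path.lower(), prefix.lower().rstrip("\\")
    return p == q or p.startswith(q + "\\")

def triage(text, expected_prefixes):
    """Count discrepancy types and list entries outside the expected subtrees."""
    entries, unparsed = parse_log(text)
    by_desc = Counter(e["desc"] for e in entries)
    outside = [e["path"] for e in entries
               if not any(under(e["path"], p) for p in expected_prefixes)]
    return by_desc, outside, unparsed

if __name__ == "__main__":
    counts, outside, bad = triage(SAMPLE_LOG, [r"HKLM\SOFTWARE\VE"])
    print(dict(counts))
    print("outside expected subtree:", outside)
    print("unparsed:", bad)
```

An empty `outside` list only confirms where the entries sit; it says nothing about whether the software that owns that subtree is wanted on the machine.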

#37
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Since the computer hangs, let's try something else that cretemonster suggested to me:

Are you running Norton and AVG? Please get rid of one. Having more than one antivirus is bad for the system.

Go to add/remove programs and remove programs you no longer use.

I need you to go to Start > Run and type in msconfig

Click enable all in the startup tab. Let me know what is running there.

Do the following in safe mode.

Download winpfind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard as a reply to where you are receiving help.

Edited by coachwife6, 28 August 2005 - 09:49 AM.

  • 0

#38
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I did have Norton, but Norton and Webshots kept giving me errors when booting the computer when infected with a virus. The Norton subscription was going to end in Oct. and I do not have the CD for it; the computer was bought used. I uninstalled Norton - all but Norton Ghost 2003 - when I found GTG and installed AVG. I will do the other things as requested and post again.
  • 0

#39
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
ok this :) computer does not like rootkit revealer or WinPFind. :)
This is what I have on msconfig

GhostStart Tray App
DevDectect
avgcc
jusched
realsched
webshots

I ran WinPFind in safe mode for 18 hrs. and got a WinPFind error:
cannot open file C:\Documents and Settings\ALLUSERS\Start Menu\Programs\Start up\desktop.ini.
I clicked OK, with no more HD activity for 2 hrs. Tried to copy and paste and could not. :tazz:
So I restarted the computer and tried in Windows and got the same thing. WinPFind gets to
"Checking files in %Allusersprofile%\Startup folder" and got WinPFind ERROR I\Q Error 1816. Clicked OK and the program quit :) :ph34r: :ph34r:

Edited by Wayne Puckett, 29 August 2005 - 08:35 PM.

  • 0

#40
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Are you just double-clicking the zip files and trying to run the program???

If so, that's why they don't work!

They have to Unzip and Extract All Files or the programs won't run right!

After that---

1. Click Start.

2. Click Run.

3. Type SFC /scannow in the run command slot. (Note: there is a space after SFC and that's a FORWARD slash in the middle, there.)

4. Press the OK button below on the run command menu box.

It will ask for your operating system disc/CD. Put it in your CD-ROM, and let it work.

http://www.updatexp....cannow-sfc.html
  • 0



#41
Wayne Puckett

Wayne Puckett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
:) Sorry for the delay. Putter HD crashed. Got new HD and reinstalled everything. Thanks to all for your help and time! Kudos! :tazz:
  • 0





