winfixer2005 installer [RESOLVED]


  • This topic is locked

#1
paul14

    Member

  • 14 posts
Hi all,

I have picked up winfixer installer and all its pop-ups from somewhere and I can't get rid of it. I have run all the anti-spyware I can think of; I have even been in the registry and found what I could and deleted it, but it just keeps coming back. Apart from a full format I just don't know what to do, please help me.
Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 14:31:07, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\paul\My Documents\zip opening\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark...en/AMClient.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\CvMp3Lib.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.EXE (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0


#2
Rawe

    Visiting Staff

  • 4,746 posts
Please download the l2mfix from one of the locations below;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install - button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note; if you receive any error messages for CMD or Autoexec.bat>> select option 5 from the l2mfix and once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!


- Rawe :tazz:
  • 0

#3
paul14

    Member

  • Topic Starter
  • 14 posts
Hi, here is my log

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\CvMp3Lib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{49D0BCCD-DF70-C6FC-DA8D-8A105D0CFC02}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{47952ED8-4388-4A00-899F-A8F36F68F0E0}"=""
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}"="QuickPar ContextMenu extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2697AC8F-085B-4047-AEDB-E8AE39653731}"=""
"{6313FEFD-FCD3-40F5-AADF-A16DF145B948}"=""
"{0FB0D664-4D60-49CE-A906-E3C0F44C7620}"=""
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{47952ED8-4388-4A00-899F-A8F36F68F0E0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47952ED8-4388-4A00-899F-A8F36F68F0E0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47952ED8-4388-4A00-899F-A8F36F68F0E0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47952ED8-4388-4A00-899F-A8F36F68F0E0}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdusr.dll"
"ThreadingModel"="Apartment"
"default"=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2697AC8F-085B-4047-AEDB-E8AE39653731}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2697AC8F-085B-4047-AEDB-E8AE39653731}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2697AC8F-085B-4047-AEDB-E8AE39653731}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2697AC8F-085B-4047-AEDB-E8AE39653731}\InprocServer32]
@=""
"ThreadingModel"="Apartment"
"default"=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6313FEFD-FCD3-40F5-AADF-A16DF145B948}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6313FEFD-FCD3-40F5-AADF-A16DF145B948}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6313FEFD-FCD3-40F5-AADF-A16DF145B948}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6313FEFD-FCD3-40F5-AADF-A16DF145B948}\InprocServer32]
@=""
"ThreadingModel"="Apartment"
"default"=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0FB0D664-4D60-49CE-A906-E3C0F44C7620}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FB0D664-4D60-49CE-A906-E3C0F44C7620}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FB0D664-4D60-49CE-A906-E3C0F44C7620}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0FB0D664-4D60-49CE-A906-E3C0F44C7620}\InprocServer32]
@=""
"ThreadingModel"="Apartment"
"default"=""

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E48B-3832

Directory of C:\WINDOWS\System32

12/08/2005 17:32 417,792 kwdusr.dll
12/08/2005 17:31 417,792 guard.tmp
22/07/2005 10:19 417,792 CvMp3Lib.dll
29/06/2005 17:56 <DIR> dllcache
16/10/2003 20:46 <DIR> Microsoft
3 File(s) 1,253,376 bytes
2 Dir(s) 59,233,918,976 bytes free
  • 0
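The find log above lists the two artefacts a responder cross-checks first: the DLL registered as a subkey under Winlogon\Notify, and the System32 files that share one byte size (three files of 417,792 bytes here). The Python script below is an added example, not part of L2MFix and not posted by anyone in this thread. It parses an excerpt constructed from that log and reports both; the regexes, the section handling and the `triage` cross-check are assumptions about the log format as it appears on this page, not a feature of the tool.

```python
"""Parse an L2MFix 'find log' of the shape posted above and pull out the two
things a responder checks first: which DLLs are registered as Winlogon\\Notify
subkeys, and which files in System32 share an identical byte size.
Added example; SAMPLE_LOG is an excerpt constructed from the log in this thread."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\CvMp3Lib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
 Directory of C:\WINDOWS\System32

12/08/2005 17:32 417,792 kwdusr.dll
12/08/2005 17:31 417,792 guard.tmp
22/07/2005 10:19 417,792 CvMp3Lib.dll
29/06/2005 17:56 <DIR> dllcache
16/10/2003 20:46 <DIR> Microsoft
 3 File(s) 1,253,376 bytes
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')            # a .reg key header line
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # a quoted string value line
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S+)$')  # a `dir` file line
NOTIFY_MARKER = '\\Winlogon\\Notify\\'              # assumed: subkeys hang directly off Notify


def notify_dlls(log_text):
    """Return {subkey_name: dll_path} for every Winlogon\\Notify subkey that sets DllName."""
    result = {}
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = key.split(NOTIFY_MARKER, 1)[1] if NOTIFY_MARKER in key else None
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v and v.group(1) == 'DllName':
            # .reg exports escape every backslash as '\\'; undo that to get a usable path
            result[current] = v.group(2).replace('\\\\', '\\')
    return result


def same_size_files(log_text, min_group=2):
    """Group the directory listing by byte size; return {size: [names]} for sizes
    shared by at least min_group files (<DIR> lines carry no size and are skipped)."""
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            by_size[int(m.group(1).replace(',', ''))].append(m.group(2))
    return {size: names for size, names in by_size.items() if len(names) >= min_group}


def triage(log_text):
    """Cross-reference the two views: a Winlogon\\Notify DLL whose file name also sits
    in a same-size cluster. Returns [(subkey, dll_path)] for the entries that match."""
    clustered = {n.lower() for names in same_size_files(log_text).values() for n in names}
    flagged = []
    for subkey, path in notify_dlls(log_text).items():
        if path.rsplit('\\', 1)[-1].lower() in clustered:
            flagged.append((subkey, path))
    return flagged


if __name__ == '__main__':
    print('Winlogon\\Notify DLLs:', notify_dlls(SAMPLE_LOG))
    print('same-size clusters:', same_size_files(SAMPLE_LOG))
    print('cross-referenced:', triage(SAMPLE_LOG))
```

The cross-check is deliberately narrow: it only reports a Notify DLL when the listing also shows other files of the same size, which is the coincidence the find log is laying out side by side. A Notify DLL with a unique size still deserves a look, but that is a judgement call rather than something the log alone can settle.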

#4
Rawe

    Visiting Staff

  • 4,746 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. ;)

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

- Rawe :tazz:
  • 0

#5
paul14

    Member

  • Topic Starter
  • 14 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\paul\My Documents\zip opening\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\paul\My Documents\zip opening\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\paul\My Documents\zip opening\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'
Killing PID 2620 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2732 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\CvMp3Lib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CvMp3Lib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdusr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdusr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\CvMp3Lib.dll
Successfully Deleted: C:\WINDOWS\system32\CvMp3Lib.dll
deleting: C:\WINDOWS\system32\CvMp3Lib.dll
Successfully Deleted: C:\WINDOWS\system32\CvMp3Lib.dll
deleting: C:\WINDOWS\system32\kwdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kwdusr.dll
deleting: C:\WINDOWS\system32\kwdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kwdusr.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: CvMp3Lib.dll (140 bytes security) (deflated 48%)
adding: kwdusr.dll (140 bytes security) (deflated 48%)
adding: guard.tmp (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 51%)
adding: echo.reg (140 bytes security) (deflated 13%)
adding: direct.txt (140 bytes security) (deflated 11%)
adding: lo2.txt (140 bytes security) (deflated 79%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 70%)
adding: test.txt (140 bytes security) (deflated 74%)
adding: test2.txt (140 bytes security) (deflated 33%)
adding: test3.txt (140 bytes security) (deflated 33%)
adding: test5.txt (140 bytes security) (deflated 33%)
adding: xfind.txt (140 bytes security) (deflated 70%)
adding: backregs/0FB0D664-4D60-49CE-A906-E3C0F44C7620.reg (140 bytes security) (deflated 72%)
adding: backregs/2697AC8F-085B-4047-AEDB-E8AE39653731.reg (140 bytes security) (deflated 71%)
adding: backregs/47952ED8-4388-4A00-899F-A8F36F68F0E0.reg (140 bytes security) (deflated 70%)
adding: backregs/6313FEFD-FCD3-40F5-AADF-A16DF145B948.reg (140 bytes security) (deflated 71%)
adding: backregs/shell.reg (140 bytes security) (deflated 61%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: CvMp3Lib.dll
deleting local copy: CvMp3Lib.dll
deleting local copy: kwdusr.dll
deleting local copy: kwdusr.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CvMp3Lib.dll
C:\WINDOWS\system32\CvMp3Lib.dll
C:\WINDOWS\system32\kwdusr.dll
C:\WINDOWS\system32\kwdusr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{47952ED8-4388-4A00-899F-A8F36F68F0E0}"=-
"{2697AC8F-085B-4047-AEDB-E8AE39653731}"=-
"{6313FEFD-FCD3-40F5-AADF-A16DF145B948}"=-
"{0FB0D664-4D60-49CE-A906-E3C0F44C7620}"=-
[-HKEY_CLASSES_ROOT\CLSID\{47952ED8-4388-4A00-899F-A8F36F68F0E0}]
[-HKEY_CLASSES_ROOT\CLSID\{2697AC8F-085B-4047-AEDB-E8AE39653731}]
[-HKEY_CLASSES_ROOT\CLSID\{6313FEFD-FCD3-40F5-AADF-A16DF145B948}]
[-HKEY_CLASSES_ROOT\CLSID\{0FB0D664-4D60-49CE-A906-E3C0F44C7620}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 19:09:38, on 12/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\paul\My Documents\zip opening\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
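Post #1 and post #5 together give a before and after HijackThis log, so the cleanup can be read as a diff. The Python script below is an added example, not HijackThis code and not posted by anyone in this thread. It parses the R/O entries from excerpts constructed from the two logs, groups what disappeared and what appeared by section, and pulls the autostart names out of the O4 lines and the DLL paths out of the O20 lines; the parsing regexes are assumptions about the log format as shown on this page.

```python
"""Diff two HijackThis logs: report which R/F/O entries disappeared and which
appeared, grouped by section, and break the O4 (autostart) and O20 (Winlogon
Notify) entries into fields. Added example; BEFORE and AFTER are excerpts
constructed from the logs in post #1 and post #5 of this thread."""
import re

BEFORE = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\CvMp3Lib.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')                           # "O4 - <text>"
O4_RUN_RE = re.compile(r'^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')   # HKLM\..\Run: [name] cmd
O4_STARTUP_RE = re.compile(r'^(Global Startup|Startup): (.+?) = (.*)$')   # Global Startup: x.lnk = path
O20_RE = re.compile(r'^Winlogon Notify: (\S+) - (.*)$')                   # Winlogon Notify: subkey - dll


def parse_entries(log_text):
    """Set of (section, text) pairs for every R/F/O line; the process list is skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries only in `before` (removed by the cleanup) and only in `after` (newly
    added), grouped by section. Sections with no change are left out."""
    b, a = parse_entries(before), parse_entries(after)
    report = {}
    for section in sorted({s for s, _ in b | a}):
        removed = sorted(t for s, t in b - a if s == section)
        added = sorted(t for s, t in a - b if s == section)
        if removed or added:
            report[section] = {'removed': removed, 'added': added}
    return report


def parse_o4(entry_text):
    """Split an O4 entry into hive/key/name/command, or None if the shape is unknown."""
    m = O4_RUN_RE.match(entry_text)
    if m:
        return {'hive': m.group(1), 'key': m.group(2), 'name': m.group(3), 'command': m.group(4)}
    m = O4_STARTUP_RE.match(entry_text)
    if m:
        return {'hive': m.group(1), 'key': None, 'name': m.group(2), 'command': m.group(3)}
    return None


def removed_autostarts(report):
    """Sorted names of the O4 autostart entries that the cleanup removed."""
    names = []
    for text in report.get('O4', {}).get('removed', []):
        parsed = parse_o4(text)
        if parsed:
            names.append(parsed['name'])
    return sorted(names)


def o20_notify_dlls(log_text):
    """{subkey: dll_path} for every O20 Winlogon Notify entry in a log."""
    result = {}
    for section, text in parse_entries(log_text):
        m = O20_RE.match(text) if section == 'O20' else None
        if m:
            result[m.group(1)] = m.group(2)
    return result


if __name__ == '__main__':
    report = diff_logs(BEFORE, AFTER)
    for section, change in report.items():
        print(section, 'removed:', change['removed'], 'added:', change['added'])
    print('autostarts removed:', removed_autostarts(report))
    print('O20 before:', o20_notify_dlls(BEFORE), 'after:', o20_notify_dlls(AFTER))
```

Diffing by section rather than by raw line is what makes the report readable: the unchanged Symantec services and browser settings drop out, and what remains is the O20 Notify DLL and three O4 autostarts gone, plus the Spybot BHO and Trend Micro startup entry that the user installed in between.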

#6
Rawe

    Visiting Staff

  • 4,746 posts
Hi again

Do these steps for now and we'll see what's left after;

1- Check your current Windows updates. Install any available critical updates then reboot. If there is nothing available, forget it.

2- Download CleanUp
Install the program, don't run it yet, we will later.

3- Click "Start", Run and type in; MRT
Click "Ok". When a window pops up, click "Next". Let it scan and let me know of the results on your next reply.

4- If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
But don't run the scan quite yet.

5- Launch Ad-Aware SE and click on the gear to access the Configuration menu. Please make sure that this setting is applied;

Click on Tweak => Cleaning engine => UNcheck "Always try to unload modules before deletion". Click "Finish". Do a Full System Scan and remove ALL it finds.

6- Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
7- Reboot when done!


8- Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
9- Post me a fresh HiJackThis log along with the Kaspersky results.

- Rawe :tazz:

#7 paul14 (Member, Topic Starter)
Hi, will it be ok if I do this lot tomorrow, because I have to go out now? Sorry.

best regards
paul :tazz:

#8 Rawe (Visiting Staff)
Yep, it's k, I get an email notification about any replies to this thread :tazz:
So I definitely won't miss your reply tomorrow.

Have a great day ;)

#9 paul14 (Member, Topic Starter)
Good morning Rawe,

The MRT scan came back clean.

Here are the Kaspersky results:

KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 13, 2005 10:43:52
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/08/2005
Kaspersky Anti-Virus database records: 134959
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43674
Number of viruses found: 18
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 2340 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP1\A0001018.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP18\A0005384.exe Infected: Trojan-Downloader.Win32.Small.ahx
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP18\A0005414.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP20\A0005449.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP20\A0005490.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP20\A0005497.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP20\A0005532.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013021.exe Infected: Trojan.Win32.Dialer.eh
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013022.exe Infected: Trojan.Win32.Dialer.eh
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013028.exe/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013028.exe/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013028.exe Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013029.dll Infected: Trojan-Downloader.Win32.Axload.e
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013030.exe Infected: Trojan-Downloader.Win32.Apropo.r
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013037.exe Infected: Trojan.Win32.Dialer.eh
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013038.dll Infected: Trojan-Downloader.Win32.Agent.jt
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013039.exe Infected: Trojan.Win32.StartPage.sx
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013040.exe Infected: Trojan.Win32.StartPage.sx
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013041.exe Infected: Trojan.Win32.StartPage.sx
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013047.exe Infected: Trojan-Downloader.Win32.IstBar.jn
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013048.exe Infected: Trojan-Downloader.Win32.IstBar.ku
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013049.exe Infected: Trojan-Downloader.Win32.IstBar.ir
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013050.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013052.exe Infected: Trojan-Downloader.Win32.IstBar.ir
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013054.exe Infected: VirTool.Win32.Patcher.a
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013055.exe Infected: VirTool.Win32.Patcher.a
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013062.ocx Infected: Trojan-Downloader.Win32.Agent.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013066.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013067.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013068.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013070.exe Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013074.dll Infected: Trojan.Win32.Dialer.eh
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013076.EXE Infected: Trojan-Dropper.Win32.SurfSide.a
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013079.exe Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013082.exe Infected: Trojan-Downloader.Win32.Lookme.g
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013084.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013085.dll Infected: Trojan-Downloader.Win32.IstBar.gen

Scan process completed.



Here is a new hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:47, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\paul\My Documents\zip opening\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 Rawe (Visiting Staff)
Ok, hi again. This should be easy to tackle since the infections are in System Restore.

Please do the following steps. You might want to print them out.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
  • Click "Next", read the agreement, Click "Next"
  • Choose "Custom" click "Next".
  • Leave the default installation directory as it is, then click "Next".
  • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
Disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, exit SpySweeper.
Run CleanUp, but don't reboot yet!

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" check box.
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, launch SpySweeper:
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Reboot into normal mode.

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


System Restore will now be active again. ;) Be sure to set a new restore point.

Post me a fresh HiJackThis log with the SpySweeper log.

- Rawe :tazz:
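The triage Rawe applies above (every Kaspersky detection sits under a System Restore snapshot, so purging the restore points clears them) can be checked mechanically over the posted report. This is an added example, not part of the thread and not a Kaspersky tool; the parsing rules, the restore-point pattern and the two sample lines marked "constructed" are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the Kaspersky On-line Scanner report
# posted above. The restore GUID and the first four object lines are copied
# from the thread; the two lines containing "constructed" are made up to
# show how a detection outside System Restore is handled.
SAMPLE_REPORT = r"""
Scan Statistics:
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0

Infected Object Name - Virus Name
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP1\A0001018.sys Infected: Rootkit.Win32.Agent.af
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP18\A0005384.exe Infected: Trojan-Downloader.Win32.Small.ahx
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013028.exe/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{3E9B5466-5ECF-4A23-89FC-A361A60963B1}\RP29\A0013028.exe Infected: Trojan-Clicker.Win32.VB.ex
C:\WINDOWS\system32\constructed_example.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Example\constructed.exe/stream Infected: Trojan.Win32.Dialer.eh

Scan process completed.
"""

# "<object> Infected: <virus name>"; the object may be an archive member,
# written by the scanner as <container path>/stream/... (forward slashes).
OBJECT_RE = re.compile(r"^(?P<object>.+?) Infected: (?P<name>\S+)$")
# Windows XP keeps restore-point copies under this tree; RPnn is the point.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)
HEADER_RE = re.compile(r"^Number of infected objects:\s*(\d+)$")


def parse_report(text):
    """Return (detections, header_count).

    Each detection is a dict: the object as reported, the on-disk container
    file (sub-object suffix stripped), the detection name and the restore
    point it lives in (None for a live file).
    """
    detections, header_count = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header_count = int(m.group(1))
            continue
        m = OBJECT_RE.match(line)
        if not m:
            continue
        obj = m.group("object")
        container = obj.split("/", 1)[0]
        rp = RESTORE_RE.match(container)
        detections.append({
            "object": obj,
            "container": container,
            "name": m.group("name"),
            "restore_point": rp.group("rp") if rp else None,
        })
    return detections, header_count


def triage(text):
    """Summarise a report: how many detections, which families, which
    restore points hold them, and which ones are live files."""
    detections, header_count = parse_report(text)
    per_rp = defaultdict(set)   # restore point -> distinct container files
    live = []
    for d in detections:
        if d["restore_point"]:
            per_rp[d["restore_point"]].add(d["container"])
        else:
            live.append(d)
    ordered = sorted(per_rp.items(), key=lambda kv: int(kv[0][2:]))
    return {
        "objects": len(detections),
        "header_matches": header_count is None or header_count == len(detections),
        "families": Counter(d["name"] for d in detections),
        "restore_points": {rp: len(files) for rp, files in ordered},
        "live": live,
        # True only when there is at least one detection and none are live.
        "all_in_restore": bool(detections) and not live,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['objects']} infected objects, "
          f"{len(result['families'])} distinct detections")
    for rp, n in result["restore_points"].items():
        print(f"  {rp}: {n} file(s) in the restore-point copy")
    if result["all_in_restore"]:
        print("All detections are System Restore copies: purge the restore "
              "points (turn System Restore off, reboot, turn it back on).")
    for d in result["live"]:
        print(f"  LIVE: {d['container']} ({d['name']}) needs removal")
```

Run against the full report posted in #9, every object falls under an RPnn directory, which is what makes the System Restore purge in #10 sufficient.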


#11 paul14 (Member, Topic Starter)
Hi again,

Here is the SpySweeper log.

********
11:46: |··· Start of Session, 13 August 2005 ···|
11:46: Spy Sweeper started
11:46: Sweep initiated using definitions version 516
11:46: Starting Memory Sweep
11:47: Memory Sweep Complete, Elapsed Time: 00:01:00
11:47: Starting Registry Sweep
11:47: Found Adware: blazefind_adstat
11:47: HKCR\adstatservx.installer\ (3 subtraces) (ID = 104585)
11:47: HKLM\software\classes\adstatservx.installer\ (3 subtraces) (ID = 104586)
11:47: Found Adware: cws_ns3
11:47: HKU\S-1-5-21-4159782051-1916452886-1421531899-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121295)
11:47: Found Adware: istbar
11:47: HKLM\software\classes\istx.installer.2\ (3 subtraces) (ID = 129095)
11:47: Found Adware: minigolf
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/wildapp.dll\ (1 subtraces) (ID = 135051)
11:47: Found Adware: richfind
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/basis.xml\ (1 subtraces) (ID = 139921)
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/nav.bmp\ (1 subtraces) (ID = 139922)
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/version.txt\ (1 subtraces) (ID = 139924)
11:47: Found Adware: supaseek toolbar
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/toolbar.dll\ (1 subtraces) (ID = 143125)
11:47: Found Trojan Horse: topconverting downloader
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mp3.ocx\ (2 subtraces) (ID = 143816)
11:47: Found Adware: win comm
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/wincommx.dll\ (2 subtraces) (ID = 146974)
11:47: Found Adware: winad
11:47: HKCR\loaderx.installer\ (5 subtraces) (ID = 147156)
11:47: HKCR\mediapassx.installer\ (3 subtraces) (ID = 147160)
11:47: HKCR\prevadx.installer\ (3 subtraces) (ID = 147161)
11:47: HKLM\software\classes\loaderx.installer\ (5 subtraces) (ID = 147170)
11:47: HKLM\software\classes\mediapassx.installer\ (3 subtraces) (ID = 147174)
11:47: HKLM\software\classes\prevadx.installer\ (3 subtraces) (ID = 147175)
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (1 subtraces) (ID = 147192)
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadtoolsx.dll\ || .owner (ID = 147196)
11:47: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadtoolsx.dll\ || {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} (ID = 147197)
11:47: Found Adware: icannnews
11:47: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
11:47: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
11:47: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
11:47: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (10 subtraces) (ID = 169456)
11:47: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
11:47: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
11:47: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
11:47: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (10 subtraces) (ID = 169463)
11:47: Registry Sweep Complete, Elapsed Time:00:00:09
11:47: Starting Cookie Sweep
11:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:47: Starting File Sweep
11:53: wpnsta.dll (ID = 125214)
11:54: Found Adware: clickyes2enter dialer
11:54: surfya.exe (ID = 129630)
11:54: File Sweep Complete, Elapsed Time: 00:06:52
11:54: Full Sweep has completed. Elapsed time 00:08:10
11:54: Traces Found: 129
11:57: Removal process initiated
11:57: Quarantining All Traces: blazefind_adstat
11:57: Quarantining All Traces: cws_ns3
11:57: Quarantining All Traces: istbar
11:57: Quarantining All Traces: minigolf
11:57: Quarantining All Traces: richfind
11:58: Quarantining All Traces: supaseek toolbar
11:58: Quarantining All Traces: topconverting downloader
11:58: Quarantining All Traces: win comm
11:58: Quarantining All Traces: winad
11:58: Quarantining All Traces: icannnews
11:58: Quarantining All Traces: clickyes2enter dialer
11:59: Removal process completed. Elapsed time 00:01:41
********
11:35: |··· Start of Session, 13 August 2005 ···|
11:35: Spy Sweeper started
11:37: Your spyware definitions have been updated.
11:46: Program Version 4.0.4 (Build 430) Using Spyware Definitions 516
11:46: |··· End of Session, 13 August 2005 ···|



Here is a new hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 12:10:05, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\paul\My Documents\zip opening\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Rawe (Visiting Staff)
Hi again,

any particular problems at the moment?

#13 paul14 (Member, Topic Starter)
Hi again,

I have been pop-up free all morning, so it might look as though you have done it again :tazz:

I can't thank you enough. If it is ok I will reply to this thread in a couple of days and let you know if I am still pop-up free.


best regards and a million thanks

paul. ;)

#14 Rawe (Visiting Staff)
Sure, I'll leave the thread open for a couple of days for you to report.

In the meantime;

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)

Visit:
http://www.windowsupdate.com to get ANY available critical updates. Install them & reboot.

- Rawe :tazz:

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html

#15 paul14 (Member, Topic Starter)
Hi again. Been pop-up free for over 24 hours now and no other obvious problems to report, so I think it's time to put this thread to bed.


Once again, a million thanks to you.

best regards
paul. :tazz: