
Stuck with Win Fixer


#1 mgaff14, New Member, 4 posts
Here's the log I got on the machine I'm working on. Can you tell me what steps to use to remove all these bugs?
Logfile of HijackThis v1.99.1
Scan saved at 1:29:39 PM, on 08/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Cobian Backup 4\CobBU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Cobian Backup 4\cobui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Utils\printkey.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\tbps.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\WINDOWS\system32\logon.scr
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com/home.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/home.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eweb.verizon.com/home.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 144.70.99.20 ftwixos sapfwp02 # IXOS DB Server - Prod
O1 - Hosts: 144.70.99.8 saftw1sp0 # SSP 0 - Starfire1
O1 - Hosts: 144.70.99.10 saftw2sp0 # SSP 0 - Starfire2
O1 - Hosts: 144.70.99.12 saftw3sp0 # SSP 0 - Starfire3
O1 - Hosts: 144.70.99.27 saftw4sp0 # SSP 0 - Starfire4
O1 - Hosts: 144.70.99.28 saftw5sp0 # SSP 0 – Starfire5
O1 - Hosts: 144.70.99.13 saftw6sp0 # SSP 0 - Starfire6
O1 - Hosts: 144.70.99.68 saftw7sp0 # SSP 0 - Starfire7
O1 - Hosts: 144.70.99.94 saftwadm # FTW E250 Admin Server
O1 - Hosts: 144.70.99.21 saftwccs # CCS NT Box
O1 - Hosts: 144.70.99.230 saftwemc1 # EMC Connectrix
O1 - Hosts: 144.70.99.1 saftwi01 # GTE DB/App Server
O1 - Hosts: 144.70.99.2 saftwi02 # LAW DB Server - Prod
O1 - Hosts: 144.70.99.3 saftwi03 # P01 App Server
O1 - Hosts: 144.70.99.4 saftwi04 # P01 App Server
O1 - Hosts: 144.70.99.5 saftwi05 # P01 App Server
O1 - Hosts: 144.70.99.6 saftwi06 # P01 App Server
O1 - Hosts: 144.70.99.7 saftwi07 #
O1 - Hosts: 144.70.99.14 saftwi08 # P07 DB Server
O1 - Hosts: 144.70.99.15 saftwi09 # P02 DB Server
O1 - Hosts: 144.70.99.16 saftwi10 # P02 App Server
O1 - Hosts: 144.70.99.17 saftwi11 # P02 App Server
O1 - Hosts: 144.70.99.18 saftwi12 #
O1 - Hosts: 144.70.99.19 saftwi13 #
O1 - Hosts: 144.70.99.22 saftwi14 # P00 DB/App Server
O1 - Hosts: 144.70.99.23 saftwi15 #
O1 - Hosts: 144.70.99.24 saftwi16 # P04 DB Server
O1 - Hosts: 144.70.99.25 saftwi17 # P04 App Server
O1 - Hosts: 144.70.99.30 saftwi30 # Printserver
O1 - Hosts: 144.70.99.32 saftwi32 # P05 DB Server
O1 - Hosts: 144.70.99.33 saftwi33 # P05 App Server
O1 - Hosts: 144.70.99.34 saftwi34 # P07 App Server
O1 - Hosts: 144.70.99.35 saftwi35 #
O1 - Hosts: 144.70.99.36 saftwi36 #
O1 - Hosts: 144.70.99.40 saftwi40 # P02 App Server
O1 - Hosts: 144.70.99.41 saftwi41 # P02 App Server
O1 - Hosts: 144.70.99.42 saftwi42 # P02 App Server
O1 - Hosts: 144.70.99.43 saftwi43 # P02 App Server
O1 - Hosts: 144.70.99.44 saftwi44 # P02 App Server
O1 - Hosts: 144.70.99.45 saftwi45 # P02 App Server
O1 - Hosts: 144.70.99.46 saftwi46 # T01 App Server
O1 - Hosts: 144.70.99.47 saftwi47 # T01 DB Server
O1 - Hosts: 144.70.99.48 saftwi48 # T01 App Server
O1 - Hosts: 138.83.131.36 saftwi50 # P06 DB/App Server
O1 - Hosts: 144.70.99.51 saftwi51 #
O1 - Hosts: 138.83.131.38 saftwi52 # P08 DB/App Server
O1 - Hosts: 144.70.99.53 saftwi53 # P01 DB Server
O1 - Hosts: 144.70.99.55 saftwi55 #
O1 - Hosts: 144.70.99.60 saftwi60 # Vframe DB Server
O1 - Hosts: 144.70.99.61 saftwi61 # Vframe ESSBASE Server
O1 - Hosts: 144.70.99.62 saftwi62 # Vframe Web Server
O1 - Hosts: 144.70.99.63 saftwi63 # Vframe Web Server
O1 - Hosts: 138.83.138.43 saftwi66 # WebSphere Server
O1 - Hosts: 138.83.138.44 saftwi67 # WebSphere Server
O1 - Hosts: 138.83.138.45 saftwi69 # WebSphere Server
O1 - Hosts: 138.83.138.46 saftwi70 # WebSphere Server
O1 - Hosts: 138.83.138.49 saftwi73 # WebSphere Server
O1 - Hosts: 138.83.138.50 saftwi74 # WebSphere Server
O1 - Hosts: 138.83.138.51 saftwi75 # WebSphere Server
O1 - Hosts: 138.83.138.52 saftwi76 # WebSphere Server
O1 - Hosts: 138.83.138.54 saftwi79 uatldap1 # WUA/SSO UAT Server
O1 - Hosts: 138.83.138.55 saftwi80 uatldap2 # WUA/SS0 UAT Server
O1 - Hosts: 138.83.138.56 saftwi81 uatlogin1 #
O1 - Hosts: 138.83.138.57 saftwi82 uatlogin2 #
O1 - Hosts: 138.83.131.30 saftwi86 # Vframe Server
O1 - Hosts: 138.83.131.31 saftwi87 # Vframe Server
O1 - Hosts: 138.83.131.32 saftwi88 # Vframe Server
O1 - Hosts: 144.70.99.50 saftwm50 # saftwi50 Maint Interface
O1 - Hosts: 144.70.99.52 saftwm52 # saftwi52 Maint Interface
O1 - Hosts: 144.70.99.66 saftwm66 # saftwi66 Maint Interface
O1 - Hosts: 144.70.99.67 saftwm67 # saftwi67 Maint Interface
O1 - Hosts: 144.70.99.69 saftwm69 # saftwi69 Maint Interface
O1 - Hosts: 144.70.99.70 saftwm70 # saftwi79 Maint Interface
O1 - Hosts: 144.70.99.73 saftwm73 # saftwi72 Maint Interface
O1 - Hosts: 144.70.99.74 saftwm74 # saftwi74 Maint Interface
O1 - Hosts: 144.70.99.75 saftwm75 # saftwi75 Maint Interface
O1 - Hosts: 144.70.99.76 saftwm76 # saftwi76 Maint Interface
O1 - Hosts: 144.70.99.79 saftwm79 # saftwi79 Maint Interface
O1 - Hosts: 144.70.99.80 saftwm80 # saftwi80 Maint Interface
O1 - Hosts: 144.70.99.81 saftwm81 # saftwi81 Maint Interface
O1 - Hosts: 144.70.99.82 saftwm82 # saftwi82 Maint Interface
O1 - Hosts: 144.70.99.86 saftwm86 # saftwi86 Maint Interface
O1 - Hosts: 144.70.99.87 saftwm87 # saftwi87 Maint Interface
O1 - Hosts: 144.70.99.88 saftwm88 # saftwi88 Maint Interface
O1 - Hosts: 144.70.99.120 saftwsf1 # Sunfire1 - Main SC Interface
O1 - Hosts: 144.70.99.107 saftwsf1-sc0 # Sunfire1 Service Controller 0
O1 - Hosts: 144.70.99.108 saftwsf1-sc1 # Sunfire1 Service Controller 1
O1 - Hosts: 144.70.99.121 saftwsf2 # Sunfire2 - Main SC Interface
O1 - Hosts: 144.70.99.109 saftwsf2-sc0 # Sunfire2 Service Controller 0
O1 - Hosts: 144.70.99.110 saftwsf2-sc1 # Sunfire2 Service Controller 1
O1 - Hosts: 144.70.99.122 saftwsf3 # Sunfire3 - Main SC Interface
O1 - Hosts: 144.70.99.111 saftwsf3-sc0 # Sunfire3 Service Controller 0
O1 - Hosts: 144.70.99.112 saftwsf3-sc1 # Sunfire3 Service Controller 1
O1 - Hosts: 144.70.99.119 saftwsf4 # Sunfire4 - Main SC Interface
O1 - Hosts: 144.70.99.113 saftwsf4-sc0 # Sunfire4 Service Controller 0
O1 - Hosts: 144.70.99.114 saftwsf4-sc1 # Sunfire4 Service Controller 1
O1 - Hosts: 144.70.99.124 saftwsf5 # Sunfire5 - Future
O1 - Hosts: 144.70.99.117 saftwsun #
O1 - Hosts: 144.70.99.115 saftwterm # Terminal Controller Interface
O1 - Hosts: 144.70.99.229 safwd01 # EDMS Failover Interface
O1 - Hosts: 138.83.138.90 safwdf01 # Netgen Server/ EDMS Server
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Cobian BackUp 4.0] "C:\Cobian Backup 4\CobBU.exe"
O4 - HKLM\..\Run: [*wavevga] C:\WINDOWS\msagent\chars\wavevga.exe
O4 - HKLM\..\Run: [*fontdos] C:\WINDOWS\Cursors\fontdos.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Shortcut to printkey.exe.lnk = C:\Utils\printkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: SmartShopper - Compare product prices - {679B2A8D-B2FF-41ed-B3ED-C5CFB8564CB0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {9E4DF170-217F-4658-A11F-590664542B73} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/home.shtml
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.clicktrac...info/ctadl1.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webclass1.ver...aDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\Marimba\CASTAN~1\Tuner.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

#2 Buckeye_Sam, Malware Expert, 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log; the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3 mgaff14 (Topic Starter), New Member, 4 posts
Here's an updated log...

Logfile of HijackThis v1.99.1
Scan saved at 7:38:17 AM, on 08/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Cobian Backup 4\CobBU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Cobian Backup 4\cobui.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Utils\printkey.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com/home.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/home.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://eweb.verizon.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eweb.verizon.com/home.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 144.70.99.20 ftwixos sapfwp02 # IXOS DB Server - Prod
O1 - Hosts: 144.70.99.8 saftw1sp0 # SSP 0 - Starfire1
O1 - Hosts: 144.70.99.10 saftw2sp0 # SSP 0 - Starfire2
O1 - Hosts: 144.70.99.12 saftw3sp0 # SSP 0 - Starfire3
O1 - Hosts: 144.70.99.27 saftw4sp0 # SSP 0 - Starfire4
O1 - Hosts: 144.70.99.28 saftw5sp0 # SSP 0 – Starfire5
O1 - Hosts: 144.70.99.13 saftw6sp0 # SSP 0 - Starfire6
O1 - Hosts: 144.70.99.68 saftw7sp0 # SSP 0 - Starfire7
O1 - Hosts: 144.70.99.94 saftwadm # FTW E250 Admin Server
O1 - Hosts: 144.70.99.21 saftwccs # CCS NT Box
O1 - Hosts: 144.70.99.230 saftwemc1 # EMC Connectrix
O1 - Hosts: 144.70.99.1 saftwi01 # GTE DB/App Server
O1 - Hosts: 144.70.99.2 saftwi02 # LAW DB Server - Prod
O1 - Hosts: 144.70.99.3 saftwi03 # P01 App Server
O1 - Hosts: 144.70.99.4 saftwi04 # P01 App Server
O1 - Hosts: 144.70.99.5 saftwi05 # P01 App Server
O1 - Hosts: 144.70.99.6 saftwi06 # P01 App Server
O1 - Hosts: 144.70.99.7 saftwi07 #
O1 - Hosts: 144.70.99.14 saftwi08 # P07 DB Server
O1 - Hosts: 144.70.99.15 saftwi09 # P02 DB Server
O1 - Hosts: 144.70.99.16 saftwi10 # P02 App Server
O1 - Hosts: 144.70.99.17 saftwi11 # P02 App Server
O1 - Hosts: 144.70.99.18 saftwi12 #
O1 - Hosts: 144.70.99.19 saftwi13 #
O1 - Hosts: 144.70.99.22 saftwi14 # P00 DB/App Server
O1 - Hosts: 144.70.99.23 saftwi15 #
O1 - Hosts: 144.70.99.24 saftwi16 # P04 DB Server
O1 - Hosts: 144.70.99.25 saftwi17 # P04 App Server
O1 - Hosts: 144.70.99.30 saftwi30 # Printserver
O1 - Hosts: 144.70.99.32 saftwi32 # P05 DB Server
O1 - Hosts: 144.70.99.33 saftwi33 # P05 App Server
O1 - Hosts: 144.70.99.34 saftwi34 # P07 App Server
O1 - Hosts: 144.70.99.35 saftwi35 #
O1 - Hosts: 144.70.99.36 saftwi36 #
O1 - Hosts: 144.70.99.40 saftwi40 # P02 App Server
O1 - Hosts: 144.70.99.41 saftwi41 # P02 App Server
O1 - Hosts: 144.70.99.42 saftwi42 # P02 App Server
O1 - Hosts: 144.70.99.43 saftwi43 # P02 App Server
O1 - Hosts: 144.70.99.44 saftwi44 # P02 App Server
O1 - Hosts: 144.70.99.45 saftwi45 # P02 App Server
O1 - Hosts: 144.70.99.46 saftwi46 # T01 App Server
O1 - Hosts: 144.70.99.47 saftwi47 # T01 DB Server
O1 - Hosts: 144.70.99.48 saftwi48 # T01 App Server
O1 - Hosts: 138.83.131.36 saftwi50 # P06 DB/App Server
O1 - Hosts: 144.70.99.51 saftwi51 #
O1 - Hosts: 138.83.131.38 saftwi52 # P08 DB/App Server
O1 - Hosts: 144.70.99.53 saftwi53 # P01 DB Server
O1 - Hosts: 144.70.99.55 saftwi55 #
O1 - Hosts: 144.70.99.60 saftwi60 # Vframe DB Server
O1 - Hosts: 144.70.99.61 saftwi61 # Vframe ESSBASE Server
O1 - Hosts: 144.70.99.62 saftwi62 # Vframe Web Server
O1 - Hosts: 144.70.99.63 saftwi63 # Vframe Web Server
O1 - Hosts: 138.83.138.43 saftwi66 # WebSphere Server
O1 - Hosts: 138.83.138.44 saftwi67 # WebSphere Server
O1 - Hosts: 138.83.138.45 saftwi69 # WebSphere Server
O1 - Hosts: 138.83.138.46 saftwi70 # WebSphere Server
O1 - Hosts: 138.83.138.49 saftwi73 # WebSphere Server
O1 - Hosts: 138.83.138.50 saftwi74 # WebSphere Server
O1 - Hosts: 138.83.138.51 saftwi75 # WebSphere Server
O1 - Hosts: 138.83.138.52 saftwi76 # WebSphere Server
O1 - Hosts: 138.83.138.54 saftwi79 uatldap1 # WUA/SSO UAT Server
O1 - Hosts: 138.83.138.55 saftwi80 uatldap2 # WUA/SS0 UAT Server
O1 - Hosts: 138.83.138.56 saftwi81 uatlogin1 #
O1 - Hosts: 138.83.138.57 saftwi82 uatlogin2 #
O1 - Hosts: 138.83.131.30 saftwi86 # Vframe Server
O1 - Hosts: 138.83.131.31 saftwi87 # Vframe Server
O1 - Hosts: 138.83.131.32 saftwi88 # Vframe Server
O1 - Hosts: 144.70.99.50 saftwm50 # saftwi50 Maint Interface
O1 - Hosts: 144.70.99.52 saftwm52 # saftwi52 Maint Interface
O1 - Hosts: 144.70.99.66 saftwm66 # saftwi66 Maint Interface
O1 - Hosts: 144.70.99.67 saftwm67 # saftwi67 Maint Interface
O1 - Hosts: 144.70.99.69 saftwm69 # saftwi69 Maint Interface
O1 - Hosts: 144.70.99.70 saftwm70 # saftwi79 Maint Interface
O1 - Hosts: 144.70.99.73 saftwm73 # saftwi72 Maint Interface
O1 - Hosts: 144.70.99.74 saftwm74 # saftwi74 Maint Interface
O1 - Hosts: 144.70.99.75 saftwm75 # saftwi75 Maint Interface
O1 - Hosts: 144.70.99.76 saftwm76 # saftwi76 Maint Interface
O1 - Hosts: 144.70.99.79 saftwm79 # saftwi79 Maint Interface
O1 - Hosts: 144.70.99.80 saftwm80 # saftwi80 Maint Interface
O1 - Hosts: 144.70.99.81 saftwm81 # saftwi81 Maint Interface
O1 - Hosts: 144.70.99.82 saftwm82 # saftwi82 Maint Interface
O1 - Hosts: 144.70.99.86 saftwm86 # saftwi86 Maint Interface
O1 - Hosts: 144.70.99.87 saftwm87 # saftwi87 Maint Interface
O1 - Hosts: 144.70.99.88 saftwm88 # saftwi88 Maint Interface
O1 - Hosts: 144.70.99.120 saftwsf1 # Sunfire1 - Main SC Interface
O1 - Hosts: 144.70.99.107 saftwsf1-sc0 # Sunfire1 Service Controller 0
O1 - Hosts: 144.70.99.108 saftwsf1-sc1 # Sunfire1 Service Controller 1
O1 - Hosts: 144.70.99.121 saftwsf2 # Sunfire2 - Main SC Interface
O1 - Hosts: 144.70.99.109 saftwsf2-sc0 # Sunfire2 Service Controller 0
O1 - Hosts: 144.70.99.110 saftwsf2-sc1 # Sunfire2 Service Controller 1
O1 - Hosts: 144.70.99.122 saftwsf3 # Sunfire3 - Main SC Interface
O1 - Hosts: 144.70.99.111 saftwsf3-sc0 # Sunfire3 Service Controller 0
O1 - Hosts: 144.70.99.112 saftwsf3-sc1 # Sunfire3 Service Controller 1
O1 - Hosts: 144.70.99.119 saftwsf4 # Sunfire4 - Main SC Interface
O1 - Hosts: 144.70.99.113 saftwsf4-sc0 # Sunfire4 Service Controller 0
O1 - Hosts: 144.70.99.114 saftwsf4-sc1 # Sunfire4 Service Controller 1
O1 - Hosts: 144.70.99.124 saftwsf5 # Sunfire5 - Future
O1 - Hosts: 144.70.99.117 saftwsun #
O1 - Hosts: 144.70.99.115 saftwterm # Terminal Controller Interface
O1 - Hosts: 144.70.99.229 safwd01 # EDMS Failover Interface
O1 - Hosts: 138.83.138.90 safwdf01 # Netgen Server/ EDMS Server
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Cobian BackUp 4.0] "C:\Cobian Backup 4\CobBU.exe"
O4 - HKLM\..\Run: [*wavevga] C:\WINDOWS\msagent\chars\wavevga.exe
O4 - HKLM\..\Run: [*fontdos] C:\WINDOWS\Cursors\fontdos.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - Global Startup: Shortcut to printkey.exe.lnk = C:\Utils\printkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SmartShopper - Compare product prices - {679B2A8D-B2FF-41ed-B3ED-C5CFB8564CB0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {9E4DF170-217F-4658-A11F-590664542B73} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/home.shtml
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.clicktrac...info/ctadl1.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webclass1.ver...aDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\Software\..\Telephony: DomainName = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = verizon.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = verizon.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\Marimba\CASTAN~1\Tuner.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

#4 Buckeye_Sam, Malware Expert, 10,019 posts
Before we start let me ask you about the hosts file entries. Have those been added by you?

#5 mgaff14 (Topic Starter), New Member, 4 posts
The 144.70.*.* and the 138.83.*.* listings in the hosts file are items that are automatically updated from a legitimate application that we utilize.

#6 Buckeye_Sam, Malware Expert, 10,019 posts
I thought maybe that was the case, but I wanted to verify it.

Are you familiar with these entries, which run at startup?

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"

Let's get you cleaned up.
First we need to download and prepare some tools that we will need to fix your problem.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck:
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download Adaware SE 1.06
    Install Adaware and check for updates, but don't run it yet.

  • Please download CleanUp 4.0
    Install CleanUp, but don't run it yet.

==============

Now that you have the right tools we can start fixing your problem.

Please make sure that you can View Hidden Files


Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe mode go here for more info.


=============


Once in Safe mode, follow these steps:
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
    O4 - HKLM\..\Run: [*wavevga] C:\WINDOWS\msagent\chars\wavevga.exe
    O4 - HKLM\..\Run: [*fontdos] C:\WINDOWS\Cursors\fontdos.exe
    O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
    O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.clicktrac...info/ctadl1.cab

  • Delete these files (do not be concerned if they do not exist):

    C:\Program Files\Common Files\WinTools <-- delete this folder
    C:\WINDOWS\msagent\chars\wavevga.exe
    C:\WINDOWS\Cursors\fontdos.exe
  • Run CleanUp 4.0. This will remove all of your temp files.

  • Open Ad-aware and do a full scan. Remove everything that it finds.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop.
    • Close Ewido.

  • Reboot back into normal mode.

  • Please run this online virus scan - Panda Virus Scan
    • Make sure it is set to clean automatically.
    • There may be files that this scan will not remove. Please save that information to include in your next post.

  • Reboot your computer and post the following information in your next reply:
    • A new Hijackthis log
    • The Ewido log
    • The log from Panda online virus scan
Let me know how things are running and what problems you are still having.
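The fix list above is built by eye: Sam reads the O2/O4/O23 lines and picks out BHOs with no name or no file on disk, and programs that autostart from directories that should only ever hold data (Temp, Downloaded Program Files, msagent\chars, Cursors). The script below, an added example that is not part of this thread and not a HijackThis feature, parses those three line types and applies the same checks mechanically so a log can be triaged before anyone decides what to tick in Fix Checked. The suspicious-directory list, the "(no name)"/"(no file)" rules, and the `executable_of`, `parse_line`, `flag` and `triage` names are my own assumptions; the sample log reuses the lines quoted in this thread plus one constructed benign Symantec `ccApp` entry as a control that must not fire.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not a tool from the forum or from HijackThis. It parses O2 (BHO),
O4 (Run-key autostart) and O23 (service) lines and flags the patterns the cleanup
above acts on. The directory list and the rules are assumptions, not HijackThis logic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a program launched at startup from one of these directories is worth a
# look. They normally hold temp files, cached ActiveX downloads, Microsoft Agent
# character files (.acs) or mouse cursors (.cur), not executables.
SUSPICIOUS_DIR_FRAGMENTS = (
    "\\temp\\",
    "\\downloaded program files\\",
    "\\msagent\\chars\\",
    "\\cursors\\",
)

# "O4 - HKLM\..\Run: [name] command"  /  "O2 - BHO: name - {CLSID} - path"
LINE_RE = re.compile(r"^(?P<type>[RFO]\d+)\s+-\s+(?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO:\s+(?P<name>.+?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<path>.+)$")
O23_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<company>.+?)\s+-\s+(?P<path>.+)$")


def executable_of(cmd: str) -> str:
    """Program path from a Run value: the quoted part if quoted, otherwise the first
    whitespace-delimited token (arguments such as '/remove' are dropped)."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one HijackThis log line into a dict, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    sub = None
    if kind == "O4":
        sub = O4_RE.match(body)
        if sub:
            entry = {"type": kind, **sub.groupdict()}
            entry["exe"] = executable_of(entry["cmd"])
            return entry
    elif kind == "O2":
        sub = O2_RE.match(body)
    elif kind == "O23":
        sub = O23_RE.match(body)
    if sub:
        return {"type": kind, **sub.groupdict()}
    return {"type": kind, "raw": body}  # other sections are kept but not triaged


def flag(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason if the entry trips one of the heuristics, else None."""
    kind = entry["type"]
    if kind == "O2":
        if entry["path"] == "(no file)":
            return "BHO registered but its DLL is missing (orphaned CLSID)"
        if entry["name"] == "(no name)":
            return "unnamed BHO; verify the DLL's publisher before trusting it"
    elif kind in ("O4", "O23"):
        path = (entry.get("exe") or entry.get("path", "")).lower()
        for frag in SUSPICIOUS_DIR_FRAGMENTS:
            if frag in path:
                where = frag.strip("\\")
                return f"startup executable under a '{where}' directory, which should not hold programs"
        # HijackThis prints "Unknown owner" when the service has no company string
        if kind == "O23" and entry["company"].strip().lower() in ("", "unknown owner"):
            return "service with no publisher recorded"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = flag(entry)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Constructed sample: the O2/O4/O23 lines quoted in the thread, plus one benign
# Symantec Run entry (ccApp) made up here as a control that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [*wavevga] C:\WINDOWS\msagent\chars\wavevga.exe
O4 - HKLM\..\Run: [*fontdos] C:\WINDOWS\Cursors\fontdos.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run it on a saved log with `python triage.py < hijackthis.log` adapted to read stdin, or paste lines into `SAMPLE_LOG`. The output is a shortlist, not a verdict: a vendor tool that genuinely installs into Downloaded Program Files would be flagged too, which is exactly why Sam asked about the NetInstaller entries and the hosts file before touching them rather than fixing everything in one pass.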

#7 mgaff14 (Topic Starter)
Thanks for your time Sam,

I had trouble getting the definition files for ewido to load; they would copy down, but disappear as soon as I closed ewido. I ran the other steps and tried a re-boot before trying ewido. Something that I removed disabled my IP driver, and I was unable to connect to the network for web information.

I finally have just given up and decided to re-ghost the PC and start from scratch. I would have done this earlier, but this particular user has several "tweaks" that I have to re-create.

Time to turn to the lesser of two evils.

Thanks again for your time and assistance.