CWS, Trojans and Keylogger havin' a party [CLOSED]


  • This topic is locked

#61
ruthyntrouble
    Member
  • Topic Starter
  • 39 posts
Hi Bobbi and Kat,

Yep! The stingy Chocaholic was right :tazz: that was the file I was talking about.

Ok. I redid the sys005 file again using "All Types" and the same thing happened as previous.

Here is the list you asked for...

Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
AOL Instant Messenger
ArcSoft VideoImpression 1.6FP
ATI Display Driver
BroadJump Client Foundation
Browser MOUSE
Dazzle Photo Editor
Do More - Business
DVD
Easy CD Creator 5 Basic
EPSON Printer Software
FinePixViewer Ver.2.0
FUJIFILM USB Driver
Gateway Drivers and Applications Recovery
Gateway Multi-function Keyboard
GTW V.92 Voice Modem
HelpSpot
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HP PSC & OfficeJet 4.2
HP Software Update
Intel® PRO Network Adapters and Drivers
InterActual Player
Learn2 Player (Uninstall Only)
LingvoSoft Dictionary Free (English-Spanish) for Pocket PC
LiveUpdate
MGI VideoWave 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office Sounds
Microsoft Picture It! Express 7.0
Microsoft Picture It! Photo 2002
Microsoft Reader
Microsoft Streets and Trips 2002
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Music Wizard 2.2
MUSICMATCH Jukebox
Network Play System (Patching)
Odyssey Client
OnDVD
PC-Doctor for Windows
PCFriendly
PhotoParade Player
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Shockwave
Spy Sweeper
Spyware Doctor 3.2
Synaptics TouchPad
Translation Services Provided by WorldLingo for Microsoft Word
Typing Instructor
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Media Player
Weather Services
Winamp3 (remove only)
Windows Blaster Worm Removal Tool (KB833330)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Wireless-G Notebook Adapter
Yahoo! Internet Mail
Yahoo! Messenger


Question?!?!

Why do spyware detectors list the Viewpoint Media Player as spyware? Is it?


Thanks Ruthy


#62
Bobbi Flekman
    The Computer Whisperer
  • Expert
  • 3,761 posts
  • MVP
Hi Ruth,

Ok.  I redid the sys005 file again using "All Types" and the same thing happened as previous.

I don't know what you did, but this is not what I asked... Anyway I've attached a file to this post, which is the regfile I wanted you to import into the Registry. So.... Save it to somewhere close by, rename the file. Check to see that it changes its icon. It should end up looking like the Registry Editor. Then double click the file to import it into the Registry.

Question?!?!

Why do spyware detectors list the Viewpoint Media Player as spyware? Is it?

Viewpoint is a shady program. It used to contain spyware, and was bundled in lots of infections. But these days it is regarded as an optional. You can get rid of it if you want. What is Weather Services? I don't know that one.

Attached Files


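A check worth doing before double-clicking any .reg file received this way is to preview what it will change. The Python script below is an added example, not the file attached to the post above (whose contents are not shown here); SAMPLE_REG is a constructed file that exercises the three kinds of entry the .reg format carries (a value deletion, a whole-key deletion and value writes, including a wrapped hex value). The header line it checks for is the real one regedit requires, and a file saved without it, or with a .txt extension still attached, is the usual reason an import quietly does nothing.

```python
"""Preview the changes a .reg file would make before importing it.

Added example (not the attachment from the post above). SAMPLE_REG is a
constructed file using the three entry kinds of the .reg format: a value
deletion ("name"=-), a key deletion ([-HKEY_...]) and value writes.
"""
import re

# regedit refuses files that do not start with this exact line.
HEADER = "Windows Registry Editor Version 5.00"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor\Leftover]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Enabled"=dword:00000001
@="default value"
"Blob"=hex:01,02,\
  03,04
"""

KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _join_continuations(lines):
    """Merge hex values that regedit wraps with a trailing backslash."""
    out, pending = [], ""
    for line in lines:
        text = line.rstrip()
        if text.endswith("\\"):
            pending += text[:-1].strip()
            continue
        out.append(pending + text.strip() if pending else text)
        pending = ""
    return out


def has_header(text):
    """True when the first line is the header regedit insists on."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() == HEADER


def preview_reg(text):
    """Return every change the .reg text would make, grouped by kind.

    Raises ValueError for a missing header or an unparseable line, so a
    corrupted or mis-saved file is noticed before it reaches regedit.
    """
    if not has_header(text):
        raise ValueError(f"first line must be {HEADER!r}")
    changes = {"key_deletes": [], "value_deletes": [], "value_sets": []}
    current_key = None
    for raw in _join_continuations(text.splitlines())[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":         # [-HKEY_...] deletes the whole key
                changes["key_deletes"].append(m.group(2))
                current_key = None
            else:
                current_key = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data == "-":               # "name"=- deletes that one value
                changes["value_deletes"].append((current_key, name))
            else:
                changes["value_sets"].append((current_key, name, data))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return changes


if __name__ == "__main__":
    for kind, items in preview_reg(SAMPLE_REG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it against the file you were sent (read the text in with the file's own encoding; regedit writes UTF-16) and compare the listed key and value deletions with what the helper said the file would do. A `[-HKEY_...]` line removes an entire key and everything under it, so those are the entries to read most carefully.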

#63
ruthyntrouble
    Member
  • Topic Starter
  • 39 posts
Hi Bobbi.

The file was successfully added to the registry.

The Weather Services is part of the Weather Channel I added... well, hurricanes, tornadoes, power outages, OH MY! It sends alerts to a specific area (mine) when the weather is turbulent.

Thanks Ruthy

What next?

#64
Bobbi Flekman
    The Computer Whisperer
  • Expert
  • 3,761 posts
  • MVP
Ok.... At the moment I don't know... I have no idea how your computer is performing.

Can you post a new log from HijackThis and tell me everything that is odd?

#65
ruthyntrouble
    Member
  • Topic Starter
  • 39 posts
Hi Bobbi!


Right now everything seems to be in order...

With the sysfile change, does that mean the keylogger is disabled or what, since we didn't delete any file on it?

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 2:42:25 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Grouper.lnk = C:\WINNT\adduc32.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#66
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Hi Ruthy!! I was talking with Bobbi this morning... we'd like a new Ewido scan if that's possible. Make sure you check for updates when you open Ewido. Run the scan in Safe Mode with nothing else open or running... no programs, no files. Only Ewido. Save that log as well, and post it here in a reply :)

Things are looking GOOD!

pssss.....Somehow, I accidentally deleted your pm before I had replied. :tazz: I get over 100 pm's a day! I'm sorry!! Can you please re-send it? I think I remember what it was, and I DO have a couple of answers for you :)

:)
Kat

#67
ruthyntrouble
    Member
  • Topic Starter
  • 39 posts
Hi Kat and Bobbi!

I ran the ewido scan and ALL those dang trojan downloaders showed up on the scan!!!! :tazz: I removed them with ewido in safe mode. How did they get in there? Are they in quarantine? Are they gone permanently now?

I tell ya all the hassle with that **** sure takes the enjoyment out of using the computer anymore. And my son got routed to a site today that loaded Hacktool.Rootkit on his computer....boy is it messed-up. :)

Here are the Ewido and HJT logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:09:49 AM, 10/11/2005
+ Report-Checksum: E0E27054

+ Scan result:

C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:jujby -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:jvapun -> Spyware.SearchPage : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:jwnkl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kdegj -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kdttb -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kdupr -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kemse -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kfcgn -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kgqvz -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kgxfl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:khlwgu -> Trojan.Agent.bi : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kjtbg -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kkdzp -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kotjt -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kplgn -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:krjtz -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:krmvq -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ktqsm -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kxasm -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kymwi -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:kzfsl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:lcdigi -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:lszge -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:lvxjj -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:maoia -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mfcps -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mkbsb -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mlkdi -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mmwrb -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mxwyng -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ndtggb -> Backdoor.Netag : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:niaqh -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:nioaz -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:nlmxv -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ntxfr -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:nxaseq -> Trojan.Agent.bi : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:nzppe -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:oapse -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:obtms -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ocxch -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:odyfd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ofhoo -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ohnad -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:oibwe -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ojuww -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:okoqd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:ookms -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:oprhl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:orbbb -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:orhel -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:osnjl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:otrbh -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:oapse -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:obtms -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ocxch -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:odyfd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ofhoo -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ohnad -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:oibwe -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ojuww -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:okoqd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ookms -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:oprhl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:orhel -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:osnjl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:otrbh -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:oujnr -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:oylnb -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:paavi -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:paeor -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pdvei -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pgiqf -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:phznv -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pilsz -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pkygd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:plqtt -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pouxw -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ppigo -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:prjfy -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:ptwsm -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pwgwrt -> Backdoor.Netag : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pwirv -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pwodm -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pyaeg -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pyfnt -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:pzakz -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qahyt -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qajay -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qbqkd -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qbybd -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qcghx -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qczil -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qdfam -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qedva -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qjmen -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qjqsz -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qldtl -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qmqpz -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qoilt -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qplnt -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qtwik -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:qwoqj -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:raagf -> TrojanDownloader.Agent.bq : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:rbfds -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:nzppe -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:oapse -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:obtms -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ocxch -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:odyfd -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ofhoo -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ohnad -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:oibwe -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ojuww -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:okoqd -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ookms -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:osnjl -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:otrbh -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:oujnr -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:oylnb -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:paavi -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:paeor -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pdvei -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:pgiqf -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:phznv -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:pilsz -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:plqtt -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:ppigo -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:prjfy -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:ptwsm -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pwgwrt -> Backdoor.Netag : Ignored
C:\WINNT\_ISREG32.DLL:pwirv -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pwodm -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pyaeg -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pyfnt -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:pzakz -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qahyt -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qajay -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qbqkd -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qbybd -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qcghx -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qczil -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qdfam -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qedva -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qjmen -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qjqsz -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qldtl -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qmqpz -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qoilt -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:qplnt -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qtwik -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:qwoqj -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:raagf -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:rbfds -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:rbspq -> TrojanDownloader.Agent.bc : Ignored
C:\WINNT\_ISREG32.DLL:rdccl -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:rfbee -> TrojanDownloader.Agent.bc : Ignored
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:lcuqq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:mkygr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:nisbv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:njhcr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012927.DLL:npjum -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:nzppe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{DA924DAC-A2CA-444D-A346-208E6B4D0203}\RP23\A0012938.DLL:orbbb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_ISREG32.DLL:pkygd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_ISREG32.DLL:pouxw -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End

HERE IS THE FIRST SCAN IN SAFE MODE>>>>I removed the trojans but they came back when I did the scan while running in normal mode, WHY?




HJT LOG FILE:

Logfile of HijackThis v1.99.1
Scan saved at 12:16:19 AM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Grouper.lnk = C:\WINNT\adduc32.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros.../client/wuweb_site.cab?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...ed2/popcaploader_v6.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#68
Bobbi Flekman

Bobbi Flekman

    The Computer Whisperer

  • Expert
  • 3,761 posts
  • MVP
Hi Ruth,

We'll get you clean.... A huge part of the Ewido log is in System Restore. When we're done it will be gone with one push of the button.

I tell ya all the hassle with that **** sure takes the enjoyment out of using the computer anymore.  And my son got routed to a site today that loaded Hacktool.Rootkit on his computer....boy is it messed-up.  :tazz:

Yep.... These days you will have to have a secure computer to browse the web. If you want you can post a log from your son's computer as well. As long as you can keep them apart. :)

HERE IS THE FIRST SCAN IN SAFE MODE>>>>I removed the trojans but they came back when I did the scan while running in normal mode, WHY?

Safe Mode doesn't load everything that Normal Mode does. Ergo the logs you post will be different too. Can you post from Normal Mode unless specifically asked? Thanks.

Go to Online malware scan and submit C:\WINNT\_ISREG32.DLL.

Tell me the result.

Do the same for this file C:\WINNT\adduc32.exe
  • 0
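Bobbi's reading of the Ewido log (much of it sits in System Restore, and entries marked "Ignored" were left in place) can be automated. The parser below is an added example, not a tool from the thread or from ewido; it reads report lines of the form `path[:stream] -> detection : action`, and its sample report is constructed after the one posted above, with the restore-point GUID and the last detection name being placeholders.

```python
"""Triage helper for an ewido-style scan report (added example, not ewido's code).

Each finding line has the form

    <path>[:<stream>] -> <detection> : <action>

where ":<stream>" means the object is an NTFS alternate data stream attached to
the host file (the _ISREG32.DLL:xxxxx entries posted in the thread).
"""
import re
from collections import Counter

# Constructed sample modelled on the thread's report. The restore-point GUID and
# the "Constructed.Sample" detection are placeholders, not values from the page.
SAMPLE_REPORT = r"""
+ Scan result:

C:\WINNT\_ISREG32.DLL:ojuww -> TrojanDownloader.Agent.bq : Ignored
C:\WINNT\_ISREG32.DLL:pwgwrt -> Backdoor.Netag : Ignored
C:\WINNT\_ISREG32.DLL:pkygd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP23\A0012927.DLL:lcuqq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP23\A0012938.DLL:nzppe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\sample.exe -> Constructed.Sample : Cleaned with backup

::Report End
"""

# Path (may contain spaces), optional ":stream", then "-> detection : action".
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)(?::(?P<stream>[^:\s]+))?\s+->\s+"
    r"(?P<detection>\S+)\s+:\s+(?P<action>.+?)\s*$"
)
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_report(text):
    """Return one dict per finding line; headers, footers and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())  # stream is None for a plain file
    return findings


def in_system_restore(path):
    """True when the object lives in a restore point (gone once System Restore is purged)."""
    return RESTORE_MARKER in path.lower()


def summarize(findings):
    """Group findings the way a helper reads them: where they sit and what was done."""
    return {
        "total": len(findings),
        "by_action": Counter(f["action"] for f in findings),
        "in_system_restore": sum(1 for f in findings if in_system_restore(f["path"])),
        "streams_per_host": Counter(f["path"] for f in findings if f["stream"]),
        # "Ignored" objects were left where they are, so the next scan lists them again.
        "left_in_place": sorted({f["path"] for f in findings if f["action"] == "Ignored"}),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['total']} findings, {s['in_system_restore']} inside System Restore")
    for action, n in s["by_action"].items():
        print(f"  {action}: {n}")
    for host, n in s["streams_per_host"].items():
        print(f"  {n} alternate data stream(s) on {host}")
    for host in s["left_in_place"]:
        print(f"  still present (Ignored): {host}")
```

Point it at a real report by passing the file's text to `parse_report`; the ":stream" parsing is what separates a host file that merely carries streams from a detection of the file itself.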

#69
Bobbi Flekman

Bobbi Flekman

    The Computer Whisperer

  • Expert
  • 3,761 posts
  • MVP
Hey Ruth,

I just got an afterthought, and searched this page. One of the things I noticed is that this computer isn't running a firewall.... Do you have one?
If you don't have one, or use Microsoft's firewall in Windows XP, download
Sygate Personal Firewall, Kerio Personal Firewall or ZoneLabs Zone Alarm and install it.

Block everything that is not supposed to dial out!
And the same goes for your son's computer. Without a firewall, your computer is completely open for everything to get in and out as they please.
  • 0

#70
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi Bobbi

The first file you wanted scanned said it was OK, nothing was found.

The 2nd one posted this "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".

Also on the firewall, I took a pic for you. I have always thought I was running a firewall....sheesh...is it NOT on...I am confused because it says it is...


Will await further instructions...

THanks Ruthy
  • 0


#71
Bobbi Flekman

Bobbi Flekman

    The Computer Whisperer

  • Expert
  • 3,761 posts
  • MVP
Hi Ruthy,

Can you run Ewido again and let it fix everything it finds.... Please post the log afterwards.

The adduc32.exe file breathes CoolWebSearch in my opinion, so let's be preventive about that. Please download CoolWebShredder, from http://www.trendmicro.com/cwshredder/
Extract CWShredder to its own folder. Restart in Safe Mode (How do I Safe Boot my computer?) and run the program.

Be sure all open windows are closed. Click the "Fix ->" button.

Make sure you let it fix all CWS Remnants.

Afterwards restart your computer and post a fresh HijackThis log in this thread.

I see no picture. What firewall were you running? It might be that it is one I don't know about.
  • 0

#72
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi Bobbi.

Here are the scans. I ran Ewido 8 times..finally the scans came clean.
Also, I ran the SpyDoctor...still shows some evil in there...the sys file 070 that it lists is the file I changed the name of. Remember sys005 file? Well, it is the same file! Also going to try and upload the pic I 'thought' I posted last night. Think I will reload the Microsoft firewall ...that is the one that it shows to be running...?

Logfile of HijackThis v1.99.1
Scan saved at 11:30:39 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Grouper.lnk = C:\WINNT\adduc32.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.game...s/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photopara...ll/phpsetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...ck/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122861135035
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinn...be/wordcube.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwin...ed/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.2...sCamControl.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinn...apit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tile City Control) - http://www.worldwinn...ty/tilecity.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225E7E60-D36F-4D91-8256-B7677C95778D}: NameServer = 192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:53:04 PM, 10/13/2005
+ Report-Checksum: 75126509

+ Scan result:

No infected objects found.


::Report End




Firewall_2.JPG Firewall_2.JPG Firewall_2.JPG
  • 0

#73
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi Bobbi.

Sorry about the 3 attachments. Not sure how I did that. I browsed for 3 DIFF attachments but the same one posted every time. There is one problem that I can't seem to correct and that is the pics don't load on pages. It is not security related...have tried setting it to the lowest settings and they still don't load.


Ok. Tried 3 times to upload another attachment...didn't work.

Also, CWShredder showed 0 infections. Clean!

After all the scans and fixes, I used CleanUp and got rid of all the "stuff". I also had turned off System Restore before I did all this so it wouldn't come back to haunt me.


Thanks and let me know,
Ruthy
  • 0

#74
Bobbi Flekman

Bobbi Flekman

    The Computer Whisperer

  • Expert
  • 3,761 posts
  • MVP
Hey Ruth,

The image you posted is from Microsoft's firewall. That one only does a half job. It will keep people out, but everything that is in can open a line to the outside world and get answers back. So if you do have a keylogger, Microsoft will not prevent it, or alert you to the fact that it wants to send something out. It is best to take one of the firewalls I mentioned earlier. They're free and two-way, instead of the one-way that Microsoft's one is.

Can you go to http://www.bleepingc...mit-malware.php and submit that sys005 file. I'd like to take a closer look at it. Thanks.
  • 0

#75
ruthyntrouble

ruthyntrouble

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi Bobbi,

I think I got the file you wanted to see uploaded in the bleeping forum.

I loaded ZA and it is giving me grief. So much to keep an eye on using this...ignorance is bliss with the Micro firewall... :tazz:

Thanks Ruth
  • 0
