Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help with spyware removal ....please [resolved]

Started by douglasreno , Dec 18 2004 06:55 AM

Please log in to reply

#16
douglasreno

Posted 20 December 2004 - 05:06 AM

Member

Topic Starter
Member
15 posts

Here is the log file from find it nt 2000:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/20/2004 05:50a 223,548 mjacm32.dll
12/19/2004 10:48p 223,100 n4n60e5seh.dll
12/19/2004 02:45p 223,548 k8440ihqe84e0.dll
12/18/2004 07:45a <DIR> dllcache
12/18/2004 07:40a 225,050 q0nula591d.dll
12/15/2004 10:39p 224,723 f6l00g3me6.dll
12/15/2004 09:55p 225,336 lv4609hse.dll
12/15/2004 09:53p 225,992 ir0ol5d31.dll
12/15/2004 08:34p 223,703 mkhcp.dll
12/14/2004 10:05p 225,640 ktlul7391.dll
12/14/2004 08:07p 223,816 fNxmapi.dll
12/14/2004 05:18p 224,513 i0lola331d.dll
12/14/2004 06:01a 224,890 rem.dll
12/11/2004 06:20p 223,304 e802lido180c.dll
12/08/2004 06:21p 223,123 gpj8l31u1.dll
12/07/2004 06:27p 223,123 r6r60g9se6.dll
12/07/2004 06:18p 226,129 j00s0ad7ed0.dll
12/06/2004 04:21p 226,129 ITMFILTER.DLL
17 File(s) 3,815,667 bytes
1 Dir(s) 7,233,389,056 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 07:45a <DIR> dllcache
08/13/2004 09:50p <DIR> GroupPolicy
08/13/2004 09:31p 21,692 folder.htt
08/13/2004 09:31p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 7,233,396,736 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 7,233,392,640 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B050EB16-A35D-4FE1-98F4-A172E7A572BA}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k8440ihqe84e0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\bo.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#17
admin

Posted 20 December 2004 - 09:00 AM

Founder Geek

Community Leader
24,639 posts

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\mjacm32.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:
- C:\WINDOWS\System32\n4n60e5seh.dll
- C:\WINDOWS\System32\k8440ihqe84e0.dll
- C:\WINDOWS\System32\q0nula591d.dll
- C:\WINDOWS\System32\f6l00g3me6.dll
- C:\WINDOWS\System32\lv4609hse.dll
- C:\WINDOWS\System32\ir0ol5d31.dll
- C:\WINDOWS\System32\mkhcp.dll
- C:\WINDOWS\System32\ktlul7391.dll
- C:\WINDOWS\System32\fNxmapi.dll
- C:\WINDOWS\System32\i0lola331d.dll
- C:\WINDOWS\System32\rem.dll
- C:\WINDOWS\System32\e802lido180c.dll
- C:\WINDOWS\System32\gpj8l31u1.dll
- C:\WINDOWS\System32\r6r60g9se6.dll
- C:\WINDOWS\System32\j00s0ad7ed0.dll
- C:\WINDOWS\System32\ITMFILTER.DLL
- C:\WINDOWS\System32\k8440ihqe84e0.dll
- C:\WINDOWS\System32\bo.exe
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\Guard.tmp
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.
Double-click on find.bat and post the new output.txt.

#18
douglasreno

Posted 20 December 2004 - 05:01 PM

Member

Topic Starter
Member
15 posts

ok here is the file..... let me know if there is anything else
Doug

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 07:45a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 7,241,298,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 07:45a <DIR> dllcache
08/13/2004 09:50p <DIR> GroupPolicy
08/13/2004 09:31p 21,692 folder.htt
08/13/2004 09:31p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 7,241,298,944 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 7,241,294,848 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B050EB16-A35D-4FE1-98F4-A172E7A572BA}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AdminDebug]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n4n60e5seh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"MCAgentExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#19
admin

Posted 20 December 2004 - 05:16 PM

Founder Geek

Community Leader
24,639 posts

Nice work! Looks like you got it. Please post a fresh HijackThis log so we can clean anything leftover. :tazz:

#20
douglasreno

Posted 20 December 2004 - 05:31 PM

Member

Topic Starter
Member
15 posts

Logfile of HijackThis v1.99.0
Scan saved at 6:35:11 PM, on 12/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\My Documents\My Downloads\HijackThis-1.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - Global Startup: strings.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

#21
admin

Posted 20 December 2004 - 06:38 PM

Founder Geek

Community Leader
24,639 posts

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - Global Startup: strings.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\System32\strings.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:

#22
douglasreno

Posted 20 December 2004 - 07:13 PM

Member

Topic Starter
Member
15 posts

here looks like everythings clean thank you.

Logfile of HijackThis v1.99.0
Scan saved at 8:14:49 PM, on 12/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\My Documents\My Downloads\HijackThis-1.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

#23
douglasreno

Posted 20 December 2004 - 07:15 PM

Member

Topic Starter
Member
15 posts

how do i prevent this from happening again,??? any steps or tips you have be great

#24
coachwife6

Posted 21 December 2004 - 11:51 AM

SuperStar

Retired Staff
11,413 posts

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox

.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.