Win Fixer 2005 [RESOLVED]


  • This topic is locked

#1
CameronGTG
Member, 19 posts
I have been following all of the steps listed on the site to remove unwanted files from my computer before running HiJackThis.

I found direction to download VundoFix to my desktop, however I didn't get the...

QUOTE
Type in the filepath as instructed by the forum staff
.... as well as the 2nd filepath per instructions

If someone could let me know the two file paths to enter in here, that would be great - and anything else that pertains to ridding this computer of the Win Fixer 2005.

Also, I have another problem that I was hoping you would be able to help me out with, or direct me to someone who can.

Trend Micro OfficeScan Client - I don't like it. It informs me that I have multiple viruses, and then reports that I cannot perform the clean action - something to do with the files being in the temporary folder. I tried to go into MSDOS mode via Programs > Accessories > Command Prompt and remove the files using the attrib -h and then del *.* if I remember correctly. I found this from a couple of places on this site. I would like to get rid of the OfficeScan - however I don't believe that any other program has been able to pick up these viruses?

Another problem that I am having, which I have not heard of before, is when I click on the Control Panel in the Start Menu or from Windows Explorer all of my windows minimize, and Windows Explorer, if open, will close. What's up with that? I can however access functions such as display or mouse controls, etc. if I can find the option to link in the Help and Search Menu. This won't however link me to the Control Panel.

If there is anything else that you can see with this log, could you please let me know... I would love to have this computer run as well as it can - running as few processes as necessary.


Here is my Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:30:26 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\OfficeScan\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\OfficeScan\tmlisten.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\OfficeScan\ofcdog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\OfficeScan\Pccntmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\SYSTEM32\userinit.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Common Files\AOL\1103258047\ee\AOLServiceHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sacredheart.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\agrrdt.exe reg_run
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sacredheart.edu
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {42F965C8-7834-40F3-B52D-CF7676E9893F} - http://it/laptops/RunNetWiz.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\Software\..\Telephony: DomainName = sacredheart.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sacredheart.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan\tmlisten.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe


Thank You Very Much,

Cameron
#2
Armodeluxe
Retired Staff, 2,744 posts
Hi Cameron, welcome to GeeksToGo

Firstly, you made a wrong assumption: you don't have a Vundo infection, so please delete that VundoFix. WinFixer is promoted by many infections and Vundo is just one of them; however, you have a Qoologic infection.

Ewido run in Safe Mode sometimes gets that infection; let's try that first. If that has no success, then we'll move on to manual removal.

Please update your Ewido for latest definitions.
  • Launch Ewido
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido
Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot back to normal mode and go here to make an online scan:

http://www.pandasoft.../activescan.htm

Let it remove what it can, and save the results.

Then post the Ewido log, Activescan results and a new HijackThis log.
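As an added example (not part of this thread, and not code from HijackThis, Ewido or Geeks to Go): the review Armodeluxe did by hand on the log above, and the before/after comparison he asks for at the end of the post, can both be scripted. The Python below parses the HijackThis entry format (section code, " - ", body), groups entries by section code, flags entries whose file is gone but whose registry reference remains (HijackThis marks those with "(no file)" or "(file missing)", both visible in the posted log), and diffs two logs by exact entry text. The sample input is a handful of lines excerpted from the two logs posted in this thread; the section regex and the orphan markers are assumptions taken from how the posted lines look, not from any HijackThis documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a few lines excerpted from the two HijackThis logs
# posted in this thread (the 9/19/2005 log and the 9/26/2005 log). Raw strings
# keep the Windows backslashes intact.
LOG_BEFORE = r"""
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
"""

LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
"""

# Assumed entry shape, from the posted lines: a section code (R0..R3, O1..O23),
# then " - ", then the body. Header lines and "Running processes:" paths do not
# match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")

# Markers HijackThis appends when the referenced file no longer exists on disk
# (both appear in the log above).
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Entry:
    kind: str   # section code, e.g. "O4"
    body: str   # everything after the code

    @property
    def orphaned(self) -> bool:
        # The registry still points at something, but the file behind it is gone.
        return any(m in self.body for m in ORPHAN_MARKERS)

    @property
    def line(self) -> str:
        return f"{self.kind} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries of a HijackThis log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def by_section(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Group entries by section code so each class (BHOs, Run keys, services) is reviewed together."""
    groups: dict[str, list[Entry]] = {}
    for e in entries:
        groups.setdefault(e.kind, []).append(e)
    return groups


def orphaned(entries: list[Entry]) -> list[Entry]:
    """Entries whose registry reference outlived the file: leftovers worth cleaning up."""
    return [e for e in entries if e.orphaned]


def compare_logs(before: str, after: str) -> dict[str, list[str]]:
    """Diff two logs by exact entry text: what a cleanup removed, and what appeared since."""
    old = {e.line for e in parse_hjt(before)}
    new = {e.line for e in parse_hjt(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    before = parse_hjt(LOG_BEFORE)
    for kind, items in sorted(by_section(before).items()):
        print(f"{kind}: {len(items)} entries")
    for e in orphaned(before):
        print("orphaned:", e.line)
    diff = compare_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:", *diff["removed"], sep="\n  ")
    print("new since first log:", *diff["added"], sep="\n  ")
```

Run it against the two full logs in this thread and the "removed" list is the record of what the Ewido pass actually took out of the autostart and BHO entries, while "added" is what to look at in the new log. The diff is by exact text on purpose: a Run entry whose path changed but whose name stayed the same shows up as one removal plus one addition, which is the case a helper most wants to notice.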

#3
CameronGTG
Topic Starter, Member, 19 posts
Thank you for the response. I did as you asked. Here are my logs for Ewido, Activescan, and a new HijackThis log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:33:26 PM, 9/26/2005
+ Report-Checksum: 8F8F396C

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1275210071-1336601894-1801674531-44675\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1275210071-1336601894-1801674531-44675\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1275210071-1336601894-1801674531-44675\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1275210071-1336601894-1801674531-44675\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1275210071-1336601894-1801674531-44675\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\pgbbw.dat -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\pctspk.ex_ -> Worm.Bobic.k : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\ProSiteFinder\prositefinder.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040222.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040224.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040225.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040324.SYS -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040332.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040333.DLL -> Spyware.FunWeb : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040334.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040335.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040336.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040337.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040338.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040339.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040340.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040341.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040342.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040343.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040344.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040345.exe -> Spyware.PowerScan : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040346.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040348.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040353.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040355.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040357.exe -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040358.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040360.DLL -> Spyware.SideFind : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040361.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040362.dll -> Spyware.AdMir : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040364.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040365.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040366.dll -> TrojanDownloader.IstBar.kg : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040376.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040377.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040378.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040379.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040380.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040381.EXE -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040383.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040384.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040385.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040386.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040387.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040388.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP384\A0040452.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040637.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040639.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040640.DLL -> Spyware.AdMir : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040642.exe -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040643.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040657.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040658.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP389\A0040664.dll -> TrojanDownloader.IstBar.kg : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP393\A0040959.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP393\A0040960.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP394\A0041890.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP394\A0041894.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP399\A0042819.DLL -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP399\A0042820.EXE -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP382\A0040178.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP382\A0040179.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP386\A0040516.dll -> Spyware.SideFind : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042232.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042265.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042266.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042267.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042268.EXE -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042276.EXE -> TrojanDownloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042492.dll -> Spyware.SideFind : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042493.dll -> Spyware.SideFind : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042544.EXE -> TrojanDownloader.IstBar.ij : Cleaned with backup
C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP397\A0042547.exe -> Spyware.WinAD : Cleaned with backup


::Report End


Activescan results:

Incident Status Location

Adware:adware/qoologic No disinfected C:\WINDOWS\SYSTEM32\wuauclt.dll
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Media Gateway
Adware:adware/cws No disinfected D:\Favorites\Shop
Spyware:spyware/dyfuca No disinfected Windows Registry
Adware:Adware/Startpage.ACY No disinfected C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
Adware:Adware/Prositefinder No disinfected C:\Program Files\ProSiteFinder\prositefinderh.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040223.exe
Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040349.DLL
Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040350.DLL
Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040351.DLL
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP383\A0040352.DLL
Spyware:Spyware/ClearSearch No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP402\A0044037.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP402\A0044038.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP402\A0044039.exe
Adware:Adware/WinTools No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP381\A0040065.cfg
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{49E1E45D-B34A-4536-86F9-FDA15C703FB8}\RP382\A0040177.exe


Logfile of HijackThis v1.99.1
Scan saved at 8:28:10 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\OfficeScan\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\OfficeScan\tmlisten.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan\ofcdog.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\OfficeScan\Pccntmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLServiceHost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sacredheart.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\agrrdt.exe reg_run
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sacredheart.edu
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {42F965C8-7834-40F3-B52D-CF7676E9893F} - http://it/laptops/RunNetWiz.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\Software\..\Telephony: DomainName = sacredheart.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sacredheart.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan\tmlisten.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
Thanks,
Cameron

#4
Armodeluxe
Hi CameronGTG

Open HijackThis and click Scan. Put a check next to these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\agrrdt.exe reg_run
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {42F965C8-7834-40F3-B52D-CF7676E9893F} - http://it/laptops/RunNetWiz.CAB

This last item I couldn't find any information about; if you don't know what it is, then fix it.


Close all other windows except HijackThis and click Fix Checked.

Next boot into safe mode again.

In Control Panel Add/Remove programs uninstall these:

Media Gateway
ProSiteFinder


Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Then delete these folders:

C:\PROGRAM FILES\Media Gateway
C:\Program Files\ProSiteFinder

and delete these files:

C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
C:\WINDOWS\SYSTEM32\wuauclt.dll
C:\WINDOWS\system32\agrrdt.exe

Reboot back to normal mode and post a new HijackThis log. Are the popups gone now?

#5
CameronGTG
OK,

I followed your steps. I did not find C:\Windows\System32\agrrdt.exe

I did find the rest.

Here is my new logfile.


Logfile of HijackThis v1.99.1
Scan saved at 11:59:49 PM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\OfficeScan\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\OfficeScan\tmlisten.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\OfficeScan\ofcdog.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\OfficeScan\Pccntmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLServiceHost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sacredheart.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sacredheart.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\Software\..\Telephony: DomainName = sacredheart.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sacredheart.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan\tmlisten.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
OfficeScan came up with a popup saying that a virus was detected in this file; however, it was unable to clean it.

This is the info the file provided; it was located in my temporary folder under my D:\ drive:


http://stech.web-nex...et/rcverlib.exe


Can I just get rid of the OfficeScan, or is it worth keeping?


Thank You,
Cameron

#6
Armodeluxe
Hi Cameron,

Officescan is ok, but there are free alternative antivirus scanners for home use. Is this a home computer?

Two entries in HijackThis came back, I guess because we fixed them before deleting the file. Let's try again: open HijackThis and click Scan. Put a check next to these:

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)


Close all other windows except HijackThis and click Fix Checked.

Then run Cleanup to clean your temporary files. Make a habit of cleaning them on a regular basis.
You didn't say whether the popups are gone now; how is the computer running?

Post a HijackThis log again to make sure those items are gone.
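The "two entries came back" situation above is easy to miss when comparing two long logs by eye. As an added example that is not part of this thread and not HijackThis's own code, the script below parses HijackThis v1.99 scan lines, flags registrations whose target file is missing (the "(no file)" / "(file missing)" leftovers a helper typically asks to have fixed), and reports which items from a "Fix checked" list still appear in a later log. Items are matched on their CLSID when they have one, so the same O9 button is recognised even after its path text changes, exactly as happened here. The sample excerpts are trimmed copies of the fix list from post #4 and the log from post #5; all function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Added example: a small parser for HijackThis v1.99 log lines (not HijackThis code).
# A scan line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<sect>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Suffixes HijackThis appends when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

Entry = Tuple[str, str]  # (section tag, body)


def parse_log(text: str) -> List[Entry]:
    """Return (section, body) for each scan line; the header and process list are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def entry_key(entry: Entry) -> Tuple[str, str]:
    """Identity for matching one item across two logs.

    When the body carries a CLSID, key on section + CLSID, so the same O9 button
    still matches after its path text changes from "(no file)" to
    "wuauclt.dll (file missing)". Otherwise key on the normalised body.
    """
    sect, body = entry
    m = GUID_RE.search(body)
    if m:
        return (sect, m.group(0).upper())
    return (sect, " ".join(body.lower().split()))


def orphan_entries(entries: List[Entry]) -> List[Entry]:
    """Registrations (hooks, buttons, BHOs) whose target file is missing: leftovers of an
    incomplete removal, and the kind of entry a helper asks to have fixed."""
    return [e for e in entries if any(mk in e[1] for mk in ORPHAN_MARKERS)]


def returned_entries(fixed: List[Entry], later_log: List[Entry]) -> List[Entry]:
    """Items from a 'Fix checked' list that are still present in a later log."""
    wanted = {entry_key(e) for e in fixed}
    return [e for e in later_log if entry_key(e) in wanted]


def compare(fix_list_text: str, later_log_text: str) -> Dict[str, int]:
    """Summary counts a helper would look at first when a new log is posted."""
    fixed = parse_log(fix_list_text)
    later = parse_log(later_log_text)
    return {
        "fixed_items": len(fixed),
        "later_entries": len(later),
        "returned": len(returned_entries(fixed, later)),
        "orphans_in_later_log": len(orphan_entries(later)),
    }


# Constructed sample input: trimmed copies of the fix list from post #4 and the log
# from post #5 in this thread. Raw strings keep the backslashes in Windows paths intact.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\agrrdt.exe reg_run
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {42F965C8-7834-40F3-B52D-CF7676E9893F} - http://it/laptops/RunNetWiz.CAB
"""

LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:59:49 PM, on 9/27/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\OfficeScan\ntrtscan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
"""

if __name__ == "__main__":
    for sect, body in returned_entries(parse_log(FIX_LIST), parse_log(LATER_LOG)):
        print("still present:", sect, "-", body)
    print(compare(FIX_LIST, LATER_LOG))
```

Run against the sample, it reports the two O9 entries as still present (they are the same CLSID, only the path text differs) and three orphans in the later log; the WeatherBug button is an orphan too, but it was never on the fix list, so it is not counted as "returned". Keying on the CLSID rather than the whole line is the design point: a registration that was fixed before its file was deleted often reappears with a slightly different description, and a plain line-by-line diff would miss it.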

#7
CameronGTG
OK, awesome, the popups are gone.

I ran CleanUp.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:09 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\1103258047\ee\AOLServiceHost.exe
C:\WINDOWS\SYSTEM32\userinit.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sacredheart.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103258047\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sacredheart.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\Software\..\Telephony: DomainName = sacredheart.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sacredheart.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sacredheart.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
So what do you think, is there anything else that I need to do?

My next problem is the Control Panel that I mentioned in my first post.

Thanks,
Cameron

#8
Armodeluxe
Hi Cameron,

See if this helps..

http://www.dougknox....osetfolders.htm

#9
CameronGTG
Hello,

OK, so I used the site you gave me, and now I can access the Control Panel, but it took away my ability to use the Windows key + 'E' to open Windows Explorer, which is no big problem, I guess...

Thank you.

Also, this is my girlfriend's computer that I have been working on, so I told her to watch for popups; she and I have not seen any, so I think we are good.

Thanks again.

#10
Armodeluxe
So it took away the keyboard shortcut? Well, you can always use My Computer.

Now, the first thing to do is to get a resident antivirus on that computer. You can find the link to AVG in my signature; please download that. It's a very good antivirus program and, what's better, it's free. Also in my signature you can find the link to ActiveScan, a free online virus scanner. In addition to having a resident antivirus, it's a good idea to run an online scan about once a month to make sure you are clean.

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall, as it monitors only incoming traffic. Pick one of these; they are all free.
Kerio
Zonealarm
Sygate

I'd also recommend installing monitoring software, which watches certain areas of your computer and alerts you when they are being modified. One such program is Prevx, but it's for advanced users, as the messages it displays can be hard to decipher. A similar but more user-friendly program is WinPatrol. Both are free.

Winpatrol

Prevx

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, and scan every file before clicking on it.

Additional programs to consider:

SpywareBlaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
SpywareGuard: An antivirus program scans files before you open them and prevents execution if a virus is detected. SpywareGuard does the same thing, but for spyware!
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.
Firefox: An alternative browser, safer than IE.

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe

#11
Armodeluxe
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.