Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WinFixer 05 - HJT Log [resolved]

Started by cools , Sep 24 2005 12:24 PM

  • This topic is locked This topic is locked

#1
cools
Posted 24 September 2005 - 12:24 PM

cools

    New Member

  • Member
  • Pip
  • 7 posts
I can't get rid of WinFixer, Thankfully my firewall blocks it from downloading but my roomate keeps allowing internet access for it. Please advise.



Logfile of HijackThis v1.99.1
Scan saved at 2:11:23 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelly G\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\tusro.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\WINDOWS\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094094676598
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestat...ab?ver=2,0,0,50
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: tusro - C:\WINDOWS\system32\tusro.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Thank You!
  • 0

Advertisements

#2
g2i2r4
Posted 24 September 2005 - 12:44 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Cools to Geeks to Go!

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Please print these instructions out for use in Safe Mode.
Please note: your AntiVirus program may prompt you to a malicious program running. Allow the entire script to run.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\tusro.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\orsut.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\tusro.dll (file missing)

    O4 - HKLM\..\Run: [NI.UWFX5RS_0001_0808] "C:\WINDOWS\Downloaded Program Files\UWFX5RS_0001_0808NetInstaller.exe"

    O20 - Winlogon Notify: tusro - C:\WINDOWS\system32\tusro.dll (file missing)
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
***

Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

***

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
cools
Posted 24 September 2005 - 01:37 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Everything went smoothly except for the second filename

C:\WINDOWS\system32\orsut.*

It keeps telling me that doesn't exist and to check the filename
  • 0

#4
g2i2r4
Posted 24 September 2005 - 01:53 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please move on with the rest of the advise. Let's see how far we come.
  • 0

#5
cools
Posted 24 September 2005 - 03:22 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Results After action:

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:17:58 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kelly G\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094094676598
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestat...ab?ver=2,0,0,50
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe



Active Scan:
Incident Status Location

Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/quicksearch No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Dialer:dialer.b No disinfected C:\WINDOWS\tmlpcert2005
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta32.ini
Adware:adware/cws No disinfected Windows Registry
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\SYSTEM32\D0CE0C16B1.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Hacktool:HackTool/Launchurl.A No disinfected C:\WINDOWS\launchurl.exe
Adware:Adware/WinTools No disinfected C:\NULL
Adware:Adware/WinAD No disinfected C:\System Volume Information\_restore{989F729B-15AD-440B-93CB-D76855AA477A}\RP368\A0023715.exe
  • 0

#6
g2i2r4
Posted 24 September 2005 - 03:52 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's check if there is anything on your computer that could be related to these findings.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from notepad into your post

  • 0

#7
cools
Posted 24 September 2005 - 04:07 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you so much for all of this! Oh, and the WinFixer thing is no longer appeariing

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Ahead Nero - Burning Rom
AOL Instant Messenger
AVG Free Edition
CleanUp!
HijackThis 1.99.1
InterVideo WinDVD Recorder
Java 2 Runtime Environment, SE v1.4.2_05
Joy of Cooking
Microsoft Office Basic Edition 2003
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (0.9.3)
Palm Desktop
Panda ActiveScan
Pop-Up Stopper Free Edition
QuarkXPress 5.0
SiS Audio Driver
SoulSeek Client 156c
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB890175
Windows XP Service Pack 2
ZoneAlarm
  • 0

#8
g2i2r4
Posted 24 September 2005 - 04:16 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's clean up a bit.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Note:
You may want to update Firefox to version 1.06.
  • 0

#9
cools
Posted 24 September 2005 - 04:57 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I downloaded it and ran it once. You will see messages like: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process"so I ran it again and it came up clean

********
6:21 PM: |··· Start of Session, Saturday, September 24, 2005 ···|
6:21 PM: Spy Sweeper started
6:21 PM: Sweep initiated using definitions version 540
6:21 PM: Starting Memory Sweep
6:24 PM: Memory Sweep Complete, Elapsed Time: 00:02:53
6:24 PM: Starting Registry Sweep
6:24 PM: Found Adware: browseraid
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 105078)
6:24 PM: Found Adware: cnsmin
6:24 PM: HKCR\clsid\{205ff73b-ca67-11d5-99dd-444553540006}\ (14 subtraces) (ID = 106160)
6:24 PM: HKCR\interface\{205ff73a-ca67-11d5-99dd-444553540006}\ (8 subtraces) (ID = 106176)
6:24 PM: HKLM\software\classes\clsid\{205ff73b-ca67-11d5-99dd-444553540006}\ (14 subtraces) (ID = 106191)
6:24 PM: HKLM\software\classes\interface\{205ff73a-ca67-11d5-99dd-444553540006}\ (8 subtraces) (ID = 106197)
6:24 PM: HKLM\software\classes\typelib\{205ff72e-ca67-11d5-99dd-444553540006}\ (9 subtraces) (ID = 106202)
6:24 PM: HKCR\typelib\{205ff72e-ca67-11d5-99dd-444553540006}\ (9 subtraces) (ID = 106257)
6:24 PM: Found Adware: comet cursor
6:24 PM: HKCR\appid\dmserver.exe\ (1 subtraces) (ID = 106303)
6:24 PM: HKCR\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106304)
6:24 PM: HKCR\interface\{4a0f42b7-a61b-4131-bf41-bf05a2635bfd}\ (8 subtraces) (ID = 106455)
6:24 PM: HKCR\interface\{9dbdd71c-0a7f-48ac-9ffa-e102b3750b9d}\ (8 subtraces) (ID = 106461)
6:24 PM: HKCR\interface\{c2e56e18-2f04-4ab9-9333-b2db3c350956}\ (8 subtraces) (ID = 106489)
6:24 PM: HKCR\interface\{e9cbbeed-20b6-456c-8589-cf364d9d2370}\ (8 subtraces) (ID = 106503)
6:24 PM: HKCR\interface\{f8c5ea77-7d72-405c-b90a-093655b0f544}\ (8 subtraces) (ID = 106509)
6:24 PM: HKLM\software\classes\appid\dmserver.exe\ (1 subtraces) (ID = 106525)
6:24 PM: HKLM\software\classes\appid\{bac984c9-78c8-4105-9e97-1675a4052686}\ (1 subtraces) (ID = 106526)
6:24 PM: HKLM\software\classes\interface\{4a0f42b7-a61b-4131-bf41-bf05a2635bfd}\ (8 subtraces) (ID = 106636)
6:24 PM: HKLM\software\classes\interface\{9dbdd71c-0a7f-48ac-9ffa-e102b3750b9d}\ (8 subtraces) (ID = 106642)
6:24 PM: HKLM\software\classes\interface\{c2e56e18-2f04-4ab9-9333-b2db3c350956}\ (8 subtraces) (ID = 106667)
6:24 PM: HKLM\software\classes\interface\{e9cbbeed-20b6-456c-8589-cf364d9d2370}\ (8 subtraces) (ID = 106680)
6:24 PM: HKLM\software\classes\interface\{f8c5ea77-7d72-405c-b90a-093655b0f544}\ (8 subtraces) (ID = 106687)
6:24 PM: Found Adware: gain-supported software
6:24 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/hdplugin1019.dll\ (2 subtraces) (ID = 126765)
6:24 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\hdplugin1019.dll (ID = 126786)
6:24 PM: Found Adware: hotbar
6:24 PM: HKCR\clsid\{0774f696-d801-4c18-81a7-a3a32b8bef19}\ (10 subtraces) (ID = 127230)
6:24 PM: HKCR\clsid\{1e6ac766-9094-4bcf-abd3-39e2eaea5fcd}\ (18 subtraces) (ID = 127232)
6:24 PM: HKCR\clsid\{454b4812-e572-4703-a1bb-63490809eac0}\ (11 subtraces) (ID = 127252)
6:24 PM: HKCR\clsid\{580a1f3f-89b4-433b-bbdb-b97aeb13f3fc}\ (11 subtraces) (ID = 127253)
6:24 PM: HKCR\clsid\{2178c864-b8bc-41ae-a1fb-eb6a32f87eb1}\ (12 subtraces) (ID = 127255)
6:24 PM: HKCR\clsid\{a798e2b4-b6a0-4b96-8c53-8ec7a3b0895a}\ (16 subtraces) (ID = 127262)
6:24 PM: HKCR\hbhostie.bho.1\ (3 subtraces) (ID = 127281)
6:24 PM: HKCR\hbhostie.bho\ (5 subtraces) (ID = 127282)
6:24 PM: HKCR\interface\{3f04cbf7-cd62-4403-b090-b432dedcb159}\ (8 subtraces) (ID = 127325)
6:24 PM: HKCR\interface\{34f4d917-31e4-464c-b8b3-84c1ce76b395}\ (8 subtraces) (ID = 127334)
6:24 PM: HKCR\interface\{8578d35e-c6c0-4808-9a80-0f6c29a2c423}\ (8 subtraces) (ID = 127339)
6:24 PM: HKCR\interface\{bc190da5-0187-4d99-b3ac-6c45ea1b9324}\ (8 subtraces) (ID = 127353)
6:24 PM: HKCR\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127362)
6:24 PM: HKCR\rprtspsclient.psexecuter\ (5 subtraces) (ID = 127363)
6:24 PM: HKCR\shprrprts.hbax.1\ (3 subtraces) (ID = 127365)
6:24 PM: HKCR\shprrprts.hbax\ (5 subtraces) (ID = 127366)
6:24 PM: HKCR\shprrprts.hbcommband.1\ (3 subtraces) (ID = 127367)
6:24 PM: HKCR\shprrprts.hbcommband\ (5 subtraces) (ID = 127368)
6:24 PM: HKCR\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127369)
6:24 PM: HKCR\shprrprts.hbinfoband\ (5 subtraces) (ID = 127370)
6:24 PM: HKCR\shprrprts.iebutton.1\ (3 subtraces) (ID = 127371)
6:24 PM: HKCR\shprrprts.iebutton\ (5 subtraces) (ID = 127372)
6:24 PM: HKCR\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127373)
6:24 PM: HKCR\shprrprts.iebuttona\ (5 subtraces) (ID = 127374)
6:24 PM: HKCR\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127375)
6:24 PM: HKCR\shprrprts.smrtshprctl\ (5 subtraces) (ID = 127376)
6:24 PM: HKLM\software\classes\clsid\{0774f696-d801-4c18-81a7-a3a32b8bef19}\ (10 subtraces) (ID = 127395)
6:24 PM: HKLM\software\classes\clsid\{1e6ac766-9094-4bcf-abd3-39e2eaea5fcd}\ (18 subtraces) (ID = 127397)
6:24 PM: HKLM\software\classes\clsid\{454b4812-e572-4703-a1bb-63490809eac0}\ (11 subtraces) (ID = 127415)
6:24 PM: HKLM\software\classes\clsid\{580a1f3f-89b4-433b-bbdb-b97aeb13f3fc}\ (11 subtraces) (ID = 127417)
6:24 PM: HKLM\software\classes\clsid\{2178c864-b8bc-41ae-a1fb-eb6a32f87eb1}\ (12 subtraces) (ID = 127419)
6:24 PM: HKLM\software\classes\clsid\{a798e2b4-b6a0-4b96-8c53-8ec7a3b0895a}\ (16 subtraces) (ID = 127426)
6:24 PM: HKLM\software\classes\hbhostie.bho.1\ (3 subtraces) (ID = 127446)
6:24 PM: HKLM\software\classes\hbhostie.bho\ (5 subtraces) (ID = 127447)
6:24 PM: HKLM\software\classes\interface\{3f04cbf7-cd62-4403-b090-b432dedcb159}\ (8 subtraces) (ID = 127490)
6:24 PM: HKLM\software\classes\interface\{34f4d917-31e4-464c-b8b3-84c1ce76b395}\ (8 subtraces) (ID = 127499)
6:24 PM: HKLM\software\classes\interface\{8578d35e-c6c0-4808-9a80-0f6c29a2c423}\ (8 subtraces) (ID = 127503)
6:24 PM: HKLM\software\classes\interface\{bc190da5-0187-4d99-b3ac-6c45ea1b9324}\ (8 subtraces) (ID = 127514)
6:24 PM: HKLM\software\classes\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127521)
6:24 PM: HKLM\software\classes\rprtspsclient.psexecuter\ (5 subtraces) (ID = 127522)
6:24 PM: HKLM\software\classes\shprrprts.hbax.1\ (3 subtraces) (ID = 127524)
6:24 PM: HKLM\software\classes\shprrprts.hbax\ (5 subtraces) (ID = 127525)
6:24 PM: HKLM\software\classes\shprrprts.hbcommband.1\ (3 subtraces) (ID = 127526)
6:24 PM: HKLM\software\classes\shprrprts.hbcommband\ (5 subtraces) (ID = 127527)
6:24 PM: HKLM\software\classes\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127528)
6:24 PM: HKLM\software\classes\shprrprts.hbinfoband\ (5 subtraces) (ID = 127529)
6:24 PM: HKLM\software\classes\shprrprts.iebutton.1\ (3 subtraces) (ID = 127530)
6:24 PM: HKLM\software\classes\shprrprts.iebutton\ (5 subtraces) (ID = 127531)
6:24 PM: HKLM\software\classes\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127532)
6:24 PM: HKLM\software\classes\shprrprts.iebuttona\ (5 subtraces) (ID = 127533)
6:24 PM: HKLM\software\classes\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127534)
6:24 PM: HKLM\software\classes\shprrprts.smrtshprctl\ (5 subtraces) (ID = 127535)
6:24 PM: HKLM\software\classes\typelib\{842d315a-7e1e-448b-96e8-9e76d1820be2}\ (9 subtraces) (ID = 127546)
6:24 PM: HKLM\software\classes\typelib\{b5901229-25cc-43c9-b604-3bb6ac2b48a5}\ (9 subtraces) (ID = 127555)
6:24 PM: HKLM\software\classes\typelib\{c83daed4-0611-4f7a-978e-7feafcb2f91b}\ (9 subtraces) (ID = 127557)
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\shopperreports\ (1 subtraces) (ID = 127631)
6:24 PM: HKLM\software\shopperreports\ (1 subtraces) (ID = 127632)
6:24 PM: HKCR\typelib\{842d315a-7e1e-448b-96e8-9e76d1820be2}\ (9 subtraces) (ID = 127644)
6:24 PM: HKCR\typelib\{b5901229-25cc-43c9-b604-3bb6ac2b48a5}\ (9 subtraces) (ID = 127654)
6:24 PM: HKCR\typelib\{c83daed4-0611-4f7a-978e-7feafcb2f91b}\ (9 subtraces) (ID = 127656)
6:24 PM: Found Adware: ie driver
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
6:24 PM: Found Adware: instant access
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\p2eclient\ (1 subtraces) (ID = 128846)
6:24 PM: Found Adware: internetoptimizer
6:24 PM: HKCR\interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5}\ (8 subtraces) (ID = 128885)
6:24 PM: HKLM\software\classes\interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5}\ (8 subtraces) (ID = 128896)
6:24 PM: Found Adware: ist istbar
6:24 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/istactivex.dll\ (2 subtraces) (ID = 129124)
6:24 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\istactivex.dll (ID = 129174)
6:24 PM: Found Adware: minigolf
6:24 PM: HKLM\software\minigolf\ (ID = 135062)
6:24 PM: Found Adware: moneytree
6:24 PM: HKCR\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\ (8 subtraces) (ID = 135185)
6:24 PM: Found Adware: roings search enhancment
6:24 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm21.ocx\ (2 subtraces) (ID = 140172)
6:24 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mm21.ocx (ID = 140201)
6:24 PM: Found Adware: searchtoolbar
6:24 PM: HKU\S-1-5-21-602162358-1993962763-1343024091-1004\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
6:24 PM: Found Adware: websearch toolbar
6:24 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
6:24 PM: Found Adware: wildmedia
6:24 PM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146695)
6:24 PM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146709)
6:24 PM: Found Adware: winad
6:24 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147155)
6:24 PM: HKCR\mediaaccx.installer\ (3 subtraces) (ID = 147158)
6:24 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147169)
6:24 PM: HKLM\software\classes\mediaaccx.installer\ (3 subtraces) (ID = 147172)
6:24 PM: HKLM\software\media access\ (1 subtraces) (ID = 147182)
6:24 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
6:24 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
6:24 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
6:24 PM: Found Adware: winantispyware 2005
6:24 PM: HKLM\software\winsoftware\winfixer 2005\ (1 subtraces) (ID = 528193)
6:24 PM: Registry Sweep Complete, Elapsed Time:00:00:15
6:24 PM: Starting Cookie Sweep
6:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:24 PM: Starting File Sweep
6:24 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\catroot2\edb.log". The process cannot access the file because it is being used by another process
6:26 PM: Warning: Failed to open file "c:\windows\system32\catroot2\tmp.edb". The process cannot access the file because it is being used by another process
6:26 PM: Found Trojan Horse: 2nd-thought
6:26 PM: null (ID = 48354)
6:26 PM: Found Adware: bho_sep
6:26 PM: sepsd.bin (ID = 75367)
6:26 PM: tmlpcert2005 (ID = 63918)
6:26 PM: unstall.exe (ID = 74177)
6:26 PM: Found Adware: clipgenie
6:26 PM: launchurl.exe (ID = 53067)
6:26 PM: stlb2.xml (ID = 75193)
6:26 PM: d0ce0c16b1.dll (ID = 51916)
6:27 PM: Warning: Failed to open file "c:\windows\temp\zlt010c2.tmp". The process cannot access the file because it is being used by another process
6:27 PM: mediaaccx.dll (ID = 90412)
6:27 PM: install.dll (ID = 53285)
6:27 PM: install.inf (ID = 53286)
6:27 PM: hdplugin1019.inf (ID = 61473)
6:30 PM: Found Adware: downloadware
6:30 PM: c:\program files\medialoads (241 subtraces) (ID = -2147481081)
6:30 PM: channelstyles.css (ID = 53062)
6:30 PM: bikpreview.wmv (ID = 53028)
6:30 PM: casinopreview.wmv (ID = 53029)
6:30 PM: celebpreview.wmv (ID = 53030)
6:30 PM: extpreview.wmv (ID = 53042)
6:30 PM: grvpreview.wmv (ID = 53061)
6:30 PM: wrdpreview.wmv (ID = 53093)
6:30 PM: guistyles.css (ID = 53062)
6:30 PM: launch.html (ID = 53068)
6:30 PM: main.html (ID = 53069)
6:30 PM: f1_1.html (ID = 53043)
6:30 PM: f1_2a.html (ID = 53044)
6:30 PM: f1_2b_categories.html (ID = 53045)
6:30 PM: f1_3.html (ID = 53046)
6:30 PM: f2.html (ID = 53047)
6:30 PM: f3_1.html (ID = 53048)
6:30 PM: f3_2a_player.html (ID = 53049)
6:30 PM: f3_2b.html (ID = 53050)
6:30 PM: f3_3.html (ID = 53051)
6:30 PM: f3_4a_files.html (ID = 53052)
6:30 PM: f3_4b.html (ID = 53053)
6:30 PM: f3_5.html (ID = 53054)
6:31 PM: player.html (ID = 53078)
6:31 PM: playerslices.htm (ID = 53080)
6:31 PM: playerstyles.css (ID = 53062)
6:31 PM: scroller.swf (ID = 53090)
6:32 PM: Found Adware: emarketmakers
6:32 PM: dvd.exe (ID = 60103)
6:32 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\kelly g\ntuser.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\kelly g\ntuser.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\kelly g\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
6:32 PM: Warning: Failed to open file "c:\documents and settings\kelly g\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
6:32 PM: Found Adware: cws-aboutblank
6:32 PM: blank.htm (ID = 54894)
6:34 PM: File Sweep Complete, Elapsed Time: 00:09:41
6:34 PM: Full Sweep has completed. Elapsed time 00:12:56
6:34 PM: Traces Found: 1028
6:36 PM: Removal process initiated
6:36 PM: Quarantining All Traces: browseraid
6:36 PM: Quarantining All Traces: cnsmin
6:36 PM: Quarantining All Traces: comet cursor
6:36 PM: Quarantining All Traces: gain-supported software
6:36 PM: Quarantining All Traces: hotbar
6:36 PM: Quarantining All Traces: ie driver
6:36 PM: Quarantining All Traces: instant access
6:36 PM: Quarantining All Traces: internetoptimizer
6:37 PM: Quarantining All Traces: ist istbar
6:37 PM: Quarantining All Traces: minigolf
6:37 PM: Quarantining All Traces: moneytree
6:37 PM: Quarantining All Traces: roings search enhancment
6:37 PM: Quarantining All Traces: searchtoolbar
6:37 PM: Quarantining All Traces: websearch toolbar
6:37 PM: Quarantining All Traces: wildmedia
6:37 PM: Quarantining All Traces: winad
6:37 PM: Quarantining All Traces: winantispyware 2005
6:37 PM: Quarantining All Traces: 2nd-thought
6:37 PM: Quarantining All Traces: bho_sep
6:37 PM: Quarantining All Traces: clipgenie
6:37 PM: Quarantining All Traces: downloadware
6:37 PM: Quarantining All Traces: emarketmakers
6:37 PM: Quarantining All Traces: cws-aboutblank
6:37 PM: Removal process completed. Elapsed time 00:00:44
********
6:21 PM: |··· Start of Session, Saturday, September 24, 2005 ···|
6:21 PM: Spy Sweeper started
6:21 PM: |··· End of Session, Saturday, September 24, 2005 ···|
  • 0

#10
g2i2r4
Posted 24 September 2005 - 05:03 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
That's good news. Can you rerun Panda to see what leftovers we need to remove?
  • 0

#11
cools
Posted 24 September 2005 - 05:52 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Incident Status Location

Adware:adware/quicksearch No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta32.ini
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/BrowserAid No disinfected C:\System Volume Information\_restore{989F729B-15AD-440B-93CB-D76855AA477A}\RP401\A0028132.DLL
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{989F729B-15AD-440B-93CB-D76855AA477A}\RP401\A0028133.exe
Hacktool:HackTool/Launchurl.A No disinfected C:\System Volume Information\_restore{989F729B-15AD-440B-93CB-D76855AA477A}\RP401\A0028134.exe
Adware:Adware/WinAD No disinfected C:\System Volume Information\_restore{989F729B-15AD-440B-93CB-D76855AA477A}\RP368\A0023715.exe
  • 0

#12
g2i2r4
Posted 24 September 2005 - 05:57 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
C:\WINDOWS\usta32.ini

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

How are things now?
  • 0

#13
cools
Posted 24 September 2005 - 06:15 PM

cools

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Clean as a whistle - Youare awesome Thank you soooo much!
  • 0

#14
g2i2r4
Posted 25 September 2005 - 06:25 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You're welcome and thank you :tazz:

----------

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP