Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Look2me has my XP box

Started by LeatherCat , Oct 04 2005 08:40 PM

  • Please log in to reply

#16
Wizard
Posted 15 October 2005 - 03:36 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry for the delays,work got real busy this week!

It looks like the Look2me infection is gone!

How is the PC running?
  • 0

Advertisements

#17
LeatherCat
Posted 17 October 2005 - 05:56 PM

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi again. I think we are clean. :tazz:
Everything ran clean today except Kaspersky (post follows). I'm not sure where the C:\RECYCLERS\ directory came from but I'm guessing it's either and archive from a scan or Oulook Express trying to re-build something I've deleted from its home directory. The other entries look like quarantine backup files from the various scans performed previously. The FINAL question is - How do I set the "XP System Restore Point" to what is now a clean system. I'd like as well to thank you for all the assistance in this matter as a bit of a Linux geek myself I've never had to deal with this. However we all live to learn and learn to live. :)

Final (I hope scan)

=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 11:23:05
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 154622
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 35016
Number of viruses found 3
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 4284 sec

Infected Object Name Virus Name
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text Infected: Email-Worm.Win32.Mimail.txt
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx Infected: Email-Worm.Win32.Mimail.a
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
Scan process completed.

=-=-=-=-=-=-=-=
BTW I'm installing a real firewall (iptables) on this weekend
  • 0

#18
Wizard
Posted 18 October 2005 - 01:18 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Configure Windows to Show All Hidden Files and Folders
http://www.bleepingc...torial=62#winxp

Navigate to C:\Windows\Temp

Clean out that entire folder and make sure to get this rascal

C:\WINDOWS\temp\ASHeuristic


Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Post back with a fresh HijackThis log and lets wrap this up!
  • 0

#19
LeatherCat
Posted 18 October 2005 - 06:31 PM

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Have my fingers crossed in hope that this is it.



Logfile of HijackThis v1.99.1
Scan saved at 6:20:20 PM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe




The following entry attracts my attention only because I don't know what it is.

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
  • 0

#20
Wizard
Posted 19 October 2005 - 04:05 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go ahead and remove that 016 entry with HijackThis!

How is the PC running?
  • 0

#21
LeatherCat
Posted 20 October 2005 - 11:22 PM

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
To all appearances it is totally clean. The machine runs MUCH faster than when we started. (Needs more memory though - only has 128M)
Once again THANK YOU for all your help in this matter. :woot: Still have some work to do my self to secure the whole network and block certain services but that is in an OS I speak fairly well (Linux) It's the dedication and willingness to share time and knowledge of people like yourself that make working with computers for those of us less experienced much less of a headache. My hat is off to you and all the people dedicated to forums like this one. :tazz: :)
  • 0

#22
Wizard
Posted 21 October 2005 - 03:04 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and Renable System Restore,this will flush out all the old nasty restore points and create a nice new clean one!

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Make sure to visit the Windows Update Site freqently!!
http://windowsupdate.microsoft.com/
  • 0

#23
LeatherCat
Posted 25 October 2005 - 09:50 PM

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I am confident we can call this thread closed. :tazz: Been running since your last post with NO identifiable problems at all. Once again thans for all your help and dedication in this matter. :)
  • 0

#24
Wizard
Posted 26 October 2005 - 03:55 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sounds good boss,Ill leave the thread open for a while!

Come back if ya need help again! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP