Look2me has my XP box



#16 Wizard (Retired Staff, 5,661 posts)
Sorry for the delays, work got real busy this week!

It looks like the Look2me infection is gone!

How is the PC running?


#17 LeatherCat (Topic Starter, Member, 14 posts)
Hi again. I think we are clean. :tazz:
Everything ran clean today except Kaspersky (post follows). I'm not sure where the C:\RECYCLERS\ directory came from but I'm guessing it's either an archive from a scan or Outlook Express trying to re-build something I've deleted from its home directory. The other entries look like quarantine backup files from the various scans performed previously. The FINAL question is - how do I set the "XP System Restore Point" to what is now a clean system? I'd like as well to thank you for all the assistance in this matter; as a bit of a Linux geek myself I've never had to deal with this. However we all live to learn and learn to live. :)

Final (I hope) scan

=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 11:23:05
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 154622
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 35016
Number of viruses found 3
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 4284 sec

Infected Object Name Virus Name
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From admin@TELUS.NET][Date Fri, 1 Aug 2003 15:42:37 -0600]/text Infected: Email-Worm.Win32.Mimail.txt
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From admin@TELUS.NET][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx/[From admin@TELUS.NET][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc6.dbx Infected: Email-Worm.Win32.Mimail.a
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
Scan process completed.

=-=-=-=-=-=-=-=
BTW, I'm installing a real firewall (iptables) this weekend.
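The point of the report above is that every hit sits either in a quarantine folder, in the AntiSpyware temp folder, or in the recycle bin, i.e. in places where the object has already been contained; nothing is on the live file system. The following script is an added example for this thread (not code from the post or from Kaspersky) that does that triage automatically: it parses the "object Infected: name" lines, folds nested archive members back into their outermost container, and labels each container by where it lives. The location markers, and the last sample line (a hypothetical live invoice.zip hit added to show the contrast), are assumptions; the other sample lines are taken from the report above.

```python
"""
Triage of a Kaspersky On-line Scanner report.

Added example for this thread, not code from the original post or from
Kaspersky. Hits are grouped by outermost container and labelled as
quarantine / temp / recycle-bin copies (already contained) or LIVE.
"""
import re
from collections import OrderedDict

# Report lines are "<object path> Infected: <detection name>"; nested archive
# members are separated from their container with "/".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")

# Path fragments that mean the object was already neutralised (assumption:
# these match the tools used in the thread; extend for other products).
CONTAINED_MARKERS = (
    ("\\quarantine\\", "quarantine copy"),
    ("\\windows\\temp\\asheuristic\\", "AntiSpyware temp copy"),
    ("\\recycler\\", "recycle bin"),
    ("\\recycled\\", "recycle bin"),
)

# Constructed sample: a subset of the report in the thread plus one
# hypothetical live hit (invoice.zip) to show the contrast.
SAMPLE_REPORT = r"""
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx/[From "Active-Tech Calgary" ][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\RECYCLER\S-1-5-21-2299825339-3581506895-1790521817-500\Dc5.dbx Infected: Email-Worm.Win32.Mimail.a
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Documents and Settings\user\Desktop\invoice.zip/invoice.exe Infected: Email-Worm.Win32.Mimail.a
"""


def parse_report(text):
    """Return (object_path, detection) pairs; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def locate(container):
    """Label where a container lives: contained by a tool, or LIVE on disk."""
    low = container.lower()
    for marker, label in CONTAINED_MARKERS:
        if marker in low:
            return label
    return "LIVE"


def triage(text):
    """Group hits by outermost container -> {location, detections, objects}."""
    groups = OrderedDict()
    for path, name in parse_report(text):
        container = path.split("/", 1)[0]  # strip nested archive members
        entry = groups.setdefault(
            container,
            {"location": locate(container), "detections": set(), "objects": 0})
        entry["detections"].add(name)
        entry["objects"] += 1
    return groups


def live_containers(text):
    """Containers that still need action: not quarantined, not in the bin."""
    return [c for c, e in triage(text).items() if e["location"] == "LIVE"]


if __name__ == "__main__":
    for container, e in triage(SAMPLE_REPORT).items():
        print(f"{e['location']:<22} {e['objects']} object(s) "
              f"{sorted(e['detections'])}  {container}")
    print("needs action:", live_containers(SAMPLE_REPORT))
```

Run it on a saved report and only the LIVE containers need a decision; the rest can be dealt with by emptying the quarantine, temp and recycle-bin folders, which is exactly what the next reply asks for.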

#18 Wizard (Retired Staff, 5,661 posts)
Configure Windows to Show All Hidden Files and Folders
http://www.bleepingc...torial=62#winxp

Navigate to C:\Windows\Temp

Clean out that entire folder and make sure to get this rascal

C:\WINDOWS\temp\ASHeuristic


Copy & paste the text below into Notepad and save it as recyclerem.bat
(Set filetype to "All Files")


REM Clear the read-only/system/hidden attributes on the folder and everything under it
attrib -r -s -h %systemdrive%\Recycler /s /d
REM rd /s /q removes the folder and its per-user SID subfolders without prompting;
REM a plain "del" only clears top-level files and leaves those subfolders (and the .dbx hits) behind
rd /s /q %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled /s /d
rd /s /q %systemdrive%\Recycled
REM Reboot immediately; Windows recreates an empty recycle bin folder on startup
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Post back with a fresh HijackThis log and lets wrap this up!

#19 LeatherCat (Topic Starter, Member, 14 posts)
Have my fingers crossed in hope that this is it.



Logfile of HijackThis v1.99.1
Scan saved at 6:20:20 PM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
The following entry attracts my attention only because I don't know what it is.

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab

#20 Wizard (Retired Staff, 5,661 posts)
Go ahead and remove that O16 entry with HijackThis!

How is the PC running?
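The question in the log above (which O16 ActiveX download is unfamiliar, and whether the O17 DNS servers are the real ones) is a mechanical check. Here is an added example for this thread, not HijackThis code, that pulls the O16 lines apart into CLSID, control name and download host and flags any host outside a trusted set, and parses the O17 NameServer lines and flags addresses that are not private (RFC 1918), so they can be compared with the ISP's published resolvers. The TRUSTED_HOSTS set and the two example.test O16 lines are assumptions; the other sample lines are taken from the log above.

```python
"""
Reading the O16 (ActiveX downloads) and O17 (DNS servers) lines of a
HijackThis log.

Added example for this thread, not HijackThis code. TRUSTED_HOSTS and the
example.test entries are assumptions made for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")

# Assumption: download hosts the owner recognises (scanners, vendor updates).
TRUSTED_HOSTS = {"alldatasheet.com", "scanner.example.test"}

# Constructed sample: one O4, one O16 and two O17 lines from the thread's log,
# plus two hypothetical O16 lines with example.test hosts.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Online Scan Control) - http://scanner.example.test/scan/xscan.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Photo Viewer Control) - http://www.photos.example.test/viewer/viewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
"""


def parse_o16(log):
    """Each O16 entry as {clsid, name, host, url}; host is lower-cased."""
    entries = []
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            host = (urlsplit(m.group("url")).hostname or "").lower()
            entries.append({"clsid": m.group("clsid"), "name": m.group("name"),
                            "host": host, "url": m.group("url")})
    return entries


def parse_o17(log):
    """Each NameServer address as {key, ip, private}."""
    servers = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            for addr in m.group("servers").split(","):
                servers.append({"key": m.group("key"), "ip": addr,
                                "private": ipaddress.ip_address(addr).is_private})
    return servers


def review_o16(log, trusted=TRUSTED_HOSTS):
    """O16 controls whose download host is not in the trusted set."""
    return [e for e in parse_o16(log) if e["host"] not in trusted]


def review_o17(log):
    """Public DNS servers to verify against the ISP (deduplicated, sorted)."""
    return sorted({s["ip"] for s in parse_o17(log) if not s["private"]})


if __name__ == "__main__":
    for e in review_o16(SAMPLE_LOG):
        print(f"review O16 {e['clsid']} ({e['name']}) from {e['host']}")
    for ip in review_o17(SAMPLE_LOG):
        print(f"verify DNS server {ip} is really your ISP's resolver")
```

A flagged O16 entry is not proof of anything bad; it only means you do not recognise where the control was downloaded from, which was the original poster's reason for asking. The fix is the same as in the reply: remove it with HijackThis, and the site will simply offer the control again if it is genuinely needed.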

#21 LeatherCat (Topic Starter, Member, 14 posts)
To all appearances it is totally clean. The machine runs MUCH faster than when we started. (Needs more memory though - only has 128M)
Once again THANK YOU for all your help in this matter. :woot: Still have some work to do myself to secure the whole network and block certain services, but that is in an OS I speak fairly well (Linux). It's the dedication and willingness to share time and knowledge of people like yourself that makes working with computers for those of us less experienced much less of a headache. My hat is off to you and all the people dedicated to forums like this one. :tazz: :)

#22 Wizard (Retired Staff, 5,661 posts)
Please install these 2 to add to the security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and re-enable System Restore; this will flush out all the old nasty restore points and create a nice new clean one!

Go ahead and reconfigure Msconfig the way you like the PC to start up!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Make sure to visit the Windows Update site frequently!!
http://windowsupdate.microsoft.com/

#23 LeatherCat (Topic Starter, Member, 14 posts)
I am confident we can call this thread closed. :tazz: Been running since your last post with NO identifiable problems at all. Once again thanks for all your help and dedication in this matter. :)

#24 Wizard (Retired Staff, 5,661 posts)
Sounds good boss, I'll leave the thread open for a while!

Come back if ya need help again! :tazz: