The Evil Torrent Search 3.0

#16
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Wemur the malware is still active on your computer.
Please post a new FindIt log and do NOT reboot until you get an answer.
A reboot adds new files to the infection.

Regards,

Pieter
  • 0


#17
Wemur

    Member

  • Topic Starter
  • Member
  • 17 posts
Thx for your reply :cheers: . I installed Trojan Hunter and the first thing it brought up when I started it was Adware VX2.100 that's running in my memory... but... yes BUT, it seems that it isn't able to remove it :tazz: or then I just don't understand this (maybe my English has gotten worse or something, if that's the case ;) )... this is what it says:


Cleaning module guard.tmp in process rundll32.exe
Unable to unload module guard.tmp from process rundll32.exe (2852)

File not found: C:\WINDOWS\system32\guard.tmp
Trojan cleaning finished.

When I ran the full scan these were the trojans that it pointed out:
Adware.ActAlert.100
Adware.ISTBar.207
Dialer.Sks.100
TrojanDownloader.Webdown.100
and this is what it did to them (not sure if this is necessary but anyways here goes :thumbsup: ):


Renamed file C:\Documents and Settings\xxxxxxxx\Local Settings\Temp\Temporary Internet Files\Content.IE5\36V44L1H\xxx[1].exe to C:\Documents and Settings\xxxxxx\Local Settings\Temp\Temporary Internet Files\Content.IE5\36V44L1H\xxx[1].exe.tcf
Renamed file C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148533.exe to C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148533.exe.tcf
Renamed file C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148535.dll to C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148535.dll.tcf
Renamed file C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148538.exe to C:\System Volume Information\_restore{DD0BE188-F29D-43C4-A655-0CD86499340D}\RP207\A0148538.exe.tcf
Renamed file C:\works\cd1\Autorun\autorun.exe to C:\works\cd1\Autorun\autorun.exe.tcf
Trojan cleaning finished.

Also while I was doing this scan my Norton Antivirus pointed out this virus that it deleted: dUH5VF.exe (Virus Name: Trojan.Digits)

Thx once again for mentioning this program :cheers: ... and I hope the person who created this torrent search program was killed in that tsunami...
  • 0

#18
Wemur

    Member

  • Topic Starter
  • Member
  • 17 posts
Oooookayyy... Hmm, well, first off I'd like to correct the virus part in my last post, because while I was writing that I had only had the FIRST notification from Norton, and when I pressed OK it notified me of several other viruses too that it removed (didn't write them down because there were quite a lot of them and I guess you don't need all the info about this part :tazz: )... Hmm, well, when I rebooted my system (had downloaded some Windows updates) Trojan Hunter notified me about this Adware thingy in my memory again, and when I tried to clean it again my toolbar (isn't that thing down there called the toolbar in English ;) ?) disappeared completely and I had to reboot once again, and now I've done the FindIt log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: F:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Aseman C nimi on 53_11_02
Aseman sarjanumero on A8FF-B7A1

Kansio C:\WINDOWS\System32

12.01.2005 22:30 <KANSIO> dllcache
12.01.2005 22:28 224˙981 azao01j3e.dll
12.01.2005 22:24 223˙193 dn6o01j3e.dll
12.01.2005 17:11 224˙304 enjml1111.dll
20.06.2004 14:48 32 {BC5E3058-FA03-4016-8E86-09FCC25D59A5}.dat
20.06.2004 14:19 32 {4EAE1052-0ECC-4621-993B-B7657AD2BB15}.dat
18.11.2003 02:36 <KANSIO> Microsoft
5 tiedosto(a) 672˙542 tavua
2 kansio(ta) 17˙320˙296˙448 tavua vapaana

------- Hidden Files in System32 Directory -------

Aseman C nimi on 53_11_02
Aseman sarjanumero on A8FF-B7A1

Kansio C:\WINDOWS\System32

12.01.2005 22:30 <KANSIO> dllcache
20.06.2004 14:48 32 {BC5E3058-FA03-4016-8E86-09FCC25D59A5}.dat
20.06.2004 14:19 32 {4EAE1052-0ECC-4621-993B-B7657AD2BB15}.dat
20.06.2004 12:36 488 WindowsLogon.manifest
20.06.2004 12:36 488 logonui.exe.manifest
20.06.2004 12:34 749 sapi.cpl.manifest
20.06.2004 12:34 749 nwc.cpl.manifest
20.06.2004 12:34 749 ncpa.cpl.manifest
20.06.2004 12:34 749 wuaucpl.cpl.manifest
20.06.2004 12:34 749 cdplayer.exe.manifest
26.09.2003 09:11 2˙045 whlpda32e.dll
10 tiedosto(a) 6˙830 tavua
1 kansio(ta) 17˙320˙292˙352 tavua vapaana

------------ Files Named "Guard" ---------------

Aseman C nimi on 53_11_02
Aseman sarjanumero on A8FF-B7A1

Kansio C:\WINDOWS\System32

12.01.2005 22:29 224˙304 guard.tmp
12.01.2005 17:28 223˙193 guard.tmp.tcf
2 tiedosto(a) 447˙497 tavua
0 kansio(ta) 17˙320˙292˙352 tavua vapaana

------ Temp Files in System32 Directory ------

Aseman C nimi on 53_11_02
Aseman sarjanumero on A8FF-B7A1

Kansio C:\WINDOWS\System32

12.01.2005 22:29 224˙304 guard.tmp
1 tiedosto(a) 224˙304 tavua
0 kansio(ta) 17˙320˙292˙352 tavua vapaana

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1814209-FA6B-46CD-9712-629E61D05042}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjml1111.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
azao01~1.dll Wed 12 Jan 2005 22.28.16 ..S.R 224 981 219,71 K
dn6o01~1.dll Wed 12 Jan 2005 22.24.04 ..S.R 223 193 217,96 K
enjml1~1.dll Wed 12 Jan 2005 17.11.04 ..S.R 224 304 219,05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 672 478 bytes 656,71 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"StarSkin"="C:\\PROGRAM FILES\\ROCKET DIVISION SOFTWARE\\STARSKIN\\STARSKIN.EXE -H"
"SoundMan"="SOUNDMAN.EXE"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"WinampAgent"="F:\\Winamp\\winampa.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\GIANT Company Software\\GIANT AntiSpyware\\gcasServ.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.1\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#19
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I call that thing a "taakbalk" but hey, I am not English either. :tazz:

Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it says "Reboot now", say No and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\azao01j3e.dll
C:\WINDOWS\System32\dn6o01j3e.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\enjml1111.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1814209-FA6B-46CD-9712-629E61D05042}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Remind me to tell you how to clean out your System Restore files once we are sure you are clean. That is where Trojan Hunter found most of the malware.

Regards,

Pieter
  • 0
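The two posts above show the pattern the helper was working from: in the Winlogon\Notify dump, every stock Windows entry names its DLL by bare file name (some stored as a hex(2) expandable string), while the VX2 entry (H323TSP) gives a full path to a random-named DLL in system32, and the fix is a REGEDIT4 file using the `[-key]` syntax to delete that subkey. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses a REGEDIT4 export of the Notify key (a constructed excerpt modelled on the posted one is embedded), decodes `dword:` and `hex(2):` values, flags subkeys whose DllName is a path rather than a bare name, and emits the matching removal fragment. The "path instead of bare name" rule is a review heuristic taken from the posted log, not a verdict; a flagged entry still deserves a look at the file's date and attributes, as the helper did with the FindIt output.

```python
import re

# Constructed REGEDIT4 excerpt modelled on the Winlogon\Notify dump posted in this thread:
# one stock Windows entry (crypt32chain, DllName stored as a hex(2) expandable string) and
# the H323TSP entry that pointed at a random-named DLL in system32 by full path.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enjml1111.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# One "name"=data line; the name may contain escaped quotes or backslashes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_value(data):
    """Decode the data side of a REGEDIT4 value line into a Python object."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: unescape \\ and \" as regedit writes them
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex(2):"):
        # REG_EXPAND_SZ in a REGEDIT4 export: comma-separated bytes, NUL-terminated
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return data  # other types (hex:, hex(7): ...) are returned as written


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            keys[current][match.group(1)] = decode_value(match.group(2))
    return keys


def suspicious_notify_entries(keys):
    """Flag Notify subkeys whose DllName is a path rather than a bare file name.

    Heuristic from the posted log: stock entries name the DLL only (winlogon resolves it
    from system32), while the VX2 entry used an absolute path. Returns [(subkey, dll)].
    """
    flagged = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue  # skip the parent key and anything outside Notify
        dll = values.get("DllName") or values.get("DLLName")
        if dll is None:
            continue
        if "\\" in dll or "/" in dll or re.match(r"^[A-Za-z]:", dll):
            flagged.append((path[len(prefix):], dll))
    return flagged


def removal_reg(subkeys):
    """Build a REGEDIT4 fragment that deletes the given Notify subkeys ([-key] syntax),
    the same form as the FixVX2.reg posted above."""
    lines = ["REGEDIT4", ""]
    for name in subkeys:
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_notify_entries(parse_reg_export(SAMPLE_EXPORT))
    for subkey, dll in found:
        print(f"review Notify subkey {subkey}: DllName = {dll}")
    print(removal_reg([name for name, _ in found]))
```

Run against a real export (`regedit /e notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"` on XP, then `parse_reg_export(open("notify.reg").read())`), the output is a review list plus a ready-to-inspect removal fragment; nothing is written to the registry by the script itself.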

#20
Wemur

    Member

  • Topic Starter
  • Member
  • 17 posts
I'll start my post with this classical phrase: OMG!!!
And then I'll add some smileys to increase the OMG-effect:
:beer: :help: :help: :help: :help: :help: :tazz: ;) :thumbsup: :cheers: :cheers: :woot:

So, well, the first thing I noticed was that my Norton protection now starts up automatically as it used to when everything was nice and normal, so a BIG THX for that first.
THEN, I ran Ad-Aware SE (just the quick scan or whatever, because it has picked up those 3 VX2 before even with that scan) and well: NOTHING!!!! Not a single critical detection! So a BIG THX for that also.
AND last but not least, my browser seems to have recovered to its normal state :help: . Haven't had any weird pages coming up so far :help: so a VERY BIG THX for that also!

Conclusion: a MASSIVE THX for all of you guys (I guess the biggest one goes for Metallica :help: )

But you wanted me to remind you about my system restoration thingy... hmm... *REMINDING* :no: xD
THX :help:
  • 0

#21
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Ah yes. I would like to see one more HijackThis log to clean out any remnants.

Flush System Restore Points Windows XP:

Turn off System Restore:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Reboot

Turn on System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Your first clean Restore Point should be created automagically.

Safe surfing,

Regards,

Pieter
  • 0

#22
Wemur

    Member

  • Topic Starter
  • Member
  • 17 posts
Is this System Restore thing necessary, because I've had System Restore disabled for a very long time already and I don't really want to turn it back on (I disabled it because this one time I noticed it had gathered up 7 GB of data)?
Hopefully this will be the last log I'll have to post :tazz: :
Logfile of HijackThis v1.99.0
Scan saved at 16:42:01, on 13.1.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
F:\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\TrojanHunter 4.1\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://elisa.net/paketti/haku.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://elisa.net/paketti/haku.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://elisa.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Toimittaja Elisa Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NetMeeting etätyöpöydän jakaminen - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Verkon DDE - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Verkon DDE DSDM - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Älykortti-apuohjelma - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Älykortti - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Resurssilokit ja -hälytykset - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  • 0

#23
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
No problem if you disable System Restore again after following the instructions in my last post. I'd rather use a backup program myself. I seem to remember you could set a maximum size though.

Anyway, the point was to flush out the ones with the viruses and trojans in them.

Regards,

Pieter
  • 0

#24
admin

    Founder Geek

  • Community Leader
  • 24,639 posts

How can I adjust how much space System Restore uses on my disk?

Answer: To adjust the amount of space System Restore uses on a disk, go to the Control Panel ('Start > Control Panel') and double click the 'System' icon. Then click on the 'System Restore' tab on the system applet. Depending on your disk setup use the following instructions:

• If you have just a single partition on your system: You can adjust the space System Restore uses on the disk by moving the slider on this page left (to decrease space usage) or right (to increase space usage). The maximum space usage is 12% and is the default.

• If you have multiple partitions on your system or multiple disks: Click on the drive you want to adjust in the available drives section on the System Restore page and then click the Settings option. You can then adjust the space System Restore uses on that drive by moving the slider to the left (to decrease space usage) or right (to increase space usage). The maximum space usage is 12% and is the default. Repeat for each drive as necessary.

http://www.microsoft...s/faqsrwxp.mspx
  • 0

#25
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Thanks. :tazz:
  • 0


#26
Wemur

    Member

  • Topic Starter
  • Member
  • 17 posts
Just a quick question. I tried TDS-3 and after doing the full scan it found these:
guard.tmp.tcf
kidcz.dll.tcf
xxx[1]exe.tcf
So I'm asking: are these serious? Because I thought we got rid of guard.tmp at least. Or does that .tcf ending make it OK and not harmful? :tazz:
  • 0

#27
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
To my knowledge TrojanHunter adds the .tcf extension to files it renames.

So I would assume those were rendered harmless by TrojanHunter earlier.

Regards,

Pieter
  • 0

#28
h3llb3nt

    Member

  • Member
  • 11 posts
I've also had the bad luck to install Torrent Search 3.0, should I go about using the same steps as Wemur to remove my adware problems? Or will it be different for me? I don't mean to hijack Wemur's thread, I have made my own thread here: http://www.geekstogo...h_30-t7478.html . But if I can just use the same steps he did to fix the problems, then I will just delete my post. Thanks for help!
  • 0

#29
scowie

    New Member

  • Member
  • 1 posts
I also made the mistake of installing this malware infested program.

I also still had pop-ups while browsing with Mozilla after removing some of the spyware with Ad-Aware and Spybot. Today I tried another spyware removal tool which seemed to fix this problem: Webroot Spy Sweeper. The adware that had been responsible was called AKSoft. You can get Spy Sweeper from www.download.com/ (they list it as one of the top 4 anti-spyware tools in their spyware centre).

I have also had the recycle bin problem, which I fixed by deleting C:\Recycler. (It gets re-created when you reboot.)

But the worst problem was the internet connection one, where my internet would work for some time before failing. I discovered the LSP-Fix for this after noticing a recently created DLL in my winnt/system32 folder (sporder.dll) and doing a Google search. You might want to delete this file if you have it (as well as the ntec32.exe).

For info on this problem and for the LSP-Fix go here: http://www.cexx.org/webhancer.htm
Torrent Search might not have had WebHancer in it, but it had similar malware that uses the same nasty tactics.

Hope this helps.
  • 0