
Not sure what this is...repentnt.exe [RESOLVED]


  • This topic is locked

#1
Jonesie

  • Member
  • 12 posts
Hi...I'm not sure if I have a problem or not, but I need some advice, so here goes:

About a week ago I noticed an error message when I shut down my system that read "repentnt.exe: This application failed to initialize because the windows station is shutting down". I have no clue what this is. I did a search and found the file in my system32 file. The date it was created was 9/24/05, which is the same day I loaned my laptop to someone and they downloaded all kinds of malware including two worms, several trojans and miscellaneous spyware (never loaning my system to THEM again). I thought I had gotten rid of all of it and I'm hoping this isn't more. I tried to delete the file on a whim and it says "access denied." I tried scanning it with several AV programs but they couldn't scan it. I haven't tried killbox yet because I want to know what it is before I delete it. Also, I googled the file and could find no references. No antispyware, antitrojan, or antivirus programs found anything on my system.

Here's my ewido scan log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:27:28, 10/15/2005
+ Report-Checksum: 6384F1A4

+ Scan result:

No infected objects found.


::Report End


Here's my hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 01:06:11, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Downloaded Programs\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\Gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114910793200
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129426246237
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thank you in advance.

Edited by Jonesie, 20 October 2005 - 08:56 AM.

  • 0

#2
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
Hi there, sorry for the delay in response

  • Please go to Jotti's malware scan
  • Copy and paste the following file path C:\WINDOWS\System32\repentnt.exe
    into the box on the top of the page:

  • Click on the submit button
  • Please post the results in your next reply.

  • 0

#3
Jonesie

  • Topic Starter
  • Member
  • 12 posts
I honestly have no idea what's going on, but the file is gone now. The only file I found was a pf file in reference to it, which I scanned and found nothing.

Service
Service load: 0% 100%

File: REPENTNT.EXE-0F934585.pf
Status: OK
MD5 d7f33b56e96fefc76ef9dcb583d89a69
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Is there even an explanation for this??? I know I didn't delete it....
  • 0

#4
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
  • Please disable your current AV
  • Click Here and run RAV online scan,
  • Copy and paste back the log into this thread when it has finished,
  • Be sure and enable your AV when done with the above

  • 0

#5
Jonesie

  • Topic Starter
  • Member
  • 12 posts
When I clicked the link it says that due to its being acquired by Microsoft it's discontinuing its anti-virus related business and that section of the website is closed.
  • 0

#6
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
Sorry about that, let's try another
ActiveScan: run the scan with Active; when it has completed it gives you an option to save the log. Do so and post it back here please
  • 0

#7
Jonesie

  • Topic Starter
  • Member
  • 12 posts
Okay.....I did a spyware and a virus scan from Panda. Here are the logs:


Incident Status Location

Adware:adware/superspider No disinfected C:\WINDOWS\SYSTEM32\a.exe
Adware:adware/apropos No disinfected Windows Registry
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\Yea\ab.exe[mc-58-12-0000137.exe]
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Yea\ab.exe[to.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-58-12-0000140.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
Adware:Adware/Maxifiles No disinfected C:\WINDOWS\system32\a.exe[mc-58-12-0000137.exe]
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\a.exe[to.exe]



And:




Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Yea\Local Settings\Temporary Internet Files\Content.IE5\0DQVSTQ3\menus[2].js
  • 0

#8
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
OK, let's do this:

*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\a.exe 
 C:\Documents and Settings\Yea\ab.exe[mc-58-12-0000137.exe] 
 C:\Documents and Settings\Yea\ab.exe[to.exe] 
 C:\Program Files\Common Files\InetGet\mc-58-12-0000140.exe 
 C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe 
 C:\Program Files\DNS\cwebpage.dll 
 C:\WINDOWS\system32\a.exe[mc-58-12-0000137.exe] 
 C:\WINDOWS\system32\a.exe[to.exe] 
C:\Documents and Settings\Yea\Local Settings\Temporary Internet Files\Content.IE5\0DQVSTQ3\menus[2].js 

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should reboot automatically; if not, do a manual restart.
Run another scan with Active and post back what it finds please
  • 0

#9
Jonesie

  • Topic Starter
  • Member
  • 12 posts
Okay - done. Here's my spyware scan:

Incident Status Location

Adware:adware/maxifiles Reported C:\PROGRAM FILES\COMMON FILES\Windows
Adware:adware/apropos Reported Windows Registry
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Yea\Cookies\yea@2o7[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Yea\Cookies\yea@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Yea\Cookies\yea@ads.pointroll[2].txt
Spyware:Cookie/Adtech Reported C:\Documents and Settings\Yea\Cookies\yea@adtech[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Yea\Cookies\yea@advertising[2].txt
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Yea\Cookies\yea@as-us.falkag[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Yea\Cookies\yea@ask[1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Yea\Cookies\yea@atdmt[2].txt
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Yea\Cookies\yea@burstnet[2].txt
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Yea\Cookies\yea@casalemedia[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Yea\Cookies\yea@did-it[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Yea\Cookies\yea@doubleclick[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Yea\Cookies\yea@hitbox[1].txt
Spyware:Cookie/Maxserving Reported C:\Documents and Settings\Yea\Cookies\yea@maxserving[1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Yea\Cookies\yea@mediaplex[1].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Yea\Cookies\yea@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Yea\Cookies\yea@questionmarket[1].txt
Spyware:Cookie/RC Reported C:\Documents and Settings\Yea\Cookies\yea@rc[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Yea\Cookies\yea@realmedia[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Yea\Cookies\yea@servedby.advertising[2].txt
Spyware:Cookie/Serving-sys Reported C:\Documents and Settings\Yea\Cookies\yea@serving-sys[1].txt
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Yea\Cookies\yea@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Reported C:\Documents and Settings\Yea\Cookies\yea@statse.webtrendslive[2].txt
Spyware:Cookie/MammamediasolutionsReported C:\Documents and Settings\Yea\Cookies\yea@targetnet[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Yea\Cookies\yea@target[2].txt
Spyware:Cookie/Toplist Reported C:\Documents and Settings\Yea\Cookies\yea@toplist[1].txt
Spyware:Cookie/Tradedoubler Reported C:\Documents and Settings\Yea\Cookies\yea@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Yea\Cookies\yea@tribalfusion[1].txt
Spyware:Cookie/Valueclick Reported C:\Documents and Settings\Yea\Cookies\yea@valueclick[1].txt
Spyware:Cookie/BurstBeacon Reported C:\Documents and Settings\Yea\Cookies\yea@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Yea\Cookies\yea@z1.adserver[1].txt
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Yea\Cookies\yea@zedo[2].txt
Adware:Adware/CWS Reported C:\!Submit\menus[2].js
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Yea\Cookies\yea@2o7[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Yea\Cookies\yea@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Yea\Cookies\yea@ads.pointroll[2].txt
Spyware:Cookie/Adtech Reported C:\Documents and Settings\Yea\Cookies\yea@adtech[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Yea\Cookies\yea@advertising[2].txt
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Yea\Cookies\yea@as-us.falkag[2].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Yea\Cookies\yea@ask[1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Yea\Cookies\yea@atdmt[2].txt
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Yea\Cookies\yea@burstnet[2].txt
Spyware:Cookie/Casalemedia Reported C:\Documents and Settings\Yea\Cookies\yea@casalemedia[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Yea\Cookies\yea@did-it[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Yea\Cookies\yea@doubleclick[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Yea\Cookies\yea@hitbox[1].txt
Spyware:Cookie/Maxserving Reported C:\Documents and Settings\Yea\Cookies\yea@maxserving[1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Yea\Cookies\yea@mediaplex[1].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Yea\Cookies\yea@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Yea\Cookies\yea@questionmarket[1].txt
Spyware:Cookie/RC Reported C:\Documents and Settings\Yea\Cookies\yea@rc[1].txt
Spyware:Cookie/RealMedia Reported C:\Documents and Settings\Yea\Cookies\yea@realmedia[2].txt
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Yea\Cookies\yea@servedby.advertising[2].txt
Spyware:Cookie/Serving-sys Reported C:\Documents and Settings\Yea\Cookies\yea@serving-sys[1].txt
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Yea\Cookies\yea@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Reported C:\Documents and Settings\Yea\Cookies\yea@statse.webtrendslive[2].txt
Spyware:Cookie/MammamediasolutionsReported C:\Documents and Settings\Yea\Cookies\yea@targetnet[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Yea\Cookies\yea@target[2].txt
Spyware:Cookie/Toplist Reported C:\Documents and Settings\Yea\Cookies\yea@toplist[1].txt
Spyware:Cookie/Tradedoubler Reported C:\Documents and Settings\Yea\Cookies\yea@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Yea\Cookies\yea@tribalfusion[1].txt
Spyware:Cookie/Valueclick Reported C:\Documents and Settings\Yea\Cookies\yea@valueclick[1].txt
Spyware:Cookie/BurstBeacon Reported C:\Documents and Settings\Yea\Cookies\yea@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Yea\Cookies\yea@z1.adserver[1].txt
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Yea\Cookies\yea@zedo[2].txt

And my AV scan (I already deleted this one):


Incident Status Location

Adware:Adware/CWS No disinfected C:\!Submit\menus[2].js


Sorry it takes me so long to respond...and thanks so much for your help so far!!!
  • 0

#10
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts

Sorry it takes me so long to respond...and thanks so much for your help so far!!!

No worries

Most of those are tracking cookies. Let's run Ad-Aware and it should clean them up for you.
Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Let me know how the computer is running now
  • 0

#11
Jonesie

  • Topic Starter
  • Member
  • 12 posts
I did all of that and ran windows cleanup! for good measure. My computer is running fine now - no error messages. But I just now checked and the repentnt.exe file is back again. Maybe I was hallucinating when I didn't see it there before, I don't know, but can you give me any idea of what this could be? AV software won't scan it, and all of the information I can get about it is that it was created 9/24/05 and that it's an application and it's 424 bytes. It has no associations and I can't even delete it. :tazz:
  • 0

#12
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
Could you look for the file again please,
Send a copy of it to me please,
I would like to send it off for submission,

Make sure you can view all Hidden Files/Folders

You can send it to iamdon77 "at" yahoo.com ( replace the "at" with @ )

Thanks
Don
  • 0

#13
Jonesie

  • Topic Starter
  • Member
  • 12 posts
Ok - I tried to attach it to an email, but it doesn't come up in the browser. The system32 file comes up, so I know it's reading hidden files, but maybe I can't attach it because it says access denied every time I try to delete it? It does show when I open the folder in windows, so it is still there. It doesn't seem to want to be messed with... :tazz:

Is there another way I can try to send it to you?
  • 0

#14
don77

  • Malware Expert
  • Retired Staff
  • 18,526 posts
I got it, thank you. I can find nothing on it as well...

Please double-click on My Computer and locate the file "C:\WINDOWS\System32\repentnt.exe". Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Run another scan with Active as well please and post back the results from that as well
  • 0

#15
Jonesie

  • Topic Starter
  • Member
  • 12 posts
When I go to properties there isn't a version tab. And I went to that malware scan site that you originally sent me to and uploaded the accessible version of the file and here's what it found:

File: repentnt.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 d1135554b4fd259b7bbf4b9fe280f10c
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Crypt.T
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Crypt.t
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Unknown.Win32Virus (probable variant)
  • 0
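The two multi-scanner reports posted in this thread (#3 and #15) cover different files: the first is the Windows Prefetch trace REPENTNT.EXE-0F934585.pf, the second is repentnt.exe itself. The Python below is an added example, not part of the original thread; it parses both reports in the layout quoted above and shows why the clean result in #3 said nothing about the executable. Function names are illustrative, the first report is abridged to three engines, and the status note in the second is shortened.

```python
import re

# Constructed inputs: the two multi-scanner reports quoted in posts #3 and #15.
# The first is abridged to three engines; values are copied from the thread.
REPORT_POST3 = """\
File: REPENTNT.EXE-0F934585.pf
Status: OK
MD5 d7f33b56e96fefc76ef9dcb583d89a69
Packers detected: -
Scanner results
AntiVir Found nothing
ClamAV Found nothing
Kaspersky Anti-Virus Found nothing
"""
REPORT_POST15 = """\
File: repentnt.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before.)
MD5 d1135554b4fd259b7bbf4b9fe280f10c
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Crypt.T
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Crypt.t
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Unknown.Win32Virus (probable variant)
"""

# Windows Prefetch traces are named <EXE NAME>-<8 hex digits>.pf
PREFETCH_NAME = re.compile(r"^(?P<exe>.+)-[0-9A-Fa-f]{8}\.pf$")

def parse_report(text):
    """Parse one report: header fields first, then '<engine> Found <verdict>' lines."""
    report = {"file": None, "status": None, "md5": None, "packers": [], "results": {}}
    in_results = False
    for line in text.splitlines():
        line = line.strip()
        if in_results:
            engine, sep, verdict = line.partition(" Found ")
            if sep:  # engine names may contain spaces, so split on " Found "
                report["results"][engine] = None if verdict == "nothing" else verdict
        elif line.startswith("File:"):
            report["file"] = line[5:].strip()
        elif line.startswith("Status:"):
            report["status"] = line[7:].split("(")[0].strip()
        elif line.startswith("MD5"):
            report["md5"] = line[3:].strip().lower()
        elif line.startswith("Packers detected:"):
            value = line.split(":", 1)[1].strip()
            report["packers"] = [] if value == "-" else value.split()
        elif line == "Scanner results":
            in_results = True
    return report

def detections(report):
    """Engines that returned a verdict other than 'nothing'."""
    return {engine: v for engine, v in report["results"].items() if v}

def prefetch_target(filename):
    """Return the executable name a Prefetch trace refers to, or None."""
    m = PREFETCH_NAME.match(filename)
    return m.group("exe").lower() if m else None

def compare(earlier, later):
    """Explain how an earlier clean scan relates to a later one."""
    notes = []
    if earlier["md5"] != later["md5"]:
        notes.append("different-sample")
    target = prefetch_target(earlier["file"])
    if target and target == later["file"].lower():
        notes.append("earlier-scan-was-prefetch-trace")
    if later["packers"]:
        notes.append("packed:" + ",".join(later["packers"]))
    notes.append("detections:%d/%d" % (len(detections(later)), len(later["results"])))
    return notes
```
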





