Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Desktop Hijack [RESOLVED]


  • This topic is locked This topic is locked

#1
baitricus

baitricus

    New Member

  • Member
  • Pip
  • 7 posts
:tazz:

I have gone through all the steps in the "..You must read this post.." and still my desktop has this Black warning page with a link to http://www.teslaplus...ub=0&q=Removers

EWIDO also continues to alarm with the Virtomundo virus continually attempting to start. Thanks for your assistance.

Here is my Ewido Log File:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:04:00 PM, 01/11/2005
+ Report-Checksum: 4CA3E22

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\.Owner -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Install.dll\\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1993962763-789336058-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1993962763-789336058-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1993962763-789336058-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-1993962763-789336058-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1993962763-789336058-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} -> Spyware.MoneyTree : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Inet-cash : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Inet-cash : Cleaned with backup
:mozilla.311:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.509:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.938:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
:mozilla.954:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\248E45FB-A7F8-4FB1-890E-6D91A7\76DE2C8C-0B6C-4145-B4B2-CBB981 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\33BA7920-01EE-4407-A546-544472\DD4991AC-0BB8-4BB0-A838-09A610 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3C97F78B-2924-49E7-A8DA-DAF215\113569C0-2A0D-4F51-9C6D-9A74E0 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\402D84A3-6382-4972-9E0A-1F790F\6C32BB2C-32E3-417A-A8BB-9C6D21 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7714432F-D659-4F42-86F1-C37FCC\660E7146-EE43-4C6D-A2FC-BD31CE -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\960BC742-C46D-4E3C-A37D-153675\23E4E009-46CF-4CCC-BEF5-196503 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\96390987-ED60-43DE-8CC1-7A71C1\14816DF4-9A6B-4C62-B686-B4AC58 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9B863D1E-9CE0-4E5C-A182-CA6FAB\62F08EC0-1551-47FA-BA04-99810C -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A0EF78F1-3A11-4545-BB91-1333E6\7B6DE2C6-C7C1-4E05-AD4B-8BC257 -> Spyware.SafeSurfing : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq89.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe -> Not-A-Virus.Downloader.Agent.f : Cleaned with backup
C:\WINDOWS\system32\awvst.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\hp1C5A.tmp -> Trojan.Small.fs : Cleaned with backup
C:\WINDOWS\system32\hpF6AE.tmp -> Trojan.Small.fs : Cleaned with backup
C:\WINDOWS\system32\netlanm.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Promoter.c : Cleaned with backup
C:\WINDOWS\system32\pshwr.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup


::Report End



Here is the Hijack This report:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:22 PM, on 01/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hp69A7.tmp (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awvst.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130617584998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130119870416
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homestead...nd/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUMENTS AND SETTINGS\BARRY\DESKTOP\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fzhxdmt.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

Advertisements


#2
Cloutz

Cloutz

    Visiting Staff

  • Member
  • PipPipPip
  • 547 posts
Hi there baitricus,

I'm currently working on your log,and as soon as another staff member reviews it I'll post a reply.

Thank you for your patience.

Nick
  • 0

#3
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks Cloutz for the update, look forward to your assistance,
  • 0

#4
Cloutz

Cloutz

    Visiting Staff

  • Member
  • PipPipPip
  • 547 posts
Hi baitricus,

Please print these instructions out for use in Safe Mode.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....


  • At this point press enter one time.

  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:


  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awvst.dll

  • Press Enter to continue with the fix.

  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\tsvwa.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awvst.dll
    O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Thanks,

Nick
  • 0

#5
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I have performed the tasks you gave me Here are the requested reports:

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:48 PM, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB330.tmp (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awvst.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130617584998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130119870416
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homestead...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUMENTS AND SETTINGS\BARRY\DESKTOP\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fzhxdmt.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



Activescan:

Incident Status Location

Adware:adware/securityerror No disinfected C:\Documents and Settings\All Users\Start Menu\Online Security Center.url
Adware:adware/securityerror No disinfected C:\WINDOWS\SYSTEM32\msvol.tlb
Spyware:spyware/safesurf No disinfected C:\WINDOWS\SYSTEM32\pdrpdb.dll
Adware:adware/psguard No disinfected C:\WINDOWS\warnhp.html
Adware:adware/cws No disinfected C:\Documents and Settings\Barry\Favorites\Internet
Spyware:spyware/betterinet No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43d9c9cd-340112fa.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43d9c9cd-340112fa.zip[ProbeLoader.class]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-43d9c9cd-340112fa.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-1226816d-2649c823.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-10317d84-54403d51.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-10317d84-54403d51.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5980c178-72d2829b.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5980c178-72d2829b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5980ca7e-40ffe232.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5980ca7e-40ffe232.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6552e7c7-1ae3b5e2.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6552e7c7-1ae3b5e2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6e0f3366-60c49fda.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6e0f3366-60c49fda.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-6b2adec8.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-f336957-6b2adec8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7093b05-105e8a18.zip[Dummy.class]
Virus:Trj/ClassLoader.P Disinfected C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-7093b05-105e8a18.zip[Worker.class]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\pf78.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\pdrpdb.dll
Adware:Adware/SecurityError No disinfected C:\WINDOWS\system32\__delete_on_reboot__ld97E8.tmp
Adware:Adware/SecurityError No disinfected C:\WINDOWS\system32\__delete_on_reboot__ldB0CD.tmp


Vundofix:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\awvst.dll

The second filepath entered was C:\WINDOWS\system32\tsvwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 152 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 228 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\awvst.dll Deleted sucessfully.
C:\WINDOWS\system32\tsvwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#6
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Nick,

I just wanted to update you on my situation. It appears the virtumundo has been eliminated as the Ewida alarms have stopped. They were happening every time a new browser page was opened.

My desktop still has the html file as a background, and I am unable to get my normal background back.

Thansk for your help thus far, I know it may take several steps to get everything cleared out and I appreciate your assistance.

Barry :tazz:
  • 0

#7
Cloutz

Cloutz

    Visiting Staff

  • Member
  • PipPipPip
  • 547 posts
Hi Barry,

Thanks for keeping me updated. We will now deal with your desktop background :tazz:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpB330.tmp (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awvst.dll (file missing)
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fzhxdmt.exe (file missing)
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Thanks,

Nick
  • 0

#8
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks Nick

I ran through the steps you listed, except after runing the HJT program there was no listing for these items from your list. I checked and fixed all the others.

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\awvst.dll (file missing)
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\system32\ichckupd.exe

My desktop screen is now a bright white, when I right click and select properties I get this location: file://C:\WINDOWS\warnhp.html I have entered my desktop theme and background, but still get the bright white, even after 2 reboots.

here is the Activescan report:

Incident Status Location

Adware:adware/securityerror No disinfected C:\Documents and Settings\All Users\Desktop\Online Security Center.url
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\pf78.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\pdrpdb.dll
A new Hijack this report:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:47 PM, on 05/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130617584998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130119870416
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homestead...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUMENTS AND SETTINGS\BARRY\DESKTOP\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

The smitfiles content:


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/11/2005
The current time is: 20:31:49.32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

ncompat.tlb
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


And the Ewido Log


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:27:36 PM, 05/11/2005
+ Report-Checksum: 2EAB4818

+ Scan result:

:mozilla.34:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Ignored
:mozilla.6:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Belstat : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Belstat : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.322:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.323:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.324:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.325:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.326:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.327:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.328:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.329:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.331:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.339:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.340:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.341:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.351:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.352:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.353:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.375:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.376:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.377:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.378:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
:mozilla.379:C:\Documents and Settings\Barry\Application Data\Mozilla\Firefox\Profiles\4vnhpm6a.default\cookies.txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__hpB330.tmp -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End
  • 0

#9
Cloutz

Cloutz

    Visiting Staff

  • Member
  • PipPipPip
  • 547 posts
Hi there baitricus,

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\warnhp.html
C:\Documents and Settings\All Users\Desktop\Online Security Center.url
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\pdrpdb.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log in your next reply.


How is your system running now?

Nick
  • 0

#10
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Nick,

I have performed the steps you gave me in your last post, nothing seems to have changed this time. The computer appears to be working fine, the popups and alarms are no more. But I still only have a bright white sc reen and cannot get my desktop background back.

Here is the report from the Activescan:


Incident Status Location

Spyware:Spyware/SafeSurf No disinfected C:\!KillBox\pdrpdb.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\!KillBox\pf78.exe
Adware:adware/securityerror No disinfected C:\Documents and Settings\Barry\Favorites\Antivirus Test Online.url
Adware:Adware/Webext No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp


Also here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 AM, on 08/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130617584998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130119870416
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homestead...nd/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUMENTS AND SETTINGS\BARRY\DESKTOP\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

#11
baitricus

baitricus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Nick, :)

I went into my Display properties, Desktop, customize desktop, on the web tab. There I found the html file name checked, I highlighted the description and hit the delete button. My desktop immediately reverted back to the original background.

I think you have succesfully led me to the proper solution.

Barry :) :tazz:

Edited by baitricus, 07 November 2005 - 11:40 PM.

  • 0

#12
Cloutz

Cloutz

    Visiting Staff

  • Member
  • PipPipPip
  • 547 posts
Hi Barry,

Im glad you got your desktop back :)

Everything looks great, your HijackThis log appears to be CLEAN!

Here are some tips, to reduce the potential for malware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have. Make sure you only have one (1) anti-virus program. Having more than one can cause more harm than good as they can interfere with eachother.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Nick :tazz:
  • 0

#13
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP