Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

morwill search removal?

Started by rkr2rich , Nov 12 2005 11:55 AM

  • Please log in to reply

#1
rkr2rich
Posted 12 November 2005 - 11:55 AM

rkr2rich

    Member

  • Member
  • PipPip
  • 89 posts
How long should it take before someone helps me??? I've been waiting since October 25.
  • 0

Advertisements

#2
don77
Posted 12 November 2005 - 11:58 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
I have closed your other topic, Please post a fresh HJT log here please
  • 0

#3
rkr2rich
Posted 23 November 2005 - 11:16 AM

rkr2rich

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
I'm sorry...I didn't read your reply. Here's my log. Thanks


Logfile of HijackThis v1.99.1
Scan saved at 9:09:48 AM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\file\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Bho - {CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924} - C:\WINDOWS\System32\ksvdhgck.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
don77
Posted 23 November 2005 - 11:29 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
No problem Rich,

You have 2 Anti Virus programs running I highly recommend you remove one of them, Its your choice which you keep, just be sure and keep it updated and run a scan at least once a week with it,


Next
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Bho - {CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924} - C:\WINDOWS\System32\ksvdhgck.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

Unless the next 2 were set by an admin or a thrid party software so as Spybot have HJT fix them
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - Winlogon Notify: pmnlj - C:\WINDOWS\



Next Reboot into SAFE MODE
Search for and delete the Folders highlighted in Blue Files highlighted in BOLD

C:\WINDOWS\System32\ksvdhgck.dll

Restart your computer,

Run this online scan ActiveScan when it has finished scanning your computer it will give you an option to save the log, Please do so and post it back here along with a fresh HJT log for me please
  • 0

#5
rkr2rich
Posted 23 November 2005 - 04:57 PM

rkr2rich

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
HI, I could not find ksvdhgck.dll...I even searched files and folsers and could not come up with it. Here's the report from ActiveScan and a new HJT log.


Incident Status Location

Adware:adware/powerstrip Not disinfected C:\WINDOWS\PreProcess.data
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Richard\Application Data\Lycos
Adware:adware/sahagent Not disinfected Windows Registry
Adware:Adware/nCase Not disinfected C:\WINDOWS\SYSTEM32\SplWbr.dll
Virus:W32/Sobig.B Not disinfected Local Folders\Inbox\Screensaver[application.pi]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Re: HARNELL ROD[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Re: 58 chevy ad[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Re: HARNELL ROD[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Re: 1980 Vespa Moped Ad #320747825[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\sports afield May 1961[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Playboy October 1976 #336447187[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\playboy September 1974 #337006542[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\kingfish[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\Kobo and the wishing picutres[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\$2 win ticket Belmont Stakes[~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\playboy 10/76 336447187 SECOND NOTICE![~0000002.~]
Virus:JS/Kak.Worm Not disinfected Local Folders\Sent Items\playboy September 1974 337006542 [~0000002.~]



Logfile of HijackThis v1.99.1
Scan saved at 2:57:12 PM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\file\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iwon.com/?v=1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
don77
Posted 24 November 2005 - 09:42 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looks good Rich,
Did you download "PartyPoker" ? sometimes it comes bundled with other programs, Just want to be sure if you downloaded it,

You need to log into your e-mail and delete any e-mails you don't recognize with attachments, You have some in your sent box and in your inbox

Next
*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\PreProcess.data 
C:\Documents and Settings\Richard\Application Data\Lycos 
C:\WINDOWS\SYSTEM32\SplWbr.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


Your computer should reboot automatically if not restart manually

Next
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

POst back the report.txt for me and let me know how your computer is running now
  • 0

#7
rkr2rich
Posted 24 November 2005 - 01:12 PM

rkr2rich

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Donn77,
Yeah, the Party Poker's mine and everything seems to be working, do you have any idea where I might have picked up this infection, so I might avoid getting it again. I will certainly recommend your site to anyone who has a computer problem. You guys are the best.

I want to thank you for all your help and I will go to your site and send you a donation thru Paypal.

Thanks again and Happy Thanksgiving.

Rich

Here's the report from Ewido.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:47:40 AM, 11/24/2005
+ Report-Checksum: CE288DCB

+ Scan result:

C:\Documents and Settings\Janet\Cookies\janet@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\janet@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Janet\Cookies\[email protected][1].txt -> Spyware.Cookie.Cj : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\richard@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Richard\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End
  • 0

#8
don77
Posted 24 November 2005 - 01:50 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Glad to hear it !!!

do you have any idea where I might have picked up this infection, so I might avoid getting it again.

Not sure where you may have been visiting but you have to be careful what sites your going to and what your clicking on,

Your very welcome, Happy Thanksgiving to you as well
And Thank you :tazz:


Please use the following suggestion to help prevent reinfection


Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep AD-Aware. and Spybot 1.3 handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
Click Start | Run | type in cleanmgr | OK

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.


Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here for XP

See Here for ME Name it clean or something like that,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP