Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

unknown adware [RESOLVED]


  • This topic is locked This topic is locked

#1
silverfalcon

silverfalcon

    Member

  • Member
  • PipPip
  • 16 posts
hey I have this adware that i got yesterday and looking around i can't seem to find what is causing it, i tried a few things but ended up with no help, Any help would be great because i am lost
thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:02:40 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Pop up Blocker\pd.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\enl6l13s1.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi silverfalcon and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.



Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Please post a fresh Hjt lof for review.

Regards,

Trevuren

  • 0

#3
silverfalcon

silverfalcon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:48:47 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



********
7:59 PM: | Start of Session, Sunday, November 20, 2005 |
7:59 PM: Spy Sweeper started
7:59 PM: Sweep initiated using definitions version 574
8:00 PM: Starting Memory Sweep
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: Found Adware: icannnews
8:01 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
8:01 PM: Detected running threat: C:\WINDOWS\system32\enl6l13s1.dll (ID = 83)
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: Detected running threat: C:\WINDOWS\system32\mpcsubs.dll (ID = 83)
8:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:49
8:02 PM: Starting Registry Sweep
8:03 PM: Found Adware: dialerplatform
8:03 PM: HKLM\software\ptssa\ (2 subtraces) (ID = 125166)
8:03 PM: Found Adware: purityscan
8:03 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
8:03 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
8:03 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
8:03 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
8:03 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
8:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
8:03 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
8:03 PM: Found Trojan Horse: trojan-backdoor-5sec
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0656a137-b161-cadd-9777-e37a75727e78} (ID = 144013)
8:03 PM: Found Trojan Horse: trojan-downloader-chup
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0211c4d9-bc71-8916-38ad-9dea5d213614} (ID = 144455)
8:03 PM: Found Trojan Horse: trojan-downloader-procounter.biz
8:03 PM: HKLM\system\currentcontrolset\services\moto\ || imagepath (ID = 383423)
8:03 PM: Found Trojan Horse: trojan-backdoor-zubox
8:03 PM: HKCR\acpi.acpi.1\ (3 subtraces) (ID = 484081)
8:03 PM: HKCR\acpi.acpi.1\clsid\ (1 subtraces) (ID = 484083)
8:03 PM: HKCR\acpi.ext\ (5 subtraces) (ID = 484085)
8:03 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484093)
8:03 PM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)
8:03 PM: HKLM\software\classes\acpi.acpi.1\ (3 subtraces) (ID = 484140)
8:03 PM: HKLM\software\classes\acpi.ext\ (5 subtraces) (ID = 484144)
8:03 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484152)
8:03 PM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)
8:03 PM: Found Adware: mirinda
8:03 PM: HKCR\clsid\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\ (4 subtraces) (ID = 501125)
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\windows\tool1.exe (ID = 890587)
8:03 PM: Found Adware: spysheriff
8:03 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1532298954-682003330-500\software\spysheriff\ (ID = 142125)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\classes\clsid\{0211c4d9-bc71-8916-38ad-9dea5d213614}\ (3 subtraces) (ID = 144454)
8:03 PM: Found Trojan Horse: trojan-downloader-moneymind
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\xjado\ (1 subtraces) (ID = 144725)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\ (4 subtraces) (ID = 480808)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\mzu\ || pt (ID = 656825)
8:03 PM: Registry Sweep Complete, Elapsed Time:00:00:28
8:03 PM: Starting Cookie Sweep
8:03 PM: Found Spy Cookie: yieldmanager cookie
8:03 PM: titanium phoenix@ad.yieldmanager[2].txt (ID = 3751)
8:03 PM: Found Spy Cookie: adecn cookie
8:03 PM: titanium phoenix@adecn[1].txt (ID = 2063)
8:03 PM: Found Spy Cookie: adknowledge cookie
8:03 PM: titanium phoenix@adknowledge[2].txt (ID = 2072)
8:03 PM: Found Spy Cookie: hbmediapro cookie
8:03 PM: titanium phoenix@adopt.hbmediapro[2].txt (ID = 2768)
8:03 PM: Found Spy Cookie: specificclick.com cookie
8:03 PM: titanium phoenix@adopt.specificclick[1].txt (ID = 3400)
8:03 PM: Found Spy Cookie: addynamix cookie
8:03 PM: titanium phoenix@ads.addynamix[1].txt (ID = 2062)
8:03 PM: Found Spy Cookie: ask cookie
8:03 PM: titanium phoenix@ask[1].txt (ID = 2245)
8:03 PM: Found Spy Cookie: azjmp cookie
8:03 PM: titanium phoenix@azjmp[2].txt (ID = 2270)
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Excellent result :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\Program Files\Winamp\winampa.exe<==Only this file

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

NOTE: Please tell me how your system is running. Any more popups?

Regards,

Trevuren

  • 0

#5
silverfalcon

silverfalcon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:26:09 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#7
silverfalcon

silverfalcon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
seems ok now
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"

3.Preventitive measures:

Please read and follow the following advice by TonyKlein on how to reduce the potential for spyware infection in the future:

How Did I Get Infected in the First Place


Regards,

Trevuren

  • 0

#9
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP