w32.Sinnaka Virus [RESOLVED]


#1 RSC (Member, 19 posts)

Hi. I was infected by the sinnaka virus today. I found this webpage and followed the procedure on the first-time users page and installed some other software to try to prevent this. That did not help. I also found someone else's topic on this same virus and followed the steps listed by the administrator, but it did not fix the problem. I still have the icon in the system tray that says I have a virus. How do I remove that? Here are my HijackThis and Ewido logs:

Logfile of HijackThis v1.98.0
Scan saved at 1:42:51 PM, on 11/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wupdated.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\Iconoid\iconoid.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\CursorXP\CursorXP.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\TaskBar\CTLTask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Outlook Express\MSIMN.EXE
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
D:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoguard.exe
C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoctrl.exe
D:\Program Files\WinTV\WinTV2K.EXE
D:\spyware\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [win config] msgfix1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [THGuard] D:\spyware\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [win config] msgfix1.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Iconoid] "D:\Program Files\Iconoid\iconoid.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "d:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [TaskBar] "d:\Program Files\Creative\TaskBar\CTLTask.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O15 - Trusted Zone: cyrus.cob.calpoly.edu
O15 - Trusted Zone: http://*.download.windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {1A0D3E5B-69FE-63BD-95F2-7CAD765C8F3C} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {649C7D6F-8B37-1C39-34E8-3DAE70DEC99F} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:08:00 PM, 11/24/2005
+ Report-Checksum: A910F3A5

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb\ccc -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb\eee -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb\rrr -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb\ttt -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\hsb\www -> Spyware.Hotsearchbar : Cleaned with backup
HKU\S-1-5-21-1644491937-1580818891-1343024091-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Roger Chow\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-17d434ef-5997c589.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Roger Chow\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-65afd8eb-2fdb4dbd.class -> Trojan.Java.Femad : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINNT\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
D:\spyware\backups\backup-20040710-151847-739.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

Anything you can do would help. Thanks.

#2 RSC (Topic Starter, 19 posts)

Hi,

I got infected with this virus today and have not been able to remove it. I have followed the procedure on the Start Here page from this site and nothing removed it. I also found someone else's post about this virus and followed everything that was told to him to do to remove it. Can someone please help me? I also noticed that many web page buttons do not work anymore, like the logon button for this website, and the search button on google. Is this part of the sinnaka virus? Here are my logs. Thanks in advance for the help.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:44 PM, on 11/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wupdated.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\Iconoid\iconoid.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\CursorXP\CursorXP.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\TaskBar\CTLTask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Outlook Express\MSIMN.EXE
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
D:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoguard.exe
C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoctrl.exe
D:\Program Files\WinTV\WinTV2K.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\spyware\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [win config] msgfix1.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [THGuard] D:\spyware\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [win config] msgfix1.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Iconoid] "D:\Program Files\Iconoid\iconoid.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "d:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [TaskBar] "d:\Program Files\Creative\TaskBar\CTLTask.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O15 - Trusted Zone: cyrus.cob.calpoly.edu
O15 - Trusted Zone: *.calpoly.edu
O15 - Trusted Zone: http://*.download.windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {1A0D3E5B-69FE-63BD-95F2-7CAD765C8F3C} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {649C7D6F-8B37-1C39-34E8-3DAE70DEC99F} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: fcyxx - C:\WINNT\system32\fcyxx.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: Windows Update Service (Wupdated) - Unknown owner - C:\WINNT\system32\wupdated.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


#3 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel; Retired Staff, 15,130 posts)

Hello Roger and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

Please note that I have merged your two posts into this thread to stop you getting two helpers.

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

Firstly could you please disable Ewido Guard from running during the fix, it may just hinder our attempts to change anything. Open Ewido and remove the guard option. You may have to reboot for the changes to take effect.

Download SpyAxeFix.exe © noahdfear. Save it to your desktop.

Close all other programmes and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to its own folder.

Open the SpyAxeFix folder and double click SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes.

A text file named spyaxe.txt will be created in the SpyAxeFix folder. Post the contents of that log please.

Download: CCleaner

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Windows Update Service (Wupdated)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HijackThis. Click on None of the above, just start the program. Now click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste), ensuring there are NO spaces before or after the name:

Wupdated

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [win config] msgfix1.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\RunServices: [win config] msgfix1.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\program files\partypoker\IEExtension.dll
O16 - DPF: {1A0D3E5B-69FE-63BD-95F2-7CAD765C8F3C} - http://66.246.197.126/1/gdnUS2218.exe
O16 - DPF: {649C7D6F-8B37-1C39-34E8-3DAE70DEC99F} - http://66.246.197.126/1/gdnUS2218.exe
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O20 - Winlogon Notify: fcyxx - C:\WINNT\system32\fcyxx.dll (file missing)
O23 - Service: Windows Update Service (Wupdated) - Unknown owner - C:\WINNT\system32\wupdated.exe

Now close all windows other than HijackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (click Start > Settings > Control Panel), if present:

SpyAxe

Please notify me of any other programmes that you don't recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\Program Files\SpyAxe\

Please delete these files (if present) using Windows Explorer:

C:\WINNT\system32\wupdated.exe
msgfix1.exe (use Search to find this file)

Close Windows Explorer

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the System tab, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log (from normal mode) and I will take another look (2 logs).
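The lines Crustyoldbloke picks out of the log above share a few recurring tells: a Run entry that is a bare filename with no path, the same command repeated under the Windows 9x RunServices key, a known rogue antispyware product (SpyAxe), two O16 download entries with different CLSIDs both pulling an .exe from a raw IP address, Winlogon Notify hooks whose DLL is missing or has a generated-looking name, and a service with no company name in its version info that calls itself "Windows Update Service". The script below is an added example for this thread, not part of any post and not a HijackThis feature: it encodes those tells as checks over the O4, O16, O20 and O23 line types and runs them over lines copied from the logs posted here. The allowlist of path-less Run entries (KNOWN_BARE), the rogue blocklist (KNOWN_ROGUE), the severity labels and the name-randomness threshold are assumptions made for the example; the O9 PartyPoker lines the helper also removes are a judgment call the script does not try to reproduce.

```python
"""HijackThis log triage: an added example for this thread, not part of the posts or of HijackThis."""
import re
from collections import Counter, namedtuple

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|dll))(?=\s|$)', re.I)  # first executable on a command line
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

KNOWN_BARE = {"mobsync.exe", "cthelper.exe"}  # path-less Run entries assumed normal on this machine (assumption)
KNOWN_ROGUE = {"spyaxe.exe"}                  # rogue antispyware; the helper has it removed above
SPOOF_WORDS = ("windows", "microsoft", "update")

Finding = namedtuple("Finding", "severity line reason")  # severity "fix": remove it; "review": ask the user

def executable(cmd: str) -> str:
    """First executable on a Run command line, quoted or with spaces in its path."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else (cmd.split() or [""])[0]

def looks_random(name: str) -> bool:
    """Short, all-lowercase, vowel-poor names such as 'fcyxx' are typical generated DLL names."""
    return name.islower() and 4 <= len(name) <= 8 and sum(c in "aeiou" for c in name) <= 1

def check_o4(m):
    reasons, exe = [], executable(m.group("cmd"))
    base = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if m.group("key").lower() == "runservices":
        reasons.append(("fix", "RunServices is a Windows 9x/ME key; on Windows 2000/XP it is almost only written by malware"))
    if "\\" not in exe and base not in KNOWN_BARE:
        reasons.append(("review", f"bare filename {exe!r}, resolved through the search path"))
    if base in KNOWN_ROGUE:
        reasons.append(("fix", f"{base} is known rogue antispyware"))
    return reasons

def check_o16(m):
    url = m.group("url")
    reasons = [("fix", "ActiveX object fetched from a raw IP address")] if RAW_IP_URL.match(url) else []
    if url.lower().endswith(".exe"):
        reasons.append(("fix", "DPF entry delivers an .exe instead of a .cab/.ocx package"))
    return reasons

def check_o20(m):
    reasons = [("fix", "Winlogon Notify hook points at a missing DLL")] if m.group("missing") else []
    if looks_random(m.group("name")):
        reasons.append(("review", "generated-looking hook name"))
    return reasons

def check_o23(m):
    # Genuine Windows services carry Microsoft's company name; on Windows 2000 SP4 the updater is
    # the "Automatic Updates" service (wuauserv), not a "Windows Update Service".
    spoofed = any(w in m.group("display").lower() for w in SPOOF_WORDS)
    if m.group("owner") == "Unknown owner" and spoofed:
        return [("fix", "no company name in version info but a Windows-sounding display name")]
    return []

CHECKS = ((O4_RE, check_o4), (O16_RE, check_o16), (O20_RE, check_o20), (O23_RE, check_o23))

def triage(lines):
    """Return a Finding for every line at least one check objects to."""
    matches = [(ln, m, chk) for ln in map(str.strip, lines) for rx, chk in CHECKS if (m := rx.match(ln))]
    runservices = {m.group("cmd").strip() for _, m, _ in matches if m.re is O4_RE and m.group("key").lower() == "runservices"}
    url_count = Counter(m.group("url") for _, m, _ in matches if m.re is O16_RE)  # CLSIDs per download URL
    findings = []
    for line, m, check in matches:
        reasons = check(m)
        # Cross-line checks: one command in both Run and RunServices, one URL behind several CLSIDs.
        if m.re is O4_RE and m.group("key").lower() == "run" and m.group("cmd").strip() in runservices:
            reasons.append(("fix", "same command also registered under RunServices"))
        if m.re is O16_RE and url_count[m.group("url")] > 1:
            reasons.append(("fix", "same download URL registered under several CLSIDs"))
        if reasons:
            severity = "fix" if any(s == "fix" for s, _ in reasons) else "review"
            findings.append(Finding(severity, line, "; ".join(r for _, r in reasons)))
    return findings

# Copied from this thread's logs; benign lines are included to show they pass.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [win config] msgfix1.exe",
    r"O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h",
    r"O4 - HKLM\..\RunServices: [win config] msgfix1.exe",
    r"O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab",
    r"O16 - DPF: {1A0D3E5B-69FE-63BD-95F2-7CAD765C8F3C} - http://66.246.197.126/1/gdnUS2218.exe",
    r"O16 - DPF: {649C7D6F-8B37-1C39-34E8-3DAE70DEC99F} - http://66.246.197.126/1/gdnUS2218.exe",
    r"O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)",
    r"O20 - Winlogon Notify: fcyxx - C:\WINNT\system32\fcyxx.dll (file missing)",
    r"O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe",
    r"O23 - Service: Windows Update Service (Wupdated) - Unknown owner - C:\WINNT\system32\wupdated.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n      {f.reason}")
```

Run as-is it prints eight findings, every one of them a line in the helper's fix list above, while the benign lines (mobsync.exe, NeroCheck, the Creative .cab, NavLogon, ATI Smart) pass. The cross-line checks are what make it match the helper's reasoning: on its own the Run entry for msgfix1.exe is only "review" (a bare filename), and becomes "fix" because the same command also sits under RunServices, just as the two gdnUS2218.exe entries are condemned as much by sharing one URL under two unrelated CLSIDs as by the raw-IP host. A real triage would need a much longer allowlist than the two names here, which is why the bare-filename and random-name tells are "review" rather than "fix".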
#4 RSC (Topic Starter, 19 posts)

Incredible. You got it. That stupid icon is gone and SpyAxe doesn't automatically load anymore. Even the button thing is fixed. Thanks a lot for the help; you may be superhuman. Here are my SpyAxeFix and HijackThis logs. I didn't notice any other programs that I didn't recognize.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:48 AM, on 11/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoctrl.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\Iconoid\iconoid.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\CursorXP\CursorXP.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\TaskBar\CTLTask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\Logitech\SetPoint\KEM.exe
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINNT\system32\rundll32.exe
D:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\HPZipm12.exe
D:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\spyware\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [freesurfer] D:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Iconoid] "D:\Program Files\Iconoid\iconoid.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "d:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [TaskBar] "d:\Program Files\Creative\TaskBar\CTLTask.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O15 - Trusted Zone: cyrus.cob.calpoly.edu
O15 - Trusted Zone: *.calpoly.edu
O15 - Trusted Zone: http://*.download.windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Roger Chow\My Documents\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



SpyAxeFix © by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Fri 11/25/2005
The current time is: 10:14:33.28

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of spyaxe.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1160 'explorer.exe'
Killing PID 1160 'explorer.exe'
Error 0x5 : Access is denied.



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1576 'rundll32.exe'

svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

#5 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features, including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for "on demand" scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :)

Happy safe surfing Roger!

#6 RSC (Member, Topic Starter) - 19 posts
I noticed something different when I start up my computer now. It always starts up with Norton disabled, and won't allow some programs to run automatically on startup. What happened? I have gone back into the properties for the programs and told them to run on Windows startup, but when I restart the computer they don't load automatically. Was it something that was done when I fixed the virus that caused this? Thanks.

#7 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
Hello Roger

I have read your reply and I am having difficulty in understanding exactly what you are telling me.

Are you saying that normally, Norton loads automatically and since the fix it is no longer doing this?

Please try and explain your problem better so I might understand what needs to be addressed.

#8 RSC (Member, Topic Starter) - 19 posts
Every time I start the computer, the Norton icon in the system tray starts with a red circle and cross through it. I have to right-click the icon and select "Enable File System Real Time Protection" to have it run like normal. At first I thought this was because I installed the Trojan Hunter software and there was a conflict with two anti-virus programs running, so Norton was disabled. But I uninstalled the Trojan Hunter software and Norton still starts up disabled. I also have several programs set up to start up with the computer, but the icons don't appear in the system tray. The only programs that are allowed to start up with the computer now are Norton (disabled), volume, AIM, and the local area connection icons. Thanks for the help.

#9 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
Hello again Roger

If you take a look at your previous HJT logs, all the O4 entries are "start-ups". If they are not starting like they should, then there is a good chance that something has changed your configuration.

Please click START>RUN>type in MSCONFIG>hit ENTER. A new window should open. Under the first tab, GENERAL, please ensure that the radio button for Normal startup is enabled. Then look at the tab on the far right, STARTUP, and ensure that all programmes listed have a checkmark or tick to the left of them. If they do not, do it now and click APPLY>OK.

Please confirm.

Edited by Crustyoldbloke, 26 November 2005 - 08:39 AM.


#10 RSC (Member, Topic Starter) - 19 posts
When I tried to run MSCONFIG I got an error: "Cannot find the msconfig (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

#11 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
I think that now is a good time to run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow. Please note that there is a single space between sfc and /scannow.

Typing this will start the programme, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:
My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.
Then rerun the scan.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.

#12 RSC (Member, Topic Starter) - 19 posts
That's a little better. I think when I ran CCleaner or one of the other programs, it deleted the .exe files that the shortcuts in the startup menu were pointing to. For some reason I cannot find the programs anymore, but the shortcuts are still in the startup menu. I think it's just a matter of re-installing those programs. One last question. Do you know why Windows sees the need to re-order my icons every time I start up? I got a program a while ago called Iconoid that allowed me to save icon positions and make the text boxes transparent, because Win2K doesn't have that capability. But when I start up, it bypasses that program now. I downloaded msconfig and ran it and Iconoid is still checked in the startup tab. Thanks.
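Crustyoldbloke's point in post #9 (the O4 lines are start-ups) and what RSC found in post #12 (startup shortcuts still in place, their executables gone) can be checked mechanically from the log text itself. The script below is an added example written for this page; it is not HijackThis code and not part of the thread. It parses O4, O20 and O23 lines in the format shown above, pulls out the module each entry actually loads (for rundll32 hosts, the module rather than rundll32.exe), and flags targets that are missing, bare file names that get resolved through the search path, and Winlogon Notify DLLs. The sample lines are copied from the log on this page; because the log comes from another machine, the set of present files is a constructed stand-in for os.path.exists in which iconoid.exe and KEM.exe are deliberately absent.

```python
"""Audit the O4 / O20 / O23 autostart lines of a HijackThis 1.98 log.
Added example for this thread (not HijackThis code). File presence is simulated
with a set of known paths because the log is from another machine; on the box
itself the membership test would be os.path.exists."""
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample in the log format shown above; the last line carries
# HijackThis' own "(file missing)" marker.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [vptray] D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [Iconoid] "D:\Program Files\Iconoid\iconoid.exe"
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\KEM.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Constructed stand-in for the filesystem: iconoid.exe and KEM.exe are left out
# on purpose, mirroring startup shortcuts whose executables were deleted.
PRESENT = {
    r"d:\program files\symantec_client_security\symantec antivirus\vptray.exe",
    r"d:\program files\quicktime\qttask.exe",
    r"d:\progra~1\aim\deadaim.ocm",
    r"c:\winnt\system32\navlogon.dll",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")
NOTIFY_RE = re.compile(r"^(Winlogon Notify): (\S+) - (.*)$")
SERVICE_RE = re.compile(r"^(Service): (.+?) - (.+?) - (.*)$")
# First drive-rooted path ending in a loadable module. For host processes such
# as rundll32.exe this picks the module they are told to load, not the host.
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|ocm|cpl|scr)\b)', re.I)
MISSING = "(file missing)"


class Entry(NamedTuple):
    section: str          # "O4", "O20" or "O23"
    source: str           # registry key, "Global Startup", "Winlogon Notify", "Service"
    name: str
    image: Optional[str]  # normalized module path, or a bare file name
    hjt_missing: bool     # HijackThis itself could not find the file


class Finding(NamedTuple):
    section: str
    name: str
    image: Optional[str]
    reason: str


def normalize(path: str) -> str:
    """Lower-case and collapse doubled backslashes (AIM\\DeadAIM.ocm above).
    8.3 names such as PROGRA~1 stay literal: they need the volume to expand."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


def extract_image(command: str) -> Optional[str]:
    m = MODULE_RE.search(command)
    if m:
        return normalize(m.group(1))
    # No absolute path: a bare name like CTHELPER.EXE is located through the
    # search path at logon, a classic place for a planted look-alike binary.
    tokens = command.split()
    return tokens[0].strip('"').lower() if tokens else None


def parse(log: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        if section == "O4" and (r := RUN_RE.match(body) or STARTUP_RE.match(body)):
            src, name, cmd = r.groups()
        elif section == "O20" and (r := NOTIFY_RE.match(body)):
            src, name, cmd = r.groups()
        elif section == "O23" and (r := SERVICE_RE.match(body)):
            src, name, _owner, cmd = r.groups()
        else:
            continue
        entries.append(Entry(section, src, name, extract_image(cmd), missing))
    return entries


def audit(entries: List[Entry], present: Set[str]) -> List[Finding]:
    out: List[Finding] = []
    for e in entries:
        if e.hjt_missing or (e.image and ":" in e.image and e.image not in present):
            out.append(Finding(e.section, e.name, e.image, "target missing"))
        elif e.image and ":" not in e.image:
            out.append(Finding(e.section, e.name, e.image, "bare name, resolved via search path"))
        elif e.section == "O20":
            # Notify packages load into winlogon.exe as SYSTEM before anyone logs
            # on, so even a present, known DLL is worth a publisher check.
            out.append(Finding(e.section, e.name, e.image, "winlogon notify DLL, verify publisher"))
    return out


def findings_for_sample() -> List[Finding]:
    return audit(parse(SAMPLE_LOG), PRESENT)


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"{f.section:<4} {f.name:<38} {f.reason:<40} {f.image}")
```

Run it as a script to print the findings for the sample. Two caveats: 8.3 short names such as PROGRA~1 are compared literally, since they can only be expanded on the volume they live on, and the check only says whether a target exists, not whether it is legitimate; a present file in a Run key still needs its publisher and hash checked.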

#13 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
Hello again Roger

I haven't used Win2K for a few years, so excuse me if my memory is not all it should be. Generally, if you right-click on an empty part of your desktop, a little box will open. The top entry is "Arrange Icons By"; if you go onto that line and highlight it, a second box should come into view and you'll see "Auto Arrange". Make sure that one is not ticked/checked.

Did that help?

#14 RSC (Member, Topic Starter) - 19 posts
I've left that unchecked since I got iconoid. It's ok, I can live with it. Thanks for all the help.

#15 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel) - Retired Staff, 15,130 posts
You are very welcome.

I will leave this thread open for a few days in case of misfortune.