Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Got something I can't find. Help. [RESOLVED]

Started by jer6663 , Nov 25 2005 08:30 PM

This topic is locked

#1
jer6663

Posted 25 November 2005 - 08:30 PM

New Member

Member
6 posts

Hello, I got numerous trojans that avg got rid of. But since then I still got a downloader I can't find. Also it keeps hijacking IE to http:///4.3.10
I've ran every program I could find (probably a mistake) Tried to keep it to reputible sites. Anyway I scanned with avg, spybot, adaware, cwshredder and trojan hunter. All come up clean except for some minor adaware. Ran clean up as directed.

Here is a copy of my log.

Logfile of HijackThis v1.99.1
Scan saved at 6:27:43 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Audio Deck\EnMixCPL.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Jerry\Desktop\utilities\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Jerry\Desktop\updates\vid card\PCI Lat 2.3\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109026032687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131903018625
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8524452E-23A2-41D5-AD7E-49C14DA4AB99}: NameServer = 192.168.1.1
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe

Ive deleted the lines with default mainpage http, but they keep coming back.
I'm so confused..lol.
Thanks ahead of time.

#2
Trevuren

Posted 25 November 2005 - 09:15 PM

Old Dog

Retired Staff
18,699 posts

Hi jer6663 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

2. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

#3
jer6663

Posted 25 November 2005 - 11:18 PM

New Member

Topic Starter
Member
6 posts

Thank you Trevuren for your help and time, greatly appreciated,

Ok I did as told. Ran spysweeper, it found stuff, deleted as told made file log rebooted then ran Hijack.

Sweeper log

********
8:33 PM: | Start of Session, Friday, November 25, 2005 |
8:33 PM: Spy Sweeper started
8:33 PM: Sweep initiated using definitions version 575
8:33 PM: Starting Memory Sweep
8:34 PM: Starting Registry Sweep
8:34 PM: Memory Sweep Complete, Elapsed Time: 00:00:00
8:36 PM: Registry Sweep Complete, Elapsed Time:00:02:06
8:36 PM: Starting Cookie Sweep
8:36 PM: Found Spy Cookie: 2o7.net cookie
8:36 PM: jerry@2o7[1].txt (ID = 1957)
8:36 PM: Found Spy Cookie: pointroll cookie
8:36 PM: [email protected][2].txt (ID = 3148)
8:36 PM: Found Spy Cookie: atlas dmt cookie
8:36 PM: jerry@atdmt[2].txt (ID = 2253)
8:36 PM: Found Spy Cookie: coremetrics cookie
8:36 PM: [email protected][1].txt (ID = 2472)
8:36 PM: Found Spy Cookie: dealtime cookie
8:36 PM: jerry@dealtime[1].txt (ID = 2505)
8:36 PM: Found Spy Cookie: overture cookie
8:36 PM: [email protected][1].txt (ID = 3106)
8:36 PM: [email protected][1].txt (ID = 2506)
8:36 PM: Found Spy Cookie: statcounter cookie
8:36 PM: jerry@statcounter[1].txt (ID = 3447)
8:36 PM: Found Spy Cookie: tracking cookie
8:36 PM: jerry@tracking[2].txt (ID = 3571)
8:36 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:36 PM: Starting File Sweep
8:44 PM: Found Adware: spysheriff
8:44 PM: secure32.html (ID = 184319)
8:44 PM: secure32.html (ID = 184319)
8:44 PM: Found System Monitor: potentially rootkit-masked files
8:44 PM: i386p.sys (ID = 0)
8:44 PM: qz.sys (ID = 0)
8:44 PM: qz.dll (ID = 0)
8:44 PM: avpe64.sys (ID = 0)
8:44 PM: avpe32.dll (ID = 0)
8:44 PM: msctl32.dll (ID = 0)
8:44 PM: stt82.ini (ID = 0)
8:44 PM: klgcptini.dat (ID = 0)
8:56 PM: File Sweep Complete, Elapsed Time: 00:19:57
8:56 PM: Full Sweep has completed. Elapsed time 00:22:05
8:56 PM: Traces Found: 19
8:58 PM: Removal process initiated
8:58 PM: Quarantining All Traces: potentially rootkit-masked files
8:58 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
8:58 PM: avpe32.dll is in use. It will be removed on reboot.
8:58 PM: msctl32.dll is in use. It will be removed on reboot.
8:58 PM: Quarantining All Traces: spysheriff
8:58 PM: Quarantining All Traces: 2o7.net cookie
8:58 PM: Quarantining All Traces: atlas dmt cookie
8:58 PM: Quarantining All Traces: coremetrics cookie
8:58 PM: Quarantining All Traces: dealtime cookie
8:58 PM: Quarantining All Traces: overture cookie
8:58 PM: Quarantining All Traces: pointroll cookie
8:58 PM: Quarantining All Traces: statcounter cookie
8:58 PM: Quarantining All Traces: tracking cookie
8:59 PM: Removal process completed. Elapsed time 00:00:32
********
8:30 PM: | Start of Session, Friday, November 25, 2005 |
8:30 PM: Spy Sweeper started
8:31 PM: Your spyware definitions have been updated.
8:33 PM: | End of Session, Friday, November 25, 2005 |

New hijack log

Logfile of HijackThis v1.99.1
Scan saved at 9:08:35 PM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Audio Deck\EnMixCPL.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jerry\Desktop\utilities\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Jerry\Desktop\updates\vid card\PCI Lat 2.3\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109026032687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131903018625
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8524452E-23A2-41D5-AD7E-49C14DA4AB99}: NameServer = 192.168.1.1
O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

The first IE page I opened after restart went to the /4.3.10 page.

I'm all ears....

#4
Trevuren

Posted 25 November 2005 - 11:48 PM

Old Dog

Retired Staff
18,699 posts

1. Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.

Double click the Smitrem.exe icon on your Desktop.
Then click Run>Start and a Smitrem folder will apear on your desktop also.

2. Place a shortcut to Panda ActiveScan on your desktop.

3. Download the trial version of Ewido Security Suite

Please read Ewido Setup Instructions
Install the program
Update the definitions to the newest files.
DO NOT RUN IT YET

4. Install Ad-Aware SE 1.06, follow these download and setup instructions.

Ad-Aware SE Setup
Update the definitions
DO NOT RUN IT YET

5. REBOOT your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

6. Now open HJT, click SCAN and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Documents and Settings\Jerry\Desktop\updates\vid card\PCI Lat 2.3\LtcyCfg.exe" /a
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll (file missing)

7. Click the Fix Checked box and EXIT HJT

8. Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

C:\Documents and Settings\Jerry\Desktop\updates\vid card

9. Open the smitRem folder

Double click the RunThis.bat file to start the tool.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

NOTE:The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Let ir remove all it finds.

11. Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

13. REBOOT back into Normal Mode

14. Click the Panda ActiveScan shortcut

Do a full system scan.
Make sure the autoclean box is checked!

15. Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

16. Please download SpyAxeFix.exe © noahdfear and save it to your desktop.

Close all other programs and windows.
Double click SpyAxeFix.exe
Then click Start to extract the tool to it's own folder.
Open the SpyAxeFix folder
Double click the SpyAxeFix.bat to start the tool.
At one point when the tool runs, your taskbar will dissappear (this is normal)
Your computer will restart when the tool completes.
A text file named spyaxe.txt will be created in the SpyAxeFix folder.
Please post the contents of that log.

17. Run HJT, Scan, produce a log and post it in your next reply.

18. So , in the next reply, I need the following logs:

HijachThis log
SyAxe.txt
Ewido log
smitfiles.txt
Panda Scan log

Regards,

Trevuren

#5
jer6663

Posted 26 November 2005 - 05:07 PM

New Member

Topic Starter
Member
6 posts

Ok took awhile.
Active scan did not give me the option to autoclean, or should I D/L the trial version? could not include log.
Also spyaxe would not work. said bad file path or do not have permissin. I am the only user on this pc as admin..far as I know.
Also deleted vid card folder.
Here are my logs...

HJT

Logfile of HijackThis v1.99.1
Scan saved at 2:56:26 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jerry\Desktop\utilities\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109026032687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131903018625
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8524452E-23A2-41D5-AD7E-49C14DA4AB99}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:08:50 PM, 11/26/2005
+ Report-Checksum: 903FFFAF

+ Scan result:

C:\Documents and Settings\Jerry\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Ignored
HKU\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
C:\Documents and Settings\Jerry\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jerry\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.ab : Cleaned with backup

::Report End

SMITFILES...

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 11/26/2005
The current time is: 12:03:31.50

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

Panda scan log

Incident Status Location

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\tool4.exe
Adware:adware/gator Not disinfected Windows Registry
Virus:Bck/KllExp.B Not disinfected C:\WINDOWS\tool4.exe

Thanks.

#6
Trevuren

Posted 26 November 2005 - 05:15 PM

Old Dog

Retired Staff
18,699 posts

1. Download "Registry Search Tool" (RegSrch.vbs) from HERE

2. Start it and paste in spyaxe.

3. Wait for it to complete the search, click ok at the prompt.

4. Then when wordpad opens, copy the text as a reply into this thread.

Regards,

Trevuren

#7
jer6663

Posted 26 November 2005 - 05:26 PM

New Member

Topic Starter
Member
6 posts

Wow, that was fast. ok here it is..

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "spyaxe" 11/26/2005 3:24:44 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://noahdfear.gee....com/SpyAxeFix"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="C:\\Documents and Settings\\Jerry\\Desktop\\SpyAxeFix.exe"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\Documents and Settings\\Jerry\\Desktop\\SpyAxeFix.exe"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Jerry\\Desktop\\SpyAxeFix.exe"="SpyAxeFix"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Jerry\\Desktop\\SpyAxeFix\\SpyAxeFix.bat"="SpyAxeFix"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Jerry\\LOCALS~1\\Temp\\Rar$DI00.406\\SpyAxeFix.bat"="SpyAxeFix"

[HKEY_USERS\S-1-5-21-1659004503-1606980848-725345543-1004\Software\WinRAR\ArcHistory]
"0"="C:\\Documents and Settings\\Jerry\\Desktop\\SpyAxeFix.exe"

#8
Trevuren

Posted 26 November 2005 - 05:40 PM

Old Dog

Retired Staff
18,699 posts

Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren

#9
jer6663

Posted 26 November 2005 - 05:41 PM

New Member

Topic Starter
Member
6 posts

lets do it.

#10
Trevuren

Posted 26 November 2005 - 05:44 PM

Old Dog

Retired Staff
18,699 posts

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:

Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading deselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE

Right-click "My Computer", and then left click "Properties".
Left click on "System Restore Tab"
Check box beside "Turn Off System Restore"
Left click on "Apply"

TO ENABLE SYSTEM RESTORE

Remove check mark from "Turn Off System Restore"
Click on "Apply"

3.Preventitive measures:

Please read and follow the following advice by TonyKlein on how to reduce the potential for spyware infection in the future:

How Did I Get Infected in the First Place

Regards,

Trevuren

#11
jer6663

Posted 26 November 2005 - 05:53 PM

New Member

Topic Starter
Member
6 posts

Ok done, thank you very much. Will go to paypal right now, worth every penny.

#12
Trevuren

Posted 26 November 2005 - 06:12 PM

Old Dog

Retired Staff
18,699 posts

My Pleasure and Thank You

Trevuren

#13
Trevuren

Posted 26 November 2005 - 06:12 PM

Old Dog

Retired Staff
18,699 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.