Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

winfixer? aim virus?


  • Please log in to reply

#1
jp575

jp575

    Member

  • Member
  • PipPip
  • 58 posts
Thank you so much for help. I think that I have deleted winfixer, but my computer is still running slowly, I downloaded vundofix to rid my computer of the winfixer, and I used aim fix to try and get rid of the aim virus. Here is my hijack this log, hope it helps.

Logfile of HijackThis v1.99.1
Scan saved at 4:30:57 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120538041896
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

Edited by jp575, 30 November 2005 - 06:41 PM.

  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please disable spycatcher for now.

Do you know what interceptor.dll is associated with, if not click Start>Run and type regedit tap enter key.


Regedit will open. Make sure My Computer is highlighted. At the top of the window click edit> Find> then copy and paste the following into the window.
[/color]
Interceptor.dll[/b]

Then click find now.
When you find the entry right click on it and select delete, answer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.


Run hijackthis. Click Do a System Scan Only. Put a Check in the box on the left side on these:


O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - AppInit_DLLs: interceptor.dll


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Program Files\Viewpoint\<<this folder

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.
  • 0

#3
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Coachwife6, thanks a ton for helping me out on this removal, I really appreciate it!

I ran hijackthis and was able to delete all the files except the interceptor.dll, for some reason interceptor.dll didnt show up on regedit either. I got this message when trying to delete it from hijack this:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sITem=O20 - AppInit_DLLs: interceptor.dll)
Error #5 - Invalid procedure call or argument



Is there anything that I should do next?

thanks again
  • 0

#4
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK, about the interceptor, don't worry about it. Can I see a new log? Is everything working better? Can you run a silent runners log if it's not running well?

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#5
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Hi, my computer is still running pretty slow, it takes a long time for it to boot up and sometimes when I try to open a program it takes forever for it to open. Could this be something not related to malware? like a hardware issue?

Here is the silent runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sonic RecordNow!" = (empty string)
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" [** WMI GetObject error **]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"McRegWiz" = "C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun" [empty string]
"SpyCatcher Reminder" = ""C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder" ["Tenebril Inc."]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0A87E45F-537A-40B4-B812-E2544C21A09F}\(Default) = "SpywareBlock Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll" ["Tenebril Inc."]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}\(Default) = "McAfee AntiPhishing Filter" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*_" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "interceptor.dll" ["Tenebril Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! Sebring\DLLName = "C:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\DELL.BMP"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\SSTEXT3D.SCR" [MS]


Startup items in "Jake Piccus" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\Jake Piccus\Start Menu\Programs\Startup
"Scheduler" -> shortcut to: "C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe" ["Tenebril Incorporated"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"SpyCatcher Protector" -> shortcut to: "C:\Program Files\SpyCatcher 2006\Protector.exe" ["Tenebril Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{39FD89BF-D3F1-45B6-BB56-3582CCF489E1}\
"MenuText" = "McAfee AntiPhishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["McAfee Inc."]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
RegSrvc, RegSrvc, "C:\WINDOWS\System32\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\System32\S24EvMon.exe" ["Intel Corporation "]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 9 seconds for message boxes)




here is the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:14:15 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jake Piccus\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....wareScanner.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120538041896
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

thanks
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
run Rootkit Revealer and let's see if there are any hidden registry keys not being read.

Download Rootkitreveal
http://www.sysintern...itrevealer.html


Extract rootkitreveal

Double click on rootkit revealer and press scan.

It will take some time to do a complete scan. When finished press file/save and post the contents of the log please.


-------------

Blacklight too:

Try this app: blacklight Beta from here:

http://www.f-secure....light/try.shtml

click "I accept" at bottom of page which takes you to download site.
Download the app to the desktop.
Double click it, accept the agreement, make sure "scan through windows explorer IS checked then hit "scan"
It should only take at most 5 minuites.

If any results Don't rename anything yet!
Sometimes legit items are listed along with baddies.
Just hit next> finish.

Log will be created on desktop that starts with fsbl-datetime.log

Post its results here.
  • 0

#7
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Hi, the blacklight scan did not find anything, however there was a log created with rootkit revealer.

here's the rootkit revealer log

HKLM\SOFTWARE\Classes\CLSID\{5844C458-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{10ed2d83-f16f-0348-1000-8c26b23e9a26}\22 2/26/2005 2:52 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{5844C458-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{c7aed331-0000-0348-1000-8c46b23e9a26}\22 2/26/2005 2:52 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{94F3F362-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{10ed2d83-f16f-0348-2080-8c26b23e9a26}\22 2/26/2005 2:51 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{94F3F362-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{c7aed331-0000-0348-2080-8c46b23e9a26}\22 2/26/2005 2:51 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/5/2005 11:06 AM 80 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 12/4/2005 10:51 PM 150 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 12/4/2005 10:51 PM 150 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 12/4/2005 10:51 PM 1 bytes Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Desktop\fsbl-20051205065702.log 12/4/2005 11:03 PM 718 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Desktop\fsbl-20051205190559.log 12/5/2005 11:06 AM 392 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Desktop\fsbl-20051205190939.log 12/5/2005 11:09 AM 392 bytes Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Desktop\virus removal.txt 12/3/2005 11:19 PM 1.58 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\Application Data\Mozilla\Firefox\Profiles\5efr5tn3.default\Cache\C48533D7d01 12/5/2005 11:34 AM 97.52 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\Application Data\Mozilla\Firefox\Profiles\5efr5tn3.default\Cache\F2AF8144d01 12/5/2005 11:13 AM 30.64 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112820051129 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112820051129\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112820051205 12/5/2005 11:12 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112820051205\index.dat 12/5/2005 11:12 AM 32.00 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112920051130 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005112920051130\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005113020051201 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005113020051201\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120120051202 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120120051202\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120220051203 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120220051203\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120320051204 12/4/2005 2:47 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120320051204\index.dat 12/4/2005 2:43 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120420051205 12/4/2005 2:42 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120420051205\index.dat 12/4/2005 7:07 PM 32.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120520051206 12/5/2005 11:12 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\History\History.IE5\MSHist012005120520051206\index.dat 12/5/2005 11:12 AM 32.00 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\Temp\F-Secure\BlackLight\fsbl0907.sys 12/5/2005 11:09 AM 18.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\Temp\F-Secure\BlackLight\fsbl8433.sys 12/5/2005 11:06 AM 18.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\Temp\F-Secure\BlackLight\fsse6550.dll 12/5/2005 11:09 AM 140.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Local Settings\Temporary Internet Files\Content.IE5\E9M5O72L\CA0VUJU3.lpk 12/5/2005 11:27 AM 1.80 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\Temporary Internet Files\Content.IE5\FEDSQ9GH\CA2VG5EF.lpk 12/5/2005 11:12 AM 1.80 KB Hidden from Windows API.
C:\Documents and Settings\Jake Piccus\Local Settings\Temporary Internet Files\Content.IE5\FEDSQ9GH\CAYJ8PIB.lpk 12/4/2005 7:16 PM 1.80 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake Piccus\Recent\fsbl-20051205190939.lnk 12/5/2005 11:19 AM 556 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-530991616-3321489743-2985782624-1007\Dc10.log 12/5/2005 11:09 AM 718 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-530991616-3321489743-2985782624-1007\Dc11.txt 12/3/2005 11:19 PM 1.58 KB Hidden from Windows API.
C:\RECYCLER\S-1-5-21-530991616-3321489743-2985782624-1007\Dc9.log 12/4/2005 11:03 PM 718 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\CONTROL.EXE-24FBF8B3.pf 12/5/2005 11:26 AM 32.88 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\HH.EXE-104606B2.pf 12/5/2005 11:27 AM 70.92 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\MSKCLNT.EXE-13428D40.pf 12/5/2005 11:31 AM 80.48 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RSTRUI.EXE-05C31B56.pf 12/5/2005 11:26 AM 37.88 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3D540BCC.pf 12/5/2005 11:26 AM 31.65 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DSentry.exe 8/13/2003 8:27 AM 28.00 KB Hidden from Windows API.



Thanks
  • 0

#8
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please navigate to this folder:

C:\WINDOWS\Prefetch

and delete the entire contents of that folder. To do this, click Edit on top and "select all". Once you do this on the left pane you will see an option "delete all selected items", click on that.

Next, let's update your java and empty the cache.

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.
  • 0

#9
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I deleted the contents of C:\WINDOWS\Prefetch, and I updated java and emptied the cache. Is there anything else I should do next? Were all the entries the rootkit revealer found actually rootkits? They're gone now right?

thanks
  • 0

#10
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
How is it running now?
  • 0

#11
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Hi, its running faster, thanks! :tazz: but it still seems a little slow when I try to open programs and when it boots up. Could this be because I have too many programs or a hardware issue? Do you know of a program that gets rid of useless programs and files on a computer?

thanks for imput
  • 0

#12
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You have a lot of programs on start-up that you don't need.

Go to start>>run>> and type in msconfig

Go to the start up tab and research the entries at www.answersthatwork.com

The ones you don't need at start-up, just uncheck them.

Here is a great tutorial on some things you can do to make your ocmputer more efficient.

Restore Your Computer's Performance
  • 0

#13
jp575

jp575

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
alright i'll do that thanks a bunch for all of your help!
  • 0

#14
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You're welcome. I'll leave this topic open a few days to see if you have any problems.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP