mssearchnet.exe Help, I don't know much! [RESOLVED]


  • This topic is locked

#31
Kosti

Kosti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
So is there anything else that I need to do???
  • 0


#32
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Congratulations! Your new log is clean. :whistling: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file - This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

SiteAdvisor - Download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
MICROSOFT ANTISPYWARE - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

It just remains for me to wish you and the rest of your family happy safe surfing.
  • 0

#33
Kosti

Kosti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Thank you very much for your help, words can't describe how much I appreciate you taking the time to assist me through this stuff. Just a couple of questions before I go out into the computer world on my own again :whistling: Do you recommend me purchasing Norton Antivirus, or does the AVG antivirus that I installed suffice? Also, I have gone ahead and downloaded/installed the following from your list:

Microsoft Update
MVPS Hosts file
SiteAdvisor
SPYWARE BLASTER
AD-AWARE PERSONAL
FIREFOX

plus I already have spybot
One thing I noticed is that siteadvisor doesn't work with firefox, it only seems to work with IE...since I will be using firefox now, should I uninstall IE (and if so HOW?)...and how do I get siteadvisor to work on firefox?
The link for MICROSOFT ANTISPYWARE is not working...is Windows Defender (Beta 2) the same program? because from the search I've done I get the image that this is one and the same.
Finally...are there any other recommendations on any cleans, scans, or anything else that I should do on a regular basis, and how often to do them? (for example emptying out my cookies, or temporary internet files, or defragmenting, or scanning with spybot etc, etc, etc. ANYTHING at all, because I will do what it takes to keep the comp clean)

Thank you again...if more people in this world were as willingly helpful as you, it would be a much easier place to live in, that's for sure.

Hope you enjoyed the final round at Augusta...Mickelson played well today, but he's lucky Tiger couldn't putt today

Edited by Kosti, 09 April 2006 - 10:11 PM.

  • 0

#34
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Lefty Mickelson deserved the win. A friend of mine met him at St Andrews last year and told me what a friendly chap he is.

I am glad you switched to Firefox, you'll soon get used to it. Site Advisor is available for FF also, but if you go there with MSIE you get the plugin for it, go there with FF and you get redirected. Here's the link: http://www.siteadvis...preinstall.html

Windows Defender is the new name for MSAS. I will check the link.

AVG is excellent AV for your PC. Please ensure you uninstall all Norton and Symantec files.

Here's my routine. Daily update and scan for AVG, SpyWare Blaster in situ, twice daily scans and cleans for Ccleaner, daily on-demand Ewido scan, weekly SpyBot or Ad-Aware scans. Whilst I don't use MSIE, I won't uninstall it as it can be a good checking device.

You are very welcome to the help

I will leave this thread open for the next few days in case of misfortune.
  • 0

#35
Kosti

Kosti

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi Phil...just letting you know that the computer is running great and I check my computer regularly now...just out of curiosity I did a Panda Scan today just to see what would show up, and about 20 items still showed up, even though AVG, Ewido, Ad-Aware, and Windows Defender did not pick any of them up. What should I do to get rid of them? Or will there always be certain things on the comp? Here's the log for it


Incident Status Location

Adware:adware/blazefind Not disinfected C:\WINDOWS\System32Go.ico
Adware:adware/ncase Not disinfected C:\WINDOWS\180Solutions
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Adware:adware/surfassistant Not disinfected Windows Registry
Dialer:dialer.bb Not disinfected HKEY_CLASSES_ROOT\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095}
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[.findwhat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[.hitbox.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Kosti\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Kosti\Desktop\Smitrem\Process.exe
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Kosti\Application Data\Mozilla\Firefox\Profiles\c5bwgaqz.default\cookies.txt[]
Spyware:Spyware/ClearSearch Not disinfected C:\avenger\backup-09.04.2006- 5.51.22.39.zip[vkpnkizp.DLL]
Adware:Adware/Prositefinder Not disinfected C:\avenger\backup-09.04.2006- 5.51.22.39.zip[eje3fqqt.DLL]
Adware:Adware/Sqwire Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[muqoc.dll]
Adware:Adware/NetPals Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[backup-20060406-095805-429.inf]
Adware:Adware/IST.ISTBar Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[backup-20060406-095806-228.inf]
Adware:Adware/TPS Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[00000004.EXE]
Spyware:Cookie/bravenetA Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[00000024.TXT]


I don't know if you need this but I'll toss it in there too.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:19 AM, on 17/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartph...x/PCAXSetup.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
  • 0

#36
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Your HJT log is still clean.

It looks as though your scan result is showing up some bits and pieces of leftovers doing no harm but you can have them cleaned if you wish.

Copy everything in the quote box below (Starting with REGEDIT4) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the 'Save As Type' to 'All Files'. Save it as fixit.reg on your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE]
[-HKEY_CLASSES_ROOT\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095}]



Now we need to have the correct path for Avenger to follow. It should be like this:

C:\Documents and Settings\Kosti\Desktop\fixit.reg

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\WINDOWS\180Solutions
Files to delete:
C:\WINDOWS\System32Go.ico
Programs to launch on reboot:
C:\Documents and Settings\Kosti\Desktop\fixit.reg


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

C:\Documents and Settings\Kosti\Desktop\Smitrem\Process.exe is a false positive since AV scanners cannot tell the difference between good and bad with some malware cleaners.

Avenger backups – if you wish to delete these, then go into the Avenger programme and delete them.

Cookies – It is up to you to delete the ones you don’t want. If you use MSIE, go to TOOLS>INTERNET OPTIONS>GENERAL>DELETE COOKIES. If you use FF, go to TOOLS>OPTIONS>PRIVACY>COOKIES>CLEAR COOKIES.
  • 0
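
The triage applied in the reply above (live leftovers versus cookies, the removal tool's own backups, and a scanner hit on a cleaner), as an added Python example that is not part of the original thread. The sample lines are constructed in the scan log's format with the profile path shortened; the category names, `CLEANUP_TOOL_DIRS` and `BACKUP_PREFIXES` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the "type:name / status / location" shape of the
# scan log posted in this thread (user profile paths shortened).
SAMPLE_LOG = r"""
Adware:adware/ncase Not disinfected C:\WINDOWS\180Solutions
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Adware:adware/mediatickets Not disinfected Windows Registry
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\User\Firefox\cookies.txt[.247realmedia.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\Smitrem\Process.exe
Adware:Adware/Sqwire Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[muqoc.dll]
Spyware:Cookie/bravenetA Not disinfected C:\avenger\backup-09.04.2006- 5.55.26.87.zip[00000024.TXT]
"""

# "<type>:<name> Not disinfected <location>"; the name itself may contain spaces.
LINE_RE = re.compile(r"^(?P<kind>[^:]+):(?P<name>.+?)\s+Not disinfected\s+(?P<loc>.+)$")

# Assumption: folder names of removal tools whose own files scanners tend to flag.
CLEANUP_TOOL_DIRS = ("smitrem",)
# Assumption: where the removal tool keeps zipped copies of what it deleted.
BACKUP_PREFIXES = ("c:\\avenger\\",)

def classify(name, location):
    """Map one finding to a triage category; the order of the checks matters."""
    loc = location.lower()
    if loc.startswith(BACKUP_PREFIXES):
        return "tool-backup"        # archived copy of a file that was already removed
    if name.lower().startswith("cookie/") or "cookies.txt" in loc:
        return "cookie"             # cleared from the browser, not a program
    if any(d in loc for d in CLEANUP_TOOL_DIRS):
        return "cleanup-tool"       # likely false positive on the cleaner itself
    if loc.startswith("hkey_") or loc == "windows registry":
        return "registry-leftover"  # candidate for a .reg deletion entry
    return "file-leftover"          # candidate for a file or folder deletion

def triage(log_text):
    """Return (category, name, location) for every parseable finding line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append((classify(m["name"], m["loc"]), m["name"], m["loc"]))
    return findings

def summarize(findings):
    return dict(Counter(cat for cat, _, _ in findings))

if __name__ == "__main__":
    for cat, name, loc in triage(SAMPLE_LOG):
        print(f"{cat:18} {name:26} {loc}")
```

Only the two leftover categories describe anything still installed on the system; the rest are cookies, archived copies, or the cleaner's own files.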

#37
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





