Note: The following is only a text archive! To view the actual forum discussion, please visit our website at http://www.tech-forums.net

HiJackThis Log File

Posted by: smittygray

I ran adaware, spybot, and symantec and still get winfix popups as well as other various internet sites. Both popups started around the same time. I'm also not able to remain in 'standby' for more than 3 seconds - computer wakes up. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:10:03 AM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Timothy Ray\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://education.dellnet.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://go.microsoft.com/fwlink/?LinkId=488[/url]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\java\Packages\xmltcp.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WPC55AG.exe] C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [url]http://community.webshots.com/html/WSPhotoUploader.CAB[/url]
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: xmltcp - C:\WINDOWS\java\Packages\xmltcp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Posted by: MicroBell

[b]Hi and Welcome to TF[/b]

You have 2 very nasty infections which we will remove in steps.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
[list]
[*] [URL=http://www.lavasoftusa.com/support/download/][B][COLOR=Purple]Ad-Aware® SE Personal Edition[/COLOR][/B][/URL]
[COLOR=Red][B]*Note*[/B][/COLOR] For Ad-AwareSE also install the [URL=http://www.lavasoft.de/software/addons/vx2cleaner.shtml][B][COLOR=Purple]VX2 Addon Cleaner[/COLOR][/B][/URL]
To run this tool once Adaware is updated click on [B]Add-ons[/B] in the lefthand column. Select [B]VX2 Cleaner V2.0[/B] and click [B]Run Tool[/B]. Click [B]"OK"[/B], then, if something is found, click [B]"Clean"[/B] as in the directions given. Click "Close", and exit Ad-Aware.
[*] [URL=http://www.majorgeeks.com/download2471.html][B][COLOR=Purple]Spybot Search & Destroy[/COLOR][/B][/URL]
[*] [URL=http://www.trendmicro.com/cwshredder/][B][COLOR=Purple]CWShredder[/COLOR][/B][/URL]
[/list]
Also make sure you are using the latest version (1.99.1) of [URL=http://www.majorgeeks.com/download3155.html][B][COLOR=Purple]HijackThis[/COLOR][/B][/URL] and it's installed in its own folder on the root drive. [color=red][B](C:\HJT)[/B][/color]

[b]STEP 1
========[/b]

Download L2mfix from one of these two locations:
[url]http://www.atribune.org/downloads/l2mfix.exe[/url]
[url]http://www.downloads.subratam.org/l2mfix.exe[/url]

Save the file to your desktop and double click [B]l2mfix.exe[/B]. Click the [B]Install[/B] button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot. From the [B]l2mfix folder[/B] on your desktop, double click [B]l2mfix.bat[/B] and select option #[B]2[/B] for [B]Run Fix[/B] by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and save it as I will ask for it later.

[COLOR=red]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so![/COLOR]

Once that's complete....move on to the next step.

[b]STEP 2
========[/b]

Please print these instructions out for use in Safe Mode.

Please download [url=http://www.atribune.org/downloads/VundoFix.exe][b][color=red]VundoFix.exe[/color][/b][/url] to your desktop.
[list]
[*]Double-click [b]VundoFix.exe[/b] to extract the files
[*]This will create a [b]VundoFix[/b] folder on your desktop.
[*]After the files are extracted, please reboot your computer into [b]Safe Mode[/b].
You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
[*]Once in safe mode open the [b]VundoFix[/b] folder and double-click on [b]KillVundo.bat[/b]
[*]You will first be presented with a warning and a list of forums to seek help at. It should look like this:
[quote][color=blue]VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
[url=http://www.atribune.org/forums]http://www.atribune.org/forums[/url]
[url=http://www.247fixes.com/forums]http://www.247fixes.com/forums[/url]
[url=http://www.geekstogo.com/forum]http://www.geekstogo.com/forum[/url]
[url=http://forums.net-integration.net]http://forums.net-integration.net[/url][/color]
[/quote]
[*] At this point press enter one time.
[*] Next you will see:
[quote][color=blue]Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.[/color][/quote]
[*]At this point please type the following file path (make sure to enter it exactly as below!):
[list]
[b]C:\WINDOWS\java\Packages\xmltcp.dll[/b]
[/list]
[*]Press [color=red][b]Enter[/b][/color], then press the [color=red][b]F6[/b][/color] key, then press [color=red][b]Enter[/b][/color] one more time to continue with the fix.
[*] Next you will see:
[quote][color=blue]Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.[/color][/quote]
[*]At this point please type the following file path (make sure to enter it exactly as below!):
[list]
[b]C:\WINDOWS\java\Packages\pctlmx.dll[/b]
This will be the vundo filename spelt backwards.
[/list]
[*]Press [color=red][b]Enter[/b][/color], then press the [color=red][b]F6[/b][/color] key, then press [color=red][b]Enter[/b][/color] one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HiJackThis, please place a check next to the following items and click [b]FIX CHECKED[/b]:
[list]
[b]O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\java\Packages\xmltcp.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
O20 - Winlogon Notify: xmltcp - C:\WINDOWS\java\Packages\xmltcp.dll[/b]
[/list]
[*]After you have fixed these items, close Hijackthis and press any key to force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.
[/list]
Download and install [URL=http://cleanup.stevengould.org][b][color=blue]Cleanup[/color][/b][/URL] but [b]DO NOT[/b] run it yet!

[b]*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.[/b]

Open [b]Cleanup![/b] by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

*Click "[b]Options...[/b]"
*Move the arrow down to "[b]Custom CleanUp![/b]"
*Put a check next to the following:
[list]
[*]Empty Recycle Bins
[*]Delete Cookies
[*]Delete Prefetch files
[X]Scan local drives for temporary files [b](Please uncheck this option)[/b]
[*]Cleanup! All Users
[/list]
Click [b]OK[/b]

Press the [b]CleanUp![/b] button to start the program. Reboot/logoff when prompted.

Once back to normal windows...

Then, please run this online virus scan: [url=http://www.pandasoftware.com/activescan/][b][color=red]ActiveScan[/color][/b][/url]

Copy the [b]results of the ActiveScan[/b] and paste them here along with a new [b]HiJackThis log[/b], the [b]vundofix.txt[/b] file from the vundofix folder and the l2mfix log.

So I Need....
[b]Hijackthis log
Vundo log
Panda log
L2MFIX log[/b]

Posted by: smittygray

Thanks for your help. I'll try this when I get home this evening.
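MicroBell picks three entries out of a log of roughly sixty by eye: a BHO and two Winlogon Notify packages that share the same DLLs. The helper below is an added example (it is not from this thread and not a HijackThis feature) that makes those checks explicit for O2 and O20 lines: a Notify package that is not one of the stock Windows XP entries, a DLL loading from a directory other than system32 or Program Files, and one DLL registered both as a BHO and as a Notify package. The sample input is copied from smittygray's first log above; the XP baseline set is read off the l2mfix registry export later in the thread, and the NavLogon.dll allowance stands in for a real publisher-signature check. Both of those sets are assumptions made for this example.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from smittygray's first log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\java\Packages\xmltcp.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: xmltcp - C:\WINDOWS\java\Packages\xmltcp.dll
"""

# Assumption: the stock Windows XP SP2 Winlogon\Notify subkeys, taken from the
# clean entries in the l2mfix registry export posted later in this thread.
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif"}
# Assumption: vendor packages the thread leaves alone (Symantec's NavLogon).
# In real triage this is replaced by verifying the file's publisher signature.
KNOWN_VENDOR_DLLS = {"navlogon.dll"}
# Directories an installed DLL is expected to live under.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str   # "O2" or "O20"
    name: str      # BHO display name or Notify subkey name
    path: str      # DLL path exactly as HijackThis printed it
    raw: str       # the full line, as you would tick it under "Fix checked"
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Keep only the O2 and O20 lines; every other section is ignored here."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2":
            # O2 - BHO: <name> - {CLSID} - <path>
            head, path = rest.rsplit(" - ", 1)
            name = head.removeprefix("BHO: ").split(" - ")[0]
        elif section == "O20":
            # O20 - Winlogon Notify: <subkey> - <path>
            name, path = rest.removeprefix("Winlogon Notify: ").split(" - ", 1)
        else:
            continue
        entries.append(Entry(section, name, path, raw.strip()))
    return entries


def triage(entries):
    """Attach a reason to each entry that trips a signal; return the flagged ones."""
    sections_by_dll = {}
    for e in entries:
        sections_by_dll.setdefault(e.path.lower(), set()).add(e.section)
    for e in entries:
        path = e.path.lower()
        base = path.rsplit("\\", 1)[-1]
        if (e.section == "O20" and e.name.lower() not in XP_NOTIFY_BASELINE
                and base not in KNOWN_VENDOR_DLLS):
            e.reasons.append("Winlogon notification package outside the XP baseline")
        if not path.startswith(EXPECTED_DIRS):
            e.reasons.append("DLL loads from an unusual directory")
        if {"O2", "O20"} <= sections_by_dll[path]:
            e.reasons.append("same DLL registered as a BHO and as a Winlogon notify package")
    return [e for e in entries if e.reasons]


def fix_list(text):
    """The raw lines a reviewer would ask the user to tick, in log order."""
    return [e.raw for e in triage(parse_log(text))]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
```

Run against the sample it returns exactly the three lines MicroBell lists for "Fix checked"; `msg117.dll` is caught only by the baseline rule, which is why the Panda result naming it as Look2Me matters later in the thread.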
Posted by: smittygray

Activescan:

Incident Status Location
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\msg117.dll
Spyware:spyware/bundleware No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Timothy Ray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-73edb6d1-22bd3d5e.zip[Dummy.class]
Spyware:Spyware/New.net No disinfected C:\Program Files\iMesh\Client\imesh_336.exe
Adware:Adware/eZula No disinfected C:\Program Files\iMesh\Client\TTIL_imesh.exe
Virus:Trj/Pakes.AV Disinfected C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP108\A0022678.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM32\msg117.dll
Adware:Adware/WinTools No disinfected C:\WINDOWS\SYSTEM32\msietn.dll
Virus:Trj/Agent.AJK Disinfected C:\WINDOWS\SYSTEM32\pmkhe.dll

Vundo:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Suspending PID 168 'smss.exe'
Threads [172][176][180]
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 916 'explorer.exe'
Killing PID 916 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Error, Cannot find a process with an image name of rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 240 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:21 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Timothy Ray\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://education.dellnet.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://go.microsoft.com/fwlink/?LinkId=488[/url]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WPC55AG.exe] C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5free/asinst.cab[/url]
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [url]http://community.webshots.com/html/WSPhotoUploader.CAB[/url]
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

l2mfix:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1356 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1520 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 22%)
adding: lo2.txt (188 bytes security) (deflated 49%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (stored 0%)
adding: test3.txt (188 bytes security) (stored 0%)
adding: test5.txt (188 bytes security) (stored 0%)

Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Warning (option /rga:(ci)) - There is no ACE to remove!

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access Everyone
(IO) ALLOW Full access Everyone

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\msg117.dll"
"Impersonate"=dword:00000000
"Logon"="StartProcessAtWinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xmltcp]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\java\\Packages\\xmltcp.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DDFFA75A-E81D-4454-89FC-B9FD0631E726}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Posted by: MicroBell

Outstanding!!
Download [b]KillBox[/b]
[url]http://www.bleepingcomputer.com/files/spyware/KillBox.zip[/url]

Run the Cleanup utility again and reboot/logoff when prompted. Then reboot into safe mode.

Open add/remove programs and remove iMesh if listed.

C:\Program Files\[b]iMesh[/b] <--delete that folder

Clear your Java Cache...
1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake.

Now navigate to each of the following keys and delete the file/folder/entry I highlighted in [b][color=red]RED[/color][/b].

[b]HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[color=red]xmltcp[/color][/b]
[b]HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[color=red]Guardian[/color][/b]

**Delete the [b]xmltcp[/b] and [b]Guardian[/b] folders IF they're still there!**

Close regedit.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says [b]"Delete on Reboot"[/b] and checkmark the box [b]"Unregister DLL"[/b] (If available). Click the RED X and it will ask you to confirm the file for deletion…say [b]YES[/b] and when the next box opens prompting you to reboot now...click [b]NO[/b]...and proceed with the next file. Once you get to the last one click [b]YES[/b] and it will reboot.

[b]C:\WINDOWS\SYSTEM32\cd_clint.dll
C:\WINDOWS\SYSTEM32\msg117.dll
C:\WINDOWS\SYSTEM32\msietn.dll
C:\WINDOWS\SYSTEM32\pmkhe.dll[/b]

Once you reboot...run another Panda scan and post its log.

Posted by: smittygray

Thanks again.
Here are the results:

Incident Status Location
Adware:adware/superspider No disinfected Windows Registry
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP109\A0022827.exe
Spyware:Spyware/New.net No disinfected C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP109\A0022828.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP109\A0022840.dll
Adware:Adware/WinTools No disinfected C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP109\A0022841.dll

Posted by: MicroBell

Well done! Give me one more hijackthis log. Any more Winfix popups?

Posted by: smittygray

Nope, no more winfix popups. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:50 PM, on 9/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\DllHost.exe C:\Documents and Settings\Timothy Ray\Desktop\Spyware Stuff\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://education.dellnet.com/[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://education.dellnet.com/[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url] R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://go.microsoft.com/fwlink/?LinkId=488[/url] O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 
- HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [WPC55AG.exe] C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - 
[url]http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe[/url] O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5free/asinst.cab[/url] O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - [url]http://community.webshots.com/html/WSPhotoUploader.CAB[/url] O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe Posted by: MicroBell Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below. [COLOR=Purple][SIZE=3][b][u]Reset hidden/system files and folders[/u][/b][/SIZE][/COLOR] [COLOR=Red][B]Windows XP ===============[/B][/COLOR] [list][*]Click [i][B]Start[/B][/i]. [*]Open [i][B]My Computer[/B][/i]. [*]Select the [i][B]Tools menu[/B][/i] and click [i][B]Folder Options[/B][/i]. [*]Select the [i][B]View[/B][/i] tab. [*][i]Deselect[/i] the [i][B]Show hidden files and folders[/B][/i] option. [*][i]Select[/i] the [i][B]Hide file extensions for known types[/B][/i] option. [*][i]Select[/i] the [i][B]Hide protected operating system files[/B][/i] option. [*]Click [i][B]Yes[/B][/i] to confirm. [*]Click [i][B]OK[/B][/i].[/list] [COLOR=Red][B]Windows 2000 ===============[/B][/COLOR] [list] [*]Open [i][B]My Computer[/B][/i]. 
[*]Select the [i][B]Tools menu[/B][/i] and click [i][B]Folder Options[/B][/i].
[*]Select the [i][B]View[/B][/i] tab.
[*][i]Select[/i] the [i][B]Advanced settings box[/B][/i] option.
[*][i]Select[/i] the [i][B]Hidden files[/B][/i] folder.
[*][i]Deselect[/i] the [i][B]Show all files[/B][/i] option.
[*]Click [i][B]Yes[/B][/i] to confirm.
[*]Click [i][B]OK[/B][/i].
[/list]

[COLOR=Red][B]Windows ME ===============[/B][/COLOR]
[list]
[*]Open [i][B]My Computer[/B][/i].
[*]Select the [i][B]Tools menu[/B][/i] and click [i][B]Folder Options[/B][/i].
[*]Select the [i][B]View[/B][/i] tab.
[*][i]Deselect[/i] the [i][B]Show hidden files and folders[/B][/i] option.
[*][i]Select[/i] the [i][B]Hide protected operating system files[/B][/i] option.
[*]Click [i][B]Yes[/B][/i] to confirm.
[*]Click [i][B]OK[/B][/i].
[/list]

[COLOR=Red][B]Windows 95/98/98SE ===============[/B][/COLOR]
[list]
[*]Open [i][B]My Computer[/B][/i].
[*]Select the [i][B]View[/B][/i] menu.
[*][i]Select[/i] the [i][B]Folder Options[/B][/i] option.
[*][i]Select[/i] the [i][B]View[/B][/i] tab.
[*][i]Select[/i] the [i][B]Advanced settings box[/B][/i] option.
[*][i]Select[/i] the [i][B]Hidden files[/B][/i] folder.
[*][i]Deselect[/i] the [i][B]Show all files[/B][/i] option.
[*]Click [i][B]Apply[/B][/i] to confirm.
[*]Click [i][B]OK[/B][/i].
[/list]

[COLOR=Purple][SIZE=3][B][u]Create a new System Restore point[/u][/b][/SIZE][/COLOR]

[COLOR=Red][B]Windows XP ===============[/B][/COLOR]
[list]
[*]Click Start >> Run, type [I][B]SYSDM.CPL[/B][/I] and press [B]Enter[/B].
[*]Select the [B]System Restore[/B] tab.
[*]Tick the checkbox [b]"Turn off System Restore on all drives"[/b].
[*]Click [B]Apply[/B].
[*]Then [B]untick[/B] the same checkbox and click [B]OK[/B].
[*]This deletes [b]ALL[/b] restore points that had the infection and creates a clean one.
[/list]

[COLOR=Red][B]Windows ME ===============[/B][/COLOR]
[list]
[*]Click the [i][B]Start[/B][/i] button.
[*][i]Select[/i] the [i][B]Settings[/B][/i] option.
[*][i]Select[/i] the [i][B]Control Panel[/B][/i] option.
[*][i]Double-click[/i] the [i][B]System[/B][/i] icon and select the [i][B]Performance[/B][/i] tab.
[*][i]Select[/i] [i][B]File System[/B][/i].
[*][i]Select[/i] the [i][B]Troubleshooting[/B][/i] tab.
[*][i]Check[/i] the [i][B]Disable System Restore[/B][/i] box.
[*]Click [i][B]Apply[/B][/i] to confirm.
[*]Click [i][B]OK[/B][/i].
[/list]

Reboot the PC and [B]repeat[/B] the above procedure. When you get to this option:
[list]
[*][i][B]Uncheck[/B][/i] the [i][B]Disable System Restore[/B][/i] box.
[/list]

For [B]Windows ME[/B] we [B]MUST[/B] create a new restore point now, as [B]Windows ME[/B] will not create one automatically until the computer has been on for 10 hours or 24 hours have passed. To create a new restore point, follow the procedure below.
[list]
[*]Click the [B]Start[/B] button.
[*]Point to [B]Programs[/B], point to [B]Accessories[/B], point to [B]System Tools[/B], and then click [B]System Restore[/B].
[*]Choose [B]Create a restore point[/B], and then click [B]Next[/B].
[*]In the [B]Restore point description[/B] box, type a name for your restore point, and then click [B]Next[/B]. Click [B]OK[/B].
[/list]

[COLOR=Purple][SIZE=3][B][u]Enable Windows Auto Update[/u][/b][/SIZE][/COLOR]
[list]
[*]Go to Start > Run and type [b]wuaucpl.cpl[/b].
[*]Tick the checkbox [B]"Keep my computer up to date"[/B].
[*]Under settings, choose [B]"Automatically download the updates, and install them on the schedule that I specify"[/B].
[*]Click [i]"[B]OK[/B]"[/i].
[/list]

Please visit [URL=http://v4.windowsupdate.microsoft.com/en/default.asp][B][COLOR=DarkOrchid]Microsoft's Windows Update Page[/COLOR][/B][/URL] and install the latest service packs, patches and security updates for your system.
[COLOR=Purple][SIZE=3][B][u]Recommended Protection Programs[/u][/b][/SIZE][/COLOR]

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
[list]
[*][url=http://www.javacoolsoftware.com/spywareblaster.html][B][COLOR=DarkOrchid]SpywareBlaster[/COLOR][/B][/url] to help prevent spyware from installing in the first place.
[*][url=http://www.javacoolsoftware.com/spywareguard.html][B][COLOR=DarkOrchid]SpywareGuard[/COLOR][/B][/url] to catch and block spyware before it can execute.
[*][url=https://netfiles.uiuc.edu/ehowes/www/resource.htm][B][COLOR=DarkOrchid]IESpy-Ad[/COLOR][/B][/url] to block access to malicious websites so you cannot be redirected to them from an infected site or email.
[*][URL=http://www.winpatrol.com/winpatrol.html][B][COLOR=DarkOrchid]WinPatrol[/COLOR][/B][/URL] to monitor any changes that programs make to the registry.
[/list]

If you do not have a firewall, here are 4 free ones available for personal use:
[list]
[*][url=http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za][color=blue][B]ZoneAlarm[/B][/color][/url]
[*][url=http://smb.sygate.com/products/spf_standard.htm][color=blue][B]Sygate Personal Firewall[/B][/color][/url]
[*][url=http://www.kerio.com/us/kpf_download.html][color=blue][B]Kerio Personal Firewall[/B][/color][/url]
[*][url=http://www.agnitum.com/download/outpost1.html][color=blue][B]OutPost Firewall[/B][/color][/url]
[/list]

In today's world you [b]MUST[/b] have an Antivirus program.
If you do not have one, here are 3 [b]FREE[/b] ones available for personal use:
[list]
[*][URL=http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5][B][COLOR=Purple]Grisoft AVG Anti-Virus System[/COLOR][/B][/URL]
[*][URL=http://www.avast.com/eng/avast_4_home.html][B][COLOR=Purple]Alwil Avast 4 Home Edition[/COLOR][/B][/URL]
[*][URL=http://www.bitdefender.com/bd/site/products.php?p_id=24][B][COLOR=Purple]Softwin BitDefender Free Edition Version 7[/COLOR][/B][/URL]
[/list]

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:
[list]
[*][URL=http://forums.net-integration.net/index.php?showtopic=3051][color=blue][b]HOW DID I GET INFECTED IN THE FIRST PLACE?[/b][/color][/URL]
[*][URL=http://www.greyknight17.com/spyware.htm#prevent][color=blue][B]THE ANTI-SPYWARE TUTORIAL[/B][/color][/URL]
[*][url=http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html][color=blue][B]MAKING INTERNET EXPLORER SAFER[/B][/color][/url]
[/list]

Please stay safe out there and take the helpful advice that's been given. The goal here is to prevent the [B]adware/spyware/virus/worms[/B] from getting on the system in the first place.

Posted by: smittygray

Nope, no more issues. Thank you very much for your help through all of this. It is very much appreciated.

Posted by: MicroBell

You're welcome! :O)
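As an added example (not code from the thread or from HijackThis), here is a small Python script that parses HijackThis R/O entries into comparable records and diffs a "before" scan against an "after" scan, which is what the helper does by eye when asking for one more log. The sample logs are constructed: the real lines are copied from the clean log above, the "(no name)" BHO with an all-zero CLSID is a placeholder standing in for a removed entry, and the QuickTime autorun is new in the second scan.

```python
# Added example: parse HijackThis log entries and diff two scans.
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section name target")
LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.+)$")

def parse_line(line):
    """Return an Entry for an R*/O* line, or None for any other line."""
    # Forum archives wrap URLs in [url]...[/url]; strip that before parsing.
    line = line.strip().replace("[url]", "").replace("[/url]", "")
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec.startswith("R"):                      # R0/R1: <registry key> = <value>
        key, _, value = body.partition(" = ")
        return Entry(sec, key, value)
    kind, _, rest = body.partition(": ")
    if sec == "O4" and rest.startswith("["):     # O4 - ...\Run: [Name] command line
        name, _, cmd = rest[1:].partition("] ")
        return Entry(sec, name, cmd)
    if " - " in rest:                            # Name - {CLSID} - path, or {CLSID} (Name) - url
        parts = rest.split(" - ")
        return Entry(sec, parts[0], parts[-1])
    name, sep, target = rest.partition(" = ")    # O4 Global Startup: x.lnk = path
    return Entry(sec, name if sep else kind, target if sep else rest)

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def diff_logs(before, after):
    """Entries that disappeared and entries that are new, in log order."""
    b, a = parse_log(before), parse_log(after)
    return [e for e in b if e not in a], [e for e in a if e not in b]

# Constructed sample logs (see the lead-in for what each line stands for).
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\java\Packages\placeholder.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
"""
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("new:", *added, sep="\n  ")
```

Anything reported under "new" is an autorun, BHO, toolbar or service that appeared between the two scans and deserves the same scrutiny the original infection got.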