Gambling Popups - NetVenda?

Post by Taff36 » October 18th, 2005, 11:32 am

Can't seem to get rid of these. Spybot, Adaware and Avast to no avail. Log of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:20:22, on 18/10/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\FHJMSZWKQD.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\D-LINK\AIRPLUS G\AIRGCFG.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MAILSKINNER\MAILSKINNER.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SCREEN SCAPES TASK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Supplied by TAFF !!
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\MSLAGENT\4B_1,0,1,2_MSLAGENT.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [fhjmszwkqd] c:\windows\system\fhjmszwkqd.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games18.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binaries/D ... E_1048.cab
O18 - Filter: text/html - {C46F8722-14F9-4AC5-A8A3-0C2E05824C77} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.26.DAT
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Post by Woody_J » October 19th, 2005, 12:02 am

Hi Taff,

Welcome to the MalWare Removal forums! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:
  1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!
  2. Understand that cleaning your computer can sometimes take multiple passes/posts,
    and it's important to follow the steps as listed including re-running scans as listed
  3. Please reply to this thread, do not start another.

If you can do those three things, everything should go smoothly :D

I'll be back with you as soon as we've researched all the items.

Woody_J
Woody_J
Regular Member
 
Posts: 234
Joined: August 20th, 2005, 12:41 am
Location: IN, USA

Post by Taff36 » October 19th, 2005, 12:34 am

Thanks Woody_J. There's no great rush with this one. The computer belongs to a retired friend of mine whose wife uses it more than him! I suspect this infestation has come about because of innocence and is more annoying than anything else. I am off to an exhibition today so I probably won't be able to respond until tomorrow - catch you later. Thanks again.
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Post by Woody_J » October 20th, 2005, 1:16 am

Hi Taff,

FIRST, I’d like you to make sure Windows shows your hidden files and folders:
To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. Press the Apply button and then the OK button and close My Computer.
    Now your computer is configured to show all hidden files.

SECOND, Reboot into SAFE MODE
    By pressing the F8 key right when Windows starts, usually right after you hear your computer
    beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
    you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment, memory, etc
    installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.

THIRD, Use Explorer to navigate to and delete the following files (if they are present):
  • c:\windows\system\fhjmszwkqd.exe <-- This file
  • C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.26.DAT <-- This file
  • C:\WINDOWS\MSLAGENT <-- This entire folder
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only.
Uncheck the read-only box, click Apply then OK. Then try to delete again.

Note the name and location of any file you cannot delete.


FOURTH, Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.


FIFTH, Reboot Normally.


SIXTH, Run the following online scan:
    Panda ActiveScan
    Please save the log it generates, I will need you to post it back here.



FINALLY, Please post back with a fresh HJT log, the Panda ActiveScan log, and let me know any problems you may have experienced!


Regards,

Woody_J
Woody_J
Regular Member
 
Posts: 234
Joined: August 20th, 2005, 12:41 am
Location: IN, USA

Post by Taff36 » October 20th, 2005, 6:16 am

Hi Woody_J

Activescan showed a few problems. EGCOMSERVICE being one of them. I noticed that the system is being booted in selective mode and when booted normally it is showing an error message saying that EGCOMSERVICE 1048.dll is missing. I seem to remember putting it into selective startup when an Epson printer link was missing and that was about 6 months ago. Anyway here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:03:27, on 20/10/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\D-LINK\AIRPLUS G\AIRGCFG.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\DFNUKSGXC.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MAILSKINNER\MAILSKINNER.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SCREEN SCAPES TASK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Supplied by TAFF !!
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [dfnuksgxc] c:\windows\system\dfnuksgxc.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab

and ActiveScan:


Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM\MSCLOCK32.DLL
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM\msclock32.dll
Dialer:dialer.b No disinfected C:\WINDOWS\SYSTEM\EGCOMSERVICE2.dll
Dialer:Dialer.Gen No disinfected C:\WINDOWS\SYSTEM\dickcam-uninstall.exe
Dialer:Dialer.Gen No disinfected C:\WINDOWS\Downloaded Program Files\dickcam.exe

Thanks for the help so far. Taff36
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Post by Woody_J » October 22nd, 2005, 2:13 pm

Hi Taff,

This malware appears to ‘morph’ itself, changing names (most likely upon reboot)
so we’re going to try to kill it before it gets a chance.

FIRST, I'd like you to download the following file:
SECOND, Run Killbox.exe

  1. Copy the first item in the following list to the Clipboard:
    (Highlight it, and press CTRL+C)

    C:\PROGRAM FILES\MAILSKINNER\MAILSKINNER.EXE
    C:\WINDOWS\Downloaded Program Files\dickcam.exe
    C:\WINDOWS\SYSTEM\DFNUKSGXC.EXE
    C:\WINDOWS\SYSTEM\dickcam-uninstall.exe
    C:\WINDOWS\SYSTEM\EGCOMSERVICE_1048.dll
    C:\WINDOWS\SYSTEM\EGCOMSERVICE2.dll
    C:\WINDOWS\SYSTEM\MSCLOCK32.DLL

  2. Click Delete a file on reboot.
  3. Click on the window below Full Path of File to Delete and paste the file
    (Either right click and choose Paste, or press CTRL+V)
  4. Click the red circle with a white cross.
  5. The program will ask you to confirm the delete. Answer yes.
  6. The program will ask you if you want to reboot. Answer NO.
  7. Repeat steps 3-6 for all remaining files
  8. When you have pasted the final file, and you are asked if you want to reboot, answer YES

Allow the system reboot into normal mode.


THIRD, End malicious processes: (if they are present)

  1. Press the CTRL+ALT+DEL keys simultaneously to open Task Manager
  2. Find MAILSKINNER.EXE and click on it
  3. Click End Process
  4. Repeat steps 2-3 for DFNUKSGXC.EXE
  5. Close Task Manager


FOURTH, Remove programs from Add/Remove Programs List
    Please go to:
    • Start
    • Settings
    • Control Panel
    • Add/Remove Programs

    Find and remove these programs (if they are present)

    • Mail Skinner
    • Instant Access


FIFTH, Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):
    O4 - HKLM\..\Run: [dfnuksgxc] c:\windows\system\dfnuksgxc.exe
    O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess


    OPTIONAL FIX:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    If you (or a system administrator) did not place this restriction intentionally, it is OK to fix this line
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.



SIXTH, Run Spybot S & D (it is available from here.)
Please make sure you have the latest version!
  1. Download and Install Spybot S&D (if you haven't already), accept the Default Settings
  2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
    Make certain that 'default mode' has a check mark beside it.
  3. Close ALL windows except Spybot S&D
  4. Click the button to ‘Search for Updates’ then download and install the updates.
  5. Next click the button ‘Check for Problems'
  6. When Spybot is complete, it will be showing ‘RED’ entries bold 'BLACK' entries and ‘GREEN’ entries in the window
  7. Make certain there is a check mark beside all of the RED entries ONLY.
  8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
  9. REBOOT normally to complete the scan and clear memory.


SEVENTH, Run Adaware SE
If you are not running the latest version of AdAware, Ad-Aware SE build 1.06, please go here and download first!
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Move deleted files to Recycle Bin"
        • "Include additional object information"
        • "Include negligible objects information"
        • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
        • "Default homepage"
        • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • With ALL OTHER WINDOWS closed, click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

EIGHTH, Run Trendmicro Housecall
Select Scan Now, It's Free!
Follow the prompts, and choose Complete Scan when prompted.
Please tell me of any files it can't clean.


NINTH, Copy the following code (highlight it and press CTRL+C, or Right-Click and choose Copy)

Code:
cd c:\windows\system & dir /s /a > files1.txt & start notepad files1.txt

  1. Open Notepad, and Paste the code above
  2. Press File, select Save As…
    For File name: directory.bat
    For Save as type: All Files
  3. Click Save
  4. Locate directory.bat and double-click it.
  5. Notepad should open, please copy all the text, I’ll need you to post it here.

TENTH, Re-enable the startup items disabled with msconfig
  1. Press Start > Run… and type msconfig
  2. On the General tab, select the radio button next to Normal Startup…
  3. Click Apply then Close
    Windows will ask to reboot, it is not necessary here
This will allow HJT to report & fix items as necessary that otherwise would be hidden.


FINALLY, Please run HJT and post a fresh log, along with the text from the NINTH step, and any info from Spybot & Adaware scans :D

After running HJT and getting a fresh log, you may go back into msconfig
and disable the items which were disabled previously, especially if you will be rebooting.
If there are any items disabled that will require fixing, we'll need to reset again to
Normal Mode before fixing with HJT.

Regards,

Woody_J
Woody_J
Regular Member
 
Posts: 234
Joined: August 20th, 2005, 12:41 am
Location: IN, USA
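To make the "morph" observation above concrete, here is an added Python triage helper (not part of the thread and not HijackThis itself) that parses the O4 autorun lines of a HijackThis v1.99 log, flags random-looking executable names, BHOs whose DLL is missing and rundll32 entries that load a DLL by bare name, and diffs two logs so a renamed autorun (fhjmszwkqd.exe on the 18th, dfnuksgxc.exe on the 20th) stands out. The sample lines are constructed from the logs posted above; the vowel-ratio threshold is an assumption, not a HijackThis rule.

```python
"""Triage helper for HijackThis v1.99 logs of the kind posted in this thread.

Constructed sample lines are copied from the two logs above; the thresholds
in looks_random() are an assumption tuned on the names in those logs.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the first log (18/10/2005).
LOG_OCT18 = r"""
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\MSLAGENT\4B_1,0,1,2_MSLAGENT.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [fhjmszwkqd] c:\windows\system\fhjmszwkqd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
"""

# Constructed sample: the same subset of the second log (20/10/2005).
LOG_OCT20 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [dfnuksgxc] c:\windows\system\dfnuksgxc.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
"""

# Registry-backed O4 lines only; "O4 - Startup: x.lnk = ..." lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted path, or everything up to the first program-like extension at a boundary
# (handles unquoted paths containing spaces, e.g. "...\ANIWZCS2 Service\WZCSLDR2.exe").
PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat))(?=\s|$)', re.IGNORECASE)
VOWELS = set("aeiou")


def executable_of(cmd: str) -> str:
    """Return the program path (or bare name) from an O4 command string."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd else ""


def looks_random(path: str, min_letters: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: a long basename with almost no vowels is likely generated.
    Thresholds are an assumption; short names like QTTASK or WZCSLDR2 pass."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < min_letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def parse_o4(log: str) -> Dict[str, str]:
    """Map 'hive:name' for each registry O4 entry to its executable."""
    out: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out[f"{m.group('hive')}:{m.group('name')}"] = executable_of(m.group("cmd"))
    return out


def flag_suspicious(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs that deserve a human look; not verdicts."""
    flags: List[Tuple[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O2 ") and line.endswith("(file missing)"):
            flags.append(("BHO registered but DLL gone", line))
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        if looks_random(exe):
            flags.append(("random-looking autorun name", line))
        parts = m.group("cmd").split(None, 1)
        # Legitimate entries (e.g. LoadPowerProfile) also match, so this is a prompt
        # to check which DLL is actually being loaded, not a detection by itself.
        if parts[0].lower() in ("rundll32.exe", "rundll32") and len(parts) > 1 \
                and "\\" not in parts[1].split(",")[0]:
            flags.append(("rundll32 loads DLL with no path", line))
    return flags


def diff_autoruns(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(removed, added) O4 entries between two logs; a rename shows as one of each."""
    a, b = parse_o4(old), parse_o4(new)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    for label, log in (("18/10", LOG_OCT18), ("20/10", LOG_OCT20)):
        for reason, line in flag_suspicious(log):
            print(f"[{label}] {reason}: {line}")
    removed, added = diff_autoruns(LOG_OCT18, LOG_OCT20)
    print("removed:", removed)
    print("added:  ", added)
```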

Post by Taff36 » October 23rd, 2005, 2:33 am

Woody_J,

Thanks for all that. Very easy to follow which is brilliant. I am away for the weekend but will tackle the problem on Monday and post back the results.

I may have given you the wrong message on start up about eggcom - I noticed it was slightly different to my post and I will check it on next boot up. I think it is error 1438 eggcommservice.dll is missing. Of course I now realise that by switching to normal boot up in msconfig I released it again! So it probably wasn't in my first log. Anyway I've got the drift so I'll look for the file in the latter stages.

I've got all the latest in Adaware and Spybot anyway on that machine and killbox is burnt to disk ready for action. I didn't realise that Adaware personal had so many configurable settings so that's going to be interesting for the future. I haven't allowed that machine to connect to the internet since my last post in an effort to keep it isolated from any further attacks.

I notice we're going to TrendMicro for the scan this time - any particular reason we're using this rather than Panda this time?

Regards

Taff36
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Post by Woody_J » October 23rd, 2005, 3:12 am

Hi Taff,

No single virus/trojan/malware application catches everything.
It's always helpful to have a second opinion. If you would like,
and have the time, there is no harm in performing both scans
to see what they uncover.
For what it's worth, another excellent online scanner is:
http://www.kaspersky.com/virusscanner
Feel free to run all of them if you have the time!

Regards,

Woody_J
Woody_J
Regular Member
 
Posts: 234
Joined: August 20th, 2005, 12:41 am
Location: IN, USA

Post by Taff36 » October 23rd, 2005, 4:03 am

Thanks. I'll see what time I have available. I am busy on a project at the moment but no reason why I can't just set each scan going and return later so I may try at least a couple.
Taff36
Regular Member
 
Posts: 45
Joined: April 21st, 2005, 5:31 pm
Location: Midlands - UK

Post by Taff36 » October 24th, 2005, 11:25 am

Woody_J,

At second stage EGCOMSERVICE_1048.dll wasn't there but I expected that. Neither was dickcam.exe and a search of the drive didn't find it either.

Just a note for you at second stage step 6 Killbox doesn't ask if you want to reboot, it confirms the file deletion on reboot and presents an OK button. No problem.

Third stage - Neither malicious processes were active.

Fourth Stage - Mailwasher was removed from add/remove but Instant Access wasn't there.

Fifth stage - HijackThis - All three were fixed including the last one (Instant access / Egcomservice_1048) (?)

Sixth stage - S&D - It found and deleted CONNECT MFC APPLICATION & MAGIC CONTROL.AGENT

Seventh stage - Adaware - found ADW SLAGENT.A & the dialer DIAL 185.A both removed.

Eighth stage - Trend Microcall - found 2 things and deleted them. I then went to Kaspersky and it found:

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\Mservice.dll Infected: Trojan-Downloader.Win32.Wintrim.cu

Ninth stage went horribly wrong. The bat file produced an error:

Too many parameters - &

The notepad didn't open but I found it to be blank anyway. Don't know why that didn't work.

Log of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:15:10, on 24/10/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\D-LINK\AIRPLUS G\AIRGCFG.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SCREEN SCAPES TASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Supplied by TAFF !!
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Screen Scapes Task.lnk = C:\WINDOWS\Screen Scapes Task.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... n_ansi.cab

I've had a good look at the HijackThis log and I can't see anything suspicious - so I stand to be corrected. :)

Regards

Taff36
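The routine part of reading a HijackThis log (checking autorun targets and ActiveX download sources) can be scripted. The Python below is an added example, not code from the thread or from HijackThis: it parses O4 autorun and O16 DPF lines and flags a file name known from this thread, vowel-free file names, and downloads from hosts outside the online scanners used here. The sample log lines are constructed; only the Mservice.dll name and the scanner hosts are taken from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style lines (not the thread's log); only Mservice.dll is a name from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\Run: [svc] C:\WINDOWS\SYSTEM\XQZKWPDJT.EXE
O4 - HKLM\..\RunServices: [Mservice] rundll32.exe C:\WINDOWS\SYSTEM\Mservice.dll,Start
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Casino Loader) - http://cab.example.invalid/loader.cab
""".strip()

# Line shapes as printed by HijackThis v1.99: O4 = registry/startup autorun, O16 = ActiveX download (DPF).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# A quoted path, or an unquoted one ending in a binary extension (embedded spaces allowed).
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|ocx))(?=\s|,|$)', re.I)

KNOWN_BAD_NAMES = {"MSERVICE.DLL"}  # the file Kaspersky reported in the thread
TRUSTED_DPF_HOSTS = ("pandasoftware.com", "trendmicro.com", "kaspersky.com")  # scanner sites used in the thread

def file_names(cmd):
    """Yield the upper-cased basename of every EXE/DLL/OCX path in a Run command line."""
    for quoted, bare in PATH_RE.findall(cmd):
        yield (quoted or bare).rsplit("\\", 1)[-1].upper()

def looks_random(filename):
    """Heuristic for machine-generated names: eight or more letters and not one vowel."""
    letters = [c for c in filename.rsplit(".", 1)[0].upper() if c.isalpha()]
    return len(letters) >= 8 and not any(c in "AEIOU" for c in letters)

def triage(log_text):
    """Return [(line_no, reason)] for entries that deserve a manual look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = O4_RE.match(line)
        if m:
            for base in file_names(m.group("cmd")):
                if base in KNOWN_BAD_NAMES:
                    findings.append((n, f"known bad file {base}"))
                elif looks_random(base):
                    findings.append((n, f"random-looking name {base}"))
            continue
        m = O16_RE.match(line)
        host = urlparse(m.group("url")).hostname if m else None
        if host and not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            findings.append((n, f"ActiveX download from untrusted host {host}"))
    return findings
```

The vowel heuristic is only a prompt for a closer look: digit-heavy names such as KB891711.EXE pass it, and a flagged entry still needs the path and publisher checked by hand.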

Post by Woody_J » October 24th, 2005, 4:45 pm

Hi Taff,

While Kaspersky found the following file, it doesn't mention whether it cleaned
it or not, so let's make sure.

First, I would like you to make sure windows shows your hidden files and folders:
Click here if you need help doing this.

Using Windows Explorer, navigate to and delete the following:

c:\WINDOWS\SYSTEM\Mservice.dll <-- this file

If you have a problem deleting this file, right click the file and check Properties to see if it's read-only.
Uncheck the read-only box, click Apply then OK. Then try to delete again.


If it still won't delete, click Start then Run... and type command and press OK
In the DOS shell which opens, type regsvr32 /u Mservice.dll
and hit Enter

Then attempt to delete the file again.

Please download CleanUP!
Run it, according to the instructions on that page, to allow it to clean all your temporary files.

Next, please re-hide system and hidden files and folders.

Let me know how it goes!

Regards,

Woody_J

Post by Taff36 » October 25th, 2005, 11:42 am

Woody_J,

Looking Good. :D

Kaspersky didn't delete the file but it went without a whimper.

I had already run CCleaner so CleanUp only found 56 files.

Avast! Anti Virus reported that PSKAVS.dll was an infection, but then I noticed it was in the C:\Windows\System\ActiveScan folder - is this normal or just "Bitter Rivalry"? I sent it to the Avast! chest anyway because it'll worry the owners when I return the computer and they run a scan.

I also deleted two other files I found searching the HDD - EGDACCESS_1058 and _1059, both .dlls I think.

Turned System Restore back on too.

Otherwise no problems. I think it's safe to return to the owners - what do you think?

Regards

Taff36

Post by Woody_J » October 25th, 2005, 12:18 pm

Hi Taff!

It sounds like all is well now, and your log appears clean! :D

So, head over to Windows Update
and apply all critical updates, which will help keep the system secure against future infections!

You (or the owners) may wish to read Tony Klein's excellent article: How I got Infected in the First Place

A few more tools to help keep you safe:
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help!

Woody_J

Post by Taff36 » October 26th, 2005, 2:04 am

Woody_J,

Many thanks. I've picked up quite a few more tips with this thread, particularly your last post. I'm going to enrol with the University soon and hopefully have the time to learn some more. Keep up the good work!

Regards

Taff36

Post by NonSuch » October 30th, 2005, 8:22 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.