Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Command service Malware and Slow Computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Command service Malware and Slow Computer

Unread postby crazybrker » August 31st, 2006, 9:41 am

In normal mode the computer CPU is always runnng at 100% very very slow, and popups make it worse, its hard enough to make hjt logs. Please help. I hit it with norton ( which sucks) clean system huh? adaware and spybot s&d and Ewido. S&D returned with Command service and it couldnt be removed even in safe mode. Heres the log in normal mode. Thanks in advance....

Logfile of HijackThis v1.99.1
Scan saved at 5:51:10 AM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\orruho.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fbiyg.exe
C:\WINDOWS\system32\fbiyg.exe
C:\WINDOWS\system32\fbiyg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fbiyg.exe
F2 - REG:system.ini: UserInit=userinit.exe,qwpdrtp.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469F-83B8-BD2AE6D9FA2E} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-83B8-BD2AE6D9FA2E} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [\\KAYLEE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\KAYLEE\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on loren] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P37 "Auto EPSON Stylus C86 Series on loren" /O20 "\\LOREN\EPSONStylusC" /M "Stylus C86"
O4 - HKLM\..\Run: [ojvmgm] C:\WINDOWS\system32\orruho.exe reg_run
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [kgdni] C:\WINDOWS\system32\orruho.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: haevn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8657749394
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/act ... Upload.ocx
O20 - Winlogon Notify: Run- - C:\WINDOWS\system32\gp48l3hu1.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am
Advertisement
Register to Remove

Unread postby bamajim » August 31st, 2006, 10:48 am

crazybrker

Welcome to MRU

I am currently looking at your log and will have a reply soon

thanks bamajim
User avatar
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby crazybrker » August 31st, 2006, 4:39 pm

Thanks for the help looking forward to it
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby bamajim » August 31st, 2006, 10:22 pm

Crazybrker

First We need to disable Ewido background guard so it doesn't interfere with our fix
to do this
    Open Ewido
    Under "Your computers Security"
    Click change status on Resident shield to inactive
    Close Ewido
Next
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Next Re run Hijackthis and post a fresh Hijckthis log

your reply should include
    your Combofix log
    a fresh Hijackthis log

thanks bamajim
User avatar
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby crazybrker » September 1st, 2006, 2:18 am

compstill slow, there are still 51 processes, but i havent had a popup yet. so we re improving; here is combo fix log

User - 06-08-31 22:37:41.50
ComboFix 06.08.30BT - Running from: C:\

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{31E0A4B0-C33D-48AA-A0A8-62BAF4BA898F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E0A4B0-C33D-48AA-A0A8-62BAF4BA898F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E0A4B0-C33D-48AA-A0A8-62BAF4BA898F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{31E0A4B0-C33D-48AA-A0A8-62BAF4BA898F}\InprocServer32]
@="C:\\WINDOWS\\system32\\iuetmib1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E18E0473-9079-4D37-9126-454A01A58A3C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E18E0473-9079-4D37-9126-454A01A58A3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E18E0473-9079-4D37-9126-454A01A58A3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E18E0473-9079-4D37-9126-454A01A58A3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\uwat.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3747B12D-3CF3-4704-B191-0536B8CE56AC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3747B12D-3CF3-4704-B191-0536B8CE56AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3747B12D-3CF3-4704-B191-0536B8CE56AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3747B12D-3CF3-4704-B191-0536B8CE56AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0C2A5340-4A04-44AE-B270-BEC2E781B212}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C2A5340-4A04-44AE-B270-BEC2E781B212}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C2A5340-4A04-44AE-B270-BEC2E781B212}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0C2A5340-4A04-44AE-B270-BEC2E781B212}\InprocServer32]
@="C:\\WINDOWS\\system32\\marepl40.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\system32\orruho.exe
O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\system32\orruho.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\fbiyg.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\qwpdrtp.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-31 13:32 236261 -r--s---- C:\WINDOWS\system32\phbase.dll
2006-08-31 05:56 235204 -r--s---- C:\WINDOWS\system32\nbcfg.dll
2006-08-31 05:36 51712 --a------ C:\WINDOWS\system32\uyruxwb.dll
2006-08-31 05:36 127488 --a------ C:\WINDOWS\system32\upgxs.dat
2006-08-29 02:54 28672 --a------ C:\WINDOWS\system32\ra8pv.exe
2006-08-29 02:51 53 --a------ C:\WINDOWS\vwvwvv.dat
2006-08-29 02:51 28672 --a------ C:\WINDOWS\system32\fbiyg.exe
2006-08-29 02:51 127488 --a------ C:\WINDOWS\system32\orruho.exe
2006-08-29 02:51 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\haevn.exe
2006-08-21 08:36 78848 --a------ C:\WINDOWS\system32\nsj221.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


2006-08-29 02:51 127488 C:\WINDOWS\system32\orruho.exe
2006-08-31 05:36 51712 C:\WINDOWS\system32\uyruxwb.dll
2006-08-29 02:51 23552 C:\WINDOWS\system32\qwpdrtp.exe
2006-08-29 02:51 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\haevn.exe
2006-08-31 13:50 481 C:\WINDOWS\nnxcx.dll
2006-08-31 05:36 127488 C:\WINDOWS\system32\upgxs.dat
2006-08-29 02:51 28672 C:\WINDOWS\system32\fbiyg.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-29 02:51 53 vwvwvv.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\User\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys


((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


2006-08-31 22:35 298,542 --a------ C:\combofix.exe
2006-08-31 22:19 235,752 -r--s---- C:\WINDOWS\system32\kt22l7fo1.dll
2006-08-31 22:19 234,525 -r--s---- C:\WINDOWS\system32\marepl40.dll
2006-08-31 22:12 234,525 -r--s---- C:\WINDOWS\system32\dn2601fse.dll
2006-08-31 13:32 236,261 -r--s---- C:\WINDOWS\system32\phbase.dll
2006-08-31 05:56 235,204 -r--s---- C:\WINDOWS\system32\nbcfg.dll
2006-08-31 05:36 51,712 --------- C:\WINDOWS\system32\uyruxwb.dll
2006-08-30 23:31 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-29 02:56 28,672 --a------ C:\WINDOWS\system32ra8pv.exe
2006-08-29 02:54 28,672 --a------ C:\WINDOWS\system32\ra8pv.exe
2006-08-29 02:52 186,223 --a------ C:\WINDOWS\srvuleexmw.exe
2006-08-29 02:51 481 --a------ C:\WINDOWS\nnxcx.dll
2006-08-29 02:51 28,672 --------- C:\WINDOWS\system32\fbiyg.exe
2006-08-29 02:51 23,552 --a------ C:\WINDOWS\system32\qwpdrtp.exe
2006-08-29 02:51 127,488 --------- C:\WINDOWS\system32\orruho.exe
2006-08-29 02:50 215,308 --a------ C:\WINDOWS\srvthaitgd.exe
2006-08-29 01:48 61,952 --a------ C:\WINDOWS\system32\ztvb3ef2.dll
2006-08-29 01:48 215,308 --a------ C:\WINDOWS\Setup90.exe
2006-08-29 01:48 1,233 --a------ C:\WINDOWS\system32\ztvb3ef2.sys
2006-08-21 08:36 78,848 --a------ C:\WINDOWS\system32\nsj221.dll
2006-08-07 16:02 534,208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 161,472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-03 00:05 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2006-08-03 00:05 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2006-08-03 00:05 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2006-08-03 00:05 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-08-03 00:05 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2006-08-03 00:05 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2006-08-02 03:37 229,450 --a------ C:\WINDOWS\system32\ocpTools.dll
2006-07-31 09:25 24,576 --a------ C:\WINDOWS\system32\ewxcksr.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 05:16 -------- d-------- C:\Program Files\ewido anti-malware
2006-08-31 04:10 -------- d-------- C:\Documents and Settings\User\Application Data\Azureus
2006-08-31 00:40 -------- d-------- C:\Program Files\Norton AntiVirus
2006-08-31 00:40 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-31 00:00 -------- d-------- C:\Program Files\Symantec
2006-08-30 23:59 -------- d-------- C:\Program Files\Common Files
2006-08-30 23:38 -------- d-------- C:\Documents and Settings\User\Application Data\Symantec
2006-08-30 23:31 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-08-30 05:17 -------- d-------- C:\Program Files\msn gaming zone
2006-08-30 05:13 -------- d-------- C:\Program Files\MSN
2006-08-30 05:13 -------- d-------- C:\Program Files\Common Files\ooim
2006-08-30 01:31 -------- d-------- C:\Program Files\Azureus
2006-08-30 01:26 -------- d-------- C:\Program Files\PowerISO
2006-08-29 04:20 -------- d-------- C:\Program Files\Yahoo!
2006-08-29 04:17 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-29 04:06 -------- d-------- C:\Program Files\Matroska Pack
2006-08-29 04:03 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-29 03:14 -------- d-------- C:\Program Files\Online Services
2006-08-29 02:34 -------- d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2006-08-29 02:33 -------- d-------- C:\Program Files\Lavasoft
2006-08-25 18:10 -------- d-------- C:\Program Files\LimeWire
2006-08-24 05:59 -------- d-------- C:\Documents and Settings\User\Application Data\Skype
2006-08-22 20:31 -------- d-------- C:\Documents and Settings\User\Application Data\LimeWire
2006-08-16 05:06 -------- d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2006-08-16 04:19 -------- d-------- C:\Program Files\Kazaa Lite K++
2006-08-16 04:19 -------- d-------- C:\Documents and Settings\User\Application Data\Kazaa Lite
2006-08-14 23:54 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-03 00:05 -------- d-------- C:\Program Files\Common Files\Ahead
2006-08-03 00:05 -------- d-------- C:\Program Files\Ahead
2006-08-02 03:37 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-02 03:37 -------- d-------- C:\Program Files\OCP Software
2006-08-02 03:37 -------- d-------- C:\Program Files\Common Files\OCP Software
2006-08-01 19:39 -------- d-------- C:\Program Files\SmartArchiver
2006-07-29 04:11 30601 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-11 01:18 -------- d-------- C:\Documents and Settings\User\Application Data\Sprite Software
2006-07-11 01:18 -------- d-------- C:\Documents and Settings\User\Application Data\Sprite Setup Wizard
2006-07-11 01:18 -------- d-------- C:\Documents and Settings\User\Application Data\Sprite PC Agent
2006-07-07 21:51 -------- d---s---- C:\Documents and Settings\User\Application Data\Microsoft
2006-06-22 01:35 3082 --a------ C:\WINDOWS\system32\affv11300p4now.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"\\\\KAYLEE\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P39 \"\\\\KAYLEE\\EPSON Stylus Photo R300 Series\" /O6 \"USB003\" /M \"Stylus Photo R300\""
"Auto EPSON Stylus C86 Series on loren"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE /P37 \"Auto EPSON Stylus C86 Series on loren\" /O20 \"\\\\LOREN\\EPSONStylusC\" /M \"Stylus C86\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"CHotkey"="mHotkey.exe"
"ojvmgm"="C:\\WINDOWS\\system32\\orruho.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kgdni"="C:\\WINDOWS\\system32\\orruho.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1139386937\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ms041133971818"="C:\\WINDOWS\\ms041133971818.exe"
"RTHDCPL"="RTHDCPL.EXE"
"SMSERIAL"="sm56hlpr.exe"
"win32073971818113"="C:\\WINDOWS\\win32073971818113.exe"
"win32089718181133"="C:\\WINDOWS\\win32089718181133.exe"
"ztvb3ef2"="RUNDLL32.EXE w18dcfa0.dll,n 003b3eef0000000218dcfa0"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NAV CfgWiz"="\"C:\\Program Files\\Norton AntiVirus\\CfgWiz.exe\" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE \"REBOOT\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Alcmtr"="ALCMTR.EXE"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Thu 08/31/2006 22:44:23.25
ComboFix.txt


hjt log

Logfile of HijackThis v1.99.1
Scan saved at 11:07:04 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\orruho.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fbiyg.exe
C:\WINDOWS\system32\fbiyg.exe
C:\WINDOWS\system32\fbiyg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fbiyg.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,qwpdrtp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [\\KAYLEE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\KAYLEE\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on loren] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P37 "Auto EPSON Stylus C86 Series on loren" /O20 "\\LOREN\EPSONStylusC" /M "Stylus C86"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ojvmgm] C:\WINDOWS\system32\orruho.exe reg_run
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kgdni] C:\WINDOWS\system32\orruho.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: haevn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8657749394
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/act ... Upload.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

its wierd, most of my rescorces 60%+ are gojng to system, and like 15% to IE and the rest are scattered with all the other processes.
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby crazybrker » September 1st, 2006, 5:53 am

Ok i think i got it all. Spybot and adaware couldnt delete C:\WINDOWS\system32\fbiyg.exe
so i found it manualy and it wouldnt let me delete it, so i changed the name to delete.txt and then it let me delete. This has worked on other problems ive had in the past, where the file is in use and you cant delete it, but you can rename it. So i change it to a simple txt file and delete then or after reboot.

After a run of adaware and S&D my computer is coming up clean thanks for the help. I still see some unknown processes, please take a look and see if its anything

Logfile of HijackThis v1.99.1
Scan saved at 2:52:59 AM, on 9/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,qwpdrtp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [\\KAYLEE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\KAYLEE\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on loren] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P37 "Auto EPSON Stylus C86 Series on loren" /O20 "\\LOREN\EPSONStylusC" /M "Stylus C86"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ojvmgm] C:\WINDOWS\system32\orruho.exe reg_run
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kgdni] C:\WINDOWS\system32\orruho.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: haevn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8657749394
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/act ... Upload.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby bamajim » September 1st, 2006, 5:33 pm

crazybrker
Ok i think i got it all.

I appreciate your effort, but we still have a ways to go, please be patient :)

Please print out these instructions for reference

First We need to make sure we can see hidden files and folders
    Click Start.
    Click My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Uncheck the Hide file extensions for known file types.
    Click OK.
Next Open Notepad (Not Wordpad)
    Copy and paste the following into Notepad, making sure there is no space between the top of the open window and the first line.

Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ojvmgm"=-
"kgdni"=-


    Once it is copied and pasted your cursor will be a the end of the last line
    Hit Enter so your cursor is under the last line
    Click File->>Save as->>type in Fix.reg
    Under "Save as type"->>Select "All files" ->>Save it to your Desktop
    Close Notepad
    The Fix.reg file should now appear on your Desktop
    Rt Click that file ->>Select Merge.
    (It will appear that nothing has happened, but thats o.k.)

Next Rerun Hijackthis (scan only) and place checks beside the following entries
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,qwpdrtp.exe
    O4 - HKLM\..\Run: [ojvmgm] C:\WINDOWS\system32\orruho.exe reg_run
    O4 - HKCU\..\Run: [kgdni] C:\WINDOWS\system32\orruho.exe reg_run
    O4 - Global Startup: haevn.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
Close all other open windows except Hijackthis and Select "Fix checked"

If prompted to Reboot, Select No and close Hijackthis

Next Using Windows Search (Click Start->>Search) Making sure your search includes "Looking in Hidden Files and Folders"
Locate and delete the following Folder
    C:\Program Files\Common Files\ooim
Locate and delete the following Files
    C:\WINDOWS\system32\kt22l7fo1.dll
    C:\WINDOWS\system32\marepl40.dll
    C:\WINDOWS\system32\dn2601fse.dll
    C:\WINDOWS\system32\phbase.dll
    C:\WINDOWS\system32\nbcfg.dll
    C:\WINDOWS\system32\uyruxwb.dll
    C:\WINDOWS\system32ra8pv.exe
    C:\WINDOWS\system32\ra8pv.exe
    C:\WINDOWS\srvuleexmw.exe
    C:\WINDOWS\nnxcx.dll
    C:\WINDOWS\system32\qwpdrtp.exe
    C:\WINDOWS\system32\orruho.exe
    C:\WINDOWS\srvthaitgd.exe
    C:\WINDOWS\system32\ztvb3ef2.dll
    C:\WINDOWS\Setup90.exe
    C:\WINDOWS\system32\ztvb3ef2.sys
    C:\WINDOWS\system32\nsj221.dll
    C:\WINDOWS\system32\ocpTools.dll
    C:\WINDOWS\system32\ewxcksr.exe
    haevn.exe

Close Windows Search

Reboot your PC->>Re run Hijackthis->> and post a fresh Hijackthis log

thanks bamajim
User avatar
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby crazybrker » September 1st, 2006, 7:32 pm

wow I guess I still have a lot left to do, thanks. I will give it a shot when I get off work. I was reading about other peoples systems and I was wondering how bad is mine? I haven't accessed any bank acounts or any sensitive info since my computer was infected. I disconnected it from the net and only plug it in to download and post on here. Is there anything I should be worried about??? ill send the hjt log when I get home
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby crazybrker » September 2nd, 2006, 3:11 am

see above post, give this one a try

Logfile of HijackThis v1.99.1
Scan saved at 12:08:34 AM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [\\KAYLEE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\KAYLEE\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on loren] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P37 "Auto EPSON Stylus C86 Series on loren" /O20 "\\LOREN\EPSONStylusC" /M "Stylus C86"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8657749394
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/act ... Upload.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby bamajim » September 3rd, 2006, 12:01 pm

crazybrker

I was reading about other peoples systems and I was wondering how bad is mine? I haven't accessed any bank acounts or any sensitive info since my computer was infected. I disconnected it from the net and only plug it in to download and post on here. Is there anything I should be worried about???


Not to worry, if I thought there was a risk of information theft I would have warned you in my first or second reply. The major things we look for are certain backdoor trojans, keyloogers and such. Your system showed no signs of them. I would ask that you stick with this thread until the end. Many posters make the mistake of having their systems cleaned or partially cleaned and then leave before they learn how to protect themselves from future attacks, and they wind up infected again. Please don't make that mistake.

Well done, did you have any problems removing what was instructed?
And how is your PC running now?

If were no problems, then lets continue, if there were then please indicate those problems in your next reply.

First Update Your Java

  • Download the latest version of  Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windows-i586-p to install the newest version.
Next Run an online virus scan called Kaspersky from HERE.
    1. Click on "Kaspersky Online Scanner"
    2. A new smaller window will pop up. Press on "Accept". After reading the contents.
    3. Now Kaspersky will update the anti-virus database. Let it run.
    4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
    5. Then click on "My Computer". And the scan will start.
    6. Once finished, save a log as ".txt" to the desktop.

Copy and post the results of the Kaspersky Online scan

Finally
Re run Hijackthis and post a fresh Hijackthis log

your reply should include
    your Kaspersky online results
    a fresh Hijackthis log
    an update on how your pc is running

thanks bamajim
User avatar
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby crazybrker » September 5th, 2006, 4:17 am

looks like i have more

KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 05, 2006 1:10:30 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/09/2006
Kaspersky Anti-Virus database records: 207963


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 68751
Number of viruses found 30
Number of infected objects 80 / 0
Number of suspicious objects 0
Duration of the scan process 01:20:54

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\hsperfdata_User\2720 Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\TempFolder.aaa\Macromedia.lok Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton AntiVirus\Savrt\0258NAV~.TMP Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023342.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023370.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023371.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023373.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023377.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023378.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023389.exe Infected: Trojan-Dropper.Win32.Mudrop.bq skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023390.exe Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023391.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023393.exe Infected: Trojan-Downloader.Win32.VB.agk skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023394.exe Infected: Trojan-Downloader.Win32.VB.alt skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023395.exe Infected: Trojan-Downloader.Win32.VB.alt skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023396.exe Infected: Trojan-Downloader.Win32.VB.alt skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023397.exe Infected: Trojan-Downloader.Win32.Agent.ala skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023406.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023407.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023638.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023681.exe Infected: Trojan-Downloader.Win32.VB.als skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023682.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023683.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023684.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023685.exe Infected: Trojan-Downloader.Win32.VB.abt skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023696.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP105\A0023697.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP106\A0023709.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP106\A0023724.exe Infected: Trojan-Downloader.Win32.Agent.aqx skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025602.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025603.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025608.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025609.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025610.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025611.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025619.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025620.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025621.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025622.exe Infected: Trojan-Downloader.Win32.VB.alu skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025623.exe Infected: Trojan-Clicker.Win32.VB.ij skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025626.exe Infected: Trojan-Downloader.Win32.VB.nw skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025627.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025629.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025630.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025631.exe Infected: Backdoor.Win32.EggDrop.v skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025632.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025634.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0025636.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0027663.exe Infected: Trojan-Downloader.Win32.Adload.ez skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP109\A0027664.exe Infected: Trojan-Downloader.Win32.Adload.ez skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029950.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029951.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029954.exe/data0004 Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029954.exe AWinstall: infected - 1 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029954.exe CryptFF: infected - 1 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe WiseSFX: infected - 4 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029955.exe CryptFF: infected - 4 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029956.exe Infected: Trojan-Downloader.Win32.VB.alt skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029958.exe Infected: Trojan-Downloader.Win32.Agent.aqx skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0029961.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032542.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032543.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032544.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032545.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032546.exe Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032548.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032734.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032741.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP110\A0032743.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP111\A0032764.exe Infected: Backdoor.Win32.Hupigon.cj skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033795.exe Infected: Trojan.Win32.Runner.j skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033799.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033799.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033799.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033799.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033800.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033800.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033800.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP114\A0033800.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{87A38655-ECE1-4644-B2E8-D7AAB40F69B3}\RP116\change.log Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Bookmarks.BLB Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Bookmarks.DAT Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Bookmarks.IDX Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Progress.DAT Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Progress.IDX Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Settings.DAT Object is locked skipped

C:\TESTOUT\STUDENTS\00000001\Settings.IDX Object is locked skipped

C:\Torrents\Cal Pozo's Swing (Learn to dance in minutes)\VTS_01_1.VOB Object is locked skipped

C:\Torrents\Cal Pozo's Swing (Learn to dance in minutes)\VTS_01_2.VOB Object is locked skipped

C:\Torrents\Cal Pozo's Swing (Learn to dance in minutes)\VTS_01_3.VOB Object is locked skipped

C:\Torrents\Exercise - Yoga - 40 minutes workout - Yoga zone.mpg Object is locked skipped

C:\Torrents\hypnosis super pack (self-hypnosis MP3s)\hypnosis super pack (self-hypnosis MP3s).daa Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Bob Griswold - Super Strength Self-Esteem - Guided Meditation.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Christopher Wayne Morrison - Procrastination to Motivation - Hypnosis.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Hypnosis - Stress & Anxiety Relief.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Hypnosis Potentials Unlimited Develop Psychic Potential Session1.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Hypnotic Induction for Deep Sleep.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Kelly Howell - Guided Meditation - Center and Ground.mp3 Object is locked skipped

C:\Torrents\Hypnotic Inductions and Meditations\Randy Thomas - hypnosis - Learn to Love Exercise.mp3 Object is locked skipped

C:\Torrents\Learn to Belly Dance\2 By Solid Veena & Veena-Belly Dance-Beyond-Basic.mpg Object is locked skipped

C:\Torrents\Learn to Belly Dance\3 By solid Bauchtan 6-Belly Fitness For Weight-Hip Drop Bellydance.mpg Object is locked skipped

C:\Torrents\Learn to Belly Dance\Bauchtanz 5 - Belly Fitness for Weight - cardio shimmy - Bellydance lauter.avi Object is locked skipped

C:\Torrents\Learn to Belly Dance\Belly Dance - Video Dance Lessons - Veena Neena - Bellydance Fitness For Beginners - Arms & Abs.avi Object is locked skipped

C:\Torrents\Learn to Belly Dance\Veena & Neena - Belly Dance - Fitness For Beginners - Basic Moves & Fat Burning.mpg Object is locked skipped

C:\Torrents\Learn to Belly Dance\Veena & Neena - Belly Dance - Fitness For Weight Loss - Bellydance Boogie.avi Object is locked skipped

C:\Torrents\Panda.Titanium.Antivirus.Plus.Antispyware.2006.Multilanguage.[WwW.LiMiTeDiVx.CoM]\Panda.Titanium.Antivirus.Plus.Antispyware.2006.Multilanguage.[WwW.LiMiTeDiVx.CoM].bin Object is locked skipped

C:\Torrents\Remote Viewing\RV1of4.avi Object is locked skipped

C:\Torrents\Remote Viewing\RV2of4.avi Object is locked skipped

C:\Torrents\Remote Viewing\RV3of4.avi Object is locked skipped

C:\Torrents\Remote Viewing\RV4of4.avi Object is locked skipped

C:\Torrents\Symantec Antivirus Corporate Edition v.10.0.1.1000\Symantec Antivirus Corporate Edition v.10.0.1.1000.exe Object is locked skipped

C:\Torrents\The.Descent[2005]DvDrip.AC3[Eng]-aXXo.avi Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{AA8EDDE9-9D62-4A52-8058-CEAAAEB3CCD3}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\delete.txt Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\orruho.exe Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\ztvb3ef2.dll Object is locked skipped

C:\WINDOWS\system32\__delete_on_reboot__uyruxwb.dll_tobedeleted Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



---------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:17:00 AM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\TESTOUT\cmi\sastudent.exe
C:\TESTOUT\Cmi\Navigator.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [\\KAYLEE\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\KAYLEE\EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on loren] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P37 "Auto EPSON Stylus C86 Series on loren" /O20 "\\LOREN\EPSONStylusC" /M "Stylus C86"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8657749394
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/act ... Upload.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby bamajim » September 5th, 2006, 4:38 pm

crazybrker

The infections found by Kaspersky are in System Restore files, which will be taken care of in the following instructions

Your Log is Clean from malware :)
I appreciate your patience in working through this.

Now that your log is clean

There are some final notes:
Disable and Enable System Restore
    Lets create a clean System Restore point
    the instructions are here
Make your Internet Explorer more secure
This can be done by following these simple instructions:
    Open Internet Explorer click Tools->> Options.
    Click Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click Custom Level.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialise and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click OK.
    If it prompts you to save the settings, press Yes.
    Next press Apply and then OK to exit the Internet Properties page

Update your Anti Virus Software
    And clean out your Quarantine folders

Use and maintain a Firewall such as ZoneAlarm
    The Windows Firewall is good at blocking incoming threats, but not outgoing threats such as "Backdoor Trojans"
    Some others are
    Sygate
    And
    Sunbelt personal
    All of which are free


Visit Microsoft's Windows UpdateSite Frequently for critical updates

Backup your Documents and Files and a regular basis
To a disc or a USB key, not your Hardrive

You may want to read this article"So how did I get infected in the first place" by Tony Klein

surf safe

Thanks bamajim
User avatar
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am

Unread postby crazybrker » September 6th, 2006, 2:38 am

thanks much, did the restore part, and got panda titanium antivirus + antispyware 2006, i like it so far, anytime something new trys to conect to the net on my computer it asks me first it comes with a firewall too, great program, thanks for all your help
crazybrker
Active Member
 
Posts: 9
Joined: August 31st, 2006, 7:49 am

Unread postby NonSuch » September 6th, 2006, 2:01 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 385 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware