
Problematic Popups Help! [RESOLVED]


This topic is locked.

#1
Erikkson
New Member, 8 posts
Hi guys, I have read the thread for newbies.

I did the sinful thing of downloading stuff from warez sites to solve a problem, and now the zipped files have inundated me with browser hijack modules and spyware.

I have tried to use Lavasoft Ad-Aware and Norton Antivirus to remove most of them, but there are 2 files that Ad-Aware and Norton cannot remove. They are the files at these locations:

C:\Windows\system32\e0jm0a11ed.dll and

HKey_Local_Machine:Software\microsoft\windowsnt\currentversion\winlogon\notify\

Try as I might, Windows won't let me delete them. So I tried to use HijackThis to help me with a log file, and I hope some kind soul will help me out to identify which file to delete. God bless you.

Logfile of HijackThis v1.99.1
Scan saved at 6:10:51 PM, on 19-Sep-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erikkson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151947591031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151947572515
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\e0jm0a11ed.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0cml4\command.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Ad-Aware SE Build 1.04
Logfile Created on:Tuesday, September 19, 2006 9:00:21 PM
Using definitions file:SE1R123 14.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.Look2Me(TAC index:7):2 total references
MRU List(TAC index:0):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


19-Sep-06 9:00:21 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 440
ThreadCreationTime : 19-Sep-06 5:40:36 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 528
ThreadCreationTime : 19-Sep-06 5:40:40 AM
BasePriority : High


Adware.Look2Me Object Recognized!
Type : Process
Data : e0jm0a11ed.dll
Category : Possible Browser Hijack attempt
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\e0jm0a11ed.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 19-Sep-06 5:40:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 584
ThreadCreationTime : 19-Sep-06 5:40:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 764
ThreadCreationTime : 19-Sep-06 5:40:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 816
ThreadCreationTime : 19-Sep-06 5:40:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1108
ThreadCreationTime : 19-Sep-06 5:40:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.1699 (xpsp2.050610-1533)
ProductVersion : 5.1.2600.1699
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [pg2.exe]
FilePath : C:\Program Files\PeerGuardian2\
ProcessID : 1516
ThreadCreationTime : 19-Sep-06 5:40:47 AM
BasePriority : Normal
FileVersion : 1, 0, 6, 4
ProductVersion : 2, 0, 6, 4
ProductName : PeerGuardian 2
CompanyName : Methlabs
FileDescription : PeerGuardian 2
InternalName : PG2
LegalCopyright : Copyright © 2004-2005 Cory Nelson
OriginalFilename : pg2.exe
Comments : http://peerguardian.sourceforge.net

#:9 [coolmon.exe]
FilePath : C:\Program Files\CoolMon\
ProcessID : 1540
ThreadCreationTime : 19-Sep-06 5:40:47 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : CoolMon
CompanyName : The CoolMon Project
FileDescription : CoolMon Executeable
InternalName : CoolMon
LegalCopyright : Copyright 2001 - 2003, The CoolMon Project
OriginalFilename : CoolMon.exe

#:10 [hotsync.exe]
FilePath : C:\Program Files\palmOne\
ProcessID : 1548
ThreadCreationTime : 19-Sep-06 5:40:47 AM
BasePriority : Normal
FileVersion : 4.0.4
ProductVersion : 4.1.0
ProductName : HotSync® Manager, Palm Desktop
CompanyName : Palm, Inc.
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-2001 Palm, Inc.
LegalTrademarks : HotSync® is a registered trademark of Palm, Inc.
OriginalFilename : Hotsync.exe

#:11 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ProcessID : 1556
ThreadCreationTime : 19-Sep-06 5:40:47 AM
BasePriority : Normal
FileVersion : 9.79.025
ProductVersion : 9.79.025
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : © 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:12 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1792
ThreadCreationTime : 19-Sep-06 5:40:51 AM
BasePriority : Normal
FileVersion : 6.14.10.9131
ProductVersion : 6.14.10.9131
ProductName : NVIDIA Driver Helper Service, Version 91.31
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 91.31
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1876
ThreadCreationTime : 19-Sep-06 5:40:51 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [winvnc4.exe]
FilePath : C:\Program Files\RealVNC\VNC4\
ProcessID : 2036
ThreadCreationTime : 19-Sep-06 5:40:54 AM
BasePriority : Normal
FileVersion : 4.1.2
ProductVersion : 4.1.2
ProductName : VNC Server Free Edition
CompanyName : RealVNC Ltd.
FileDescription : VNC Server Free Edition for Win32
InternalName : free4/winvnc
LegalCopyright : Copyright © RealVNC Ltd. 2002-2005
LegalTrademarks : RealVNC
OriginalFilename : winvnc4.exe

#:15 [devldr32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1784
ThreadCreationTime : 19-Sep-06 5:45:57 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright © Creative Technology Ltd. 1998-2001
OriginalFilename : DevLdr32.exe

#:16 [navapw32.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1816
ThreadCreationTime : 19-Sep-06 5:59:08 AM
BasePriority : Normal
FileVersion : 8.00.58
ProductVersion : 8.00.58
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
LegalCopyright : Copyright © 2000-2001 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPW32.EXE

#:17 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 412
ThreadCreationTime : 19-Sep-06 5:59:09 AM
BasePriority : Normal
FileVersion : 8.00.58
ProductVersion : 8.00.58
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2001 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:18 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 3864
ThreadCreationTime : 19-Sep-06 8:07:07 AM
BasePriority : Normal
FileVersion : 8.0.0792.00
ProductVersion : 8.0.0792
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:19 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3628
ThreadCreationTime : 19-Sep-06 8:07:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2544
ThreadCreationTime : 19-Sep-06 9:42:08 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:21 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2064
ThreadCreationTime : 19-Sep-06 9:55:11 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:22 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2356
ThreadCreationTime : 19-Sep-06 12:52:04 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 2968
ThreadCreationTime : 19-Sep-06 1:00:06 PM
BasePriority : Normal
FileVersion : 6.2.0.191
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

MRU List Object Recognized!
Location: : C:\Documents and Settings\Erikkson\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-602162358-1965331169-682003330-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
3 entries scanned.
New critical objects:0
Objects found so far: 11




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.Look2Me Object Recognized!
Type : Regkey
Data :
Category : Possible Browser Hijack attempt
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon\notify

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 12

9:10:03 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:42.250
Objects scanned:109801
Objects identified:1
Objects ignored:0
New critical objects:1


Please :whistling:

Edited by Erikkson, 19 September 2006 - 07:12 AM.

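A small triage pass over the HijackThis log format, added here as an example (it is not the thread's or any tool's code): it flags the entries a helper reads first in the log above, the redirected search settings, the Winlogon Notify DLL that is not a Windows XP default, and the services whose binary is reported missing. The sample lines are constructed from the post; the search-bar host is a placeholder because the real one is truncated, and the XP notify-package baseline and trusted search domains are my assumptions.

```python
"""Triage of HijackThis v1.99 log lines (added example, not a tool from the thread).
Walks the R0/R1, O20 and O23 entries and reports what a helper checks first.
Findings are leads to cross-check against the process list, not verdicts."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the log posted above.
# The search-bar host is a placeholder: the real one is truncated in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.example.invalid
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\e0jm0a11ed.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0cml4\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
# IE settings a browser hijacker rewrites (the R0/R1 lines).
SEARCH_SETTINGS = {"Start Page", "Search Page", "Default_Search_URL", "SearchAssistant", "CustomizeSearch"}
# Assumption: providers a 2006-era default install would point at.
TRUSTED_SEARCH_DOMAINS = ("microsoft.com", "msn.com", "yahoo.com", "google.com")
# Assumption: DLLs behind the Winlogon\Notify packages that ship with Windows XP.
XP_NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    subject: str   # URL, DLL path or service name the finding is about
    reason: str


def trusted_search_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH_DOMAINS)


def base64_word(component: str) -> Optional[str]:
    """Decoded text if a path component is base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            setting = key.rsplit(",", 1)[-1]          # text after the comma is the value name
            if setting in SEARCH_SETTINGS and not trusted_search_host(url):
                findings.append(Finding(sec, url, f"{setting} redirected to an unrecognised provider"))
        elif sec == "O20" and body.startswith("Winlogon Notify: "):
            name, path = body[len("Winlogon Notify: "):].split(" - ", 1)
            if path.rsplit("\\", 1)[-1].lower() not in XP_NOTIFY_BASELINE:
                findings.append(Finding(sec, path, f"'{name}' is not an XP notify package; the DLL is "
                                        "loaded into winlogon.exe at boot, so it stays locked while Windows runs"))
        elif sec == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ", 2)   # name - owner - command line
            if len(parts) != 3:
                continue
            name, owner, path = parts
            reasons = []
            if "(file missing)" in path:
                reasons.append("binary reported missing")
            if owner == "Unknown owner":
                reasons.append("no publisher in the binary")
            for comp in path.split("\\")[1:-1]:      # directories only: skip drive and file name
                word = base64_word(comp)
                if word:
                    reasons.append(f"directory '{comp}' is base64 for '{word}'")
            if reasons:
                findings.append(Finding(sec, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.subject}\n      {f.reason}")
```

The WinVNC4 hit is why the output is a list of leads: the same log's process list shows WinVNC4.exe running from that path, so that "file missing" deserves a second look against the running processes rather than removal on its own.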


#2
Armodeluxe
Retired Staff, 2,744 posts
Hi Erikkson,

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#3
Erikkson
Topic Starter, New Member, 8 posts
Hello Armodeluxe, here it is:

Erikkson - 06-09-23 9:47:06.26 Service Pack 1
ComboFix 06.09.23 - Running from: "C:\Documents and Settings\Erikkson\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{2366FCA3-55AE-4C76-A69D-9749E838B7CC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2366FCA3-55AE-4C76-A69D-9749E838B7CC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2366FCA3-55AE-4C76-A69D-9749E838B7CC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2366FCA3-55AE-4C76-A69D-9749E838B7CC}\InprocServer32]
@="C:\\WINDOWS\\system32\\oje2.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\crmctl32.dll
C:\WINDOWS\system32\hrr0059me.dll
C:\WINDOWS\system32\jtr0079me.dll
C:\WINDOWS\system32\k280lclm1fqa.dll
C:\WINDOWS\system32\oje2.dll
C:\WINDOWS\system32\rYsman.dll
C:\WINDOWS\system32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\teller2.chk
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\WINDOWS\TWF0cml4


((((((((((((((((((((((((((((((( Files Created from 2006-08-23 to 2006-09-23 ))))))))))))))))))))))))))))))))))


2006-09-19 13:58 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2006-09-19 13:58 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-19 09:19 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2006-09-19 09:19 69,632 --a------ C:\WINDOWS\system32\EIrDaComm.dll
2006-09-19 09:19 64,512 --a------ C:\WINDOWS\system32\MSCC2DE.DLL
2006-09-19 09:19 544,256 --a------ C:\WINDOWS\system32\janGraphics.dll
2006-09-19 09:19 42,496 --a------ C:\WINDOWS\system32\FLXGDDE.DLL
2006-09-19 09:19 415,504 --a------ C:\WINDOWS\system32\MSREPL35.DLL
2006-09-19 09:19 36,352 --a------ C:\WINDOWS\system32\RCHTXDE.DLL
2006-09-19 09:19 35,328 --a------ C:\WINDOWS\system32\DBGRDDE.DLL
2006-09-19 09:19 34,816 --a------ C:\WINDOWS\system32\MCIDE.DLL
2006-09-19 09:19 33,792 --a------ C:\WINDOWS\system32\CMDLGDE.DLL
2006-09-19 09:19 32,768 --a------ C:\WINDOWS\system32\DBLSTDE.DLL
2006-09-19 09:19 28,672 --a------ C:\WINDOWS\system32\SmartMenuXP.dll
2006-09-19 09:19 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2006-09-19 09:19 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2006-09-19 09:19 24,576 --a------ C:\WINDOWS\system32\SmartSubClass.dll
2006-09-19 09:19 158,208 --a------ C:\WINDOWS\system32\MSCMCDE.DLL
2006-09-19 09:19 148,240 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2006-09-19 09:19 14,336 --a------ C:\WINDOWS\system32\MSCOMDE.DLL
2006-09-19 09:19 125,712 --a------ C:\WINDOWS\system32\VB6DE.DLL
2006-09-19 09:19 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2006-09-19 09:19 1,046,288 --a------ C:\WINDOWS\system32\MSJET35.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-23 09:47 -------- d-------- C:\Program Files\PeerGuardian2
2006-09-19 13:59 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-19 13:58 -------- d-------- C:\Program Files\Symantec
2006-09-19 13:58 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-19 12:44 -------- d-------- C:\Documents and Settings\Erikkson\Application Data\Lavasoft
2006-09-19 12:43 -------- d-------- C:\Program Files\Lavasoft
2006-09-19 09:19 -------- d-------- C:\Program Files\VisSie
2006-09-19 09:19 -------- d-------- C:\Documents and Settings\Erikkson\Application Data\7soft
2006-09-17 18:15 -------- d-------- C:\Documents and Settings\Erikkson\Application Data\Ahead
2006-09-12 02:14 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 02:14 -------- d-------- C:\Program Files\Siemens Data Suite
2006-09-12 02:11 -------- d-------- C:\Program Files\Common Files\Siemens AG Shared
2006-09-12 02:11 -------- d-------- C:\Program Files\Common Files
2006-09-06 10:34 -------- d-------- C:\Program Files\AVI MPEG RM WMV Joiner
2006-08-29 11:30 -------- d-------- C:\Program Files\Hewlett-Packard
2006-08-25 23:52 -------- d-------- C:\Documents and Settings\Erikkson\Application Data\Seven Zip
2006-08-12 21:16 -------- d-------- C:\Documents and Settings\Erikkson\Application Data\Arcsoft
2006-08-12 21:13 -------- d-------- C:\Program Files\palmOne
2006-08-01 19:16 -------- d---s---- C:\Documents and Settings\Erikkson\Application Data\Microsoft
2006-07-04 02:11 260096 --a------ C:\WINDOWS\system32\mstask.dll
2006-07-04 02:11 172544 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-07-04 02:11 10752 --a------ C:\WINDOWS\system32\mstinit.exe
2006-07-03 09:24 62 --ahs---- C:\Documents and Settings\Erikkson\Application Data\desktop.ini
2006-07-03 01:36 0 -rahs---- C:\MSDOS.SYS
2006-07-03 01:36 0 -rahs---- C:\IO.SYS
2006-07-03 01:36 0 --a------ C:\CONFIG.SYS
2006-07-03 01:36 0 --a------ C:\AUTOEXEC.BAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Erikkson^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Erikkson\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Erikkson\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e7"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_e7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e7"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_e7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_e7"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_e7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySheriff]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySheriff"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\vfr9ccf5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w1f478aa.dll,n 0049ccf10000000a1f478aa"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 23-Sep-06 9:49:02.64
ComboFix.txt



while running combofix, Norton Antivirus also sent me this alert. Should I just ignore it?
  • 0

#4
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Yes, Norton is flagging the combofix file; ignore it if we ever need to run it again.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"


The above entry you disabled in msconfig belongs to a password stealing trojan. So it is advisable that you change all passwords and logins stored on the computer. You had quite a big bundle of malware there I see. Even if you were able to get rid of them all, or at least most, we should run some other tools to make sure nothing is left behind.

Now please copy the following text in the code box to Notepad. Make sure there is no empty line above REGEDIT4. In Notepad go to File > Save As. Name it Fixit.reg, in the drop down box at the bottom choose "All Files", and save it on your desktop. Then double click on Fixit.reg and let it merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySheriff]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\vfr9ccf5]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]

Next,

1. First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and tapping F8 just before Windows starts to load until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido.
5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Also please post this log:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Please check if all the logs fit into the post and none of them get cut off. If that happens, please post the sections that were cut off in a second post.
  • 0
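The msconfig Startupreg review and the Fixit.reg script above can be scripted. This added example (not code from the thread or from any of the tools it names) parses a ComboFix-style registry export, applies a few heuristics modelled on the entries Armodeluxe deleted, and renders the matching REGEDIT4 deletion script. The sample export, the heuristics and the KNOWN_BAD names are assumptions taken from this thread only, not a vendor list.

```python
import re

# Heuristics modelled on the entries disabled in this thread (assumptions, not a vendor list).
ROOT_EXE = re.compile(r"^[a-z]:\\+[^\\/]+\.exe$", re.I)  # C:\winstall.exe, C:\\kybrdff_e7.exe
# rundll32 loading an unpathed DLL whose export is followed by a long hex blob
RUNDLL_BLOB = re.compile(r"^rundll32(?:\.exe)?\s+[^\\\s]+\.dll,\S+\s+[0-9a-f]{16,}$", re.I)
# Item names the thread identified: ibm00001 (Sinowal password stealer), SpySheriff (rogue).
KNOWN_BAD = {"ibm00001", "spysheriff"}
STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg" + "\\"


def parse_reg(text):
    """Parse the [key] / "name"="value" subset of .reg syntax into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg escapes backslash and double quote with a backslash
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def first_token(command):
    """Executable part of a command line, honouring a quoted path."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(keys):
    """Return [(key, item, reason)] for Startupreg entries that match a heuristic."""
    flagged = []
    for key, vals in keys.items():
        if not key.lower().startswith(STARTUPREG.lower()) or not vals.get("command"):
            continue
        item, cmd = vals.get("item", ""), vals["command"]
        if item.lower() in KNOWN_BAD:
            reason = "name identified as malware in this thread"
        elif ROOT_EXE.match(first_token(cmd)):
            reason = "executable dropped directly in the drive root"
        elif RUNDLL_BLOB.match(cmd):
            reason = "rundll32 loads an unpathed DLL with a hex argument"
        else:
            continue
        flagged.append((key, item, reason))
    return flagged


def build_fix(flagged):
    """Render a REGEDIT4 script whose [-KEY] sections delete each flagged key."""
    lines = ["REGEDIT4", ""]
    for key, _item, _reason in flagged:
        lines += ["[-" + key + "]", ""]
    return "\n".join(lines)


def flagged_items(text):
    """Convenience: just the item names that triage() flags in a .reg export."""
    return [item for _key, item, _reason in triage(parse_reg(text))]


# Constructed sample: a trimmed subset of the Startupreg dump posted in the thread.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acrobat Assistant 7.0]
"item"="Acrotray"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"item"="dfndrff_e7"
"command"="C:\\\\dfndrff_e7.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"item"="RunDLL32"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]
"item"="ibm00001"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\vfr9ccf5]
"item"="RUNDLL32"
"command"="RUNDLL32.EXE w1f478aa.dll,n 0049ccf10000000a1f478aa"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"item"="winstall"
"command"="C:\\winstall.exe"
'''

if __name__ == "__main__":
    print(build_fix(triage(parse_reg(SAMPLE))))
```

The legitimate Acrobat and NVIDIA entries in the sample pass through untouched, so a reviewer still reads the flagged list before merging the script.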

#5
Erikkson

Erikkson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and tapping F8 just before Windows starts to load until a menu appears. Highlight Safe Mode and hit enter.


Hello Armodeluxe, I did everything up till step 3. However there is a slight problem...whenever I reboot into Safe Mode, the computer will just freeze, and I have to do a cold reset. Perhaps it is due to my graphics card or its driver, I can't tell for sure.

Is it safe to boot to normal Windows and proceed to step 4?

Thanks.

Edited by Erikkson, 29 September 2006 - 01:34 AM.

  • 0

#6
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Yes, ok, you can run them in normal mode.
  • 0

#7
Erikkson

Erikkson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Please check if all the logs fit into the post and none of them get cut off. If that happens, please post the sections that were cut off in a second post.

Hello Armodeluxe, here it is :whistling:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:02:14 AM 30-Sep-06

+ Scan result:



D:\Softwares\Nero Burning ROM v6.6.0.16 Ultra Plus\NERO Burning ROM 6.3.0.3+Crack\run.exe -> Logger.Briss.j : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\erikkson@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\Erikkson\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.av : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Sinowal.ay : Cleaned with backup (quarantined).
D:\Softwares\Engineering\Microsoft Visual Studio 6.0 ENTERPRISE EDITION\COMMON\TOOLS\BIND.EXE -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

SmitFraudFix v2.102

Scan done at 4:09:15.41, 30-Sep-06
Run from C:\Documents and Settings\Erikkson\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Erikkson


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Erikkson\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Erikkson\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#8
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
See, the password stealers were still present; Ewido got them:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.av : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Sinowal.ay : Cleaned with backup (quarantined).


I'm concerned about this removal:

D:\Softwares\Engineering\Microsoft Visual Studio 6.0 ENTERPRISE EDITION\COMMON\TOOLS\BIND.EXE -> Trojan.Small : Cleaned with backup (quarantined).


Did you have the legit copy of Microsoft Visual Studio 6.0 ENTERPRISE EDITION or is that a crack version as well? If you had the legit version, that may be a false positive from Ewido, please let me know. I suggest you get rid of all crack software; by now you have learned the hard way that they are never safe.

Smitfraudfix found just one file, no need to run it for a mere one file, just delete this from under your C:\ drive:

C:\uniq

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
Erikkson

Erikkson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

I'm concerned about this removal:

D:\Softwares\Engineering\Microsoft Visual Studio 6.0 ENTERPRISE EDITION\COMMON\TOOLS\BIND.EXE -> Trojan.Small : Cleaned with backup (quarantined).


Did you have the legit copy of Microsoft Visual Studio 6.0 ENTERPRISE EDITION or is that a crack version as well? If you had the legit version, that may be a false positive from Ewido, please let me know. I suggest you rid of all crack software, by now you have learned the hard way that they are never safe.


Hello Armodeluxe, yes it is a cracked version. I have removed the entire software.

Click on Kaspersky Online Scanner

  • Copy and paste that information in your next post.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 01, 2006 11:28:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/09/2006
Kaspersky Anti-Virus database records: 227775
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 69865
Number of viruses found: 20
Number of infected objects: 56 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:26:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\edonkey2000\eDonkey61.exe/data0005/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\edonkey2000\eDonkey61.exe/data0005 Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\edonkey2000\eDonkey61.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\vnc-4_1_2-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\vnc-4_1_2-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\Felix\zipped\vnc-4_1_2-x86_win32.exe Inno: infected - 2 skipped
C:\Documents and Settings\Erikkson\Application Data\Kazaa Lite\db\data1024.dbb Object is locked skipped
C:\Documents and Settings\Erikkson\Application Data\Kazaa Lite\db\data256.dbb Object is locked skipped
C:\Documents and Settings\Erikkson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Erikkson\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Erikkson\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\infected.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_CEC0_452B_C045_1ADB\dfsr.db Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_CEC0_452B_C045_1ADB\fsr.log Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_CEC0_452B_C045_1ADB\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_CEC0_452B_C045_1ADB\tmp.edb Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\History\History.IE5\MSHist012006100120061002\index.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temp\Perflib_Perfdata_62c.dat Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temp\~DF33EA.tmp Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temp\~DF33F6.tmp Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temp\~DF52EF.tmp Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temp\~DF5317.tmp Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temporary Internet Files\Content.IE5\8B3Z6SD5\Decadence-The-Movie[1].WMV.AVI Object is locked skipped
C:\Documents and Settings\Erikkson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erikkson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Erikkson\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Erikkson\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kazaa Lite K++\My Shared Folder\download11546692498959390.dat Object is locked skipped
C:\Program Files\Kazaa Lite K++\My Shared Folder\download11546692528962578.dat Object is locked skipped
C:\Program Files\Kazaa Lite K++\My Shared Folder\download11556690001852578.dat Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP101\A0009756.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP101\A0009756.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP101\A0009756.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0028046.exe Infected: Trojan-Downloader.Win32.Adload.fo skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0028047.exe Infected: Trojan-Downloader.Win32.Harnig.co skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0028048.exe Infected: Trojan-Downloader.Win32.Small.bwy skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0028050.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029058.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029059.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029061.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029061.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029061.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029062.exe Infected: Trojan.Win32.VB.asv skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029063.exe Infected: Trojan-Downloader.Win32.VB.ach skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029064.exe Infected: Trojan-Downloader.Win32.Adload.l skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029065.exe Infected: not-virus:Hoax.Win32.Renos.ey skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029067.exe Infected: Trojan-Downloader.Win32.Adload.fk skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029070.exe Infected: Trojan-PSW.Win32.Sinowal.ay skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029072.exe Infected: not-virus:Hoax.Win32.Renos.ey skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029094.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029098.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029103.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029115.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP157\A0029125.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP158\A0029139.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP158\A0029140.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP158\A0029252.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP159\A0030538.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP160\A0030547.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP160\A0030551.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP161\A0030557.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP161\A0030561.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030579.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030581.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030586.dll Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030597.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030601.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030602.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030603.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030604.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP162\A0030605.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP167\A0036263.dll Infected: Trojan-PSW.Win32.Sinowal.av skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP167\A0036264.exe Infected: Trojan-PSW.Win32.Sinowal.ay skipped
C:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP168\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP167\A0036266.exe Infected: Trojan-Spy.Win32.Briss.j skipped
D:\System Volume Information\_restore{F4522C92-E898-42EF-AAE2-D13EC31F5F7A}\RP168\change.log Object is locked skipped

Scan process completed.
  • 0

#10
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
All it found was infected system restore points and this adware bundled edonkey:

C:\Documents and Settings\All Users\Documents\Felix\zipped\edonkey2000\eDonkey61.exe

I would suggest that you get rid of it, but it's your choice.

Please post a final HijackThis log to make sure nothing is coming back and let me know of any problems you still have, if any.
  • 0

#11
Erikkson

Erikkson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

All it found was infected system restore points and this adware bundled edonkey:

C:\Documents and Settings\All Users\Documents\Felix\zipped\edonkey2000\eDonkey61.exe

I would suggest that you get rid of it, but it's your choice.

Please post a final HijackThis log to make sure nothing is coming back and let me know of any problems you still have, if any.

Hello Armodeluxe, the edonkey software has been removed. :whistling: Below is the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:55:00 AM, on 02-Oct-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erikkson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151947591031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151947572515
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#12
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Open HijackThis and click Scan. Put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com


Close all other windows except HijackThis and click Fix Checked.

Now is the right time to get SP2; you can get it here:
http://www.microsoft...p2/default.mspx

Now let's reset your restore points.

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Press OK. Choose 'Create a Restore Point', then Next. Name it and press 'Create'; when the confirmation screen shows the restore point has been created, click 'Close'.

Next, go to Start Menu > Run and type

cleanmgr

Click OK. When Disk Cleanup opens, go to the 'More Options' tab and press 'Cleanup' in the System Restore area, which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall that comes with SP2, as it monitors only incoming traffic. Pick one of these; they are all free.
Kerio
Zonealarm
Outpost
Sygate

I'd also recommend that you install monitoring software, which watches certain areas of your computer and raises alerts when they are modified. One such program I'd recommend is Prevx, but it's for advanced users, as the messages it displays can be hard to decipher. Another similar but more user-friendly program is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download; scan every file before clicking on it.

Additional programs to consider:

Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard: An anti-virus program scans files before you open them and prevents execution if a virus is detected; SpywareGuard does the same thing, but for spyware!
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.
Firefox: An alternative browser, safer than IE.

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0
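As an added example (not code from this thread, from HijackThis, or from the helper above), the following Python script parses the R0/R1 entries from the log posted earlier and flags the Internet Explorer start/search values that point at a host the owner did not choose, which is exactly the set the helper tells the user to tick and "Fix Checked". The expected-host allowlist is an assumption for this example, and the hijacker URLs are copied in their truncated form exactly as the forum rendered them.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the R0/R1 lines from the HijackThis log quoted above,
# copied as the forum rendered them (the hijacker URLs are truncated with "...").
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

# HijackThis R0/R1 layout: "<R0|R1> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),([^=]+?) = (.*)$")

# IE values that search hijackers overwrite (the ones flagged in the thread).
SEARCH_VALUES = {"Default_Search_URL", "Search Page", "Start Page", "SearchAssistant"}

# Hosts the machine's owner actually chose; an assumption for this example
# (the thread shows sg.yahoo.com as the legitimate start page).
EXPECTED_HOSTS = {"sg.yahoo.com"}


def parse_r_lines(log_text):
    """Parse every R0/R1 line into a dict; other log lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if m:
            kind, hive, key, name, data = m.groups()
            entries.append({"kind": kind, "hive": hive, "key": key,
                            "name": name, "data": data, "raw": raw.strip()})
    return entries


def flag_hijacks(entries, expected_hosts=EXPECTED_HOSTS):
    """Return the search/start-page entries whose host is not on the expected list."""
    flagged = []
    for e in entries:
        if e["name"] not in SEARCH_VALUES:
            continue  # e.g. ProxyOverride is not a browser search setting
        host = urlparse(e["data"]).hostname or ""
        if host not in expected_hosts:
            flagged.append(e)
    return flagged


def fix_list(log_text):
    """The raw lines a helper would tell the user to tick in HijackThis and 'Fix Checked'."""
    return [e["raw"] for e in flag_hijacks(parse_r_lines(log_text))]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints the same four R0/R1 lines the helper listed, while the legitimate Start Page and the ProxyOverride entry are left alone.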

#13
Erikkson

Erikkson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Open HijackThis and click Scan. Put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com


Close all other windows except HijackThis and click Fix Checked.



A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe


Hello Armodeluxe, I truly appreciate your help. You really put in the time and effort to look into my problem and follow up on my logs. And all I can say is

Thank you
Danke
Obrigado
Gracias
Xie Xie Ni
Grazie
Arigato Gosaimasu :whistling:

And yes, I have also donated a small sum of money to help you and others fight malware. Check your account.

Once again, thanks. :blink:
  • 0

#14
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Thanks for the contribution, I appreciate it. :whistling:

I wish you some safe surfing.
  • 0

#15
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





