Post by: irish-paddy on January 24, 2005, 04:21:12 PM
/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' /> I only started my internet connection on the 14th jan 2005. i dont really have a clue about viruses and firewalls etc. My internet is broadband and i stupidly/accidently turned off my firewall. the longest me connection ever lasted was 2mins.
i have spent the last week and a half learning and trying to remove spywares/viruses etc. etc. etc.
ITS WORKING ALOT BETTER NOW BUT I DONT REALLY KNOW WHAT I DONE AND IM SURE SOMETHING IS STILL WRONG AS IT WONT LET ME OPEN NORTON ANTI-VIRUS EVEN AFTER MANY UNINSTALLATION/RE-INSTALLATIONS. it also doesnt let me open "hijackthis" except in safe mode and i cant get onto nortons website either. i want to use ebay etc. but am too scared to use credit card.
WOULD REALLY REALLY appreciate help from anyone.
cheers
irish paddy
p.s.
heres my log thing if anyone cares
Logfile of HijackThis v1.99.0
Scan saved at 16:10:56, on 24/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe (file missing)
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Post by: guestolo on January 24, 2005, 09:18:02 PM
with some cleaning we can get you running smooth again, but please try and do whatever you can
First: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- NT login service <<exact service name
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Do the same for this one if running
CTI Central Management
============================================
Download
Windows CleanUp! by StevenGould (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now but, Don't run a scan yet
This will clean all your temp folders, cookies, prefetch, etc...
===============================================
Download and UNZIP to a folder Hoster by Toadbee (http://\"http://members.aol.com/toadbee/hoster.zip\")
Open up Hoster and click the RESTORE ORIGINAL HOSTS button
==========================================
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe (http://\"http://www.diamondcs.com.au/tds/downloads/tds3setup.exe\")
This is good for 30 days
Install it and Restart your computer when prompted
Don't run a scan yet
When your back in Windows it's important to update the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\")
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
Launch TDS-3.You can run this in safe mode.... In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to freeze at times
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save this to a convienent location
After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
RESTART the computer
=======================================================
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Ad-Aware may check for updates and run a scan when installing
Allow to update but don't run a scan at this time
I prefer you run this in safe mode, but make sure you update first
In safe mode
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Safe mode to finish the cleaning process
Open Windows CleanUp! in safe mode>>>Start>>All programs>>Cleanup
Click the CleanUp button
Let it finish scanning for files, when it's done it will prompt you to log off, Don't, instead Restart your computer back to Normal mode
You should also try and do an online Virus scan at Trend Micro's >> Set to Autoclean
http://housecall.trendmicro.com/ (http://\"http://housecall.trendmicro.com/\")
And/or at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm (http://\"http://www.pandasoftware.com/activescan/com/activescan_principal.htm\")
If you can't access either Trend Micro's or Panda's try opening up Hoster again
and Restore original hosts
Then try again
Try and do all the above if you can, If not, do what you can, Post back a fresh hijackthis log afterwards
Could you also post the scandump.txt from TDS-3
Let me know what you could accomplish and what still needs to be done
Regardless, post back a fresh hijackthis log
Try and post a log in Normal mode if you can
Post by: irish-paddy on January 25, 2005, 06:47:48 PM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> Cheers for the help. much appreciated.done everything right down until >>Start>>All programs>>Cleanup. couldnt find this so i done a disk clean up (is that wat u meant?).
restarted back in normal mode and norton anti-virus automatically came up. i didnt want to do a scan with it so i restarted back in safe mode. tried to do a scan with norton but it wouldnt open.
restarted back in normal mode. didnt try to use norton just closed them but then spybot search and destroy came up with some msg and it wouldnt close. also something kept turning off my internet firewall.
anyway i was on internet when norton came up saying email message scanned about 30times. somehow my computer was sending loads off stuff to different email addresses.
/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' /> (i just had to disconnect and reconnect cuz i had to turn my firewall on it somehow got turned off.) uninstalled spybot.
i was just wondering wat this file is, its in c: and its a folder called "78a710ce9dfe875110" theres a folder inside it called "sp2" which access is denied to, is this a virus?
heres my new log
Logfile of HijackThis v1.99.0
Scan saved at 20:54:29, on 25/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
scandump
Scan Control Dumped @ 20:01:44 25-01-05
RegVal Trace: Ill ICQ Notify: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [windows update=msnmsgrs.exe]
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft System Checkup=libsysmgr.exe
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft System Checkup=libsysmgr.exe
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [NT Logging Service=syslog32.exe
RegVal Trace: Worm.Leox please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [windows update=msnmsgrs.exe]
RegVal Trace: DDoS.RAT.SDBot: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Windows Update=swwhost.exe]
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Windows Update=swwhost.exe]
RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Windows Update=swwhost.exe]
RegVal Trace: TrojanProxy.Win32.Ranky: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Spool=C:\WINDOWS\TEMP\msvcreal.exe]
Positive identification: DDoS.RAT.SDBot.up
File: c:\windows\system32\libsysmgr.exe
Positive identification: TrojanDownloader.Win32.Dyfuca.ds
File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\gnu96rm3\optimize[1].exe.tcf
Suspicious Filename: Dual extensions
File: c:\documents and settings\patrick deighan\desktop\my music\music\music albums\tenacious d\imp.wps.doc
Positive identification (embedded in file): Adware.ToolBat.EliteBar.z (dll)
File: c:\documents and settings\patrick deighan\local settings\temp\suicidetb.exe.tcf
Positive identification: DDoS.RAT.Wootbot.fj
File: c:\program files\avpersonal\infected\msrepair.vir
Positive identification: DDoS.RAT.Wootbot.fj
File: c:\program files\avpersonal\infected\msrepair.vir00
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir00
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir01
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir02
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir03
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir04
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir05
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir06
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir07
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir08
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir09
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir10
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir11
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir12
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir13
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir14
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir15
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir16
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir17
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir18
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir19
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir20
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir21
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir22
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir23
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir24
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir25
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir26
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir27
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir28
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir29
Positive identification: DDoS.RAT.rBot.acu
File: c:\program files\avpersonal\infected\navprotect.vir30
Positive identification: Trojan.Win32.LowZones.ab
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp159\a0091709.exe
Positive identification: Adware.BargainBuddy.n2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp159\a0091725.exe
Positive identification: DDoS.RAT.Agobot.yj
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp160\a0092949.exe
Positive identification: TrojanDownloader.Win32.IstBar.go1
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094172.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094183.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094186.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095185.exe.tcf
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095186.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095194.exe
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095205.exe.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095331.exe.tcf
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095332.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095335.exe
Positive identification: DDoS.RAT.Agobot.yj
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095340.exe
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp165\a0095350.exe.tcf
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp165\a0096346.dll.tcf
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp166\a0096428.dll.tcf
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096447.exe.tcf
Positive identification: DDoS.RAT.Agobot.yj
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096454.exe
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096457.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096459.exe.tcf
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096666.dll.tcf
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096682.dll.tcf
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096683.exe.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096684.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096687.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0097682.exe.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0098683.exe.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098685.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098688.exe
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098691.dll.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098700.exe.tcf
Positive identification: Adware.WinAD.m
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098704.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099741.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099744.exe
Positive identification: DDoS.RAT.Agobot.yj
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099765.exe
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099772.dll.tcf
Positive identification: DDoS.RAT.SDBot.rz
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099773.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100808.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100811.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100819.exe.tcf
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0101861.exe
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102857.dll.tcf
Positive identification (DLL): Adware.Relevance.b (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102858.dll
Positive identification (DLL): Adware.Relevance.b (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102859.dll
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103694.exe
Positive variant identification: Beast 2.02 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103695.exe
Positive identification: DDoS.RAT.rBot.yo
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103699.exe
Positive identification: Adware.BargainBuddy.n2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103729.exe
Positive identification (DLL): Adware.Relevance.b (dll)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103730.dll
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103751.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103767.exe
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103772.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103812.exe
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103826.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103839.exe
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103842.exe
Positive identification: DDoS.RAT.rBot.dy
File: c:\windows\system32\crsss.exe
Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
File: c:\windows\system32\doolsav.dat
Positive identification: DDoS.RAT.SDBot.up
File: c:\windows\system32\libsysmgr.exe
Positive identification: DDoS.RAT.rBot.yo
File: c:\windows\system32\mssw32.exe.tcf
Positive variant identification: Beast 2.02 (Variant)
File: c:\windows\system32\msvccc.exe.tcf
Positive identification: DDoS.RAT.rBot.acu
File: c:\windows\system32\navprotect.exe
Positive identification: DDoS.RAT.SDBot.rz
File: c:\windows\system32\ntsysman.exe
Positive identification: TrojanProxy.Win32.Agent.bz2
File: c:\windows\system32\svphostu.exe
Positive identification: DDoS.RAT.rBot.adk
File: c:\windows\system32\trass.exe
Positive identification: DDoS.RAT.Agobot.yj
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\6jylazox\bot[1].exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\windows\system32\drivers\etc\svwhost32.exe
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\windows\system32\drivers\etc\svwhost32.exe.tcf
Positive variant identification: Microjoiner 1.7 (Variant)
File: c:\windows\system32\drivers\etc\svwhost32.exe8278.tcf
Positive identification: TrojanDownloader.Win32.Dyfuca.ds
File: c:\windows\temp\optimize.exe.tcf
Positive identification: TrojanDownloader.Win32.IstBar.fr2
File: c:\windows\temp\sidefind.exe.tcf
Positive identification (DLL): TrojanDownloader.Win32.IstBar.gh (dll)
File: c:\windows\temp\icd1.tmp\istactivex.dll
TROJ ISTBAR.ZA housecall.trendmicro.com found that virus couldnt clean or delete it. compressed it and i think i deleted.
i registeredon paypal (ebay) with my credit card was this safe?
thanks again for all the help. cheers
Post by: irish-paddy on January 25, 2005, 06:52:10 PM
Post by: guestolo on January 25, 2005, 09:18:20 PM
We must remove
Try and do everything I ask
Please try and Print these instructions, or save to a Notepad file on the desktop
Many of these fixes should be ran in safe mode with your Browser window closed
I asked you to do this
Download
Windows CleanUp! by StevenGould (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now but, Don't run a scan yet
This will clean all your temp folders, cookies, prefetch, etc...
Your confusing me, you said this
Quote
(i just had to disconnect and reconnect cuz i had to turn my firewall on it somehow got turned off.) uninstalled spybot
Are you sure your not talking about Spyware Doctor?????
Leave it uninstalled
But I definitely see Spybot entries in your log, so it's not uninstalled correctly
I prefer you don't uninstall it
But you have TEA TIMER running which can get in the way of fixes
I need you to Disable Tea Timer until we are done with these fixes
That is what is getting in the way
I see these in your hijackthis log
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Look for Spybot on your computer and disable Tea Timer
Open Spybot>>Click Mode at the top>>Click ADVANCED
YES to the prompt
Click on TOOLS>>RESIDENT>>Uncheck "Resident TEA TIMER"
RESTART your computer to ensure it's disabled
If you can't find Spybot access your Add/Remove programs and uninstall it until we are done with some fixes, and then restart your computer
Again---If you uninstalled Spybot
I assume that you let TDS-3 fix all the Positive Identification files
IN SAFE MODE
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Access your Add/Remove Programs and remove if found
Admanager Controller
AdStatus Service
If both are found, Try and remove
Look for these files and folders and delete it they exist
C:\WINDOWS\System32\kxcddqojunj.exe <--file
c:\windows\system32\csmss32.exe <--file
C:\WINDOWS\xcz.exe <--file
C:\Program Files\Admanager Controller <--folder
C:\Program Files\AdStatus Service <--folder
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe <--although it looks legitimate, it's NOT!
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Open up Windows Cleanup>>In safe mode
Click on the CleanUp button
Let it finish scanning for files, When it's done it will prompt you to Log off
Don't at this time
I need you to Disable System Restore, many bad files are found in this folder
To guarantee they are removed we must disable it
I'll let you know when to Re-enable it
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'. or Turn off System Restore
4. Click the 'OK' button.
5. You should get a prompt to restart the computer. Click Yes. If you don't get a prompt Restart anyways
When your back in Windows
Go back and Re-Enable System Restore
By all means run Trojan Hunter
If this is the Trial version ensure that you update to the latest Ruleset
Access this link
http://www.misec.net/trojanhunter/updating/ (http://\"http://www.misec.net/trojanhunter/updating/\")
Download the Latest ruleset>>>It's a zipped file
UNZIP it to your Trojan Hunter folder allowing it to overwrite if prompted
The default location of T.H is specified by your log
Unzip to C:\Program Files\TrojanHunter 4.1
Run a full system scan allowing it to fix whatever it finds
Restart your computer
Did you run Ad-Aware SE 1.05?
If not download it now and run the scan as previously instructed
Remember to restart your computer after you are done cleaning
PLEASE, Try and post back a Fresh hijackthis log in Normal Mode
I can't see everything when your in Safe mode
Try and do everything I asked from above, look it over carefully and print it out,
Do what you can, ALL if you can!!!!
Post by: Guest on January 27, 2005, 07:00:23 PM
(i just had to disconnect and reconnect cuz i had to turn my firewall on it somehow got turned off.) uninstalled spybot
I didnt download spyware doctor it was Spybot
DisabledTea Timer
IN SAFE MODE
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
DONE ALL OF THAT
C:\WINDOWS\System32\kxcddqojunj.exe <--file COULDNT FIND
c:\windows\system32\csmss32.exe <--file COULDNT FIND
C:\WINDOWS\xcz.exe <--file COULDNT FIND
C:\Program Files\Admanager Controller <--DELETED
C:\Program Files\AdStatus Service <--DELETED
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe = NOT FOUND
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe = NOT FOUND
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe = NOT FOUND
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe = NOT FOUND
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = NOT FOUND
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe = NOT FOUND
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe = NOT FOUND
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe = NOT FOUND
These were not found. tried a few times. All of the rest were fixed though.
Done a clean up, didnt restart.
Disabled system restore, restarted and turned it back on, in normal mode.
Yeah i already run Ad-Aware SE 1.05. DONE ALL OF THIS BUT HAVE BEEN HAVING TROUBLE STAYING ON THE INTERNET as modem keeps kicking me off.
Here is my new hijackthis log
Logfile of HijackThis v1.99.0
Scan saved at 22:29:44, on 27/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svphost.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: Guest on January 27, 2005, 07:03:17 PM
ALSO DID TROJAN HUNTER AND CLEANED ONE TROJAN.
HOPE THIS WORKS
Post by: guestolo on January 27, 2005, 07:21:50 PM
So are you saying that you still have Spybot installed then????????
Leave it installed, it sounds like you do if you disabled the Tea Timer
Leave Tea Timer disabled for now
You mentioned earlier you uninstalled Spybot
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> I know you say you didn't download Spyware Doctor
I don't advise you do either, but however, this BHO we fixed earlier in your log is associated with Spyware Doctor, and it looks like it's been uninstalled
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> /blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> RESTART your computer into safe mode
Find and delete this file
C:\WINDOWS\system32\svphost.exe <--this file, don't confuse it with svchost.exe which is legit
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Run Windows CleanUp again
Restart your computer back to Normal Mode and post a fresh hijackthis log
Post by: Guest on January 28, 2005, 02:40:21 PM
/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' /> sorry 4 confusing u so much. i did uninstall spybot, but i reinstalled it and then removed teatimer.i think i also did previously install Spyware Doctor but i uninstalled it as i thought it contained viruses.
gona go delete
C:\WINDOWS\system32\svphost.exe <--this file, don't confuse it with svchost.exe
and gona fix
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
and ill Run Windows CleanUp and post u back a log in a min
cheers
Post by: Guest on January 28, 2005, 03:19:58 PM
C:\WINDOWS\system32\svphost.exe
found a file beside it called C:\WINDOWS\system32\svphostu.exe is this a virus?
The computer is alot faster and feeling a lot better. thanks very much. cheers.
/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' /> heres my new log
Logfile of HijackThis v1.99.0
Scan saved at 19:07:53, on 28/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\csmss32.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: guestolo on January 28, 2005, 03:36:28 PM
Quote
found a file beside it called C:\WINDOWS\system32\svphostu.exe is this a virus?Nope, but it is a Trojan
/ph34r.gif\' class=\'bbc_emoticon\' alt=\':ph34r:\' /> Yah, we have to get rid of that one,
Can you first Disable System Restore
This will clear all your Restore points and ensures you don't restore any nasties
Don't reenable it yet
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Instead
Can you boot to safe mode
Find and delete these files
C:\WINDOWS\system32\svphostu.exe <--file
C:\windows\system32\csmss32.exe <--file, exact name
In safe mode do another scan with Hijackthis and fix this entry
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
Restart back to Normal mode >>Enable System Restore and post a fresh log, thanks
Concerning this entry in your log
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
Did your Network or Domain set this? Just checking
Post by: irish-paddy on January 29, 2005, 04:46:14 PM
Would not be deleted. Access was denied. I copied a similiar file (i.e. a file with a different name but had same symbol) and gave it the same name.
I then renamed the file to 'csmss32.exe'and pasted it into C:\windows\system32 and allowed it to overwrite.
Then i deleted it and emptied recycle bin. Im not sure if this will work or not will it?
/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' /> C:\WINDOWS\system32\svphostu.exe <--file deleted
Hijackthis entry
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
fixed
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
What do u mean by, 'did ur network or domain set this?' i use a home dell computer. i dont have a clue what 'O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1' is.
once again thanks 4 all ur help and time
heres my new log
Logfile of HijackThis v1.99.0
Scan saved at 20:30:25, on 29/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: guestolo on January 29, 2005, 05:08:20 PM
Normally I see that 017 line address directed to your ISP or domain
Having it set to LocalHost will do no harm
Let's make sure that the file is gone>>I'm not exactly sure what you did
I hope you didn't rename a needed file, what file did you overwrite??????
Confusing me again
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />Open Hijackthis>>Open Misc tools>>Click the Delete file on Reboot button
Copy and paste the bold line to the whole path of the file name box
C:\windows\system32\csmss32.exe
Click the Open button
If hijackthis prompts you that the file will be deleted and you must restart your computer
Restart your computer
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!
Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Hold onto Ad-Aware along with Spybot and check for updates every couple of weeks
A little added protection
Open Spybot>>Click on Immunization>>OK>>Immunize at the top
Do this after every update
Hold onto Windows CleanUp! and clean those temp folders, etc.. at least every couple of weeks
If you want to hold onto TDS-3 for the complete 30 days
Ensure you update the latest RADIUS database before running a final scan
Bookmark this link and update from previous instructions>>This is up to you
Hold onto it or uninstall it
http://tds.diamondcs.com.au/index.php?page=update (http://\"http://tds.diamondcs.com.au/index.php?page=update\")
The same goes for the TrojanHunter
You will want to manually update the Latest Ruleset before running a final scan
http://www.misec.net/trojanhunter/updating/ (http://\"http://www.misec.net/trojanhunter/updating/\")
If it's the Trial version>>It's also good for 30 days
Be sure to shut down the TrojanGuard before uninstalling
How's everything running?
Post by: irish-paddy on January 29, 2005, 06:17:08 PM
(although rundll32 'encountered an error and had to close' wheni restarted after i deleted C:\windows\system32\csmss32.exe in hijackthis>misc tools
-sorry 4confusing u again, i do that alot.
What i did was
>copied a file,
>pasted it (a copy of it) onto desktop,
>renamed it 'csmss32.exe'
>then cut and pasted it from desktop to c;windows/system32
>let it overwrite the old 'csmss32.exe'
>then deleted it.
still confused?
/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' />have just done everything
downloaded IE-SPYAD2.EXE
downloaded spywareblaster
/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' /> My computer and my new internet connection feels alot, lot lot lot safer now. Cheers!!!!!!!!!!!!!!!p.s. i dont like trojan hunter as it never detected csmss32.exe
Post by: Guest_guestolo_* on January 29, 2005, 06:19:59 PM
I can't sign into the forum, so bare with me here if you see me signed in as a guest
Post by: Guest on January 29, 2005, 06:21:36 PM
Post by: irish-paddy on January 29, 2005, 06:37:01 PM
Post by: irish-paddy on January 29, 2005, 06:40:33 PM
is that guestolo? 4give me if i dont send my log its just that u mightnt really be guestolo and ive (i mean guestolo has) put in too much hard work to let sum hacker do me in
/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' />
Post by: irish-paddy on January 29, 2005, 07:03:18 PM
/sad.gif\' class=\'bbc_emoticon\' alt=\':(\' /> dont mean to offend u if that is u.computer seems to be workin great.
wat wud u reccommend for a firewall??
i will also probably be downloading lots of music, and as i am a man with little money ill have to use a free one. wat would u recommend?
thanks again guestolo for all ur help...
/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' /> /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: Josetann on January 29, 2005, 11:20:59 PM
Post by: guestolo on January 30, 2005, 01:45:43 PM
/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' /> XP's SP1 built in firewall is free and built in but not the best and is not on by default
Installing SP2 increases the built in firewall a little bit and on by default
But I would recommend that you install one of these free software firewalls if you need one>>You will have to search for the free download on each site
Sygate Personal Firewall (http://\"http://smb.sygate.com/products/spf_standard.htm\")
Zone Alarm by Zonelabs (http://\"http://www.zonelabs.com/store/content/home.jsp\")
Kerio Personal Firewall (http://\"http://www.kerio.com/us/kpf_download.html\")
OutPost by Agnitum (http://\"http://outpost.uk.com/\")
You only need one, if you install one ensure to shut down XP's built in firewall if enabled
I only use Sygates and I like it
Can't comment on the others but many use the free version of ZoneAlarm
I've been hearing good things about Outpost too.....
As far as file sharing programs, I don't use one but you should take a look at this link and decide
Don't install any free version that contains Spyware
http://www.spywareinfo.com/articles/p2p/ (http://\"http://www.spywareinfo.com/articles/p2p/\")
If you decide on WinMX, many users complain about slow download times and hard to use
Others swear by it and say it's not setup right if those are the conditions
They have chat rooms where you can ask questions about it, that's if you decide on WinMX
Before installing the firewall software, but make sure you do, or at minimal enable XP's
I would like to ensure that you are free of leftover registry entries and a .dll file from the infection you had
Recommended by this link from McAfee's
http://vil.nai.com/vil/content/v_130135.htm (http://\"http://vil.nai.com/vil/content/v_130135.htm\")
Can you do a search for this .dll on your computer and let me know if it exists
WINACPI.DLL
Possibly in your System32 folder, but do a search for it
Also let's look for the leftover Registry entries that may be left behind
You may want to make a Restore point first if your uncomfortable in the Registry
From that link at McAfee's here is an example
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ "InprocServer32"= C:\winnt\System32\winacpi.dll
You will want to Expand (+) the following
+HKEY_CLASSES_ROOT
+CLSID
Your looking for this exact CLSID
{5E2121EE-0300-11D4-8D3B-444553540000}
You don't have to delete it, just let me know if it exists
Do the same for the bolded entries below
Let me know if they exist
# HKEY_CURRENT_USER\Software\mzs
# HKEY_CLASSES_ROOT\acpi.acpi.1
# HKEY_CLASSES_ROOT\acpi.ext
I would like to also look for a couple not mentioned by McAfee's
Look for this one in bold
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap
And if you could do me one more favor
Navigate to this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
List should exist, I don't want you to do anything with it except for
Left click and Highlight List
Right click on it and EXPORT it
Name it and save it>>Possible to MyDocuments
Exit out of Registry editor>>>Navigate to MyDocuments and right click on the saved backup you named
EG...If you saved it as name you will see it as name.reg
After you right click on it Choose EDIT
Copy and paste the whole contents back here
Also let me know if any of those other keys exists
If your uncomfortable in the Registry don't worry about doing the above
We can find a different solution, but if you could do the above that would help... Thanks
Post by: irish-paddy on January 30, 2005, 03:54:10 PM
yeah u were rite, found it in system32
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> sorry for eing so dumb but iwas trying there and i dont know how to get into the registry editorive got the xp firewall on but im just going to buy a better. gona get one in the shops, paid $45.00 for 'xoftspy' spyware remover and it was useless.
gona try outpost 30day free trial and if its good will prob buy it.
if u let me know how 2get into registry ill certainly try all that.
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> heres my log if thats any good
Logfile of HijackThis v1.99.0
Scan saved at 20:43:40, on 30/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: guestolo on January 30, 2005, 04:06:29 PM
But first
To enter the Registry
Go to START>>RUN>>type in regedit
hit OK
Please don't delete anything in the registry, just export that one key and let me know if the others exist
If your uncomfortable in the registry I can supply a free and easy tools to search for you
more efficiently. Let me know
If you haven't deleted WINACPI.DLL yet
Don't yet, we'll get it another way
Again, just try to do what I asked in the registry, don't delete anything
This one showed back up in your hijackthis log, don't worry about it right now
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
By the way OUTPOST does have a free version, but if you would like to purchase the full version, by all means
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: irish-paddy on January 30, 2005, 04:25:02 PM
/sad.gif\' class=\'bbc_emoticon\' alt=\':(\' /> i installed the 30day version of outpost.ive been getting messages from it saying there are hidden stuff requesting inbound and outbound network access
Post by: irish-paddy on January 30, 2005, 04:27:06 PM
Messenger
Hidden process requests an outbound network connection
Process: C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
Launced by: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Outpost Firewall Pro should:
0 Allow network activity for this process according to application rules
0 Block network access for this process instance
! ..........................process can be controlled by another process and transmit private information.
Post by: irish-paddy on January 30, 2005, 04:28:36 PM
gona go and try all that stuff now in the registry
/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />
Post by: irish-paddy on January 30, 2005, 04:59:43 PM
+CLSID
{5E2121EE-0300-11D4-8D3B-444553540000}
Yeah this file exists
HKEY_CURRENT_USER\Software\mzs
This is there too
# HKEY_CLASSES_ROOT\acpi.acpi.1
# HKEY_CLASSES_ROOT\acpi.ext
both these exist too
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap
Yep this is there too
(there is somethin called thi there too '{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}' inside HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
heres the contents
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"
also got this warning just now in outpost
| Attack Detection Report x
attack was detected
attack type My address
IP Address localhost:loopback
had to disable outpost to get on the internet again.
i thought everything was fixed but outpost doesnt think so
Post by: guestolo on January 30, 2005, 05:33:41 PM
Don't Worry about the above one
We may have to rid you of that entry in hijackthis that loopbacks to 127.0.0.1
But don't do nothing with it yet
I suggest that you try another online virus scan, let's make sure we're not missing anything
free Online Virus scan at RAV's
http://www.ravantivirus.com/scan/ (http://\"http://www.ravantivirus.com/scan/\")
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and definition files
Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here
Could you also
Download this virus checker from Kapersky
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, just double click to run
Double click to Run it
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.
****If prompted that a Virus was found and you need to purchase the product, with the Mwav scanner from Kapersky's to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Don't worry, we're getting close to being totally clean
Together those 2 scans may take an hour
Can you do me a favor
Could you please go to this link
http://www.billsway.com/vbspage/ (http://\"http://www.billsway.com/vbspage/\") and scroll down to
Registry Search Tool
Download,UNZIP and run "RegSrch.vbs" >>Allow this to run, even if prompted from your AV
Copy and paste this in the dialog box:
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
Hit OK
After a while a prompt will come up.(About 10 seconds) Click OK to write the results to wordpad or notepad and post them
Do the same for this one
tgbcde
Let me know if these files exist
C:\Windows\System32\mtwirl32.dll <--file
C:\Windows\library32.dll
C:\\WINDOWS\tgbcde\module32.exe
c:\\windows\system32\csmss32.exe
C:\Y.exe
C:\Z.exe
and then we'll try some more fixes, hopefully get it all
Don't try and fix them yet, let me know if they exist
EDIT>>One of these nasties interferes with the operation of your firewall
That's why I recommended you didn't install it, kept the XP firewall enabled until we cleaned it out
But hold onto Outpost
Post by: irish-paddy on January 31, 2005, 09:40:34 AM
Scan started at 31/01/2005 12:22:07
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\autoclk.exe - Trojan:Win32/KillReg.D -> Infected
C:\WINDOWS\YEA.REG - Trojan:WinREG/IEZones.C* -> Infected
C:\WINDOWS\SYSTEM32\msvccc.exe.tcf - TrojanDropper:Win32/Delf.BN -> Suspicious
C:\WINDOWS\SYSTEM32\wdrk32.exe - Win32/HLLW.Forbot -> Infected
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\0006_adult[1].cab.tcf->istactivex.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\0006_regular[1].cab.tcf->istactivex.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected
Scanned
============================
Objects: 28040
Directories: 2281
Archives: 2836
Size(Kb): 1010303
Infected files: 5
Found
============================
Viruses found: 4
Suspicious files: 1
Disinfected files: 0
Mail files: 48
escan results:
File C:\WINDOWS\System32\winacpi.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wdrk32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\swwhost.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\YEA.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dust.exe infected by "Trojan-Dropper.Win32.Agent.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ieupdate.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ldrx32c.exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnmsgrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msvccc.exe.tcf infected by "TrojanDropper.Win32.Delf.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\svc.exe infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\svcshost.exe infected by "Backdoor.Win32.Wootbot.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winasp.exe infected by "Backdoor.Win32.ForBot.r" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000035.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000054.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\LastGood\System32\setup.exe.tcf infected by "Trojan-Dropper.Win32.Small.na" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SECURITY\templates\asa\asa.dbx infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SECURITY\templates\asa\sman.dbx tagged as not-a-virus:RiskWare.Tool.Hideout. No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe1564.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe8278.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dust.exe infected by "Trojan-Dropper.Win32.Agent.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ieupdate.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ldrx32c.exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msnmsgrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msvccc.exe.tcf infected by "TrojanDropper.Win32.Delf.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\svc.exe infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\svcshost.exe infected by "Backdoor.Win32.Wootbot.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\winasp.exe infected by "Backdoor.Win32.ForBot.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\YEA.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
Mon Jan 31 13:07:47 2005 => ***** Scanning complete. *****
Mon Jan 31 13:07:47 2005 => Total Files Scanned: 37384
Mon Jan 31 13:07:47 2005 => Total Virus(es) Found: 52
Mon Jan 31 13:07:47 2005 => Total Disinfected Files: 0
Mon Jan 31 13:07:47 2005 => Total Files Renamed: 0
Mon Jan 31 13:07:47 2005 => Total Deleted Files: 0
Mon Jan 31 13:07:47 2005 => Total Errors: 17
Mon Jan 31 13:07:48 2005 => Time Elapsed: 00:42:49
Mon Jan 31 13:07:48 2005 => Virus Database Date: 2005/01/28
Mon Jan 31 13:07:48 2005 => Virus Database Count: 117012
Mon Jan 31 13:07:48 2005 => Scan Completed.
did the search in RegSrch.vbs
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} was not found
tgbcde "instances found three times"
heres the wordpad results
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "tgbcde" 31/01/2005 14:24:33
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
C:\Windows\System32\mtwirl32.dll <--file NOT FOUND
C:\Windows\library32.dll NOT FOUND
C:\\WINDOWS\tgbcde\module32.exe NOT FOUND
c:\\windows\system32\csmss32.exe FOUND
C:\Y.exe NOT FOUND
C:\Z.exe NOT FOUND
Well thats everything. hopefully we can get it sorted out.
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: irish-paddy on January 31, 2005, 09:53:36 AM
i was also thinking of downloading winmx, it sounds safest but im not sure if its safe to download it yet, especially as there are still loads of viruses on my computer
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: irish-paddy on January 31, 2005, 09:56:51 AM
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\0006_adult[1].cab.tcf
that 0006_adult has been appearing on my comp even before i started the internet, and ive never been on any dodgy sites (not yet
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> - only jokin) could that have been got from a cd or dvd sum1 watched on my comp?
just wonderin
Post by: irish-paddy on January 31, 2005, 10:00:26 AM
Post by: irish-paddy on January 31, 2005, 10:02:11 AM
/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' />
Post by: guestolo on January 31, 2005, 10:09:12 AM
I'm on my way to work so we'll have to tackle this later
But we should be able to get it all
We have to try and delete all those files
We'll get a tool to help us, sorry I don't have time right now
Don't remove any .dll if you start any cleanup, we'll unregister them first
Try to do minimal surfing until later
If you do delete any files let me know which ones
Post by: irish-paddy on January 31, 2005, 11:06:14 AM
ill not do anything and ill stay off the internet till later.
/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />
Post by: guestolo on January 31, 2005, 02:37:15 PM
First>>>===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this on the Desktop, we'll need this later
Quote
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap][-HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
[-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}]
[-HKEY_CURRENT_USER\Software\mzs]
[-HKEY_CLASSES_ROOT\acpi.acpi.1]
[-HKEY_CLASSES_ROOT\acpi.ext]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tgbcde"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\tgbcde]
Make sure that Windows is set to Show Hidden Files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
And know how to start in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039\")
I'll be asking you to do this shortly
Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip (http://\"http://www.downloads.subratam.org/KillBox.zip\")
Unzip the files to the folder of your choice.
Disconnect from the Internet completely
Disable System Restore>>Right click my Computer---Left click Properties--
Open System Restore Tab--Check "Turn of System Restore"
Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"
C:\WINDOWS\autoclk.exe
C:\WINDOWS\YEA.REG
C:\WINDOWS\SYSTEM32\msvccc.exe.tcf
C:\WINDOWS\SYSTEM32\wdrk32.exe
C:\WINDOWS\system32\swwhost.exe
C:\WINDOWS\ahadp.exe
C:\WINDOWS\System32\dust.exe
C:\WINDOWS\SYSTEM32\CMSSCS.EXE
C:\WINDOWS\System32\ieupdate.exe
C:\WINDOWS\System32\ldrx32c.exe
C:\WINDOWS\System32\msnmsgrs.exe
C:\WINDOWS\System32\svc.exe
C:\WINDOWS\System32\svcshost.exe
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\ahadp.exe
C:\WINDOWS\LastGood\System32\setup.exe.tcf
C:\WINDOWS\SECURITY\templates\asa\asa.dbx
C:\WINDOWS\SECURITY\templates\asa\sman.dbx
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe1564.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe8278.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
C:\WINDOWS\tgbcde\module32.exe
C:\windows\system32\csmss32.exe
C:\Y.exe
C:\Z.exe
C:\WINDOWS\System32\winacpi.dll
C:\Windows\System32\mtwirl32.dll
C:\Windows\library32.dll
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
C:\WINDOWS\Downloaded Program Files\AdStatServX.dll
When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Reboot into SAFE MODE at this time
Go to START>>RUN>>type in
regedit
Navigate to these entries in the registry
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
Highlight LIST
On the right hand side look for any of these entries
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"
If you see them on the right hand side
Try right clicking on them
EG>>>C:\\WINDOWS\\tgbcde\\module32.exe
and choose DELETE
Navigate to these keys and do the same as above
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
Notice the differences are the ControlSet entries
Exit the Registry Editor
Double click on fix.reg you saved earlier to desktop and allow it to merge to the registry
Stay in safe mode
If you find these folders try and delete them
C:\WINDOWS\tgbcde <--this folder
C:\WINDOWS\EliteSideBar <--folder
C:\WINDOWS\SECURITY\templates\asa <--folder
C:\WINDOWS\Downloaded Program Files\CONFLICT <--let me know if these folders(controls) exist
Again, in safe mode
Run Windows CleanUp! one more time
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
In safe mode
Open Ad-Aware and Perform another full system scan
Removing all Critical objects
Restart back to Normal Mode
Re-enable System Restore
Open Up Hoster and let it create a New Host file
Restore original hosts
Run another scan with Kapersky's <<I mean eScan's MWAV
Copy and paste back here the results from the lower pane
Also post back a fresh Hijackthis log
Do what you can from the above, all if you can, run the scan again with Mwav
and post results and Post a fresh hijackthis log regardless of what you were able to accomplish
Could you also
Download ServiceFilter.zip (http://\"http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip\")
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
P.S I didn't mean for you to uninstall Outpost, it will just be effected by this
until we get you clean>>>Seeing that it is now uninstalled, leave it removed
for now
Post by: Guest on January 31, 2005, 05:15:43 PM
C:\WINDOWS\tgbcde NOT FOUND
C:\WINDOWS\EliteSideBar FOUND AND DELETED
C:\WINDOWS\SECURITY\templates\asa FOUND AND DELETED
C:\WINDOWS\Downloaded Program Files\CONFLICT NOT FOUND
DONE system cleanup
no critical errors found in AR-AWARE scan
just doing the escan/kapersky now, will post results back soon
Post by: guestolo on January 31, 2005, 05:21:46 PM
Quote
DONE system cleanup
You are talking about Windows CleanUp! by StevenGould (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Right?
Are you sending me this info from another computer?
Post by: irish-paddy on January 31, 2005, 05:52:49 PM
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Logfile of HijackThis v1.99.0
Scan saved at 22:47:06, on 31/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
heres the post_this
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 31, 2005 22:51:06
===> Begin Service Listing <===
Unknown Service #1
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Manual
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Running
Process ID: 1736
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{f79a1568-d6c5-4c69-a086-936cf52dbbe3}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
There are 84 Win32 services on this machine.
2 were unrecognized.
Script Execution Time: 17.29688 seconds.
sorry it took so long, and once again many thanks 4 all ur time and help!
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: irish-paddy on January 31, 2005, 05:58:08 PM
"windows explorer has encountered a problem" and had to close.
Post by: guestolo on January 31, 2005, 06:00:32 PM
It's not called System cleanup
Post by: irish-paddy on January 31, 2005, 06:20:49 PM
Post by: guestolo on January 31, 2005, 06:45:40 PM
Save this too a Notepad file on the desktop again
Disconnect from the Internet!!!!!!!
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll
When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Reboot into SAFE MODE at this time
Let me know if you can find any of these subfolders
Remember, you may have to Unhide Protected files and folders
from my instructions before
C:\WINDOWS\Downloaded Program Files\CONFLICT.9 <--folder
and the other CONFLICT. sub folders
Also look for those other files and delete them if they exist in your Temporary directory
EG
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif <--file
You should be able to also delete the subfolder
OT2JQP0H
Stay in safe mode and run Windows CleanUp! by Steve Gould again
Restart back to Normal mode
You should be able to Re-install OUTPOST
TRIAL or FREE version
When, and if you get that error messeage again
windows explorer has encountered a problem
Is that the whole error message
Go to
start -> control panel -> Administrative tools -> Events Viewer
on the Applications option, find any errors that occured after the last time this happened. If you expand event viewer wide enough, you will see an event column. Post any event numbers for the errors. If you double click the error, it will tell you what the error is and little info on that error.
Post back with a fresh Hijackthis log afterwards
Can you also navigate to this key in your registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Don't delete it!
Instead Highlight ModuleUsage
and then right click on it and EXPORT it
Name it and save it
Well your in the registry can you highlight this key
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls
On the right hand side you will see a long list
Let me know if you see any of these entries that look like this
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll
Exit out of the Registry editor
Navigate to where you save that EXPORT key
Right click on the entry you exported from the Registry and choose EDIT
Copy and paste the contents back here, thanks
Post by: Guest on January 31, 2005, 08:12:30 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: irish-paddy on January 31, 2005, 08:35:22 PM
/ph34r.gif\' class=\'bbc_emoticon\' alt=\':ph34r:\' /> C:\WINDOWS\Downloaded Program Files\CONFLICT.9 NOT FOUND
C:\WINDOWS\Downloaded Program Files\CONFLICT.9 NOT FOUND
BUT IN HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls I DID FIND ALOT OF THESE KINDA FILES
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/aucfg.ini]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.10/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.11/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.12/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.13/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.14/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.4/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.6/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.7/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.8/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.9/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravllio.vxd]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravonline.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravscan.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravupdt.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravupdt.ini]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/xscan53.ocx]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/loadhttp.dll]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/patchw32.dll]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/runtsckl.exe]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll]
".Owner"="Unknown Owner"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/tmupdate.ini]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
Post by: guestolo on January 31, 2005, 09:11:44 PM
But can you first make a Restore point
START>>All programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and Create
After that is done
Back in the Registry Editor
Navigate to this key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Expand (+) ModuleUsage
Still on the left hand side look for and left click to Highlight and right click and delete the entries that look like this
C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AdStatServX.dll]
and the one without Conflict in it
C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]
Also navigate to this key
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls
Left click to Highlight shareddlls
On the right hand side again left click once to Highlight and then right click and delete any entries that look like this
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll
and this one without "Conflict"
C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]
After that is done
RESTART your computer, if you can't delete any of those registry entries try in safe mode
Back in Windows
Can you open up that Registry tool you download earlier
Open up RegSrch.vbs
Copy and paste this in the dialog box:
AdStatServX.dll
Hit OK and post back the results
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Change the save as type to All Files
Name the file as Export.bat
Save this file on the desktop
Quote
regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
copy HKLMRun.txt + HKCURun.txt = Output.txt
del /q HKLMRun.txt
del /q HKCURun.txt
notepad Output.txt
del /q Output.txt
Double click on Export.bat
It will produce a log>>Output.txt
Can you copy and paste the Whole contents of the Output.txt back here too, thanks
and one more hijackthis log
Sorry to put you thru a lot, but you had many problems on your computer
Your first log indicated this....
I believe we almost got it all however, just some final cleanup
Post by: irish-paddy on February 01, 2005, 05:50:15 AM
still getting this msg
Messenger
Hidden process requests an outbound network connection
Process: C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
Launced by: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Outpost Firewall Pro should:
0 Allow network activity for this process according to application rules
0 Block network access for this process instance
! ..........................process can be controlled by another process and transmit private information.
just got this msg also
| Attack Detection Report x
attack was detected
attack type My address
IP Address localhost:loopback
other programs such as
"Syslog Daemon" and "diinfo"
is requesting an outbound network connection.
details c:\Program Files\TrojanHunter 4.1
----thsec.dll
i have just been blocking these. is this a bad thing that they're req outbound net. connection
1.deleted everything in the regestry.
2.No instances of "AdStatServX.dll" found in RegSrch.vbs
3.export.bat
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DiTask.exe"="\"C:\\Program Files\\Eicon\\Diva\\DiTask.exe\""
"Divamon.exe"="\"C:\\Program Files\\Eicon\\Diva\\Divamon.exe\""
"Eicon TechnologyLAN_DAEMON"="\"C:\\Program Files\\Eicon\\Diva\\watch.exe\""
"CGServer"="\"C:\\Program Files\\Eicon\\Diva\\cgserver.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.1\\THGuard.exe\""
"Outpost Firewall"="C:\\PROGRA~1\\Agnitum\\OUTPOS~1\\outpost.exe /waitservice"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
4.Hijackthis log
Logfile of HijackThis v1.99.0
Scan saved at 10:45:16, on 01/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
5. It should be me apologising for putting you thru all this. so sorry and thanks.
p.s. i have to go away here for a couple of days so i wont be on the internet or the computer till thursday. just post me back my next set of instructions and when i get back on thur ill get round to doing them.
cheers
/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />
Post by: guestolo on February 02, 2005, 04:59:50 PM
"Syslog Daemon" and "diinfo"
All seem to be related too
Quote
Name: [Eicon NetworksLAN_DAEMON or Eicon TechnologyL]Status: UShould be safe
File: watch.exe
Associated with an http://www.eicon.com/worldwide/default.htm (http://\"http://www.eicon.com/worldwide/default.htm\") Eicon Networks ISDN or ADSL modem. Watch protocols your connection with numbers and duration. You need callvu.exe (from Start Menu) to see your connection statistics. You can manually start watch.exe before you go online. Needs diinfo.exe (started by DiTask) to work correctly which can be started manually
http://castlecops.com/startuplist-1093.html (http://\"http://castlecops.com/startuplist-1093.html\")
Process: C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
You have Messenger running on startup
If you don't prefer to run on startup
Right click the MSN Messenger icon by the clock
Enter the options and disable on startup
I prefer to disable this on startup
There is also another Messenger service you should definitely disable if not done already
Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic
Do the same for Alerter
Both are not needed services
Can you try something for me please
Do another scan with Hijackthis and put a check next to these entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Enter your Control panel>>>Open NETWORK CONNECTIONS. Then right click on your default connection there and choose properties.
Then click on NETWORKING tab. Then click on INTERNET PROTOCOL. IN the window that comes up
Take note how you are set now
Then click on the obtain DNS SERVER ADDRESS automatically radio button, if not set this way already
Then click ok to close those windows.
RESTART your computer
Hold onto the backup made by hijackthis
If you have troubles, you can restore that backup with Hijackthis
and set your Internet Protocol like it was
If everything seems well with your network connection
Let's try one final scan with TDS-3
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\")
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
Launch TDS-3.You can run this in safe mode.... In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to freeze at times
Detections will appear in the lower pane of tds window after the scan is finished ( it'll take a while ) Right click the list> select save as txt.>> save this to a convienent location
After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
RESTART the computer
Post back another fresh hijackthis log and the scandump.txt and let me know how everythings running
Post by: irish-paddy on February 03, 2005, 05:38:23 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Hi guestolo. sorry it took so long to reply.Does that mean that these things requesting outbound net conn. r safe?
done everything,
Done a full system scan saved link http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\") to the directory and allowed it to overwrite. TDS-3 didnt come back with any results at all. take it this is a good thing.
heres my log.
Logfile of HijackThis v1.99.0
Scan saved at 22:29:56, on 03/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/ (http://\"http://www.mytalktalk.net/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post by: guestolo on February 03, 2005, 06:37:35 PM
User preference if you want to allow those Outbound traffic
The ones related too your DSL Modem you may want to allow
I suppose when and if you use MSN Messenger you will have to allow it access
If you don't need it running on startup, do as I said and disable it
When your times up with TrojanHunter be sure to disable TrojanGuard by the clock ahead of time and then uninstall it
Make sure you install Spyware Blaster and IE-Spyad
If everything's running better I would disable System Restore one last time and restart your computer and then re-enable it
Post by: irish-paddy on February 03, 2005, 07:50:46 PM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> cant believe everythings fixed!!!!!! /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> brilliant!Here remember the file "C:\78a710ce9dfe875110\sp2" that wouldnt let me access? take it thats no harm then.
Thanks 4 all ur help guestolo uve been absolutely great!!!!! If theres anything i can ever do for u just let me no. ill send u over sum irish spuds or sumfin
/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />
Post by: guestolo on February 03, 2005, 08:18:42 PM
What happens when you scan it at this Online Malware scan
Not sure if this will work, It sounds like part of the sdbot virus
Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/ (http://\"http://virusscan.jotti.dhs.org/\")
Use the Browse button at the top of that links page and navigate to this file
sp2.exe <--I'm assuming it has the .exe extension
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here
Also what version of Windows to you have PRO or HOME
If your unsure go to
START>>RUN>>type in winver
Hit OK
Post by: irish-paddy on February 04, 2005, 08:17:32 AM
i was selecting it and trying to upload it but it was just saying access is denied.
im using the windows home version xp.
i also scanned the folders with tds-3 and it found nothing
Post by: irish-paddy on February 04, 2005, 09:37:33 AM
im going to download winmx now, will this folder sp2 wont do any real harm will it? if u tell me how i can just delete it
Post by: irish-paddy on February 06, 2005, 03:23:17 PM
Post by: guestolo on February 06, 2005, 03:29:35 PM
No extension
Are you sure that your showing extensions for known file types?
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
You can try and take full control of it
Remember you will have to start in safe mode to see the Security tab
http://support.microsoft.com/default.aspx?...;308421&sd=tech (http://\"http://support.microsoft.com/default.aspx?scid=kb;en-us;308421&sd=tech\")
Post by: irish-paddy on February 06, 2005, 06:56:31 PM
/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' /> done what u said, there was a folder inside sp2 called update and a file in that folder called 'update.exe'done the online scanner thing and it said the file was fine.
also do u know how i can change my settings so my comp will allow me to access my Email Removed, after i type in my password it doesnt let me into my inbox or anything.
cheers
paddy
Post by: guestolo on February 07, 2005, 01:20:24 AM
You can also go back and hide hidden files and folders
Hotmail
Try this
In Internet Explorer, on the Tools menu, click Internet Options, and select the Content tab
Under Certificates, click Clear SSL State
Click OK when you receive the message that the SSL cache was successfully cleared
Under Personal information, click AutoComplete
Under Clear AutoComplete history, click Clear Forms. Click OK when you are prompted to confirm the operation.
Verify that Internet Explorer is configured to use SSL 2.0 and SSL 3.0:
In Internet Explorer, on the Tools menu, click Internet Options, and select the Advanced tab
In the Settings box, under the Security header, click to select the Use SSL 2.0 and Use SSL 3.0 check boxes (if they are not already selected), and then click OK
Or click the RESTORE DEFAULTS at the bottom of the Advanced box
Verify that the Date and Time Settings on Your Computer Are Correct:
Go to START>>RUN
type in
regsvr32 softpub.dll
Hit OK
Do this with all browser windows closed
Restart your computer
Visit windows updates and get ALL latest Critical updates
Don't install the recommended unless needed
Don't install Service pack 2 at this time
Restart your computer when prompted
Some more info
http://www.duxcw.com/faq/win/xp/secure.htm (http://\"http://www.duxcw.com/faq/win/xp/secure.htm\")
Post by: Guest on February 07, 2005, 02:39:55 PM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> cheers guestolo u fixed yet another problem. thankx
/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />
Post by: guestolo on February 07, 2005, 03:04:36 PM
What was the fix to your Hotmail problem?
Just for future reference
And may be of some help to others
Post by: Guest on February 08, 2005, 04:06:18 PM
Configure Security settings for the Trusted sites zone in IE: IE, Tools, Internet Options, Security tab, select Trusted sites, Default Level. Sites, enter the address (URL) of the site in the Add this Web site to the zone: box, Add, OK, Apply.
just followed those instructions there and it worked perfectly. cheers for all ur help guestolo
Post by: guestolo on February 08, 2005, 04:11:24 PM
I'm going to lock this Tennis match up
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> Stay safe