TheTechGuide Forum
General Category => Tech Clinic => Topic started by: dmac5586 on February 14, 2006, 10:16:23 AM
-
is this where you post HJT log files?
I have run Spyware Doctor but it doesn't seem to fix it.....
Logfile of HijackThis v1.99.1
Scan saved at 10:09:08 AM, on 2/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gan Ning\Desktop\New Folder\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\jkkjg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6055DDC0-97C3-44C6-8BDB-CDCDA3571EDC}: NameServer = 208.27.113.151 208.25.241.60
O20 - Winlogon Notify: chpcsrtu - C:\WINDOWS\SYSTEM32\chpcsrtu.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\System32\jkkjg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
-
Can you do the following please
I see no Anti-virus protection on this computer and you're way behind on windows updates
We'll have to do something about that or you're going to get worse infections than you have right now
Let's do this first
The first step, at minimum, make sure that the XP firewall is running and enabled
The link will explain how to enable it
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx
When that's done
I need you to disable Spyware Doctor's realtime protections so it won't interfere in anything we are trying
Please leave them disabled until we are sure you are clean
To deactivate Spyware Doctor's OnGuard Tools
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".
Afterwards:
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
- Double-click VundoFix.exe to run it.
- Put a check next to Run VundoFix as a task.
- You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
- When VundoFix re-opens, click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
-
here is the hjt......
Logfile of HijackThis v1.99.1
Scan saved at 10:47:28 AM, on 2/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gan Ning\Desktop\VundoFix.exe
C:\Documents and Settings\Gan Ning\Desktop\New Folder\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6055DDC0-97C3-44C6-8BDB-CDCDA3571EDC}: NameServer = 208.27.113.151 208.25.241.60
O20 - Winlogon Notify: chpcsrtu - C:\WINDOWS\SYSTEM32\chpcsrtu.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
and here is the vundo...
VundoFix V4.2.22
Scan started at 10:39:30 AM 2/14/2006
Listing files found while scanning....
C:\WINDOWS\System32\jkkjg.dll
C:\WINDOWS\System32\gjkkj.ini
C:\WINDOWS\System32\gjkkj.bak1
C:\WINDOWS\System32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\jkkjg.dll
VundoFix V4.2.22
Scan started at 10:43:55 AM 2/14/2006
Listing files found while scanning....
C:\WINDOWS\System32\jkkjg.dll
C:\WINDOWS\System32\gjkkj.ini
C:\WINDOWS\System32\gjkkj.bak1
C:\WINDOWS\System32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\jkkjg.dll
Attempting to delete C:\WINDOWS\System32\jkkjg.dll
C:\WINDOWS\System32\jkkjg.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\gjkkj.ini
C:\WINDOWS\System32\gjkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\gjkkj.bak1
C:\WINDOWS\System32\gjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\gjkkj.bak2
C:\WINDOWS\System32\gjkkj.bak2 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V4.2.22
Scan started at 10:46:24 AM 2/14/2006
Listing files found while scanning....
No infected files were found.
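An added triage helper, not part of this thread, that automates the two checks the helper did by eye on the logs above: flagging O20 Winlogon Notify and O2 BHO entries whose System32 DLL has a random-looking name (chpcsrtu, jkkjg), and matching the Vundo/Virtumonde pattern in the VundoFix listing where a DLL's reversed name turns up as .ini/.bak companions (jkkjg.dll with gjkkj.ini). The KNOWN_NOTIFY allowlist is an assumption (a partial list of XP's own notify packages), and the sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis v1.99 logs and VundoFix file listings (illustration only)."""
import ntpath
import re

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumption: partial allowlist of Winlogon Notify packages that ship with Windows XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
SYSTEM32 = "c:\\windows\\system32\\"

def stem(path):
    """Lower-case file name without extension: 'C:\\WINDOWS\\System32\\jkkjg.dll' -> 'jkkjg'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def looks_random(name):
    """Heuristic for generated names: all letters, 5-10 long, fewer than a quarter vowels."""
    n = name.lower()
    if not n.isalpha() or not 5 <= len(n) <= 10:
        return False
    return sum(c in "aeiouy" for c in n) / len(n) < 0.25

def triage_hjt(log_text):
    """Return (severity, line) findings for O20 and O2 entries pointing into System32."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path")
            if key.lower() not in KNOWN_NOTIFY and path.lower().startswith(SYSTEM32):
                findings.append(("high" if looks_random(key) else "review", line))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").lower().startswith(SYSTEM32) and looks_random(stem(m.group("path"))):
            findings.append(("high", line))
    return findings

def vundo_pairs(paths):
    """Map each DLL to the files whose stem is the DLL's stem reversed (Virtumonde naming)."""
    by_stem = {}
    for p in paths:
        by_stem.setdefault(stem(p), set()).add(p.lower())
    pairs = {}
    for p in paths:
        if p.lower().endswith(".dll"):
            companions = by_stem.get(stem(p)[::-1], set())
            if companions:
                pairs.setdefault(p.lower(), set()).update(companions)
    return pairs

# Constructed samples: lines copied from the HijackThis log and VundoFix listing in this thread.
SAMPLE_HJT = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\jkkjg.dll
O20 - Winlogon Notify: chpcsrtu - C:\WINDOWS\SYSTEM32\chpcsrtu.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\System32\jkkjg.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\SYSTEM32\cscdll.dll
"""
SAMPLE_VUNDOFIX = [
    r"C:\WINDOWS\System32\jkkjg.dll", r"C:\WINDOWS\System32\gjkkj.ini",
    r"C:\WINDOWS\System32\gjkkj.bak1", r"C:\WINDOWS\system32\gjkkj.bak2",
]

if __name__ == "__main__":
    for sev, line in triage_hjt(SAMPLE_HJT):
        print(f"[{sev}] {line}")
    for dll, companions in vundo_pairs(SAMPLE_VUNDOFIX).items():
        print(f"Vundo pattern: {dll} <-> {sorted(companions)}")
```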
-
Can you do the following please
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Can you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard disk
It's a legit file, I just want to make sure it's OK <--Sorry, it's not legit, that was a bad copy and paste
C:\WINDOWS\SYSTEM32\chpcsrtu.dll <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
-
yea, it's something.....
File: chpcsrtu.dll
Status:
INFECTED/MALWARE
MD5 180c5a3e358ff32e884869edbeb13fa6
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Crypt.o
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
-
Can you do the following please
==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
==Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe).
* Save it to your desktop
Please save these instructions to a Notepad file and save it to your Desktop for reference
Leave the instructions open in notepad
Close down all browser windows, including this one
Run Killbox.exe
Select the radio button to "Replace on Reboot"
additionally, tick the "Use Dummy" box
In the full "Full Path of File to Delete"
Copy and paste the below line in bold
C:\WINDOWS\SYSTEM32\chpcsrtu.dll
Click the Red Circle with the White X
Killbox should prompt that it will be replaced on reboot
Allow to reboot now
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
==Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
=Do a "System scan only" with Hijackthis and put a check next to these entries:
This O20 may look different, but fix the O20 line regardless of what it reads
O20 - Winlogon Notify: chpcsrtu - C:\WINDOWS\SYSTEM32\chpcsrtu.dll
After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Post back all the following
1. Run a "Scan and Save logfile" with Hijackthis and post the fresh log
2. Post the whole report you saved earlier from Ewido's
-
here is the ewido thing.....
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:25:19 PM, 2/14/2006
+ Report-Checksum: BA3F2781
+ Scan result:
HKLM\SOFTWARE\VGroup -> Adware.SAHA : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\salm -> Adware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\salm -> Adware.180Solutions : Cleaned with backup
C:\clogs.exe -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies-1.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Gan Ning\Application Data\Mozilla\Firefox\Profiles\1vomw1jd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Gan Ning\Cookies\gan [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Gan Ning\Cookies\gan ning@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Gan Ning\Cookies\gan ning@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Gan Ning\Cookies\gan ning@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Gan Ning\Cookies\gan ning@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060202-212056-250.dll -> Trojan.Crypt.o : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060202-213054-926.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060202-213144-804.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060202-213249-314.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060209-202712-235.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060212-180209-260.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060213-221428-848.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Desktop\New Folder\backups\backup-20060213-221442-814.dll -> Adware.Virtumonde : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temp\jfgudk.exe -> Downloader.IstBar.or : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temp\nein.exe -> Downloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temp\resD.tmp -> Adware.180Solutions : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temp\setup4030.cab/liqp7c25q_.dll -> Adware.Sahat : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\MR29K5Y5\1[1].bin -> Downloader.Small.bue : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\MR29K5Y5\inst_0004[1].exe -> Downloader.Small.cam : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\MR29K5Y5\nein[1].exe -> Downloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\MR29K5Y5\newfrn[1].exe -> Hijacker.VB.is : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\UPUWB19C\installerus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Gan Ning\Local Settings\Temporary Internet Files\Content.IE5\UXTKFVZA\ltndload[1].dll -> Adware.Sud : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6IWP119O\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6IWP119O\toolbar3[1].cab/IExploreSkins.exe -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6IWP119O\toolbar3[1].cab/TBPS.exe -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PWJFSGKU\clogs[1].rar -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PWJFSGKU\stubinstaller6282[1].exe -> Downloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\installerus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\inst_0004.exe -> Downloader.Small.cam : Cleaned with backup
C:\SystemGuard.exe/1.html -> Hijacker.Linker.j : Cleaned with backup
C:\SystemGuard.exe/ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\1.html -> Hijacker.Linker.j : Cleaned with backup
C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\aim.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\MsLS32.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\mspath.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\newfrn.exe -> Hijacker.VB.is : Cleaned with backup
C:\WINDOWS\ss.exe -> Trojan.LowZones.d : Cleaned with backup
C:\WINDOWS\system32\0ky00ol4.dll -> Adware.Sud : Cleaned with backup
C:\WINDOWS\system32\attyfjgl.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\system32\pi1_58.exe -> Downloader.Small.bue : Cleaned with backup
C:\WINDOWS\system32\rpcdlt.exe -> Logger.VB.eh : Cleaned with backup
C:\WINDOWS\Temp\Del1.tmp -> Downloader.Small.asf : Cleaned with backup
C:\WINDOWS\Temp\mit2.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Temp\mit2.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Temp\NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Temp\setup4030.cab/liqp7c25q_.dll -> Adware.Sahat : Cleaned with backup
C:\WINDOWS\tsecure.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\winfixer\WinFixer2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
::Report End
and here is the hjt...
Logfile of HijackThis v1.99.1
Scan saved at 1:33:48 PM, on 2/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gan Ning\Desktop\New Folder\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6055DDC0-97C3-44C6-8BDB-CDCDA3571EDC}: NameServer = 208.27.113.151 208.25.241.60
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
-
It's important to get windows security updates on your computer
Can you go to this link
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx
Download and Install Service Pack 1a for Windows
Follow the prompts
This may take some time to update
Afterwards, reboot when prompted
Open Internet Explorer and click on TOOLS>>Windows updates
Go to Windows updates and install all other Critical (High Priority) updates
Keep revisiting until you have them all>>Excluding SP2 and Optionals
DO NOT install Service pack 2 at this time, we must make sure your system is completely clean and clear of malware
Afterwards, come back here and post a fresh hijackthis log
We'll go from there, but you must get those updates from Windows or you will be in big trouble in the future
If you have trouble reaching windows updates or downloading the updates
One or more bad guys may have changed registry settings, we'll deal with it later
-
Since the user has not returned, this topic is locked