TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Ryugata on May 24, 2006, 12:40:18 AM
-
Yesterday, I got a virus warning on my computer so I ran ad-ware and it deleted most the 'harmful' files but a registry value or something didn't delete and I ran it over and over again but it's still there. On the comment column, it says "Shell Possibly Compromised" and I don't know what that is....
Can anyone help me with this like delete it or something?
:( It's very frustrating and it slows down my computer.
Thank you in advance.
-
From my signature below, download and save to a permanent folder of its own on your hard drive
Hijackthis 1.99.1
Open Hijackthis.exe
Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
Ok... it gave me this:
Logfile of HijackThis v1.99.1
Scan saved at 10:46:15 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\thgjnqkA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\PROGRA~1\COMMON~1\mrmi\mrmia.exe
c:\windows\system32\dwdsregt.exe
c:\SS1001.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\twinpqez.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [thgjnqkA] C:\WINDOWS\thgjnqkA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [{F6-6B-B6-6F-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [msoeacct] "C:\WINDOWS\system32\msoeacct.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [mfc42enu] "C:\WINDOWS\system32\mfc42enu.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [ieencode] "C:\WINDOWS\system32\ieencode.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\RunOnce: [Del41] cmd /c del C:\DOCUME~1\ngo\LOCALS~1\Temp\BundleInstall.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Startup: Z_Start.lnk = C:\ZIGID003.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\arsnt.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dzmstor.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thgjnqk.exe
-
You have a few problems on this computer
We should be able to clear it all however
Can you start with the following then we'll see where we stand
Can you download this tool please
LSPfix (http://www.cexx.org/lspfix.htm)
Save and extract to desktop
Don't run it yet, we'll need it later
Download the latest version of Look2Me-Remover.exe (http://www.atribune.org/ccount/click.php?id=7) by Atribune
and save it to your desktop
* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Back in Windows
Post back all the following please
Even if it takes more than one reply to do so
1. Post back a fresh hijackthis log
2. Post the report from Look2Me-Destroyer, which may be found on your desktop or at C:\Look2Me-Destroyer.txt
3. I would like to see a different log from Hijackthis, close and then reopen Hijackthis
Open the "Misc tools section">>Open the "Uninstall Manager">>Click the SAVE LIST button
Save the list to desktop then copy and paste back here the Whole contents please
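As an added example (this is not code from the thread, from HijackThis, or from any of the tools the helper names), the script below reads HijackThis-style log lines like the ones Ryugata posted and flags the entry classes that the helper's plan is built around: the extra programs appended to the system.ini Shell= and UserInit= values (the kind of entry behind Ad-Aware's "Shell Possibly Compromised" warning), Winsock LSP entries that have to be repaired with an LSP tool rather than by deleting the DLL (the reason LSPfix is downloaded before anything else), per-interface DNS servers, Winlogon Notify and AppInit_DLLs loaders, services with no publisher, and Run entries whose executable sits in the root of the drive. The sample log is constructed from lines quoted from the log above; the stock Shell=/UserInit= values and the severity labels are assumptions made for illustration, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted earlier in this
# thread (raw string, so backslashes are literal, including the doubled one in
# "C:\\defender22.exe" exactly as the log shows it).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B933694-63E1-4135-82D1-1858031918E2}: NameServer = 69.19.189.116 66.81.0.252
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dzmstor.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\thgjnqk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "F2" or "O10"
    severity: str  # "high", "medium" or "low" (illustrative labels, an assumption)
    detail: str    # what the entry does and why it was flagged


SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Stock values of the system.ini Shell= and UserInit= keys on a default Windows XP
# install (assumption: Windows lives in C:\WINDOWS). Anything appended after them is
# an extra program started at every logon.
STOCK = {"shell": {"explorer.exe"}, "userinit": {r"c:\windows\system32\userinit.exe"}}


def triage_line(line: str):
    """Classify one log line; returns a Finding, or None for lines that need no attention."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "F2":  # REG:system.ini: Shell=... / UserInit=...
        key, _, value = body.partition("=")
        name = key.rsplit(" ", 1)[-1].lower()
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e.lower() not in STOCK.get(name, set())]
        return Finding(sec, "high", f"{name}= starts extra program(s) at logon: {', '.join(extra)}") if extra else None

    if sec == "O4":  # Run keys: flag dead entries and executables sitting in a drive root
        r = RUN_RE.search(body)
        if not r:
            return None
        if "(file missing)" in r.group("cmd"):
            return Finding(sec, "low", f"[{r.group('name')}] points at a missing file (dead entry)")
        e = EXE_RE.match(r.group("cmd"))
        if e and DRIVE_ROOT_RE.match(e.group("exe").replace("\\\\", "\\")):
            return Finding(sec, "medium", f"[{r.group('name')}] runs an executable from the drive root: {e.group('exe')}")
        return None

    if sec == "O10":  # Winsock LSP chain: removing the DLL by hand leaves networking broken
        if body.startswith("Hijacked Internet access"):
            return Finding(sec, "high", body + " (LSP chain altered; repair with an LSP tool, not by deleting files)")
        if body.startswith("Unknown file in Winsock LSP"):
            return Finding(sec, "medium", body + " (deleting the DLL alone leaves a broken LSP chain)")
        return None

    if sec == "O17":  # per-interface DNS servers
        return Finding(sec, "medium", "NameServer = " + " ".join(IP_RE.findall(body)) + " (confirm these are the ISP/DHCP servers)")

    if sec == "O20":  # AppInit_DLLs and Winlogon Notify DLLs are loaded into every process / at logon
        return Finding(sec, "high", body)

    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "medium", body + " (service with no publisher)")

    return None


def triage_log(text: str):
    """Triage a whole log, dropping exact repeats (the LSP chain lists one DLL many times)."""
    seen, out = set(), []
    for line in text.splitlines():
        f = triage_line(line)
        if f and f not in seen:
            seen.add(f)
            out.append(f)
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda f: (rank[f.severity], f.section))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<4} {f.detail}")
```

Run it as-is to see the nine findings from the sample; point `triage_log` at a saved HijackThis log to triage a real one. The script only reports, it never changes the registry or deletes files, which matches the helper's "don't try and fix anything yet" instruction: the O10 lines in particular are the ones where a removal done without an LSP tool costs the Internet connection.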
-
Hey, if this is any help, I had something like that. I went into safe mode and then deleted it and it worked (safe mode: push F8 at system start-up, then choose Safe Mode).
-
[quote name='guestolo' post='125736' date='May 25 2006, 07:37 AM']You have a few problems on this computer
[...]
Save the list to desktop then copy and paste back here the Whole contents please[/quote]
Ok, for some reason, Look2me isn't responding. I did what you instructed and it froze when I clicked "Run this program as a task"
:(
-
Go to START>>RUN>>copy and paste the following command and then hit OK
sc start schedule
Then try the instructions again please with Look2me-destroyer
-
Nup, it's still not responding.... =__=
-
That's OK, it's probably other malware interfering with the fix
Can you please post that uninstall list from Hijackthis please
We'll pick away at your problems till we have them all eliminated
:)
-
[quote name='Run35c4p3H4ck3r' post='125797' date='May 25 2006, 09:50 AM']Hey, if this is any help, I had something like that. I went into safe mode and then deleted it and it worked (safe mode: push F8 at system start-up, then choose Safe Mode).[/quote]
Thanks, I tried that but it didn't work D;
-
Ryugata, are you with me on this
:unsure:
I need to see that list from Hijackthis
open Hijackthis
Open the "Misc tools section">>Open the "Uninstall Manager">>Click the SAVE LIST button
Save the list to desktop then copy and paste back here the Whole contents please
Run35c4p3H4ck3r>>Stay out of this thread unless you have something useful to add
Ryugata
If you want to stop what we are about to do, let me know, so we don't waste each others time
-
^__^
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Illustrator CS
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AIM+ (remove only)
Anti-Leech Plugin for Internet Explorer
AOL Instant Messenger
ArcSoft Camera Suite 1.3
BitTornado 0.3.8
Brother MFL Pro Suite
CC_ccStart
ccCommon
CDisplay 1.8
C-Media WDM Audio Driver
Command
Creative WebCam Center
Creative WebCam Live! Pro Driver (1.01.01.1011)
Creative WebCam Live! Pro User's Guide (English)
DivX
DivX Player
Enhanced Ads by Zeno removal
Get Yahoo! Messenger
GSpot Codec Information Appliance
Hijackthis 1.99.1
HijackThis 1.99.1
ICQ Toolbar
ICQ 5
IE Help
InterActual Player
InterVideo WinDVD Recorder 5
Java 2 Runtime Environment Standard Edition v1.3.1_04
KC Softwares VideoInspector
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
LJ.NET
LrcEdit 1.0
Macromedia Flash Player 8
Macromedia Shockwave Player
Mario Forever v 2.16 !
Media Access
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (1.5)
MP30x Tools1.0
MSN
MSN Messenger 7.5
MSRedist
Nero OEM
Network Monitor
New.net Domains 7.22
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
PaperPort 8.0 SE
RadLight 4 BETA 1 (remove only)
RealPlayer
RelevantKnowledge
S3 S3Chromo
S3 S3Config3D
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
S3 S3RefreshLock
S3 S3TrayPlus
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Snowball Wars by OIN
Spybot - Search & Destroy 1.3
SpyHunter
Surf SideKick
Symantec Script Blocking Installer
SymNet
Synapse Media Player
TrustSiteX 1.0 Control
TSA
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VobSub v2.23 (Remove Only)
Web Nexus Network
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Install Manager
Yahoo! Messenger
YSIGet
Zeno Search Assistant removal
-
Some of the problems you have are going to need special tools
Others may remove easily
Can you do the following please
A couple of entries in your log may cause a loss of Internet connection if improperly removed
I know you have LSP fix, but can I also have you download and save to your desktop
Winsockfix XP (http://www.majorgeeks.com/download4372.html)
Don't run it, just leave it there in case we need it
Access your add/remove programs
Remove all the following please, IF you can
If you can't remove something, just carry on
Reboot after you have removed all that you can from the list I posted below
Command
Enhanced Ads by Zeno removal
Media Access
Network Monitor
New.net Domains 7.22
RelevantKnowledge
Surf SideKick
TSA
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Nexus Network
Windows Overlay Components
Zeno Search Assistant removal
After you have removed the above, or any of the above you can
Finally, remove
Spybot - Search & Destroy 1.3
Spybot is a great program, but your version is outdated, we'll get you the latest version later
Finally, reboot the computer
Back in Windows
Try and run Look2Me-Destroyer again with the instructions I gave earlier
If it won't run, that's fine
If it will run Post the log from it please
Along with a fresh hijackthis log
If Look2me-destroyer still won't run, can you do the following
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
[color="red"]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.[/color]
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
-
YAY! Look2Me is running~ OK I got everything out except "Command"
Here are the lists:
Look2Me log:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 5/25/2006 7:23:11 PM
Infected! C:\WINDOWS\system32\arsnt.dll
Infected! C:\WINDOWS\system32\dzmstor.dll
Infected! C:\WINDOWS\system32\arsnt.dll
Infected! C:\WINDOWS\system32\dzmstor.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\arsnt.dll
C:\WINDOWS\system32\arsnt.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dzmstor.dll
C:\WINDOWS\system32\dzmstor.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\arsnt.dll
C:\WINDOWS\system32\arsnt.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dzmstor.dll
C:\WINDOWS\system32\dzmstor.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A7E0209B-5E89-4238-A94A-34616BA3CBD6}"
HKCR\Clsid\{A7E0209B-5E89-4238-A94A-34616BA3CBD6}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6953E308-BD96-4820-A323-FD7462417385}"
HKCR\Clsid\{6953E308-BD96-4820-A323-FD7462417385}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
The Hijackthis list:
Logfile of HijackThis v1.99.1
Scan saved at 7:31:14 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\defender22.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [msoeacct] "C:\WINDOWS\system32\msoeacct.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [mfc42enu] "C:\WINDOWS\system32\mfc42enu.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [ieencode] "C:\WINDOWS\system32\ieencode.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thank you so much for helping me. I really appreciate it :3
-
Good work
Onto the next step, I want to ensure we get you totally clean
So stick with me until we are completely done please
Please download [color="red"]Brute Force Uninstaller[/color] (http://www.merijn.org/files/bfu.zip) to your desktop. (Right-click on this link and choose "Save As"; if using IE, "Save Target As".)
- Right-click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
- Download [color="red"]qoofix.bat[/color] (http://downloads.subratam.org/Lon/qooFix.bat) (right-click on this link and choose "Save As"; if using IE, "Save Target As")
- Place qoofix.bat in your C:\BFU folder. [color="#FF0000"](Important!)[/color]
- Double-click qooFix.bat and close all browsers and Explorer folders.
- Choose option 1 (Qoolfix autofix) and follow the prompts.
- Please be patient, it will take about five minutes.
- After the PC has restarted please post another hijackthis log.
-
New list:
Logfile of HijackThis v1.99.1
Scan saved at 8:14:47 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\bmdv\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\defender22.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32097-45512001.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\XPAgent.exe
C:\WINDOWS\system32\kbdth3.exe
C:\WINDOWS\system32\msvbvm50.exe
C:\WINDOWS\system32\ntvdmd.exe
C:\WINDOWS\system32\hotplug.exe
C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\twinpqez.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [netmsg] "C:\WINDOWS\system32\netmsg.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Next step: Let's get you that updated Spybot and a couple other tools
But first
[color="#CC0000"]RIGHT CLICK HERE[/color] (http://metallica.geekstogo.com/alcanshorty.bfu)
and choose "Save As" (in IE it's "Save Target As") in order to download [color="#3333FF"]Alcanshorty.bfu[/color].
Save it in the folder you made earlier (C:\BFU)
So you now have C:\Bfu\alcanshorty.bfu
==Download and install Windows CleanUp! 4.5.1 (http://www.stevengould.org/downloads/cleanup/CleanUp451.exe)
Don't run this yet
Download and Install Spybot 1.4 from
HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Close it as we will need it later
NOTE: If you get a bad checksum error when updating, try a different download location from the top dropdown menubar
==Download and then Install
Ewido anti-malware 3.5 (http://www.ewido.net/en/download/)
When installing, under "Additional Options" UNCHECK
"Install background guard"
"Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/
Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!
If you have trouble getting into safe mode, let me know; if you don't have any problems, carry on with the below
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
NOTE: When you first run cleanup, it may prompt to run in demo mode, decline it as we want to run the actual cleanup on your computer
When it's done>>Click Close
DECLINE to Log off or Restart the computer
=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to "Scriptfile to execute")
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.
==Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
Remain in safe mode
==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted
Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all below may show, but put a check beside the ones that you see from the below list
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
If you didn't manually add these entries to your trusted zones, check them too
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
Carry on with these ones if found
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
After you have ticked the above entries, close all other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot back to Normal mode
I need to see the following
1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido
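An added triage helper for this thread (constructed here; it is neither the helper's own method nor part of HijackThis): it applies the checks made by hand above to lines copied from the first log, flagging Winlogon Shell/UserInit entries that load an extra executable (the "Shell Possibly Compromised" finding), entries whose file is missing, Run keys pointing at the drive root, trusted-zone additions, non-Microsoft ActiveX downloads and services with an unknown owner. The EXPECTED_WINLOGON values and the microsoft.com allow-list are assumptions for a clean Windows XP install.

```python
"""Triage of HijackThis 1.99-style log lines (constructed example for this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed known-good Winlogon values on Windows XP. Anything else after the comma is
# a foreign executable started at every logon: the F2 lines in the first log.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}
# Assumed allow-list for O16 (ActiveX download) hosts; extend from your own baseline.
TRUSTED_DPF_SUFFIXES = ("microsoft.com",)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _norm(path: str) -> str:
    # Forum rendering doubled the root backslash (C:\\defender22.exe); collapse it.
    return path.replace("\\\\", "\\").strip().lower()


def _first_token(command: str) -> str:
    # Executable part of a Run-key command, with or without surrounding quotes.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an entry worth an analyst's attention, else None."""
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "F2":
        # F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
        key, _, value = body.partition("=")
        expected = EXPECTED_WINLOGON.get(key.rsplit(":", 1)[-1].strip().lower())
        if expected is None:
            return None
        extra = [v for v in (_norm(p) for p in value.split(",")) if v and v not in expected]
        return Finding(section, f"Winlogon also loads {extra}", line) if extra else None

    if "(file missing)" in body or "(no file)" in body:
        return Finding(section, "entry points at a file that no longer exists", line)

    if section == "O4" and "]" in body:
        # O4 - HKLM\..\Run: [defender] C:\\defender22.exe
        path = _norm(_first_token(body.split("]", 1)[1]))
        if re.match(r"^[a-z]:\\[^\\]+\.exe$", path):
            return Finding(section, "autostart executable sits in the drive root", line)
        return None

    if section == "O15":
        return Finding(section, "trusted-zone addition; confirm it was made deliberately", line)

    if section == "O16":
        host = re.search(r"https?://([^/\s]+)", body)
        if host and not host.group(1).lower().endswith(TRUSTED_DPF_SUFFIXES):
            return Finding(section, f"ActiveX download from {host.group(1)}", line)
        return None

    if section == "O23" and "Unknown owner" in body:
        return Finding(section, "service binary carries no publisher information", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Lines copied from the first log in this thread (constructed sample input).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrnie.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,umumpar.exe
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Findings are leads, not verdicts: the Brother service in the log is also "Unknown owner" and was rightly left alone, so compare each hit against a known-good baseline before fixing anything.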
-
[quote name=\'guestolo\' post=\'126167\' date=\'May 25 2006, 09:44 PM\']Next step: Let's get you that updated Spybot and a couple other tools
But first
[color=\"#CC0000\"]RIGHT CLICK HERE[/color] (http://\"http://metallica.geekstogo.com/alcanshorty.bfu\")
and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"#3333FF\"]Alcanshorty.bfu[/color].
Save it in the folder you made earlier (C:\BFU)
So you now have C:\Bfu\alcanshorty.bfu
==Download and install Windows CleanUp! 4.5.1 (http://\"http://www.stevengould.org/downloads/cleanup/CleanUp451.exe\")
Don't run this yet
Download and Install Spybot 1.4 from
HERE (http://\"http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button\")
or HERE (http://\"http://www.safer-networking.org/en/download/index.html\")
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Close it as we will need it later
NOTE: If you get a bad checksum error when updating, try a different download location from the top dropdown menubar
==Download and then Install
Ewido anti-malware 3.5 (http://\"http://www.ewido.net/en/download/\")
When installing, under "Additional Options" UNCHECK
"Install background guard"
"Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Please manually update from this link
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!
If you have trouble getting into safe mode, let me know, if you don't have any problems carry on with the below
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
NOTE: When you first run cleanup, it may prompt to run in demo mode, decline it as we want to run the actual cleanup on your computer
When it's done>>Click Close
DECLINE to Log off or Restart the computer
=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.
==Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED
Remain in safe mode
==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted
Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all below may show, but put a check beside the ones that you see from the below list
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {30848B2D-18F3-4DAE-8C1A-6DFD7503DDDA} - \
O2 - BHO: (no name) - {7F82BC50-AB36-41CE-899E-A22084FCCA87} - \
O2 - BHO: (no name) - {AFAADE19-A460-E700-9A96-FABD204885D2} - C:\Program Files\cdmagent\knerdlxewb.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [defender] C:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard22.exe
O4 - HKLM\..\Run: [newname] C:\\newname22.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\twinpqez.exe GID003
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPAgent] C:\WINDOWS\system32\XPAgent.exe
O4 - HKCU\..\Run: [kbdth3] "C:\WINDOWS\system32\kbdth3.exe"
O4 - HKCU\..\Run: [icaapi] "C:\WINDOWS\system32\icaapi.exe"
O4 - HKCU\..\Run: [untfs] "C:\WINDOWS\system32\untfs.exe"
O4 - HKCU\..\Run: [wmstream] "C:\WINDOWS\system32\wmstream.exe"
O4 - HKCU\..\Run: [encdec] "C:\WINDOWS\system32\encdec.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [msvbvm50] C:\WINDOWS\system32\msvbvm50.exe
O4 - HKCU\..\Run: [ntvdmd] C:\WINDOWS\system32\ntvdmd.exe
O4 - HKCU\..\Run: [hotplug] C:\WINDOWS\system32\hotplug.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [mrmi] C:\PROGRA~1\COMMON~1\mrmi\mrmim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinpqez.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
If you didn't manually add these entries to your trusted zones, check them too
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
Carry on with these ones if found
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab (http://\"http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab\")
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot back to Normal mode
I need to see the following
1. Run a Scan and save logfile with Hijackthis and post a fresh log
2. Post the whole report from Ewido's
I'm sorry this is taking so long but my computer is really lagging right now. For the cleanup! part, will it delete all the files on my computer?
-
Hijackthis list:
Logfile of HijackThis v1.99.1
Scan saved at 12:15:24 AM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
And the Ewido's list:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 12:03:27 AM, 5/26/2006
+ Report-Checksum: 4DB4B078
+ Scan result:
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
C:\bintheredunthat\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\ngo\atl70.exe -> Downloader.Agent.am : Cleaned with backup
C:\Documents and Settings\ngo\dpnhupnp.exe -> Downloader.Agent.am : Cleaned with backup
C:\Documents and Settings\ngo\expsrv.exe -> Downloader.Small : Cleaned with backup
C:\Documents and Settings\ngo\My Documents\Downloads\Fastmp3_Setup.exe -> Downloader.Agent.am : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Amazing CD & DVD Burner\Partner\installer_NPS.exe -> Downloader.Adload.a : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Common Files\Оracle\alg.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\Program Files\se -> Adware.WindowEnhancer : Cleaned with backup
C:\Program Files\se\Data -> Adware.WindowEnhancer : Cleaned with backup
C:\Program Files\se\Data\app.dat -> Adware.WindowEnhancer : Cleaned with backup
C:\Program Files\se\Data\bm.dat -> Adware.WindowEnhancer : Cleaned with backup
C:\Program Files\se\v11 -> Adware.WindowEnhancer : Cleaned with backup
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned with backup
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\bmdv\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\bmdv\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\catsrvut.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\diskcopy.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\system32\encdec.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\expsrv.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\system32\fmifs.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\hid.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\hnetwiz.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\icaapi.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\ieakeng.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\ifsutil.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\ir50_qcx.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\jit.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\kbdth3.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\mfc42enu.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\MSAgentXP.exe -> Downloader.Reqlook.c : Cleaned with backup
C:\WINDOWS\system32\msftedit.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\msoeacct.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\msvcp70.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\mtxlegih.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\netmsg.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\ntmsdba.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\pautoenr.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\rasmans.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\sfcfiles.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\sqlwoa.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\srvsvc.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\sysinv.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\system32\test.bmp -> Downloader.Reqlook.d : Cleaned with backup
C:\WINDOWS\system32\twnlib20.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\untfs.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\vbajet32.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\wiaservc.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\wmstream.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\wshisn.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\wshtcpip.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\XPAgent.exe -> Downloader.Agent.acr : Cleaned with backup
C:\WINDOWS\system32\xvidcore.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\xvidvfw.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\win32097-45512001.exe -> Adware.Enbrow : Cleaned with backup
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
-
Looking good, still a bit of cleanup to do
Go to START>>RUN>>copy and paste the next command into the open field then hit OK
sc delete cmdService
Can you do the following please
Do a "Scan only" with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [test1] C:\WINDOWS\system32\test1.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Left click to Highlight Command if found and click the Delete This Entry button
Ok the prompt
Exit Hijackthis
Your Java is way out of date, we need to update it
Access your add/remove programs and remove
Java 2 Runtime Environment Standard Edition v1.3.1_04
Afterwards, go to the following link to update Java
http://www.java.com/en/download/manual.jsp
I find the Windows OFFLINE installation the best
Save the installer to desktop
Double click to install, follow the prompts
Use Internet Explorer and go to this website
Panda ActiveScan: http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest
Before running the online virus scan, you may want to disable Norton's autoprotect
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on MyComputer to start the scan.
When the scan is complete
click See Report, then click Save Report and save it to your Desktop.
Reboot the computer
Come back here
Post a fresh hijackthis log and the whole report from Panda's please
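The helper's reading of the log above can be turned into a small triage script. This is an added example, not part of the thread and not HijackThis's own code: it encodes the rules of thumb used in this thread as heuristics (O4 Run entries launching from the profile root, the Windows folder, system32 or an 8.3 short path; O9 buttons whose file is missing; wildcard O15 Trusted Zones; O16 downloads from unexpected hosts; O23 services with no owner). The allowlists are assumptions, and the sample log lines are constructed from entries posted in this thread.

```python
"""Heuristic triage of HijackThis 1.99.1 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlists, not from the thread: autostarts that legitimately run out
# of system32, and hosts whose ActiveX (O16) downloads were expected on this PC.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "acs.pandasoftware.com"}
FIX = "tick it in a HijackThis scan and click Fix Checked"

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?)(?: \(([^)]+)\))? - (.+?) - (.+)$")
PATH_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll|scr|pif|com))', re.IGNORECASE)

# Constructed sample: lines of the kind posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [win32097-45512001] C:\WINDOWS\win32097-45512001.exe
O4 - HKCU\..\Run: [expsrv] "C:\Documents and Settings\ngo\expsrv.exe"
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Waio] "C:\PROGRA~1\COMMON~1\RACLE~1\alg.exe" -vt yazr
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.kcp.co.kr
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAcc...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\bmdv\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag ("O4", "O23", ...)
    subject: str  # Run-key name, service name, zone URL or DPF CLSID
    reason: str   # why the entry deserves a human look
    action: str   # what the helper in the thread would have the user do


def service_delete_command(service_name: str) -> str:
    """The command the helper used once the service binary was gone."""
    return f"sc delete {service_name}"


def run_target(command: str) -> Optional[str]:
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    m = PATH_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None


def check_o4(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, command = m.groups()
    path = run_target(command)
    if path is None or "\\" not in path:
        return None  # bare names such as VTTimer.exe resolve via PATH; not judged here
    folder, _, exe = path.lower().rpartition("\\")
    if re.fullmatch(r"c:\\documents and settings\\[^\\]+", folder):
        why = "executable autostarts from the user profile root"
    elif folder == "c:\\windows":
        why = "executable autostarts from the Windows folder itself"
    elif folder.endswith("\\system32") and exe not in KNOWN_SYSTEM32_AUTOSTARTS:
        why = "unfamiliar executable autostarting from system32"
    elif "~" in path:
        why = "8.3 short-name path hides the real folder; resolve it and verify"
    else:
        return None
    return Finding("O4", f"{hive} [{name}]", why, FIX)


def check_o9(line: str) -> Optional[Finding]:
    if line.startswith("O9 - ") and "(file missing)" in line:
        subject = line.split(" - ", 2)[1]
        return Finding("O9", subject, "button points at a file that no longer exists", FIX)
    return None


def check_o15(line: str) -> Optional[Finding]:
    prefix = "O15 - Trusted Zone: "
    if line.startswith(prefix):
        return Finding("O15", line[len(prefix):], "site runs with relaxed IE security",
                       "ask whether the user added it on purpose; fix it otherwise")
    return None


def check_o16(line: str) -> Optional[Finding]:
    if not line.startswith("O16 - DPF: "):
        return None
    clsid, url = line.split()[3], line.rsplit(" - ", 1)[1]
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DPF_HOSTS:
        return None
    return Finding("O16", clsid, f"ActiveX control was downloaded from {host}", FIX)


def check_o23(line: str) -> Optional[Finding]:
    m = O23_RE.match(line)
    if not m:
        return None
    display, short, owner, path = m.groups()
    name = short or display  # one name shown when display and service name coincide (assumption)
    if owner == "Unknown owner":
        return Finding("O23", name, f"service has no vendor information and runs {path}",
                       f"verify the file; once it is gone, run: {service_delete_command(name)}")
    return None


CHECKS = (check_o4, check_o9, check_o15, check_o16, check_o23)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips a heuristic (first match wins)."""
    findings = []
    for raw in log_text.splitlines():
        for check in CHECKS:
            found = check(raw.strip())
            if found:
                findings.append(found)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.subject:<42}{f.reason}\n    -> {f.action}")
```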
-
Ok the report from Panda:
Incident Status Location
Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/spywareno Not disinfected c:\windows\system32\sysmon.exe
Adware:adware/portalscan Not disinfected c:\program files\common files\Slmss
Adware:adware/novo Not disinfected c:\program files\cdmagent
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:Adware/Deskwizz Not disinfected C:\bintheredunthat\VSL02.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\cookies.txt[.fastclick.net/]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[²èÇ]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exul.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][angelex.exe]
Hacktool:HackTool/SRunner.B Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][instsrv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[ahadp.exe][msexreg.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][bargains.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][adv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][adx.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[adp8035_NPS.exe][²èÇ]
Adware:Adware/Exact.SearchBar Not disinfected C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe[exclean.exe]
Virus:JS/Clicker.JS Disinfected C:\Program Files\cdmagent\knerdlxewb.log
Virus:Trj/Clicker.QE Disinfected C:\Program Files\Common Files\simtest\sysstall.exe
Adware:Adware/PurityScan Not disinfected C:\Trelew.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\bmdv\vAxS.vbs
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\drsmartload815a.exe
Virus:Trj/Downloader.IUB Disinfected C:\WINDOWS\system32\msvbvm50.exe
Virus:Trj/Downloader.IUB Disinfected C:\WINDOWS\system32\ntvdmd.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL03.exe[VSL.dl_]
And a new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:53 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-
Find and delete the following files or folders in bold
Exact file or folder names in the correct locations please
FILES
C:\Trelew.exe
C:\WINDOWS\pf78.exe
c:\windows\system32\atmtd.dll
c:\windows\system32\MYDLL.dll
c:\windows\system32\sysmon.exe
C:\Program Files\Amazing CD & DVD Burner\Partner\package_adp_NPS.exe
C:\Program Files\Common Files\simtest\sysstall.exe
C:\WINDOWS\system32\drsmartload815a.exe
C:\WINDOWS\system32\VSL03.exe
FOLDERS
c:\program files\common files\Slmss
C:\WINDOWS\bmdv
C:\bintheredunthat
c:\program files\Lycos
Reboot the computer
Come back here and let me know how things are running and if you were able to remove all of the above
Did you manually add these entries to your trusted zones, or do you trust the sites?
O15 - Trusted Zone: http://*.kcp.co.kr
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
O15 - Trusted Zone: http://*.telec.co.kr
O15 - Trusted Zone: http://*.vpay.co.kr
-
My computer is running like normal now
Thank you so much for your help! Oh, and there were 2 things I didn't see:
C:\Program Files\Common Files\simtest\sysstall.exe
and
C:\WINDOWS\bmdv
About those sites, I added just these:
O15 - Trusted Zone: http://*.morningglory.co.kr
O15 - Trusted Zone: http://*.mybizmall.co.kr
I don't know where the others came from but I deleted them all in the "Trusted Sites" in IE. Are they harmful or something?
-
I don't know where the others came from but I deleted them all in the "Trusted Sites" in IE. Are they harmful or something?
Not sure; that's why I asked if you recognized them or added them manually. If not, you did the right thing and removed them
If I knew them as bad, I would have had you fix them right away
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Look for that folder and files and remove if found
Folder
C:\WINDOWS\bmdv
Files
C:\Program Files\Common Files\simtest\sysstall.exe
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\test1.exe
You can then go back and rehide hidden files and folders
I would leave Hide Extensions for known file types unchecked however
If everything is running better
We should flush all your restore points to ensure you don't restore any nasties that may be sitting idle
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
You don't want to run more than one AV on your computer
But getting a second opinion from an Online scanner every couple months is not a bad idea
You can use Panda's or any of the others in my signature below
Update and do scans with your Anti-Spyware programs on a regular basis
In addition: Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update
+I would opt to hold onto CleanUp! and Ewido
Ewido will become a limited free version after a couple of weeks
Still, a great scanner to update and run on a monthly basis
If you haven't run the Disk Defragmenter on your computer in some time, now would be a good time
START>>All Programs>>Accessories>>System Tools>>Disk Defragmenter
Let it run uninterrupted
I find it best run in safe mode
Stay safe
-
THANK YOU VERY MUCH FOR YOUR HELP!!
I'm so glad I found this forum. You're very good at this ^^
Thank you for everything, I'll try to keep my computer safe now
-
You're welcome
If your version of Symantec's doesn't have a Firewall
Can you
Access your Windows control panel and double check to make sure the Windows built in Firewall is running please
I'll lock this topic as your problems appear resolved
Take care