Can't get Spybot to remove Command Service



Itoao
2007-01-01, 19:27
Even when running Spybot in safe mode, it cannot clear the Command Service. There are always 2 or 3 registry entries that it cannot clear.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:17 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{54D74892-0AEA-1033-1108-040416200001}\Update.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hetyfjn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll (file missing)
O4 - HKLM\..\Run: [{54D74892-0AEA-1033-1108-040416200001}] "C:\Program Files\Common Files\{54D74892-0AEA-1033-1108-040416200001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [{54D74892-0AE9-1033-1108-040416200001}] "C:\Program Files\Common Files\{54D74892-0AE9-1033-1108-040416200001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinroed.exe GEN001
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregm.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinroed.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - AppInit_DLLs: imclfkcb.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\aediosrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
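
A triage pass over the HijackThis log above, added here as an example for this thread (it is not part of HijackThis, Spybot or ComboFix): it parses the posted lines and flags the extra programs hung off the Winlogon Shell and UserInit values, Run entries that point at a bare file name or a file dropped in C:\, the AppInit_DLLs loader, hooks whose file is already missing, and the svchosts.exe lookalike. The clean Winlogon baseline, the list of core binaries and the 0.9 similarity threshold are assumptions.

```python
"""Triage a HijackThis 1.99 log for the persistence hijacks seen in this thread.

Added example for the thread above; it is not part of HijackThis, Spybot or
ComboFix. Baseline values and the lookalike threshold are assumptions.
"""
import difflib
import re
from dataclasses import dataclass
from typing import List

# Subset of the HijackThis log posted above (constructed sample input).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hetyfjn.exe
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll (file missing)
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O20 - AppInit_DLLs: imclfkcb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
""".strip()

@dataclass
class Finding:
    section: str  # HijackThis section code: R3, F2, O4, O20, O23, ...
    reason: str
    line: str

# What HijackThis shows for these Winlogon values on a clean Windows XP box
# (assumed baseline); anything listed after them is an extra program.
CLEAN_VALUES = {"shell": "explorer.exe",
                "userinit": r"c:\windows\system32\userinit.exe"}
# Core binaries whose names adware imitates (assumed list); svchosts.exe is a near miss.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "userinit.exe")
_SECTION = re.compile(r"([RFO]\d+) - ")
_F2_VALUE = re.compile(r"system\.ini: (?P<key>\w+)=(?P<value>.*)$")
_O4_TARGET = re.compile(r'\] "?(?P<target>.+?\.exe)', re.IGNORECASE)
_EXE_NAME = re.compile(r"[\w-]+\.exe", re.IGNORECASE)

def looks_like_system_binary(basename: str) -> bool:
    """True when basename nearly matches, but is not, a core Windows binary."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(difflib.SequenceMatcher(None, name, real).ratio() >= 0.9
               for real in SYSTEM_BINARIES)

def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious indicator, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if not m:
            continue  # header, process list or blank line
        section, low = m.group(1), line.lower()
        # A hook whose DLL/EXE is gone is still a loading point to clean up.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(section, "target file missing: orphaned hook", line))
        if section == "F2":
            fv = _F2_VALUE.search(line)
            expected = CLEAN_VALUES.get(fv.group("key").lower()) if fv else None
            if expected:
                parts = [p.strip().lower() for p in fv.group("value").split(",")]
                extras = [p for p in parts if p and p != expected]
                if extras:
                    findings.append(Finding(section, f"extra {fv.group('key')} program: "
                                            + ", ".join(extras), line))
        elif section == "O4":
            t = _O4_TARGET.search(line)
            if t:
                target = t.group("target").replace("\\\\", "\\")
                if "\\" not in target:
                    findings.append(Finding(section, "bare file name resolved via PATH", line))
                elif re.match(r"^[A-Za-z]:\\[^\\]+$", target):
                    findings.append(Finding(section, "executable dropped in drive root", line))
        elif section == "O20" and low.startswith("o20 - appinit_dlls:"):
            findings.append(Finding(section, "AppInit_DLLs loads a DLL into every GUI process", line))
        for exe in _EXE_NAME.findall(line):
            if looks_like_system_binary(exe):
                findings.append(Finding(section, f"system-binary lookalike name: {exe}", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```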

Itoao
2007-01-01, 19:30
Panda Software ActiveScan log:

Incident Status Location

Adware:Adware/Maxifiles Not disinfected c:\program files\common files\{54d74892-0aea-1033-1108-040416200001}\update.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{54D74892-0AEA-1033-1108-040416200001}\System.dll
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\lgvrlly.dll
Adware:Adware/NewAds Not disinfected C:\WINDOWS\system32\imclfkcb.dll
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Stephanie Johnson\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Stephanie Johnson\Desktop\Click to Find and Fix Errors.url
Adware:adware/commad Not disinfected Windows Registry
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e34.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e37.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e37.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e41.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e44.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e45.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e53.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e53.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e58.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e58.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e59.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e59.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e63.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\deskbar_e63.exe[deskbar.exe][deskbar.dll]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.findwhat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\LocalService\Cookies\system@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\LocalService\Cookies\system@atwola[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ccbill[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\LocalService\Cookies\system@did-it[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[2].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\LocalService\Cookies\system@www48.seeq[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@atwola[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@belnk[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@cgi-bin[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@drivecleaner[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@searchportal.information[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@www.winantivirus[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@2o7[2].txt

Itoao
2007-01-01, 19:32
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@belnk[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@c.goclick[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@searchportal.information[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Stephanie Johnson\Cookies\stephanie johnson@com[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Stephanie Johnson\Cookies\stephanie johnson@searchportal.information[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Stephanie Johnson\Cookies\stephanie johnson@www.drivecleaner[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix\Process.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Stephanie Johnson\install.exe
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\Stephanie Johnson\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Stephanie Johnson\Local Settings\Temp\b116.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Stephanie Johnson\Local Settings\Temporary Internet Files\Content.IE5\9K4711WP\116[1].net
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\steve$\Cookies\steve$@ad.yieldmanager[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\steve$\Cookies\steve$@kmpads[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tre\Cookies\tre@atwola[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@atwola[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@errorsafe[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@searchportal.information[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@stats1.reliablestats[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\Cookies\tre@www.errorsafe[1].txt
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\nsf7.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Tre\Local Settings\Temp\nsu53.tmp\nsProcess.dll
Adware:Adware/DollarRevenue Not disinfected C:\nwnmff_e44.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{34D74892-0AE9-1033-1108-040416200001}\Bar888.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{34D74892-0AE9-1033-1108-040416200001}\UnInstall.exe

Itoao
2007-01-01, 19:33
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{54D74892-0AE9-1033-1108-040416200001}\system.dll
Spyware:Cookie/Searchportal Not disinfected C:\Program Files\EarthLink 5.0\1qtstef@earthlink.net\Cookies\stephanie johnson@searchportal.information[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Program Files\EarthLink 5.0\EarthLink stef9999@earthlink.net\Cookies\stephanie johnson@atwola[2].txt
Adware:Adware/Mirar Not disinfected C:\WINDOWS\876056.exe
Adware:Adware/Popper Not disinfected C:\WINDOWS\jbjmmla.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvwbbpaon.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\install.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\lwkug.dat
Adware:Adware/Startpage.JY Not disinfected C:\WINDOWS\system32\tbiu5xkb.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\Temp\mit7F.tmp[NNBar_VCSetup_876056.exe]
Adware:Adware/Mirar Not disinfected C:\WINDOWS\Temp\mit7F.tmp.cab[NNBar_VCSetup_876056.exe]
Adware:Adware/Mirar Not disinfected C:\WINDOWS\Temp\NNBar_VCSetup_876056.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsa74.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nscD3.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsd140.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsdCC.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsh1AC.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsj67.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nspCD.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsr67.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsr83.tmp\nsProcess.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\nsrCF.tmp\nsProcess.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\U3RlcGhhbmllIEpvaG5zb24\oal5w311vA55KHDSu3cWvZb.vbs

I think I need to go into the registry and delete the keys; however, I wanted to check first to see if that's necessary.
Thanks in advance.

Mr_JAk3
2007-01-05, 07:00
Hi Itoao and welcome to the Forums :)

Sorry for the long wait....

OK, you got a nice collection of pests there.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Itoao
2007-01-05, 08:50
Thanks for the reply. I ran it and here is the log.
Stephanie Johnson - 07-01-05 2:26:07.50 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Stephanie Johnson\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{CB5FFFB5-0310-4D8E-AF24-3F922F7CA1B6}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CB5FFFB5-0310-4D8E-AF24-3F922F7CA1B6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{CB5FFFB5-0310-4D8E-AF24-3F922F7CA1B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CB5FFFB5-0310-4D8E-AF24-3F922F7CA1B6}\InprocServer32]
@="C:\\WINDOWS\\system32\\gakrsrc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FC8FFB50-956A-4FCC-942D-F121394F8DA1}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FC8FFB50-956A-4FCC-942D-F121394F8DA1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FC8FFB50-956A-4FCC-942D-F121394F8DA1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FC8FFB50-956A-4FCC-942D-F121394F8DA1}\InprocServer32]
@="C:\\WINDOWS\\system32\\IbtelCci.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{4D142B5C-B8C0-48D1-B0AC-420A866ECA08}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4D142B5C-B8C0-48D1-B0AC-420A866ECA08}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{4D142B5C-B8C0-48D1-B0AC-420A866ECA08}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4D142B5C-B8C0-48D1-B0AC-420A866ECA08}\InprocServer32]
@="C:\\WINDOWS\\system32\\irxsap.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{5087BC54-70AA-4C0F-876E-1C0A1BD0D071}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{5087BC54-70AA-4C0F-876E-1C0A1BD0D071}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{5087BC54-70AA-4C0F-876E-1C0A1BD0D071}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5087BC54-70AA-4C0F-876E-1C0A1BD0D071}\InprocServer32]
@="C:\\WINDOWS\\system32\\aediosrv.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\FYVRUD.EXE
O4 - HKLM\...\Run C:\WINDOWS\system32\fyvrud.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\vimvu.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\FYVRUD.EXE
C:\WINDOWS\system32\lgvrlly.dll
C:\WINDOWS\system32\hetyfjn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgisb.exe
C:\WINDOWS\eucxl.dll
C:\WINDOWS\system32\lwkug.dat
C:\WINDOWS\system32\vimvu.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07-01-04 16:25 361 eucxl.dll.qoo
06-11-10 09:36 53 vpbnne.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\steve$\Application Data\Sskcwrd.dll
C:\Documents and Settings\steve$\Application Data\Sskdmns.dll
C:\Documents and Settings\steve$\Application Data\Sskknwrd.dll
C:\Documents and Settings\steve$\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Stephanie Johnson\Application Data\Dxccwrd.dll
C:\Documents and Settings\Stephanie Johnson\Application Data\Dxcdmns.dll
C:\Documents and Settings\Stephanie Johnson\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Stephanie Johnson\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Tre\Application Data\Dxccwrd.dll
C:\Documents and Settings\Tre\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Tre\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar_e34.exe
C:\deskbar_e37.exe
C:\deskbar_e41.exe
C:\deskbar_e44.exe
C:\deskbar_e45.exe
C:\deskbar_e53.exe
C:\deskbar_e58.exe
C:\deskbar_e59.exe
C:\deskbar_e63.exe
C:\nwnmff_e33.exe
C:\nwnmff_e41.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\WinNB58.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\cmfibula
C:\Program Files\outlook
C:\Program Files\windows
C:\Program Files\Common Files\{34D74892-0AE9-1033-1108-040416200001}
C:\Program Files\Common Files\{34D74892-0AEA-1033-1108-040416200001}
C:\Program Files\Common Files\{54D74892-0AE9-1033-1108-040416200001}
C:\Program Files\Common Files\{54D74892-0AEA-1033-1108-040416200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Stephanie Johnson\Application Data\YSTEM~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\WINDOWS\system32\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))


2007-01-05 02:43 24 --a------ C:\WINDOWS\eucxl.dll
2007-01-04 16:21 56,432 --a------ C:\WINDOWS\system32\drivers\ADSFilter.sys
2007-01-04 16:21 <DIR> d-------- C:\Program Files\Common Files\EarthLink
2007-01-04 16:20 <DIR> d-------- C:\Program Files\EarthLink
2006-12-31 18:24 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-31 17:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-31 11:43 <DIR> d-------- C:\Program Files\hijackthis
2006-12-30 21:46 4,760 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-30 18:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-30 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-30 18:39 184,450 --a------ C:\WINDOWS\system32\mwinroed.exe
2006-12-30 18:14 65,536 --a------ C:\WINDOWS\system32\ASE.dll
2006-12-30 18:14 65,536 --a------ C:\WINDOWS\system32\AluriaReg.dll
2006-12-30 18:14 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2006-12-30 18:14 119,808 --a------ C:\WINDOWS\system32\Msstdfmt.dll
2006-12-30 18:14 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-12-30 18:14 <DIR> d-------- C:\Program Files\Common Files\Command Software
2006-12-30 15:40 93,509 --a------ C:\Documents and Settings\Stephanie Johnson\install.exe
2006-12-30 15:00 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2006-12-30 15:00 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2006-12-30 15:00 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2006-12-30 15:00 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2006-12-27 08:41 <DIR> d-------- C:\Documents and Settings\Stephanie Johnson\Application Data\ądobe
2006-12-27 08:40 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2006-12-27 08:40 184,390 --a------ C:\WINDOWS\system32\swinrped.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-05 02:43 -------- d-a------ C:\Program Files\Common Files
2007-01-04 16:21 -------- d---s---- C:\Documents and Settings\Stephanie Johnson\Application Data\Microsoft
2006-12-31 20:37 -------- d-------- C:\Program Files\Internet Explorer
2006-12-31 18:43 -------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2006-12-31 18:43 -------- d-------- C:\Program Files\ComPlus Applications
2006-12-31 18:24 -------- d-------- C:\Documents and Settings\Stephanie Johnson\Application Data\Lavasoft
2006-12-31 18:01 -------- d-------- C:\Program Files\TClock
2006-12-30 17:32 -------- d-------- C:\Program Files\McAfee.com
2006-12-30 16:27 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-12-30 16:27 -------- d-------- C:\Program Files\MSN
2006-12-30 16:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-30 16:05 -------- d-------- C:\Program Files\iPod
2006-12-30 15:12 2 --a------ C:\WINDOWS\system32\wnstssv.exe
2006-12-29 12:32 93509 --a------ C:\WINDOWS\system32\install.exe
2006-12-27 08:58 -------- d-------- C:\Program Files\Outlook Express
2006-12-27 08:58 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-18 16:52 204 --a------ C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
2006-11-18 16:51 32768 --a------ C:\WINDOWS\system32\dr.exe
2006-11-18 13:43 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-16 14:55 -------- d-------- C:\Program Files\Microsoft Agent
2006-11-16 14:16 -------- d-------- C:\Program Files\NoAdware4
2006-11-15 16:58 1067 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-11-10 09:37 8704 --a------ C:\WINDOWS\pvfUninstall.exe
2006-11-10 09:36 430080 --a------ C:\windows_e53.exe
2006-11-10 09:36 383488 --a------ C:\ac3_0003.exe
2006-11-08 08:10 143360 --a------ C:\yz02.exe
2006-11-08 08:09 434176 --a------ C:\mpnaaq7.exe
2006-11-08 08:09 28672 --a------ C:\WINDOWS\system32\gcij1cu.exe
2006-11-08 08:09 24576 --a------ C:\WINDOWS\system32\ilxeoss3d.exe
2006-11-08 02:52 24576 --a------ C:\WINDOWS\system32\tbiu5xkb.exe
2006-11-08 02:52 1122304 --a------ C:\WINDOWS\system32\rnnypbw.exe
2006-11-08 02:51 135168 --a------ C:\WINDOWS\system32\e0pnii5i6.exe
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-06 07:47 69632 --a------ C:\WINDOWS\system32\imclfkcb.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-25 13:04 16384 --a------ C:\mc44a37.exe
2006-10-23 11:00 1259 --a------ C:\WINDOWS\system32\zla0b171.sys
2006-10-19 17:29 658432 --a------ C:\WINDOWS\is-DFC6A.exe
2006-10-19 17:09 704 --a--c--- C:\Documents and Settings\Stephanie Johnson\Application Data\update.log
2006-10-19 13:30 51712 --------- C:\WINDOWS\system32\lgvrlly.dll
2006-10-19 13:30 45056 --a------ C:\WINDOWS\jbjmmla.exe
2006-10-19 13:30 28672 --a------ C:\WINDOWS\system32drei.exe
2006-10-19 13:30 28672 --a------ C:\WINDOWS\system32\vimvu.exe
2006-10-19 13:30 28672 --a------ C:\WINDOWS\system32\lkyaekrrr.exe
2006-10-19 13:30 28672 --a------ C:\WINDOWS\system32\drei.exe
2006-10-19 13:30 24576 --a------ C:\WINDOWS\system32vypqj.exe
2006-10-19 13:30 24576 --a------ C:\WINDOWS\system32\vypqj.exe
2006-10-19 13:30 183478 --a------ C:\WINDOWS\srvwbbpaon.exe
2006-10-19 13:30 127488 --a------ C:\WINDOWS\system32\FYVRUD.EXE
2006-10-19 13:30 0 --a--c--- C:\WINDOWS\system32uaw5wah6a.exe
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-06 17:11 65536 --a------ C:\WINDOWS\system32\Winwcd.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"bnhkv"="C:\\WINDOWS\\system32\\fyvrud.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{54D74892-0AEA-1033-1108-040416200001}"="\"C:\\Program Files\\Common Files\\{54D74892-0AEA-1033-1108-040416200001}\\Update.exe\" mc-110-12-0000137"
"{54D74892-0AE9-1033-1108-040416200001}"="\"C:\\Program Files\\Common Files\\{54D74892-0AE9-1033-1108-040416200001}\\Update.exe\" mc-110-12-0000137"
"windows"="C:\\\\windows_e58.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"OSCD_Creator"="c:\\Dell\\PreODM.EXE"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ConMgr.exe"="\"C:\\Program Files\\EarthLink 5.0\\ConMgr.exe\""
"Earthlink Protection Control Center"="C:\\Program Files\\EarthLink\\Protection Control Center\\elnk_pcc.exe /scan"
"fqajub"="C:\\WINDOWS\\system32\\fyvrud.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OSCD_Creator"="C:\\Dell\\PreODM.EXE /2"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]
"backup"="C:\\WINDOWS\\pss\\EarthLink ToolBar 5.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EARTHL~1.0\\etoolbar.exe "
"item"="EarthLink ToolBar 5.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (1) (STEPHANIE-Stephanie Johnson).job

Completion time: 07-01-05 2:44:11.48
C:\ComboFix.txt ... 07-01-05 02:44

I also have the EarthLink Protection Center and it keeps saying it has found the virus LGVRLLY.DLL W32/Downloader.skh, but it does not remove it.

Mr_JAk3
2007-01-05, 19:57
Hi again, we'll continue :)

You seem to have this SpywareBot software installed. It has a suspicious reputation and I recommend that you remove it via Control Panel, Add/Remove Programs. More info here (http://spywarewarrior.com/rogue_anti-spyware.htm)
This is the folder to delete: C:\Program Files\SpywareBot
This is the line to fix with HijackThis: O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Same applies to this NoAdware4.
This is the folder to delete: C:\Program Files\NoAdware4

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==================

Disable bad services
Start
Run
Type services.msc into the field and press Enter.
A window opens, scroll down to COM+ Messages
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; COM+ Messages
Answer Yes
Close HijackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 lines too if you haven't locked Internet Explorer settings with e.g. Spybot.
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hetyfjn.exe
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll (file missing)
O4 - HKLM\..\Run: [{54D74892-0AEA-1033-1108-040416200001}] "C:\Program Files\Common Files\{54D74892-0AEA-1033-1108-040416200001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [{54D74892-0AE9-1033-1108-040416200001}] "C:\Program Files\Common Files\{54D74892-0AE9-1033-1108-040416200001}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinroed.exe GEN001
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregm.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinroed.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - AppInit_DLLs: imclfkcb.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\aediosrv.dll (file missing)

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\eucxl.dll
C:\WINDOWS\system32\mwinroed.exe
C:\Documents and Settings\Stephanie Johnson\install.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\swinrped.exe
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
C:\WINDOWS\system32\dr.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\pvfUninstall.exe
C:\windows_e53.exe
C:\ac3_0003.exe
C:\yz02.exe
C:\mpnaaq7.exe
C:\WINDOWS\system32\gcij1cu.exe
C:\WINDOWS\system32\ilxeoss3d.exe
C:\WINDOWS\system32\tbiu5xkb.exe
C:\WINDOWS\system32\rnnypbw.exe
C:\WINDOWS\system32\e0pnii5i6.exe
C:\WINDOWS\system32\imclfkcb.dll
C:\mc44a37.exe
C:\WINDOWS\system32\zla0b171.sys
C:\WINDOWS\is-DFC6A.exe
C:\WINDOWS\system32\lgvrlly.dll
C:\WINDOWS\jbjmmla.exe
C:\WINDOWS\system32drei.exe
C:\WINDOWS\system32\vimvu.exe
C:\WINDOWS\system32\lkyaekrrr.exe
C:\WINDOWS\system32\drei.exe
C:\WINDOWS\system32vypqj.exe
C:\WINDOWS\system32\vypqj.exe
C:\WINDOWS\srvwbbpaon.exe
C:\WINDOWS\system32\FYVRUD.EXE
C:\WINDOWS\system32uaw5wah6a.exe
C:\WINDOWS\system32\Winwcd.dll
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\aediosrv.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Please remove the following folder:
C:\Documents and Settings\Stephanie Johnson\Application Data\ądobe (notice the odd "ą"!)

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
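
A small triage script that follows the reasoning in the instructions above (the F2 Shell/UserInit and O20 AppInit_DLLs/Winlogon Notify lines are the load points to fix), added here as an example and not part of the thread or of any tool it names. It parses HijackThis-style lines and flags values that differ from a stock Windows XP setup; the sample lines are constructed from entries quoted in this thread, and the function names are my own.

```python
"""Triage of Winlogon load points in a HijackThis log.

Constructed example (not part of the thread): the F2 Shell/UserInit and O20
AppInit_DLLs / Winlogon Notify lines are the entries the helper above singles
out.  On a stock Windows XP install Shell is exactly "Explorer.exe", UserInit
is a single system32\\userinit.exe followed by a trailing comma, and
AppInit_DLLs is empty, so anything beyond that is worth a second look.
"""
import re

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK[LC][MU]\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
USERINIT_RE = re.compile(r"(?i)[a-z]:\\windows\\system32\\userinit\.exe")

# Sample lines modelled on the logs quoted in this thread (constructed input).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hetyfjn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O20 - AppInit_DLLs: imclfkcb.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\aediosrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
"""


def split_values(raw):
    """Split a comma-separated Winlogon value and drop the empty trailing slot
    that the stock UserInit value ("...userinit.exe,") carries."""
    parts = [p.strip() for p in raw.split(",")]
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def check_line(line):
    """Return a list of (reason, offending_value) findings for one log line."""
    findings = []
    m = F2_RE.match(line)
    if m:
        key, values = m.group(1), split_values(m.group(2))
        if key == "Shell":
            # Anything chained after Explorer.exe is launched at every logon.
            for v in values:
                if v.lower() != "explorer.exe":
                    findings.append(("extra Shell entry", v))
        else:
            # UserInit must be the real userinit.exe and nothing else.
            if not values or USERINIT_RE.fullmatch(values[0]) is None:
                findings.append(("UserInit not system32\\userinit.exe", m.group(2)))
            for v in values[1:]:
                findings.append(("extra UserInit entry", v))
        return findings
    m = O20_APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is empty on a clean XP box; each DLL listed loads into
        # every process that links user32.dll.
        for v in split_values(m.group(1)):
            findings.append(("AppInit_DLLs entry", v))
        return findings
    m = O20_NOTIFY_RE.match(line)
    if m:
        # A Notify package whose DLL is gone is a leftover to clean up.
        if "(file missing)" in m.group(2):
            findings.append(("Winlogon Notify with missing DLL", m.group(1)))
        return findings
    m = O4_RE.match(line)
    if m:
        # A bare file name in a Run key is resolved via the search path.
        command = m.group(3).strip().strip('"')
        if "\\" not in command.split(" ")[0]:
            findings.append(("Run entry with bare file name", command))
    return findings


def triage(log_text):
    """Run check_line over every line; return [(line, reason, value), ...]."""
    report = []
    for line in log_text.splitlines():
        for reason, value in check_line(line.rstrip()):
            report.append((line, reason, value))
    return report


if __name__ == "__main__":
    for line, reason, value in triage(SAMPLE_LOG):
        print(f"{reason:40} {value}")
```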

Itoao
2007-01-05, 23:53
Here is the new HijackThis log. I think I may have done something incorrectly. I ran Killbox then rebooted directly into safe mode. Was I supposed to run Killbox, reboot normally, then reboot into safe mode? Other than that your instructions were excellent. I was just confused by that step.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:42:56 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hetyfjn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Itoao
2007-01-05, 23:54
Here is the AVG log:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:35:00 PM 1/5/2007

+ Scan result:



C:\!KillBox\imclfkcb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\Tre\Local Settings\Temp\Temporary Internet Files\Content.IE5\OH6FG1M3\cmfibula[1].exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
C:\!KillBox\ac3_0003.exe -> Adware.DollarRevenu : Cleaned with backup (quarantined).
C:\!KillBox\mpnaaq7.exe -> Adware.DollarRevenu : Cleaned with backup (quarantined).
C:\!KillBox\install.exe -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\!KillBox\install.exe( 4) -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\!KillBox\yz02.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\876056.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\!KillBox\drei.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\!KillBox\system32drei.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\!KillBox\lkyaekrrr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\!KillBox\rnnypbw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\!KillBox\mwinroed.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\!KillBox\swinrped.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\!KillBox\mc44a37.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\!KillBox\windows_e53.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\!KillBox\( 1) -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\!KillBox\( 2) -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\!KillBox\( 3) -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lwkug.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1092] C:\WINDOWS\system32\lgvrlly.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Documents and Settings\Tre\Local Settings\Temp\Temporary Internet Files\Content.IE5\45YV416J\loader[1].exe -> Downloader.VB.afl : Cleaned with backup (quarantined).
C:\!KillBox\dr.exe -> Downloader.VB.aqb : Cleaned with backup (quarantined).
C:\!KillBox\jbjmmla.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Program Files\MSN Gaming Zone\pojo.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\MSN\megewu.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.27:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.29:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.28:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.14:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.21:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.20:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stephanielj24@earthlink.net\Cookies\stephanie johnson@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Program Files\EarthLink 5.0\1qtstef@earthlink.net\Cookies\stephanie johnson@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Program Files\EarthLink 5.0\EarthLink stef9999@earthlink.net\Cookies\stephanie johnson@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.19:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Program Files\EarthLink 5.0\1qtstef@earthlink.net\Cookies\stephanie johnson@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.22:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
:mozilla.16:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.17:C:\Documents and Settings\LocalService\Application Data\Netscape\NSB\Profiles\kvxw8jq7.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\EarthLink 5.0\EarthLink stef9999@earthlink.net\Cookies\stephanie johnson@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Stephanie Johnson\Application Data\Earthlink\6.0\stef9999@earthlink.net\Cookies\stephanie johnson@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\!KillBox\ilxeoss3d.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\!KillBox\system32vypqj.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\!KillBox\tbiu5xkb.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\!KillBox\vypqj.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\!KillBox\wnstssv.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\U3RlcGhhbmllIEpvaG5zb24\oal5w311vA55KHDSu3cWvZb.vbs -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

Mr_JAk3
2007-01-06, 08:56
Hi, looks much better but we still have work to do.
Killbox seems to have deleted the files correctly :)

Please download Qoofix by RubbeR DuckY from one of the following locations:

http://www.malwarebytes.org/Qoofix.zip or
http://www.besttechie.net/tools/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files to and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.


Finally post a new Hijack This log and the contents of the Qoofix logfile.

:bigthumb:

Itoao
2007-01-06, 09:23
OK, here is the new log:
I am thinking about going to the Malware University in your signature. I am an A+ Certified Tech and this would be great info to have so I can help others and help myself.
Logfile of HijackThis v1.99.1
Scan saved at 3:18:35 AM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Mr_JAk3
2007-01-06, 09:51
Looks good :)

Nice to hear that you're interested in the university :)

Please post the Qoofix logfile too. (Qoofix Logfile inside the C:\Qoofix folder)

:bigthumb:

Itoao
2007-01-06, 09:56
Sorry, forgot that log file.
Qoofix v1.04 by http://www.malwarebytes.org
Scan started on [1/6/2007] at [3:11:41 AM]
-------------------------------------------------------------
Terminated module: lgvrlly.dll found in Qoofix.exe (2660)
Terminated module: lgvrlly.dll found in wscntfy.exe (672)
Terminated module: lgvrlly.dll found in fyvrud.exe (1144)
Terminated module: lgvrlly.dll found in explorer.exe (1176)
Terminated module: lgvrlly.dll found in vimvu.exe (1204)
Terminated module: lgvrlly.dll found in vimvu.exe (1296)
Terminated module: lgvrlly.dll found in vimvu.exe (1336)
Terminated module: lgvrlly.dll found in smax4pnp.exe (1848)
Terminated module: lgvrlly.dll found in realplay.exe (1688)
Terminated module: lgvrlly.dll found in IntelMEM.exe (1364)
Terminated module: lgvrlly.dll found in igfxpers.exe (172)
Terminated module: lgvrlly.dll found in hkcmd.exe (160)
Terminated module: lgvrlly.dll found in hpztsb09.exe (1200)
Terminated module: lgvrlly.dll found in hpwuSchd.exe (1604)
Terminated module: lgvrlly.dll found in hpcmpmgr.exe (304)
Terminated module: lgvrlly.dll found in DVDLauncher.exe (368)
Terminated module: lgvrlly.dll found in wuauclt.exe (760)
-------------------------------------------------------------
C:\WINDOWS\system32\fyvrud.exe will be deleted on reboot!
C:\WINDOWS\system32\hetyfjn.exe will be deleted on reboot!
C:\WINDOWS\system32\lgvrlly.dll will be deleted on reboot!
C:\WINDOWS\system32\lwkug.dat will be deleted on reboot!
C:\WINDOWS\system32\vimvu.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgisb.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [1/6/2007] at [3:14:42 AM]

Note: Some registry keys may have been removed.
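The Qoofix log above shows the two files that had been appended to the Winlogon Shell and UserInit values (vimvu.exe and hetyfjn.exe) being removed. The script below is an added example, not code from the thread, from Qoofix or from HijackThis: it triages the F2 (Shell/UserInit) and O2 (BHO) lines of a HijackThis log and reports any extra program loaded there. The sample log is constructed (file names taken from the Qoofix log, example.dll is a placeholder); the expected Shell/UserInit values are the Windows XP defaults and the SDHelper.dll allowlist entry is an assumption.

```python
"""Triage HijackThis F2/O2 lines for Winlogon Shell/UserInit hijacks.

Added example; not part of the forum thread or of any tool named in it.
"""
import re

# Constructed sample in HijackThis 1.99.1 layout. The file names vimvu.exe and
# hetyfjn.exe come from the Qoofix log in the thread; example.dll is a placeholder.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vimvu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hetyfjn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
F2_RE = re.compile(r"REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O2_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# Windows XP defaults (assumption): Shell is only Explorer.exe, UserInit is only
# userinit.exe. Anything else in these comma-separated values runs at every logon.
EXPECTED_SHELL = ["explorer.exe"]
EXPECTED_USERINIT = ["c:\\windows\\system32\\userinit.exe"]
# Spybot's own BHO reports "(no name)" in HijackThis, so it is allowlisted here.
KNOWN_GOOD_BHO = {"sdhelper.dll"}


def split_value(value):
    """Split a Shell/UserInit value into lowercase, non-empty entries."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def triage(log_text):
    """Return (kind, details) findings for suspicious F2 and O2 lines."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, headers and blank lines are ignored
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            f = F2_RE.match(body)
            if not f:
                continue
            key = f.group("key")
            expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
            extra = [e for e in split_value(f.group("value")) if e not in expected]
            if extra:
                findings.append((key, extra))
        elif code == "O2":
            o = O2_RE.match(body)
            if not o:
                continue
            path = o.group("path")
            missing = path.endswith("(file missing)")
            dll = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_GOOD_BHO and (missing or o.group("name") == "(no name)"):
                findings.append(("BHO", [dll] + (["file missing"] if missing else [])))
    return findings


if __name__ == "__main__":
    for kind, details in triage(SAMPLE_LOG):
        print(kind, "->", ", ".join(details))
```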

Mr_JAk3
2007-01-06, 10:26
Ok good :)

You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install a firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install an antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Since you were very infected, it is best to run one more scanner.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan", select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Itoao
2007-01-06, 17:50
Kaspersky Scan
Saturday, January 06, 2007 11:47:50 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/01/2007
Kaspersky Anti-Virus database records: 256394
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 62349
Number of viruses found 5
Number of infected objects 12 / 0
Number of suspicious objects 2
Duration of the scan process 00:38:51

Infected Object Name Virus Name Last Action
C:\!KillBox\gcij1cu.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\!KillBox\jdkfjdskfjkdsjf.bat Infected: Trojan.BAT.DelFiles.be skipped
C:\!KillBox\srvwbbpaon.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\!KillBox\srvwbbpaon.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip/stub_sca4.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Stephanie Johnson\jdkfjdskfjkdsjf.bat Infected: Trojan.BAT.DelFiles.be skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\RECYCLER\S-1-5-21-3775689361-1539287093-405260182-1006\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DD4931E7-276D-4552-87C6-4980F63CBFE3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Mr_JAk3
2007-01-06, 20:00
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You may delete the following backup folders:
C:\!KillBox
C:\QooBox

Then you should update your Java to the latest version (6.0):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Itoao
2007-01-06, 20:29
I have followed your directions. I really appreciate all your help. I will be looking into the University. :bigthumb:

Mr_JAk3
2007-01-06, 20:46
That's great news and you're very welcome :D:

Welcome to the University ;)

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: