Don't know what to do.

Nunyobiznes
2007-01-14, 17:58
I am new to this forum and this is my first post. I hope I have understood the rules and that I am posting in the correct forum. Here's my problem. I have used Zone Alarm Internet Security for some time without problem. My pc is a dual athlon mp1900 w/1gbecc 80gb main hd and 200+gb hd for storage. Running Zone Alarm slowed everything down to a crawl when browsing the internet. I thought that this was because ZA is very resource intensive. I decided to switch to Norton. After installing Norton I started browsing and ended up clicking on a link that infected my pc with all sorts of stuff. I have tried spybot and it scans and fixes then it restarts the pc and everything is still there. I've also tried spyware doctor which is highly recommended so I thought it would work, but same problem. It scans and removes then restarts and everything is still there. I used hijack without knowing what to do and deleted some stuff and now I get the error message about msvcrl.dll being missing and IE doesn't load. I am completely out of my league with this issue. Please help. Here is the log file for HiJack:


Logfile of HijackThis v1.99.1
Scan saved at 10:41:15 AM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Opera\Opera.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D737CD2D-00CF-401D-9ED4-CC0FE953CB76} - (no file)
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



Thanks for your help and I look forward to fixing this issue.

Nunyobiznes
2007-01-14, 21:11
I have attached the log file from spybot. I hope this also helps.

Mr_JAk3
2007-01-19, 08:45
Hi Nunyobiznes and welcome to the Forums :)

Sorry for the delay....

Sounds like a backdoor infection. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

Nunyobiznes
2007-01-20, 07:23
OK. I did what you said to do and here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:19:37 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D737CD2D-00CF-401D-9ED4-CC0FE953CB76} - (no file)
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

and the other log

ppwebcap.exe;c:\program files\scansoft\paperport;Probably DLOADER.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\MY DOWNLOADZ\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\MY DOWNLOADZ\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
backup-20070113-171212-215.dll;C:\hijackthis\backups;Trojan.Juan;Deleted.;
backup-20070113-171212-391.dll;C:\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070113-171212-486.dll;C:\hijackthis\backups;Trojan.Virtumod;Deleted.;
PPWEBCAP.EXE;C:\Program Files\ScanSoft\PaperPort;Probably DLOADER.Trojan;;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17039;Deleted.;
A0036906.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP309;Trojan.Virtumod;Deleted.;
A0036930.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP309;Adware.TopSearch;Incurable.Moved.;
A0036982.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP312;Adware.TopSearch;Incurable.Moved.;
A0036983.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP312;Adware.TopSearch;Incurable.Moved.;
A0037497.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP314;Adware.TopSearch;Incurable.Moved.;
A0037515.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP315;Adware.TopSearch;Incurable.Moved.;
A0037599.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP318;Adware.Macfa;Incurable.Moved.;
A0037650.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP319;Trojan.DownLoader.17039;Deleted.;
A0037652.exe\data001;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP319\A0037652.exe;Adware.ClickSpring;;
A0037652.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP319;Archive contains infected objects;Moved.;
A0037657.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP319;Trojan.Virtumod;Deleted.;
A0037688.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP321;Adware.TopSearch;Incurable.Moved.;
A0037689.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP321;Adware.TopSearch;Incurable.Moved.;
A0037725.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP323;Adware.TopSearch;Incurable.Moved.;
A0037726.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP323;Adware.TopSearch;Incurable.Moved.;
A0039747.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP323;Adware.TopSearch;Incurable.Moved.;
A0039758.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP323;Trojan.Virtumod;Deleted.;
A0039807.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP324;Adware.TopSearch;Incurable.Moved.;
A0039847.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP325;Adware.TopSearch;Incurable.Moved.;
A0039887.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP326;Adware.TopSearch;Incurable.Moved.;
A0039927.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP327;Adware.TopSearch;Incurable.Moved.;
A0039967.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP328;Adware.TopSearch;Incurable.Moved.;
A0040010.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP329;Adware.TopSearch;Incurable.Moved.;
A0040052.exe;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP330;Adware.TopSearch;Incurable.Moved.;
A0040360.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP341;Trojan.Juan;Deleted.;
A0040361.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP341;Trojan.Virtumod;Deleted.;
A0040362.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP341;Trojan.Virtumod;Deleted.;
A0040363.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP341;Trojan.DownLoader.17039;Deleted.;
jibjnw.exe;C:\WINDOWS;BackDoor.Mailbot;Deleted.;
wdehtrh.exe;C:\WINDOWS;Trojan.Spambot;Deleted.;
atllsimm.exe;C:\WINDOWS\system32;BackDoor.Mailbot;Deleted.;
hliwbocf.dll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
hmoxoayl.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
iifebbb.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
iifedcy.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
kkdtagle.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
lbybnkfe.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
sdmvdlxe.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
vssmnptc.exe;C:\WINDOWS\system32;BackDoor.Mailbot;Incurable.Moved.;
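
The report above is a semicolon-separated list (file;directory;detection;action;). As an added example, not code from this thread or from Dr.Web, the following Python summarises such a report so that live detections stand out from residual copies: rows under System Volume Information are copies held in System Restore points, and rows under hijackthis\backups are the files HijackThis saved when those entries were "fixed". The sample rows are a subset of the report above, embedded inline so the script runs offline; the location and family classification rules are the example's own assumptions, not Dr.Web's.

```python
import csv
import io
from collections import Counter

# Constructed sample: a subset of the rows from the DrWeb.csv report above.
SAMPLE_REPORT = r"""
jibjnw.exe;C:\WINDOWS;BackDoor.Mailbot;Deleted.;
atllsimm.exe;C:\WINDOWS\system32;BackDoor.Mailbot;Deleted.;
iifebbb.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hmoxoayl.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
PPWEBCAP.EXE;C:\Program Files\ScanSoft\PaperPort;Probably DLOADER.Trojan;;
A0036906.dll;C:\System Volume Information\_restore{ABF99149-FAAD-4836-9EBE-131BF24186F7}\RP309;Trojan.Virtumod;Deleted.;
backup-20070113-171212-215.dll;C:\hijackthis\backups;Trojan.Juan;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
"""


def parse_report(text):
    """Parse DrWeb.csv rows (file;directory;detection;action;) into dicts."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter=";"):
        if len(fields) < 4:
            continue  # blank line or truncated row
        rows.append({"file": fields[0], "dir": fields[1],
                     "detection": fields[2], "action": fields[3]})
    return rows


def location_class(directory):
    """Assumed classification: a restore-point copy, a removal tool's own
    backup/quarantine folder, or the live system."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore_point"
    if d.endswith("\\hijackthis\\backups") or "\\qoobox\\" in d:
        return "tool_backup"
    return "live"


def family(detection):
    """Dr.Web names look like Family.Variant; 'Probably ...' marks a heuristic hit."""
    if detection.startswith("Probably "):
        return "Heuristic"
    return detection.split(".")[0]


def summarize(text):
    """Counts by family and location, plus the two lists a helper asks about
    first: backdoors that were live on the system, and rows Dr.Web recorded
    no action for (so they still need attention)."""
    rows = parse_report(text)
    return {
        "by_family": Counter(family(r["detection"]) for r in rows),
        "by_location": Counter(location_class(r["dir"]) for r in rows),
        "live_backdoors": sorted(
            r["file"] for r in rows
            if family(r["detection"]) == "BackDoor"
            and location_class(r["dir"]) == "live"),
        "unhandled": sorted(r["file"] for r in rows if not r["action"].strip()),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On the sample the summary reports two BackDoor.Mailbot executables live in C:\WINDOWS and system32, which is what makes the earlier advice to change passwords from a clean machine apply, and one row (PPWEBCAP.EXE) with no recorded action. Tool.* detections such as Process.exe, which the full report places in the SmitfraudFix folder as well as in system32, are counted under their own family rather than as malware.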

Nunyobiznes
2007-01-20, 07:26
Thanks for your help. I hope that we can resolve this. Even though I think Internet Exploiter is a piece of crap, there are some websites that just don't display right unless you use it. So I guess I need it.

Mr_JAk3
2007-01-20, 10:59
Hi again :)

DrWeb cleaned some backdoors and bots.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Go to your

C:\Windows\system32\dllcache

Find iexplore.exe and double click on it. Does it start?
If so, make a copy and put that copy in the Program Files\Internet Explorer folder and overwrite if prompted.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Nunyobiznes
2007-01-20, 17:34
Thank you for the quick reply. I ran the app and here is the log.

"Administrator" - 07-01-20 10:12:21 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\ie-hook.txt
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\SKS~1
C:\qoobox\purity\Program Files\SKS~1\??sks
C:\qoobox\purity\WINDOWS\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))


2007-01-19 22:38 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-01-14 15:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\WinZip
2007-01-14 10:40 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-14 10:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-14 10:40 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-14 10:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-14 10:40 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-13 17:39 <DIR> d-------- C:\Program Files\Registry Mechanic
2007-01-13 17:35 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-01-13 17:35 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-01-13 17:35 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-13 17:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-01-13 17:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\PC Tools
2007-01-13 12:58 <DIR> d-------- C:\hijackthis
2007-01-11 23:59 1,021,504 --a------ C:\WINDOWS\system32\vete.dll
2007-01-11 23:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\MailFrontier
2007-01-11 23:28 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2007-01-11 23:28 75,776 --a------ C:\WINDOWS\zllsputility.exe
2007-01-11 23:28 645,904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-01-11 23:28 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-01-11 23:28 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-01-11 23:28 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2007-01-11 23:28 115,088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-01-11 07:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-01-11 07:32 2,560 --a------ C:\WINDOWS\system32\unsvchosts.exe
2007-01-11 07:32 2 --a------ C:\WINDOWS\system32\wnscptr.exe
2007-01-10 22:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-10 22:08 814,809 ---hs---- C:\WINDOWS\system32\mpqss.ini2
2007-01-10 21:50 <DIR> d-------- C:\Program Files\Symantec
2007-01-10 21:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-10 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2007-01-10 21:48 3,072 ---hs---- C:\WINDOWS\system32\porumnss.exe
2007-01-10 21:42 3,072 ---hs---- C:\WINDOWS\system32\lsmwinlpv.exe
2007-01-10 21:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Agnitum


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-18 21:32 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\ati mmc
2007-01-17 23:23 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\utorrent
2007-01-13 17:53 -------- d-------- C:\Program Files\online services
2007-01-10 21:25 -------- d--h----- C:\Program Files\installshield installation information
2006-12-19 19:35 -------- d-------- C:\Program Files\avisynth 2.5
2006-12-19 19:34 -------- d-------- C:\Program Files\the filmmachine
2006-12-18 19:59 -------- d-------- C:\Program Files\opera
2006-12-17 14:04 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\adobe
2006-12-09 21:37 836 --a------ C:\DOCUME~1\ADMINI~1\Application Data\viewerapp.dat
2006-12-09 13:30 -------- d-------- C:\Program Files\Common Files\adobe
2006-11-01 22:00 952 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-10-27 15:09 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\system32\\ezSP_Px.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"DllRunning"=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P39 \"EPSON Stylus Photo R200 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /S"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Warning: do not remove it!"="fpplock.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070113-171215-542
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
backup-20070113-171215-279
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
backup-20070113-171214-904
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
backup-20070113-171215-788
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20070113-171214-867
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll
backup-20070113-171214-852
O20 - Winlogon Notify: iifedcy - C:\WINDOWS\SYSTEM32\iifedcy.dll
backup-20070113-171213-194
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
backup-20070113-171213-751
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
backup-20070113-171212-486
O2 - BHO: (no name) - {BEE42B8C-3844-4412-8B81-200DD8FE7DF1} - C:\WINDOWS\system32\iifedcy.dll
backup-20070113-171212-215
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\hliwbocf.dll
backup-20070113-171212-747
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20070113-171212-391
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - C:\WINDOWS\system32\ssqpm.dll
backup-20070113-171025-668
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
backup-20070113-171007-843
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
backup-20070113-171008-323
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
backup-20070113-171006-288
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com
Completion time: 07-01-20 10:23:16


Thanks again for your help.
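
The "Hijackthis Backups" section above explains the three BHO entries that show as (no file) in the HijackThis logs earlier in the thread: each CLSID matches a backup made on 2007-01-13 when those entries were fixed, and the backup records the DLL that entry used to load. As an added example, not code from HijackThis, ComboFix or this thread, the following Python cross-references orphaned O2 entries with the backup listing to recover that original file. The sample text is built from lines posted above; the regular expressions and the "orphan" rule (an entry marked (no file) or (file missing)) are the example's own assumptions.

```python
import re

# A CLSID is 36 characters of hex and hyphens inside braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# HijackThis entry lines: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

# Constructed samples in the shape of the HijackThis log and the
# "Hijackthis Backups" listing posted in this thread.
CURRENT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

BACKUPS = r"""
backup-20070113-171214-867
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll
backup-20070113-171212-215
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\hliwbocf.dll
backup-20070113-171212-747
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20070113-171212-391
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - C:\WINDOWS\system32\ssqpm.dll
"""


def parse_entries(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def orphans(log_text):
    """Entries whose target file no longer exists: registry remnants with
    nothing left to load, so removing them changes nothing at runtime."""
    return [(s, b) for s, b in parse_entries(log_text)
            if "(no file)" in b or "(file missing)" in b]


def parse_backups(text):
    """Map each backup id to the (section, body) it preserved."""
    backups = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("backup-"):
            current = line
        elif current:
            m = ENTRY_RE.match(line)
            if m:
                backups[current] = (m.group(1), m.group(2))
    return backups


def explain_orphans(log_text, backups_text):
    """For each orphaned O2 entry, look up the backup with the same CLSID and
    return {CLSID: path the BHO originally loaded, or None if no backup}."""
    by_clsid = {}
    for _bid, (section, body) in parse_backups(backups_text).items():
        m = CLSID_RE.search(body)
        if section == "O2" and m:
            by_clsid[m.group(0).upper()] = body.rsplit(" - ", 1)[1]
    result = {}
    for section, body in orphans(log_text):
        m = CLSID_RE.search(body)
        if section == "O2" and m:
            result[m.group(0).upper()] = by_clsid.get(m.group(0).upper())
    return result


if __name__ == "__main__":
    for clsid, path in explain_orphans(CURRENT_LOG, BACKUPS).items():
        print(clsid, "->", path)
```

The lookup shows that not every orphan was malware: {53707962-6F74-2D53-2644-206D7942484F} was Spybot's own SDHelper.dll, removed in the same HijackThis session as the ssqpm.dll and hliwbocf.dll entries, which Dr.Web later identified as Trojan.Virtumod and Trojan.Juan (the backup-20070113-171212-391.dll and backup-20070113-171212-215.dll rows of its report). Removing the (no file) entries themselves is harmless either way, since no file remains for them to load.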

Mr_JAk3
2007-01-20, 22:02
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O2 - BHO: (no name) - {D737CD2D-00CF-401D-9ED4-CC0FE953CB76} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\wnscptr.exe
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\porumnss.exe
C:\WINDOWS\system32\lsmwinlpv.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
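
The entries the helper picked out by hand in this thread (unnamed O2 BHOs loading a DLL from system32 with random-looking names such as ssqpm.dll and hliwbocf.dll, the matching O20 Winlogon Notify hooks, and the orphaned "(no file)" / "(file missing)" lines) can be triaged mechanically. The script below is an added example written for this page; it is not HijackThis code and not part of the thread. Its CLSID allowlist, its list of default XP Winlogon Notify packages and the vowel-ratio threshold for "random-looking" names are assumptions; the sample lines are copied from the logs posted above.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List

# Legitimate CLSIDs that occur in this thread's log (allowlist contents are an assumption).
KNOWN_GOOD_CLSIDS = {
    "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}",  # Sun Java Console (O9)
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper (O2)
}

# Winlogon Notify packages on a default Windows XP SP2 install
# (assumption; compare against a known-clean machine of the same build).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O2"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Crude signal for generated filenames: letters only, vowel ratio <= 0.25.
    The threshold is an assumption tuned to the names seen in this thread."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 4:
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def analyze(lines) -> List[Finding]:
    """Return the entries a helper would ask to have fixed, with the reason."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).upper() in KNOWN_GOOD_CLSIDS:
            continue  # known-good component, whatever its state
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry: target file missing", line))
            continue
        path = PATH_RE.search(body)
        target = path.group(1) if path else ""
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_system32 = "\\system32\\" in target.lower()
        if section == "O2" and "(no name)" in body and in_system32:
            reason = "unnamed BHO loaded from system32"
            if looks_random(stem):
                reason += f" with random-looking filename {stem!r}"
            findings.append(Finding(section, reason, line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name = body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                reason = f"non-default Winlogon Notify package {name!r}"
                if looks_random(stem):
                    reason += f" with random-looking filename {stem!r}"
                findings.append(Finding(section, reason, line))
    return findings


# Sample lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BEE42B8C-3844-4412-8B81-200DD8FE7DF1} - C:\WINDOWS\system32\iifedcy.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\hliwbocf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {1EE21E98-16A0-475B-A911-0C9C3A9DD383} - C:\WINDOWS\system32\ssqpm.dll
O2 - BHO: (no name) - {D737CD2D-00CF-401D-9ED4-CC0FE953CB76} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll
O20 - Winlogon Notify: iifedcy - C:\WINDOWS\SYSTEM32\iifedcy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports seven entries: the three unnamed system32 BHOs (two of them with random-looking names), the two matching Winlogon Notify hooks, and the two orphans. The Spybot and Java components are skipped by CLSID, which is the point of the allowlist: an unnamed BHO is only suspicious when nothing vouches for it.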

Nunyobiznes
2007-01-23, 03:37
I have done as you instructed & I have attached the logs. I am noticing in my Zone Alarm scans that Dcomrpc!exploit and Win32.Mydoom!generic keep popping up in the scans. They aren't going away. Just thought I should share that.

Mr_JAk3
2007-01-23, 21:45
Ok we'll run one more scanner...

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Nunyobiznes
2007-01-24, 06:58
I completed the scan and here is the log.

Mr_JAk3
2007-01-25, 11:55
Hi :)


I:\APPZ\Windows.XP.Pro.SP2.2006-02-04.DVD\winxpsp2\Windows.XP.Pro.SP2.2006-02-04.DVD.iso/$OEM$/$$/SYSTEM32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
You're not using an illegal version of Windows, right? :sick: :fear:

Is Internet Explorer working now? How is the computer running?

Nunyobiznes
2007-01-25, 14:15
I downloaded some images for friends to install after a bad crash. IE is working OK now. Everytime I scan with AVG it shows 3 or 4 hits with some sort of trojan or tracker. What would be the best security software that I could install to keep me protected?

Mr_JAk3
2007-01-25, 19:01
Ok it doesn't sound legal...:fear:

Hi again, it is looking clean now :)
I have some protection tips in the end of this message.

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6.0):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 9
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
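
The MVPS hosts tip above works by mapping known-bad names to a sinkhole address, and the same file is itself a target: malware that pins update or scanner sites to 127.0.0.1 or to a foreign address quietly disables the very protections recommended here (HijackThis reports such overrides as O1 entries). The script below is an added example for this page, not the MVPS file and not a tool used in the thread. It parses a hosts file, resolves a name the way the file is consulted (first match wins), counts sinkholed names and flags pinned or redirected sites. The "protected" set is built from site names that appear in this thread and is an assumption; the sample hosts content is constructed with example.* domains and documentation addresses.

```python
"""Hosts-file audit (added example, not part of the thread or of the MVPS file)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Sites a hosts file should never pin; names taken from URLs in this thread.
# A hijacked hosts file points these at a sinkhole or at a foreign address.
# Set contents are an assumption.
PROTECTED = {
    "windowsupdate.microsoft.com", "www.kaspersky.com",
    "housecall65.trendmicro.com", "www.mozilla.org", "forums.spybot.info",
}


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    names: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text: '<address> <name> [<name>...]', '#' starts a comment."""
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: malformed line, skip it
        entries.append(HostsEntry(n, parts[0], tuple(p.lower() for p in parts[1:])))
    return entries


def resolve(entries: List[HostsEntry], host: str) -> Optional[str]:
    """First matching line wins, mirroring how the hosts file is consulted."""
    host = host.lower()
    for e in entries:
        if host in e.names:
            return e.address
    return None


def audit(entries: List[HostsEntry]) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (number of sinkholed names, [(lineno, problem), ...])."""
    blocked = 0
    problems: List[Tuple[int, str]] = []
    for e in entries:
        for name in e.names:
            if name == "localhost":
                continue
            if name in PROTECTED:
                # Pinning a protected site anywhere, sinkhole or not, is a hijack.
                problems.append((e.lineno, f"hijack: {name} pinned to {e.address}"))
            elif e.address in SINKHOLES:
                blocked += 1
            else:
                problems.append((e.lineno, f"redirect: {name} -> {e.address}"))
    return blocked, problems


# Constructed sample in the MVPS layout; example.* names, not real blocklist entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # [Tracking]
0.0.0.0 banner.example.org
203.0.113.7 www.kaspersky.com          # constructed hijack: scanner site redirected
127.0.0.1 windowsupdate.microsoft.com  # constructed hijack: updates sinkholed
0.0.0.0 malware.example.com
203.0.113.9 www.example.com            # constructed redirect of an unrelated site
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    count, issues = audit(hosts)
    print(f"{count} names sinkholed")
    for lineno, problem in issues:
        print(f"line {lineno}: {problem}")
```

On the constructed sample the audit counts four sinkholed names and reports three lines: the two pinned protected sites and the redirect of an unrelated site to a non-sinkhole address. The `resolve` helper is there to show why entry order matters: if a hijack line for a name appears before a legitimate one, the hijack wins.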

Nunyobiznes
2007-01-26, 05:35
Just did a scan with spybot and I'm clean. Thank you for your help. I would like to point out that in my previous post I said that I had downloaded an image so that a friend can use to redo her system after a major crash. She didn't have a restore cd so I tried to help her. I can see that maybe that wasn't a good idea after reading the articles you listed. Thanks again for your help.

Mr_JAk3
2007-01-26, 08:12
You're very welcome :D

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: