View Full Version : Cannot remove Smitfraud-C. NEED HELP PLEASE!!!
ncarvain
2007-02-25, 19:09
I have been working on removing smitfraud-C all weekend and have gotten nowhere. I have spent $40 on spyware removal software and nothing works. Any help anyone can give would be GREATLY appreciated!!
Nick
ncarvain
2007-02-25, 19:15
just to follow up. I have researched other forums for help on this but have had no success. I have downloaded a ton of software but am not sure I am using everything correctly, ie Hijackthis / SD Fix / AVG, etc etc
My plan is to stay on until somebody can help if possible. Again, any help would be greatly appreciated!!!
ncarvain
2007-02-25, 19:36
Just ran spybot S&D and all problems were fixed expect 1 from smitfraud-C.
C:\Windows\System 32\rpcc.dll
ncarvain
2007-02-25, 20:57
Anybody? :sad:
ncarvain
2007-02-25, 22:43
Here is my Hijackthis log file:
Logfile of HijackThis v1.99.1
Scan saved at 4:40:21 PM, on 2/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dawn\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097965784062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171466379265
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Hi ncarvain and welcome to the Forums :)
You're infected.
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Disable Windows Defender's realtime protection.
Open Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Exit the program.
Disable AVG Anti-Spyware guard.
Open AVG Anti-Spyware
Click Shield
Click under "resident shield is"
Change it to inactive
Close the program
Create a new folder for HijackThis and move HijackThis.exe into it.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
ncarvain
2007-02-26, 18:38
Mr. JAk_3, thanks for the response!! I am at work right now but will get home about 5 pm EST and will do everything you said in your post.
Since nobody was responding yesterday, I tried to follow other posts about this virus and ran killbox to get rid of the file rpcc.dll, which spybot was unable to remove. Computer seems to be running better, but I can tell smitfraud-C is still installed.
Again, thanks a lot and I will respond around 5ish / 6ish EST with the hijack log and SDFix log!!!!
ncarvain
2007-02-27, 00:00
OK, am listing both logs. I began getting a winlogon.exe error now.
SDFix: Version 1.68
Run by Dawn - Mon 02/26/2007 @ 17:45:18.68
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Path:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Dawn\\Local Settings\\Temporary Internet Files\\Content.IE5\\35ZP4BR0\\wowclient-downloader[1].exe"="C:\\Documents and Settings\\Dawn\\Local Settings\\Temporary Internet Files\\Content.IE5\\35ZP4BR0\\wowclient-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Checking For Files with Hidden Attributes :
C:\Documents and Settings\Dawn\Desktop\IWU\MGT 530\~WRL0867.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1b50c97a52c50226013e6ccfcf0626\BIT3.tmp
Add/Remove Programs List:
ECHO is off.
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
AVG Anti-Spyware 7.5
Canon Camera Access Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Conexant HSF V92 56K Data Fax PCI Modem
Canon Camera Support Core Library
Canon Utilities EOS Utility
HijackThis 1.99.1
hp deskjet 5550 series
hp instant support
hp print screen utility
MathThem3 Test Gen
MSM3 Test Gen
Java Web Start
LANBridge
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Shockwave Player
McDougal Littell Content Review
Microsoft .NET Framework (English) v1.0.3705
Canon MovieEdit Task for ZoomBrowser EX
MS Activity Generator (1.0)
MSN Toolbar
Canon Utilities PhotoStitch
QuickTime
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Adobe Flash Player 9
Sportsbook.com Poker
Spybot - Search & Destroy 1.4
Spyware Doctor 4.0
The Weather Channel Desktop
Viewpoint Media Player
Weather Services
Windows Genuine Advantage Validation Tool
Windows XP Service Pack 2
World of Warcraft
Canon Utilities ZoomBrowser EX
Macromedia Flash Player
Dell Solution Center
Dell Picture Studio - Dell Image Expert
Google Talk (remove only)
Easy Internet Sign-up
Sony USB Driver
Easy CD Creator 5 Basic
Modem Helper
Realtek RTL8139 Diagnostics Program
Intel(R) Extreme Graphics Driver
Microsoft Office XP Professional
Microsoft Office XP Media Content
Help and Support Customization
Microsoft Office XP Pro Step by Step Interactive
Windows Defender
Windows Defender Signatures
MathThem3 Test Gen
Adobe Reader 7.0.8
Java 2 Runtime Environment, SE v1.4.1_04
MSM3 Test Gen
Microsoft .NET Framework (English)
D-Link AirPlus G Wireless LAN Adapter
Norton AntiVirus Corporate Edition
MIT MathML Fonts 1.0
Paint Shop Pro 7
Classic PhoneTools
Digital Line Detect
Microsoft Plus! for Windows XP
Finished
Logfile of HijackThis v1.99.1
Scan saved at 5:56:24 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Documents and Settings\Dawn\Desktop\HijackThis new folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097965784062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171466379265
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Ok good :)
Just to be sure, rename HijackThis.exe to Scanner.exe
Post a fresh HijacKThis (scanner.exe) log to here.
ncarvain
2007-02-27, 13:29
Is that 'OK good' as in Im clear of viruses?
Also, any idea what the winlogon.exe error is?
Once I get home I will rename hijackthis and post the log.
Again, thanks for your help! :bigthumb:
Nick
No you're still infected but it is looking better now :)
Winlogon error is propably related to the infections remaining...
ncarvain
2007-02-28, 00:35
Changed the name to Scanner.exe and here is the new log file...
Any thoughts on the winlogon.exe error?
Logfile of HijackThis v1.99.1
Scan saved at 6:34:20 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sportsbook Poker\sbkpoker.exe
C:\Documents and Settings\Dawn\Desktop\HijackThis new folder\Scanner.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097965784062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171466379265
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\SYSTEM32\instcat.dll
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
are you stll getting that winlogon error? What is the exact message?
ncarvain
2007-02-28, 17:28
Wow, awesome directions. Again, once I get home from work I will do exactly as you say and reply to this post. Thanks again for all the help Mr_JAk
ncarvain
2007-03-01, 13:59
Well, things didn't go as smooth last night. I believe I am running a free version of AVG Anti-Spyware and all the options are not available to me. I was not able to change AVG to inactive, although I believe it was inactive, since the icon in the bottom right tray was black and white vs. in color.
Ran HijackThis with no problem and checked all the entries you stated.
Went to Safe Mode.
I was UNABLE to delete C:\WINDOWS\SYSTEM32\instcat.dll, error message came up that said Access is denied. (although my AVG scan identified it as a threat)
Still in Safe Mode, started AVG. The window AVG is in takes up my entire screen and some of the words and radio buttons I cannot see, they are outside my viewing area, so I was unable to verify that all boxes were checked under How To Scan and Possibly unwanted software. Is there a way to change this???
Either way I ran the scan all night and it found around 8 items. Also, I couldnt find the Apply all Actions or the Save Report buttons. Not sure if that was because of the free version of AVG or because I just couldnt see them.
I left for work with this screen up on my computer (turned the monitor off), so if there is a way to adjust the window size, let me know, and I will continue where I left off.
Hi again :)
Sorry for the delay...
The windows size - when on AVG screen, try pressing ALT + SPACEBAR buttons at the same time and a menu should appear. You should be able to move the windows so that you can see the buttons...If it doesn't work, you may run the scan in safe mode.
:bigthumb:
ncarvain
2007-03-01, 20:23
I did run the scan in safe mode. Did you mean in normal mode?
I will try the Alt + spacebar.
Yes I meant that run the scan in normal mode if it doesn't work in safe mode...
Sorry :)
ncarvain
2007-03-02, 04:55
OK, much progress was made tonight (the Alt + space bar trick worked!!)
Finished running the AVG scan, saved the log file, see below.
Ran a spybot scan and SUCCESFULLY removed 2 issues, 1 was smitfraud!
Ran a HijackThis and saved log file, see below...
Again, thanks for the help!! :bigthumb:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:00:15 PM 3/1/2007
+ Scan result:
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1110\A0220296.dll -> Downloader.Nurech.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1110\A0218322.exe -> Dropper.Agent.ym : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1110\A0220295.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\RGF3bg\l3Iav0.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\instcat.dll -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[236] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).
[564] VM_3BF21000 -> Worm.Locksky.aw : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 10:47:25 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Dawn\Desktop\HijackThis new folder\Scanner.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097965784062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171466379265
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Ok good work :)
Looks much better now. How is the computer running?
Please delete this folder if found:
C:\WINDOWS\RGF3bg
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
ncarvain
2007-03-03, 01:26
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-02 19:23:57
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[308] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\SYSTEM32\csrss.exe[640] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\csrss.exe[640] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\csrss.exe[640] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\csrss.exe[640] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\csrss.exe[640] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\winlogon.exe[664] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\winlogon.exe[664] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\winlogon.exe[664] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\winlogon.exe[664] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\winlogon.exe[664] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\services.exe[708] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\services.exe[708] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\services.exe[708] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[720] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[720] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[720] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[720] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[720] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[860] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[860] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[860] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Canon\CAL\CALMAIN.exe[884] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[940] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[940] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[940] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[976] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[976] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[976] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[976] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\MSGSYS.EXE[992] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1020] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1020] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1068] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1068] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1156] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1156] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe[1232] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\alg.exe[1292] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\QuickTime\qttask.exe[1384] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\QuickTime\qttask.exe[1384] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1384] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1384] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1384] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1384] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\ctfmon.exe[1392] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
ncarvain
2007-03-03, 01:28
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe[1400] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Google\Google Talk\googletalk.exe[1408] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1432] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\WINDOWS\explorer.exe[1448] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[1448] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\explorer.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\explorer.exe[1448] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\explorer.exe[1448] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1592] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1592] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1592] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1592] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1592] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\D-Link AirPlus G\AIRPLUS.exe[1632] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1688] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1688] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1688] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1688] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1688] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1756] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1756] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1756] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1756] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\NavNT\rtvscan.exe[1796] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\NavNT\rtvscan.exe[1796] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\NavNT\rtvscan.exe[1796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\NavNT\rtvscan.exe[1796] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\NavNT\rtvscan.exe[1796] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\DOCUME~1\Dawn\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2924] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
---- EOF - GMER 1.0.12 ----
OK good :)
How is the computer running now? Any issues?
:bigthumb:
ncarvain
2007-03-05, 23:21
Seems pretty good. Fast too. Are the logs showing I am clean??
If so, Thanks for all your help! Not sure if you are paid for things like this but would be willing to give positive feedback for all the time spent helping me! :bigthumb:
Hi again, it is looking clean now :)
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)