
Malware people are mean people



steve2000
2006-08-03, 23:24
Got some Malware here... methinks. The only thing I can recognize as being a problem is dfndrfg_7.exe. I'm sure there is more. Here's the HJT text:

Logfile of HijackThis v1.99.1
Scan saved at 5:02:53 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\rundll.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\F-Group\Absolute StartUp\StartUp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Papa\Desktop\Intellicast.exe
C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
C:\Documents and Settings\Papa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - (no file)
O4 - HKLM\..\Run: [Absolute StartUp monitor] C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe " /STARTUP
O4 - HKLM\..\Run: [defender] "C:\\dfndrfg_7.exe"
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\Monitor.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [keyboard] "C:\\kybrdfg_7.exe"
O4 - HKLM\..\Run: [LaunchApp] "Alaunch"
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
O4 - HKLM\..\Run: [SiS Windows KeyHook] "C:\WINDOWS\system32\keyhook.exe"
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe " SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\jt0m07d1e.dll (file missing)
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
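The entries the helper later goes after in this log (the `[defender]`/`[keyboard]` Run keys pointing at files in the root of C:, the `rundll.exe` service with no publisher, the orphaned Winlogon Notify DLL and the nameless toolbar) can be picked out mechanically. The following is an added triage script, not part of the thread and not a HijackThis feature; the sample log is a constructed excerpt in the shape of the log above, and the regexes and the `triage` / `first_token` names are my own.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted in
# this thread (a handful of its lines, not the full log).
SAMPLE_HJT = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe " /STARTUP
O4 - HKLM\..\Run: [defender] "C:\\dfndrfg_7.exe"
O4 - HKLM\..\Run: [keyboard] "C:\\kybrdfg_7.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\jt0m07d1e.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
"""

# Line shapes as HijackThis 1.99 prints them (O4 Global Startup lines use
# "name = path" instead of [name] and are deliberately not matched).
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
# A file directly in a drive root, e.g. C:\dfndrfg_7.exe, with no subdirectory.
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\/]+$")


def first_token(cmd):
    """Return the program path from a Run command line, unquoted and with the
    doubled backslashes HijackThis prints collapsed to single ones."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split()[0] if cmd else ""
    return token.strip().replace("\\\\", "\\")


def triage(log_text):
    """Return {'line', 'reason'} findings for entries worth a second look;
    ordinary vendor entries produce nothing."""
    findings = []

    def flag(line, reason):
        findings.append({"line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            target = first_token(m.group("cmd"))
            if ROOT_FILE_RE.match(target):
                flag(line, "Run entry launches a file sitting in the drive root: " + target)
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                flag(line, "service carries no publisher information: " + m.group("path"))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                flag(line, "Winlogon Notify entry points at a DLL that no longer exists")
            continue
        m = O3_RE.match(line)
        if m and (m.group("name") == "(no name)" or m.group("path") == "(no file)"):
            flag(line, "toolbar entry with no name or no file behind it")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f["reason"])
        print("    " + f["line"])
```

Running it on the sample prints five findings and stays quiet on the AVG, SoundMan and Global Startup lines. The heuristics are only the ones this thread bears out; a hit means "look closer", not "delete", which is exactly the order the helper follows (disable, collect a sample, then remove).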

steve2000
2006-08-03, 23:47
Oops... here are the BitDefender results:



BitDefender Online Scanner

Scan report generated at: Thu, Aug 03, 2006 - 13:58:27
Scan path: C:\;D:\;E:\;

Statistics
Time: 00:24:56
Files: 167497
Folders: 2332
Boot Sectors: 4
Archives: 6709
Packed Files: 11595

Results
Identified Viruses: 9
Infected Files: 30
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 30

Engines Info
Virus Definitions: 426548
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\WINDOWS\icont.exe
  Infected with: Trojan.Qurl.3 -> Disinfection failed -> Deleted
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QXPIR38Y\loader[1].exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QXPIR38Y\Installer[1].exe
  Infected with: Trojan.Canbede.L -> Disinfection failed -> Deleted
C:\Documents and Settings\Sarah Robbins\Local Settings\Temporary Internet Files\Content.IE5\O9A3CP6B\ad-sp2-fastclick[1].swf=>[SWF command]
  Infected with: Trojan.SwfDL.A -> Disinfection failed -> Deleted
C:\Documents and Settings\Sarah Robbins\Local Settings\Temporary Internet Files\Content.IE5\O9A3CP6B\ad-sp2-fastclick[1].swf
  Update failed
C:\Documents and Settings\Sarah Robbins\Local Settings\Temporary Internet Files\Content.IE5\S9Y70TQ3\AppWrap[1].exe
  Infected with: Trojan.Qurl.3 -> Disinfection failed -> Deleted
C:\Program Files\TBONBin\TBONWnd.EXE
  Infected with: MemScan:Trojan.Clicker.Agent.GV -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP24\A0001857.exe
  Infected with: Trojan.Clicker.Agent.AM -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP24\A0001858.exe
  Infected with: Trojan.Clicker.Agent.AM -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP28\A0008323.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP28\A0008413.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP28\A0008428.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0008439.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0008454.exe
  Infected with: Trojan.Canbede.L -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0008455.exe
  Infected with: Trojan.Canbede.L -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0008458.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0009465.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0009468.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0009495.pif
  Infected with: Trojan.Downloader.Small.BBQ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0009515.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0010519.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0010521.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011525.exe
  Infected with: Trojan.Downloader.Adload.CT -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011526.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011641.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011642.dll
  Infected with: Trojan.Candebe.CZ -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011700.exe
  Infected with: Trojan.Qurl.3 -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP29\A0011701.EXE
  Infected with: MemScan:Trojan.Clicker.Agent.GV -> Disinfection failed -> Deleted
C:\$VAULT$.AVG\01141531.FIL
  Infected with: Trojan.Downloader.Small.BCB -> Disinfection failed -> Deleted
C:\$VAULT$.AVG\34260500.FIL
  Infected with: Trojan.Downloader.Small.BCB -> Disinfection failed -> Deleted
C:\Installer3.exe
  Infected with: Trojan.Canbede.L -> Disinfection failed -> Deleted

LonnyRJones
2006-08-08, 04:13
Hi steve2000

Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file type *All files* > and save it to the desktop.


(Echo %DATE% %TIME%
sc config rundll.exe start= disabled
sc stop rundll.exe
sc query rundll.exe
)>logit.txt 2>&1

Run check.bat, then post the logit.txt file.

Next: Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

steve2000
2006-08-08, 08:11
Here's the logit log:

Tue 08/08/2006 2:08:15.03
[SC] ChangeServiceConfig SUCCESS
[SC] ControlService FAILED 1052:

The requested control is not valid for this service.



SERVICE_NAME: rundll.exe
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
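What this logit.txt says is easy to misread: `sc config ... start= disabled` succeeded, but `sc stop` came back with error 1052 (ERROR_INVALID_SERVICE_CONTROL) because the service advertises NOT_STOPPABLE, so the Service Control Manager will not deliver a stop request to it while it runs. The disabled start type still takes effect at the next boot, which is why the thread moves on without stopping it. Here is an added parser for that output, not part of the thread and not an `sc` feature; the sample is a constructed copy in the shape of the log above, and `parse_logit` / `assess` are my own names. It goes one step beyond the single case in the thread by also recognising a stop that succeeded.

```python
import re

# Constructed sample in the shape of the logit.txt that check.bat captured in
# this thread (sc config / sc stop / sc query output); not the original file.
SAMPLE_LOGIT = """Tue 08/08/2006 2:08:15.03
[SC] ChangeServiceConfig SUCCESS
[SC] ControlService FAILED 1052:

The requested control is not valid for this service.

SERVICE_NAME: rundll.exe
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")       # NAME : value
STATE_RE = re.compile(r"^(\d+)\s+([A-Z_]+)")                      # "4  RUNNING"
CONTROLS_RE = re.compile(r"\(((?:NOT_)?STOPPABLE[A-Z_,]*)\)")     # accepted controls
CONTROL_FAIL_RE = re.compile(r"\[SC\] ControlService FAILED (\d+)")


def parse_logit(text):
    """Pull the facts that matter out of the check.bat output."""
    info = {
        "config_changed": "[SC] ChangeServiceConfig SUCCESS" in text,
        "control_error": None,   # Win32 error from the failed sc stop, if any
        "fields": {},            # the NAME : value lines from sc query
        "state": None,           # RUNNING / STOPPED / ...
        "controls": set(),       # e.g. {"NOT_STOPPABLE", "ACCEPTS_SHUTDOWN"}
    }
    m = CONTROL_FAIL_RE.search(text)
    if m:
        info["control_error"] = int(m.group(1))
    for line in text.splitlines():
        f = FIELD_RE.match(line)
        if f:
            info["fields"][f.group(1)] = f.group(2)
    s = STATE_RE.match(info["fields"].get("STATE", ""))
    if s:
        info["state"] = s.group(2)
    c = CONTROLS_RE.search(text)
    if c:
        info["controls"] = set(c.group(1).split(","))
    return info


def assess(info):
    """Verdict for the outcomes the check.bat procedure can have."""
    if info["state"] == "STOPPED":
        return "stopped_and_disabled" if info["config_changed"] else "stopped"
    unstoppable = "NOT_STOPPABLE" in info["controls"] or info["control_error"] == 1052
    if unstoppable:
        # Still running now, but with start type disabled it will not come
        # back after a reboot; until then it must be treated as live.
        return "disabled_pending_reboot" if info["config_changed"] else "running_unstoppable"
    return "running"


if __name__ == "__main__":
    details = parse_logit(SAMPLE_LOGIT)
    print(details["fields"]["SERVICE_NAME"], details["state"], sorted(details["controls"]))
    print(assess(details))
```

The defender's takeaway is the verdict string: a service that refuses SCM stop controls is not "stopped" by the batch file, only prevented from starting again, so anything that relies on it being gone (file deletion, sending the sample) is safer done after the reboot the helper asks for.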

steve2000
2006-08-08, 16:19
I had to run combofix twice. Not sure what happened. (I didn't touch anything, though! :) ) When I was running combofix, both times, AVG started a scan and ZoneAlarm was very interested in what was going on. Anyway... here's the combofix log:

Start Time= Tue 08/08/2006 10:04:13.79
Running from: C:\Documents and Settings\Papa\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{0A4E15F9-F873-4E98-9220-1D6A8E2A2E45}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0A4E15F9-F873-4E98-9220-1D6A8E2A2E45}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{0A4E15F9-F873-4E98-9220-1D6A8E2A2E45}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0A4E15F9-F873-4E98-9220-1D6A8E2A2E45}\InprocServer32]
@="C:\\WINDOWS\\system32\\wfnipsec.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\hr8205loe.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\nwnmff_7.exe
C:\kybrdff_7.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\B7K51QHK\dfndrff_7[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\03FXJEB2\drsmartload292a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OJ56YQU1\drsmartload849a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OJ56YQU1\nwnmff_7[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OJ56YQU1\kybrdff_7[1].exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 18:15:42 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Viewpoint"
2006-08-06 02:35:44 ( .D... ) "C:\Program Files\Advanced Sound Recorder"
2006-08-03 17:28:22 ( .D... ) "C:\Program Files\Zone Labs"
2006-08-03 12:41:46 ( .D... ) "C:\Program Files\F-Group"
2006-08-03 12:26:20 ( .D... ) "C:\Program Files\Advanced StartUp Manager"
2006-07-31 17:49:04 ( .D... ) "C:\Documents and Settings\Papa\Application Data\AdobeUM"
2006-07-31 17:48:44 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Adobe"
2006-07-31 13:45:06 58116 ( A.... ) "C:\cas.exe"
2006-07-31 11:18:24 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Lavasoft"
2006-07-31 11:17:38 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-30 22:00:26 ( .D... ) "C:\Program Files\Common Files\{320D180E-0708-1033-0220-060330050001}"
2006-07-30 08:31:58 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-30 08:06:12 10 ( A.... ) "C:\WINDOWS\smdat32m.sys"
2006-07-25 21:00:58 ( .D... ) "C:\Program Files\AIM+"
2006-07-25 16:56:14 ( .D... ) "C:\Program Files\AIM"
2006-07-21 18:13:36 ( .D... ) "C:\Program Files\TBONBin"
2006-07-21 18:10:04 ( .D... ) "C:\Program Files\Kazaa"
2006-07-21 15:09:12 1200640 ( ..SHR ) "C:\WINDOWS\rundll.exe"
2006-07-21 00:00:44 ( .D... ) "C:\Program Files\Serif"
2006-07-18 15:31:54 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-07-18 15:21:26 ( .D... ) "C:\Program Files\Java"
2006-07-18 15:21:10 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-17 19:36:16 ( .D... ) "C:\Program Files\AOD"
2006-07-17 19:36:12 ( .D... ) "C:\Program Files\Viewpoint"
2006-07-17 19:36:08 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-07-17 19:35:54 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-07-17 19:35:54 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-07-17 19:35:46 ( .D... ) "C:\Program Files\AOL"
2006-07-15 14:42:32 702535 ( A.... ) "C:\WINDOWS\system32\Fight Club Soap.Scr"
2006-07-13 11:43:52 ( .D... ) "C:\Program Files\MsnMusic"
2006-07-13 10:07:46 1453401 ( A.... ) "C:\WINDOWS\system32\Tears in Heaven.scr"
2006-07-13 09:59:16 593103 ( A.... ) "C:\WINDOWS\system32\Morning Star.scr"
2006-07-13 09:56:50 ( .D... ) "C:\Program Files\Plus!"
2006-07-13 09:06:24 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Cyberlink"
2006-07-13 08:50:28 ( .D... ) "C:\Documents and Settings\Papa\Application Data\AVG7"
2006-07-13 08:50:08 ( .D... ) "C:\Program Files\Grisoft"
2006-07-13 08:47:28 ( .D... ) "C:\Program Files\Yahoo!"
2006-07-13 08:47:26 ( .D... ) "C:\Program Files\CCleaner"
2006-07-13 07:26:58 ( .D... ) "C:\Program Files\RealVNC"
2006-07-13 07:25:50 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Macromedia"
2006-07-13 07:20:16 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Mozilla"
2006-07-13 07:20:14 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-13 07:16:10 ( .DS.. ) "C:\Documents and Settings\Papa\Application Data\Microsoft"
2006-07-13 07:16:10 ( .D... ) "C:\Documents and Settings\Papa\Application Data\Identities"
2006-07-13 07:13:08 1024 ( ...HR ) "C:\WINDOWS\system32\NTIBUN4.dll"
2006-07-13 07:12:40 1024 ( ...HR ) "C:\WINDOWS\system32\NTIMPEG2.dll"
2006-07-13 07:12:40 1024 ( ...HR ) "C:\WINDOWS\system32\NTIMP3.dll"
2006-07-13 07:12:40 1024 ( ...HR ) "C:\WINDOWS\system32\NTIFCD3.dll"
2006-07-13 07:12:40 1024 ( ...HR ) "C:\WINDOWS\system32\NTICDMK7.dll"
2006-07-13 07:11:36 ( .D... ) "C:\Program Files\SiS VGA Utilities V3.65f"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:14 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-07-09 13:42:14 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-07-09 13:42:12 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-07-09 13:42:12 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-07-09 13:42:10 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-07-09 13:42:10 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-07-09 13:42:08 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-07-09 13:42:08 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-07-09 13:42:08 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-07-09 13:42:06 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-07-09 13:41:58 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"
2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-06 02:13 468,242,432 C:\hiberfil.sys
2006-08-03 17:28 83,960 C:\WINDOWS\system32\zlcomm.dll
2006-08-03 17:28 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-08-03 17:28 71,672 C:\WINDOWS\system32\zlcommdb.dll
2006-08-03 17:28 71,672 C:\WINDOWS\system32\vsregexp.dll
2006-08-03 17:28 59,384 C:\WINDOWS\system32\vswmi.dll
2006-08-03 17:28 392,824 C:\WINDOWS\system32\vsdatant.sys
2006-08-03 17:28 268,280 C:\WINDOWS\system32\vspubapi.dll
2006-08-03 17:28 104,440 C:\WINDOWS\system32\vsmonapi.dll
2006-08-03 17:28 100,344 C:\WINDOWS\system32\vsxml.dll
2006-08-03 17:27 83,960 C:\WINDOWS\system32\vsdata.dll
2006-08-03 17:27 440,312 C:\WINDOWS\system32\vsutil.dll
2006-08-03 17:27 157,688 C:\WINDOWS\system32\vsinit.dll
2006-07-31 17:44 266,360 C:\WINDOWS\system32\TweakUI.exe
2006-07-31 13:44 58,116 C:\cas.exe
2006-07-29 22:37 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-29 22:37 49,248 C:\WINDOWS\system32\java.exe
2006-07-29 22:37 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-21 18:10 10 C:\WINDOWS\smdat32m.sys
2006-07-21 15:09 1,200,640 C:\WINDOWS\rundll.exe
2006-07-21 00:00 212,480 C:\WINDOWS\pcdlib32.dll
2006-07-15 14:42 702,535 C:\WINDOWS\system32\Fight
2006-07-13 11:43 245,408 C:\WINDOWS\system32\unicows.dll
2006-07-13 10:07 1,453,401 C:\WINDOWS\system32\Tears
2006-07-13 09:59 593,103 C:\WINDOWS\system32\Morning
2006-07-13 07:32 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-13 07:14 258,048 C:\WINDOWS\system32\Uninstall_eRecovery.exe
2006-07-13 07:14 147,456 C:\WINDOWS\UNINST32.EXE
2006-07-13 04:03 704,643,072 C:\pagefile.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Absolute StartUp monitor"="C:\\Program Files\\F-Group\\Absolute StartUp\\ASMon.exe"
"AGRSMMSG"="\"AGRSMMSG.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe \" /STARTUP"
"eRecoveryService"="\"C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"LaunchApp"="\"Alaunch\""
"MSPY2002"="\"C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe \" /SYNC"
"PCMService"="\"C:\\Program Files\\Arcade\\PCMService.exe\""
"PHIME2002A"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName\""
"PHIME2002ASync"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC\""
"SiS Windows KeyHook"="\"C:\\WINDOWS\\system32\\keyhook.exe\""
"SiSPower"="\"Rundll32.exe \" SiSPower.dll,ModeAgent"
"SoundMan"="\"SOUNDMAN.EXE\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"ViewMgr"="\"C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e1,00,00,00,00,00,00,00,1f,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{320D180E-0708-1033-0220-060330050001}"="\"C:\\Program Files\\Common Files\\{320D180E-0708-1033-0220-060330050001}\\Update.exe\" mc-110-12-0000107"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{320D180E-0708-1033-0220-060330050001}"="\"C:\\Program Files\\Common Files\\{320D180E-0708-1033-0220-060330050001}\\Update.exe\" mc-110-12-0000107"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"




Contents of the 'Scheduled Tasks' folder

Completion time: Tue 08/08/2006 10:10:58.50
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-08.100413.txt

LonnyRJones
2006-08-09, 01:08
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
[-HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

C:\Program Files\Common Files\{320D180E-0708-1033-0220-060330050001}
C:\Program Files\TBONBin
C:\Program Files\Kazaa < uninstall the program then delete folder
Zip up copies of both of these, send them to me and delete the originals
C:\WINDOWS\rundll.exe < delete but only at that location
C:\cas.exe
Send it to submitlonny AT subratam.org
Replace AT with @ and remove spaces, then include a link back to this thread.
Or you could attach it here http://www.thespykiller.co.uk/forum/index.php?board=1.0
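
The registry export quoted earlier in the thread (the `policies\explorer\Run` and `msconfig\startupreg` keys) and the fixme.reg above together show the whole loop: read an export, pick out the entries that launch at logon, and write a REGEDIT4 file whose `[-key]` lines delete them. The script below is an added example, not the helper's tool or anything posted in this thread. It parses the export format and emits a removal file in the same `[-key]` form used above; the sample export is a constructed, trimmed copy of the entries shown in the log, and `exe_path` is a heuristic for pulling the executable out of a Run command line.

```python
"""Parse a REGEDIT4-style registry export and build a removal .reg file.

Added example for this thread; it is not the forum helper's own tool.
"""
import re

# Constructed sample: a trimmed copy of the export format shown in the thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{320D180E-0708-1033-0220-060330050001}"="\"C:\\Program Files\\Common Files\\{320D180E-0708-1033-0220-060330050001}\\Update.exe\" mc-110-12-0000107"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"
"""

REG_KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]\s*$')
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg string escaping: a backslash escapes a backslash or a double quote
    return re.sub(r'\\(.)', r'\1', s)


def _parse_value(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])          # REG_SZ
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)              # REG_DWORD
    return raw                               # hex(...) blobs etc.: keep raw text


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 / regedit export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if (not line or line.startswith(';') or line.upper().startswith('REGEDIT')
                or line.startswith('Windows Registry Editor')):
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else '@'
            keys[current][name] = _parse_value(m.group(3))
    return keys


def find_autoruns(keys):
    """Yield (key, name, command) for logon autoruns: ...\\Run and ...\\RunOnce
    values, plus msconfig 'startupreg' records (Run entries msconfig has disabled
    but keeps so they can be re-enabled)."""
    found = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith('\\run') or low.endswith('\\runonce'):
            for name, val in values.items():
                if isinstance(val, str) and val:
                    found.append((key, name, val))
        elif '\\msconfig\\startupreg\\' in low and isinstance(values.get('command'), str):
            found.append((key, values.get('item', ''), values['command']))
    return found


def exe_path(command):
    """Heuristic (assumption): pull the executable out of a Run command line,
    handling both '"C:\\dir with spaces\\a.exe" args' and 'C:\\dir\\a.exe args'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ', 1)[0]


def removal_reg(keys_to_delete, values_to_delete=()):
    """Build a REGEDIT4 file: '[-key]' deletes a whole key, '"name"=-' one value."""
    lines = ['REGEDIT4', ';']
    for key in keys_to_delete:
        lines.append('[-%s]' % key)
    for key, name in values_to_delete:
        lines.append('[%s]' % key)
        lines.append('"%s"=-' % name.replace('\\', '\\\\').replace('"', '\\"'))
    lines.append(';')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_EXPORT)
    runs = find_autoruns(reg)
    for key, name, cmd in runs:
        print('%s\n  %s -> %s' % (key, name, exe_path(cmd)))
    print(removal_reg([k for k, _, _ in runs]))
```

Run against a real ComboFix or regedit export, the printed list is the set of autorun entries to review by hand; only the keys you have decided are unwanted go into `removal_reg`, and the resulting file is merged exactly as the fixme.reg above was.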

steve2000
2006-08-09, 03:55
I completed the first part of your instructions. But, I am unclear about the second part. After the restart, do I delete the first 2 folders you have listed? Also, I think I already uninstalled Kazaa. I will zip the rundll and cas files and email them to you.


Restart your PC.

C:\Program Files\Common Files\{320D180E-0708-1033-0220-060330050001}
C:\Program Files\TBONBin
C:\Program Files\Kazaa < uninstall the program then delete folder
Zip up copies of both of these, send them to me and delete the originals
C:\WINDOWS\rundll.exe < delete but only at that location
C:\cas.exe
Send it to submitlonny AT subratam.org
Replace AT with @ and remove spaces, then include a link back to this thread.
Or you could attach it here http://www.thespykiller.co.uk/forum/index.php?board=1.0

LonnyRJones
2006-08-09, 04:47
Yes, delete all three folders and the two files after sending them.
Thanks

steve2000
2006-08-09, 06:14
OK...all done except there is no rundll in the Windows folder, so all I sent was the cas file.

LonnyRJones
2006-08-09, 06:25
It's definitely there. Set Windows to show hidden extensions, files and folders: click for instructions (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and try again please.

steve2000
2006-08-09, 06:52
Sorry... I did find the rundll...it's on its way.

LonnyRJones
2006-08-13, 06:02
steve2000, how's the PC acting? Any problems?

steve2000
2006-08-13, 08:35
I am still experiencing problems. Sometimes when I boot not everything boots and Firefox and IE will not open. This does not occur on every boot though. AVG keeps finding viruses but doesn't heal them. Spybot still keeps finding stuff. For some reason it takes forever to get my Juno email. I have another puter on the same network that does not have a problem logging on to Juno. Not sure I have listed all the problems but these are the major ones.

Hope this helps.

LonnyRJones
2006-08-13, 08:41
List the files/names and locations that AVG keeps finding.
Post a results report from Spybot.

Post a SpyBot results report. I don't need to see tracks.
Run SpyBot check for problems; when it's finished, right click and choose copy results (not full report)
to clipboard and paste that back here please.

steve2000
2006-08-13, 09:35
AVG keeps finding:

c:\documentsandsettings\sarahrobbins\localsettings\temporaryinternetfiles\contentie5\nh5drllr\lamer[1].exe

plus about 50 files located in:

c:\systemvolumeinformation\_restore{plus a whole bunch of numbers and letters that I am too lazy to type:) }\rp(24-34) \ A00*****.(either dll or exe)


I hope that makes sense.

The Spybot results are: (I did later delete them but they still come back when I rerun Spybot)




Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-08-01 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2004-11-29 Includes\LSP.sbi (*)
2006-08-11 Includes\Cookies.sbi (*)
2006-08-11 Includes\Dialer.sbi (*)
2006-08-11 Includes\Hijackers.sbi (*)
2006-08-11 Includes\Keyloggers.sbi (*)
2006-08-11 Includes\Malware.sbi (*)
2006-08-11 Includes\Revision.sbi (*)
2006-08-11 Includes\Security.sbi (*)
2006-08-11 Includes\Spybots.sbi (*)
2006-08-11 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-08-11 Includes\PUPS.sbi (*)

LonnyRJones
2006-08-13, 13:58
You can have AVG delete those,
or empty Temporary Internet Files via Internet Options. Another tool:
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
REBOOT afterwards!

c:\systemvolumeinformation < Items here are Windows System Restore points;
you can purge it by doing the following


Purge System Restore
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.


Those items in the SpyBot report are just cookies, continue to fix them when they show up.

steve2000
2006-08-13, 21:45
I did as instructed except when I right-clicked on My Computer there was no System Restore tab. I had to go to Control Panel / System / System Restore. When I rebooted as you instructed I could not open the System icon nor would any web browser open. Also, Zone Alarm and AVG did not load. I could not shut down normally and had to use the switch to reboot. It seems about every other reboot this happens.

LonnyRJones
2006-08-14, 02:32
Do a full system scan with your updated antivirus, then Ewido, then SpyBot, while the PC is in Safe Mode.
http://www.ewido.net/en/download/

How to reboot into Safe Mode: click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) for instructions.

tashi
2006-08-19, 18:28
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.