
HijackThis Log--please help!


  • This topic is locked
24 replies to this topic

#1 Tennafa

Posted 11 June 2006 - 10:44 PM

My computer doesn't just freeze, it locks up completely and I can't even shut it off without unplugging the cursed thing....here's my log, is there anything at all on here that will make a computer become so unresponsive it may as well be a woman with PMS? Please help....

Logfile of HijackThis v1.99.1
Scan saved at 12:32:18 AM, on 6/12/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?131d2514a1d40529ccee0e7d32ad352
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?131d2514a1d40529ccee0e7d32ad352
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...oad/tgctlcm.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.ho...es/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pog...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - F:\ADVTOOLS\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

I am getting very frustrated with this POS and am about ready to just start going to the library to use their pcs. Mine is fast becoming a very expensive paperweight on my desk.

Tennafa.


#2 Susan528

Posted 12 June 2006 - 08:20 PM

Hello Tennafa and Welcome to TomCoyote,

Please do the following:

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 Tennafa

Posted 13 June 2006 - 01:02 PM

Oh crud! You are not going to believe what I've done....I deleted the wrong file logs and BEFORE I rebooted deleted spy sweeper log. I am so sorry but I don't have that log from the scan earlier....I have the ewido scan log and the new hijackthis log. Will that be ok? I can't believe I made such a mistake....so very sorry for that. If you need that please let me know so I can scan and post that log here too. Thank you so very much for your help.

Tennafa :weee:


Ewido log:


ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:02:05 PM, 6/13/06
+ Report-Checksum: 7FB41AF8

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@musicoffaith.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@e-2dj6wjmyamazkkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@track-star[1].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup


::Report End


and HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 2:55:28 PM, on 6/13/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZSYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...oad/tgctlcm.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.ho...es/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pog...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - F:\ADVTOOLS\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)


Thanks again for all your help. I still can't believe I made such a blunder..... :unsure:

#4 Susan528

Posted 13 June 2006 - 01:27 PM

We will not worry about the SpySweeper log. Just let me know if you noticed any improvement.

STEP 1.
======
MyWay Removal
Open ‘Add/Remove Programs’ in the Control Panel.
  • Select the ‘My Search Bar’ (MySearch variant), ‘MyWay Speed Bar’ (MyWay) or ‘My Web Search Bar’ (MyWeb) entry
  • Click ‘Remove’.
  • For the MyWeb variant, be sure to also remove ‘Fun Web Products Easy Installer’
  • Open My Computer, Drive C, and double-click on the Program Files folder
  • Right-click and delete the folders for:
    FunWebProducts
    MyWebSearch

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click >Options over to the left, then >program options > Uncheck "load at windows startup"
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZSYYYYYYYYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Post (reply) with the Kaspersky log and a fresh HijackThis log and we will take another look.

#5 Tennafa

Posted 13 June 2006 - 02:00 PM

I see a major improvement in how my comp runs....thank you very very much. One more small test for me to do to make sure it's ok now lol....I have to run WMP with an open window to make sure it doesn't freeze. Believe me, I had an awful time trying to log on here to get help and every time I tried to run my antivirus my comp froze up and I couldn't even reboot it--I had to unplug it from the wall to reboot!! I know that's not good for my pc but I didn't have much choice. Anyway, thanks again for all your help and as soon as I can, I plan to donate to tomcoyote to keep this site going......by the way, I have recommended you to all my online and offline friends :D. Have a great day, Tennafa.

#6 Susan528

Posted 13 June 2006 - 03:39 PM

Thank you :) and I am glad your computer is running better but please post the results from Kaspersky and another HijackThis log. I want to try to be thorough and make sure your system appears to be clean.

#7 Tennafa

Posted 13 June 2006 - 09:14 PM

WOW, I am in some serious trouble here. Even though I'm running much smoother, I still have lots of junk on here and trojans galore, so many I could have a sale lol. Here's my results from website and the hijackthis log right after....

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, June 13, 2006 11:03:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/06/2006
Kaspersky Anti-Virus database records: 188312


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics
Total number of scanned objects 119862
Number of viruses found 7
Number of infected objects 78
Number of suspicious objects 0
Duration of the scan process 02:05:22

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Default User\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Default User\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Family Access\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Family Access\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Family Access\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Family Access\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Family Access\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Family Access\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Family Access\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Family Access\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Family Access\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Family Access\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp/SETUP_POWERSEARCH.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp/SETUP_INCREDIFIND_ONLY.EXE Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp ZIP: infected - 5 skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp ZIP: infected - 5 skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\Just Stuff\setup.exe/data0002 Infected: Trojan-Downloader.Win32.Wren.d skipped

C:\Documents and Settings\Owner\My Documents\Just Stuff\setup.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\My downloads\aquarium-us.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

C:\Documents and Settings\Owner\My Documents\My downloads\aquarium-us.exe StarDust Installer: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

C:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe StarDust Installer: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

C:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe StarDust Installer: infected - 1 skipped

C:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

C:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:01 PM, on 6/13/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by7fd.bay7.ho...es/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pog...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - F:\ADVTOOLS\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)


How do I get rid of this mess? I obviously don't want it on my machine but I can't afford to buy a bunch of software right now.....are there freeware products that work well on things like this?

Edited by Tennafa, 13 June 2006 - 09:21 PM.


#8 Susan528

Posted 14 June 2006 - 08:13 AM

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


Reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').

Delete Files and Folders
Please delete the following files/folders:
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe<==file
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe<==file
C:\Documents and Settings\Default User\My Documents\Data\Data\netspry.exe<==file
C:\Documents and Settings\Default User\My Documents\Data\netspry.exe<==file
C:\Documents and Settings\Family Access\My Documents\Data\all_files4.exe<==file
C:\Documents and Settings\Family Access\My Documents\Data\Data\all_files4.exe<==file
C:\Documents and Settings\Family Access\My Documents\Data\Data\netspry.exe<==file
C:\Documents and Settings\Family Access\My Documents\Data\netspry.exe <==file
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM64.tmp<==file
C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\all_files4.exe<==file
C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\all_files4.exe <==file
C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\Data\netspry.exe<==file
C:\Documents and Settings\Owner\My Documents\J.J\My Documents\Data\netspry.exe<==file
C:\Documents and Settings\Owner\My Documents\Just Stuff\setup.exe<==file
C:\Documents and Settings\Owner\My Documents\My downloads\aquarium-us.exe<==file
C:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe<==file
C:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe<==file
C:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe<==file
D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe<==file
D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe<==file
D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe<==file
D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe<==file
D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe<==file
D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe<==file
D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe<==file
D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe<==file
D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe<==file
D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe<==file
D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe<==file

Reboot, then please run Kaspersky again and post (reply) with the log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#9 Tennafa

Posted 14 June 2006 - 03:27 PM

Ok, two major things I need to let you know while the Kaspersky scanner is scanning....One, the folders/files "Leas Account" and "Bethany" have long since been deleted and I don't know how to call up old deleted files on my comp, although I heard that is possible to do. The second thing is...when I rebooted after following all the steps you listed above, my web browser opened up on a page called netspry. I am concerned because I just deleted a bunch of files with that in the name and I was wondering if I did everything right. Anyway, I hope this will do it for me and that I can finally have a computer that doesn't freeze up, reboot or keep me from closing webpages or my browser. To make a long story short, I think I need to invest in a new computer and drop this one off a cliff lol. But seriously, do you have any suggestions for any free programs out there that are good to use for the monetarily challenged? Has anyone on this forum addressed this question before and if so could you direct me to the responses to this question? Thank you very very much, I really do appreciate everything you have done to help me reclaim my computer. Tennafa.

#10 Susan528

Posted 14 June 2006 - 03:42 PM

Hi Tennafa, Don't panic. We will clean this one up. The procedure here is to clean up the computer and then at the end give recommendations. We do not ask people to buy software but do use free trials to help with cleaning of malware. There are some good free programs that are available and I use them. Please be patient. If one procedure does not work for removing certain files, we will try another.

#11 Tennafa

Posted 14 June 2006 - 05:32 PM

Ok, here's the Kaspersky log.... :weee:

KASPERSKY ON-LINE SCANNER REPORT
Wednesday, June 14, 2006 7:21:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/06/2006
Kaspersky Anti-Virus database records: 188573

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics
Total number of scanned objects 113150
Number of viruses found 6
Number of infected objects 33
Number of suspicious objects 0
Duration of the scan process 02:03:45

Infected Object Name Virus Name Last Action

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE Infected: Trojan-Downloader.Win32.Keenval.j skipped

C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp ZIP: infected - 5 skipped

C:\Program Files\Homepage\WinPage.dll Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped

D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe StarDust Installer: infected - 1 skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe NSIS: infected - 2 skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe NSIS: infected - 1 skipped

D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped

D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe NSIS: infected - 1 skipped

Scan process completed.

This is not looking good for me is it?

#12 Susan528

Posted 14 June 2006 - 05:59 PM

Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE/data0003
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp
C:\Program Files\Homepage\WinPage.dll
D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe/ClrSchP048.exe
D:\Documents and Settings\Owner\My Documents\My downloads\halloween-us.exe
D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe/ClrSchP048.exe
D:\Documents and Settings\Owner\My Documents\My downloads\snowglobe.exe
D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe/ClrSchP048.exe
D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe
D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0003
D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe/data0006
D:\Documents and Settings\Leas account\My Documents\Data\all_files4.exe
D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0003
D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe/data0006
D:\Documents and Settings\Leas account\My Documents\Data\Data\all_files4.exe
D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe/data0002
D:\Documents and Settings\Leas account\My Documents\Data\Data\netspry.exe
D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe/data0002
D:\Documents and Settings\Leas account\My Documents\Data\netspry.exe
D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0003
D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe/data0006
D:\Documents and Settings\Bethany\My Documents\Data\all_files4.exe
D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0003
D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe/data0006
D:\Documents and Settings\Bethany\My Documents\Data\Data\all_files4.exe
D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe/data0002
D:\Documents and Settings\Bethany\My Documents\Data\Data\netspry.exe
D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe/data0002
D:\Documents and Settings\Bethany\My Documents\Data\netspry.exe


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No until the last one, at which time you click Yes to allow the reboot.


Please run Kaspersky again and post (reply) with the results.
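The scanner reports posted in this thread write objects inside installers and archives as `file/member`, so several report lines can refer to one file on disk. The following added example (not part of any post, and not code from Kaspersky or Killbox) groups report lines by on-disk file and checks each container's "infected - N" count against the lines listed for it; the function names and the location labels are this example's own assumptions.

```python
import re

# Report lines copied from the Kaspersky logs posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\Owner\Application Data\Iomega Automatic Backup\CacheFiles\IOM66.tmp ZIP: infected - 5 skipped
C:\Program Files\Homepage\WinPage.dll Infected: Trojan.Win32.StartPage.aaq skipped
D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
D:\Documents and Settings\Owner\My Documents\My downloads\snowing.exe StarDust Installer: infected - 1 skipped
C:\!KillBox\netspry.exe( 1)/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
C:\!KillBox\netspry.exe( 1) NSIS: infected - 1 skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061175.dll Infected: Trojan.Win32.StartPage.aaq skipped
Scan process completed.
"""

# "<object> Infected: <verdict> <action>"
DETECTION = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
# "<object> <container type>: infected - <n> <action>", e.g. NSIS, ZIP, StarDust Installer
SUMMARY = re.compile(
    r"^(?P<obj>.+?) (?P<kind>[A-Za-z][A-Za-z ]*): infected - (?P<count>\d+) (?P<action>\w+)$"
)


def location(disk_path):
    """Classify where a file sits, using labels chosen for this example."""
    p = disk_path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"   # Windows XP restore-point store
    if p[2:].startswith("\\!killbox\\"):
        return "killbox-backup"   # folder that appears in the post-Killbox report
    return "live"


def group_by_file(report):
    """Map each on-disk file to the detections reported in or on it."""
    files, unparsed = {}, []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION.match(line) or SUMMARY.match(line)
        if m is None:
            unparsed.append(line)   # keep unknown lines visible instead of dropping them
            continue
        # Backslashes separate real directories; "/" separates archive members.
        disk_path, _, member = m.group("obj").partition("/")
        entry = files.setdefault(disk_path, {
            "location": location(disk_path), "container": None,
            "declared": None, "detections": [],
        })
        if m.re is DETECTION:
            # member == "" means the verdict is on the file itself
            entry["detections"].append((member, m.group("verdict")))
        elif not member:
            # Summary line for the on-disk container itself
            entry["container"] = m.group("kind")
            entry["declared"] = int(m.group("count"))
    return files, unparsed


def files_on_disk(report):
    """One row per on-disk file: path, location, verdict names, count check."""
    files, _ = group_by_file(report)
    rows = []
    for path, e in files.items():
        verdicts = sorted({v for _, v in e["detections"]})
        # In this thread's reports the declared count equals the lines listed above it.
        consistent = e["declared"] is None or e["declared"] == len(e["detections"])
        rows.append((path, e["location"], verdicts, consistent))
    return rows


if __name__ == "__main__":
    for path, where, verdicts, ok in files_on_disk(SAMPLE_REPORT):
        print(f"[{where}] {path}")
        print(f"    {', '.join(verdicts)}  count-check={'ok' if ok else 'MISMATCH'}")
```

A failed count check or a non-empty `unparsed` list means the report was truncated or reflowed when it was pasted, so the grouping should not be trusted until the log is re-exported.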

#13 Tennafa

Posted 15 June 2006 - 07:18 PM

Did everything you said to do....still have junk on my computer :( . My browser still opens up to netspry.com which is nerve-racking to say the very least. Anyways, here's the new log....

Tennafa.

KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 15, 2006 5:53:52 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 15/06/2006
Kaspersky Anti-Virus database records: 188595

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics
Total number of scanned objects 113512
Number of viruses found 6
Number of infected objects 60
Number of suspicious objects 0
Duration of the scan process 01:56:53

Infected Object Name Virus Name Last Action
C:\!KillBox\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped
C:\!KillBox\all_files4.exe NSIS: infected - 2 skipped
C:\!KillBox\all_files4.exe( 2)/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files4.exe( 2)/data0006 Infected: Trojan.Win32.SecondThought.h skipped
C:\!KillBox\all_files4.exe( 2) NSIS: infected - 2 skipped
C:\!KillBox\all_files4.exe( 5)/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files4.exe( 5)/data0006 Infected: Trojan.Win32.SecondThought.h skipped
C:\!KillBox\all_files4.exe( 5) NSIS: infected - 2 skipped
C:\!KillBox\all_files4.exe( 6)/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files4.exe( 6)/data0006 Infected: Trojan.Win32.SecondThought.h skipped
C:\!KillBox\all_files4.exe( 6) NSIS: infected - 2 skipped
C:\!KillBox\halloween-us.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
C:\!KillBox\halloween-us.exe StarDust Installer: infected - 1 skipped
C:\!KillBox\IOM66.tmp/SETUP_POWERSEARCH.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\!KillBox\IOM66.tmp/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\!KillBox\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\!KillBox\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\!KillBox\IOM66.tmp/SETUP_INCREDIFIND_ONLY.EXE Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\!KillBox\IOM66.tmp ZIP: infected - 5 skipped
C:\!KillBox\netspry.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
C:\!KillBox\netspry.exe NSIS: infected - 1 skipped
C:\!KillBox\netspry.exe( 1)/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
C:\!KillBox\netspry.exe( 1) NSIS: infected - 1 skipped
C:\!KillBox\netspry.exe( 3)/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
C:\!KillBox\netspry.exe( 3) NSIS: infected - 1 skipped
C:\!KillBox\netspry.exe( 4)/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
C:\!KillBox\netspry.exe( 4) NSIS: infected - 1 skipped
C:\!KillBox\snowglobe.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
C:\!KillBox\snowglobe.exe StarDust Installer: infected - 1 skipped
C:\!KillBox\snowing.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
C:\!KillBox\snowing.exe StarDust Installer: infected - 1 skipped
C:\!KillBox\WinPage.dll Infected: Trojan.Win32.StartPage.aaq skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061175.dll Infected: Trojan.Win32.StartPage.aaq skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061176.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061176.exe StarDust Installer: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061177.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061177.exe StarDust Installer: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061178.exe/ClrSchP048.exe Infected: Backdoor.Win32.Ruledor.c skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061178.exe StarDust Installer: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061179.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061179.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061179.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061180.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061180.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061180.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061181.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061181.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061182.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061182.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061183.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061183.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061183.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061184.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061184.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061184.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061185.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061185.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061186.exe/data0002 Infected: Trojan.Win32.StartPage.aaq skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP45\A0061186.exe NSIS: infected - 1 skipped

Scan process completed

#14 Susan528


Posted 16 June 2006 - 05:55 AM

Hello Tennafa,

Why the sad face? Good work! :) Killbox quarantined those files.

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


STEP 1.
======
Navigate to C:\!KillBox to delete the items in the !KillBox folder
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Empty your recycle bin.

Let's run Kaspersky again and save the Kaspersky report.

STEP 2.
======
Hoster

Please download hoster.
  • Unzip Hoster.zip
  • Open Hoster.exe.
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
Reboot and "copy/paste" a new HijackThis log file, along with the Kaspersky report, into this thread.
Also please describe how your computer behaves at the moment.

#15 Tennafa


Posted 16 June 2006 - 02:48 PM

While I was deleting the files from Killbox, I noticed another folder with files that I never downloaded or have seen before on my computer...I will paste the folder and files here so you can take a look at them while I'm following your instructions. I just want to make double sure we are getting everything. Thank you for helping me out here. I wish I had the knowledge to do what you do here so I could not only keep my system running smoothly but also help others too. Well here are the folder and files I mentioned earlier....

$VAULT$AVG
01138516.FIL
69819313.FIL
69879922.FIL
69888360.FIL
69895797.FIL
78269235.FIL
83034703.FIL
90498453.FIL
90499750.FIL
91896281.FIL
