Mother-in-laws computer issues, PLEASE HELP!


  • This topic is locked
49 replies to this topic

#46 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 03 April 2006 - 10:11 AM

Looking better. Can I see another Kaspersky log please to be sure.



#47 dtap14

dtap14

    Authentic Member

  • Authentic Member
  • 34 posts

Posted 03 April 2006 - 06:53 PM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 03, 2006 20:45:17
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/04/2006
Kaspersky Anti-Virus database records: 185958
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 97069
Number of viruses found: 14
Number of infected objects: 53
Number of suspicious objects: 6
Duration of the scan process: 6006 sec

Infected Object Name - Virus Name
C:\!KillBox\microsloft.exe Infected: Backdoor.Win32.Rbot.gen
C:\!KillBox\pf78.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\!KillBox\pf78.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\!KillBox\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\!KillBox\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\!KillBox\Tagasuarus5.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\!KillBox\Tagasuarus5.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\!KillBox\Tagasuarus5.exe Infected: Trojan.Win32.VB.tg
C:\!KillBox\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\!KillBox\ventfe1.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\!KillBox\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k
C:\!KillBox\YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/drsmartload1.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6Y\ventfe1[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6Y\ventfe1[1].exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From bledsoex@bellsouth.net][Date Sun, 9 Jan 2005 22:27:24 -0800]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From bledsoex@bellsouth.net][Date Sun, 9 Jan 2005 22:27:24 -0800]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From bledsoex@bellsouth.net][Date Sun, 9 Jan 2005 22:27:24 -0800]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From bledsoex@bellsouth.net][Date Sun, 9 Jan 2005 22:27:24 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3ddddavenport@velocitus.net][Date Sun, 9 Jan 2005 23:07:43 -0800]/UNNAMED/letter.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3ddddavenport@velocitus.net][Date Sun, 9 Jan 2005 23:07:43 -0800]/UNNAMED/letter.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3ddddavenport@velocitus.net][Date Sun, 9 Jan 2005 23:07:43 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\apsi\wtta.exe Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Common Files\Yazzle1119OinAdmin.exe Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP809\A0047007.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP809\A0049133.exe/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Gator.2002
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP809\A0049133.exe Infected: not-a-virus:AdWare.Win32.Gator.2002
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP809\A0049134.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Gator.2001
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP809\A0049134.exe Infected: not-a-virus:AdWare.Win32.Gator.2001
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP815\A0054213.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP815\A0054213.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP815\A0054213.exe Infected: not-a-virus:AdWare.Win32.Softomate.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP823\A0060309.exe/data0002 Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP823\A0060309.exe Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP823\A0060310.exe Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0060672.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0061710.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0061710.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0061710.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0061710.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP825\A0061710.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091459.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091459.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091462.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091462.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091475.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091475.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091476.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091477.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091477.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091477.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091477.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091477.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091478.exe/data0002 Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091478.exe Infected: Trojan.Win32.Scapur.k

Scan process completed.

#48 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 03 April 2006 - 09:15 PM

We are almost there it looks like.

Download CCleaner from here >>>>> http://www.majorgeek...wnload4191.html

Save it to your desktop. Open CCleaner and click on "run cleaner" at the bottom right.

NEXT

Have Killbox delete these files

C:\Program Files\apsi\wtta.exe
C:\Program Files\Common Files\Yazzle1119OinAdmin.exe

Then a reboot. How is it running?
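Of the 59 detections in the report above, Siggyx asks for only two files to be deleted. The rest sit where they can no longer run on their own: the KillBox holding folder, System Restore snapshots, Spybot's recovery archives, the browser cache, and an Outlook Express mail store. The script below, added here as an illustration and not part of the thread or of any Kaspersky tooling, applies that same triage mechanically. It parses a constructed sample of eight records copied from the report, labels each detection by the location it sits in, and returns the files that are still live on disk. The location rules and labels are the example's own; the record format is Kaspersky's "<object> Infected|Suspicious: <name>" as it appears in the log.

```python
import re
from collections import Counter

# Constructed sample input: eight records copied from the scanner report posted
# earlier in this thread, one per line, plus the report's footer line.
SAMPLE_REPORT = r"""
C:\!KillBox\microsloft.exe Infected: Backdoor.Win32.Rbot.gen
C:\!KillBox\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0A2LDW6Y\ventfe1[1].exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{C83676A5-5069-4CC9-A83C-5A2A8069E143}\Microsoft\Outlook Express\Deleted Items.dbx/[From bledsoex@bellsouth.net][Date Sun, 9 Jan 2005 22:27:24 -0800]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\apsi\wtta.exe Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Common Files\Yazzle1119OinAdmin.exe Infected: Trojan.Win32.Scapur.k
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP864\A0091476.exe Infected: Backdoor.Win32.Rbot.gen
Scan process completed.
"""

# One detection record. Members of archives and mail stores are written as
# "<file on disk>/<member>", so the on-disk file is everything before the first "/".
RECORD_RE = re.compile(r"^(?P<obj>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")

# Ordered rules (labels are this example's own) for detections that are already
# contained and will not execute from where they sit. Matched against the
# lower-cased on-disk path; first hit wins, anything unmatched is a live file.
CONTAINED_RULES = (
    ("quarantine (KillBox holding folder)", lambda p: p.startswith("c:\\!killbox\\")),
    ("System Restore snapshot", lambda p: "\\system volume information\\_restore" in p),
    ("anti-spyware recovery archive", lambda p: "\\spybot - search & destroy\\recovery\\" in p),
    ("browser cache (Temporary Internet Files)", lambda p: "\\temporary internet files\\" in p),
    ("mail store (.dbx)", lambda p: p.endswith(".dbx")),
)


def parse_report(text):
    """Return one dict per detection line; header, footer and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj")
        records.append({
            "object": obj,
            "disk_path": obj.split("/", 1)[0],
            "verdict": m.group("verdict"),
            "name": m.group("name"),
        })
    return records


def classify(disk_path):
    """Label a detection by where it sits; 'live' means nothing has contained it yet."""
    p = disk_path.lower()
    for label, rule in CONTAINED_RULES:
        if rule(p):
            return label
    return "live"


def triage(text):
    """Count contained detections per location and collect live files with their verdicts."""
    contained = Counter()
    live = {}  # on-disk path -> set of detection names reported for it
    for rec in parse_report(text):
        label = classify(rec["disk_path"])
        if label == "live":
            live.setdefault(rec["disk_path"], set()).add(rec["name"])
        else:
            contained[label] += 1
    return {"contained": contained, "live": live}


def live_files(text):
    """The files a cleaner still has to act on, sorted for a stable listing."""
    return sorted(triage(text)["live"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for label, n in result["contained"].most_common():
        print(f"{n:3d}  contained: {label}")
    for path in sorted(result["live"]):
        print(f"LIVE {path}  ->  {', '.join(sorted(result['live'][path]))}")
```

Run against the sample, the two paths it reports as live are exactly the two Siggyx hands to KillBox. A real run should also check any unmatched path by hand before trusting the "contained" labels, since a location rule that is too broad would hide a live file.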

#49 dtap14

dtap14

    Authentic Member

  • Authentic Member
  • 34 posts

Posted 04 April 2006 - 04:58 PM

We are almost there it looks like.


If you say so!?!?!

Seems to be running OK. CCleaner removed 268 MB & Killbox removed those 2 files. I still have Spybot & ZoneAlarm on my desktop waiting to be installed. I have been updating my AVG, Ewido, and Asquared definitions too, but I really haven't been running them. I didn't want to interfere with what we were doing.?.? Thank you so much for your help, and I am sure my Mother-in-law thanks you too. I will cherish the day I can give her machine back to her. Thanks again.
HJT log if U need it:

Logfile of HijackThis v1.99.1
Scan saved at 6:29:23 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.enter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Enter.Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: AGSatellite.lnk = ?
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.enter.net/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142554419825
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37680.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\AIMClient.exe (file missing)

#50 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 04 April 2006 - 05:55 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
