
Baseline - 2nd post, more info


  • This topic is locked
30 replies to this topic

#16 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 02 March 2007 - 09:49 AM

more info on 1st step please: run "uninstall" on Ad-Aware SE, then search directory and delete its folder? I do not have a backup disc for this software - how will I be able to reinstall? Will uninstall Ad-Aware also uninstall Ad-Watch?



#17 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 02 March 2007 - 06:21 PM

Can you post a new log from HijackThis when done?

#18 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 02 March 2007 - 09:11 PM

Little Eagle, I will post a new hijackthis log when done, but before I do the next step I need those questions answered from post #16! Thanks

#19 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 02 March 2007 - 09:18 PM

Ad-Aware should have given you a licence key when you bought it. You will be able to use it again.

You can ask them about it here. Customer Care Center
http://www.lavasoftsupport.com/

Edited by little eagle, 02 March 2007 - 09:18 PM.


#20 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 03 March 2007 - 12:12 AM

-Uninstalled Ad-Aware. Could not find a folder to delete.
- could not find any of the files listed
- could not connect to the internet in safe mode, so rebooted in normal before downloading killbox
- text in killbox command box all scrambled (common problem?). Ran in "normal" mode rather than "safe" - is that correct? did not feel right - header at top of box never changed from "0 files, 0 folders". When entered the last file path and hit "reboot", an error box came up reading "pending filename operations registry data has been removed by external process"
- never did reboot

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:12 pm, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...rf?lc=1033&id=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138728641538
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


files not there, but they've been gone before ... shoot, I've been feeling so confident until now ...
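A HijackThis log like the one above is plain text that a helper reads section by section: R0/R1 are browser settings, O4 are autorun entries, O9 are Internet Explorer buttons, O16 are ActiveX downloads (DPF), O20 are Winlogon Notify DLLs and O23 are services. As an added example, not part of this thread and not code from HijackThis itself, here is a small Python parser that splits such a log into its process list and its tagged entries, then flags the kinds of lines a helper normally asks about: orphaned "(file missing)" entries, autoruns without a full path, DPF downloads, Winlogon Notify DLLs and services with no recorded publisher. The sample log, its URLs, the Updater autorun and the ExSvc service are constructed for the example; a flag means "review this line", not "remove it".

```python
import re

# Constructed sample modeled on the HijackThis 1.99 format (not the log posted in this thread);
# the ExSvc service, the Updater autorun and the URLs are made up for the example.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 11:00:12 pm, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://start.example.invalid/
O4 - HKLM\\..\\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\\..\\Run: [Updater] "C:\\Program Files\\Example\\update.exe" -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.example.invalid/oscan8.cab
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\\WINDOWS\\System32\\exsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\\PROGRA~1\\TRENDM~1\\INTERN~1\\tmproxy.exe
"""

# Every HijackThis entry starts with a section tag (R0, F2, O4, O23, ...) followed by " - "
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A command counts as fully qualified if it starts with a drive letter or an %ENV% variable
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its tagged entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
        elif in_processes:
            processes.append(line)
    return processes, entries


def autorun_command(body):
    """Return the executable part of an O4 body such as 'HKLM\\..\\Run: [Name] cmd args'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):               # quoted long path: "C:\Program Files\x.exe" -arg
        return cmd.split('"')[1]
    return cmd.split(" ")[0]


def review_entries(entries):
    """Return (section, reason, body) triples for lines a helper would normally ask about."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if "(file missing)" in body:
            findings.append((sec, "target file missing (orphaned entry)", body))
        if sec == "O4" and not FULL_PATH_RE.match(autorun_command(body)):
            findings.append((sec, "autorun with no full path (resolved through PATH)", body))
        if sec == "O16":
            findings.append((sec, "ActiveX download (DPF); confirm publisher and URL", body))
        if sec == "O20":
            findings.append((sec, "Winlogon Notify DLL loaded at logon; verify the DLL", body))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no publisher recorded; verify the binary", body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for sec, reason, body in review_entries(ents):
        print(f"[{sec}] {reason}: {body}")
```

Run against the constructed sample it reports five lines for review (the orphaned O9 button, the unqualified `ltmsg.exe` autorun, the DPF download, the Winlogon Notify DLL and the ExSvc service) and leaves the Trend Micro service alone because a publisher is recorded for it.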

#21 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 03 March 2007 - 06:10 AM

Be sure to keep Sun Java updated.

In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5- 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE


It is important to remove older versions as these are the ones with the holes in them. You will be surprised when you go to add/remove to see all of the versions sitting there.

Download Newest >>>> http://www.java.com/...nload/index.jsp

Once installed you can test to see that it is in fact installed >>>>

Sun Java Test

-------------------------------------------

Run - ATF Cleaner instructions here.

-------------------------------------------------

Scan with AVG anti-spyware. Post the log here. Then Run this online scan and post the results here.
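The advice above (remove every older J2SE entry in Add/Remove Programs and keep only the newest) is easy to get wrong by hand, because Sun changed the naming scheme more than once: "Java 2 Runtime Environment, SE v1.4.2_04", "J2SE Runtime Environment 5.0 Update 5" and "Java(TM) 6 Update 11" are all the same product line. As an added example, not part of this thread and not a Sun or Java tool, here is a Python routine that normalises such display names to a (major, minor, update) tuple and reports which installed entries are older than the newest one. The listing is constructed from the names quoted above plus two non-Java entries to show they are ignored.

```python
import re

# Constructed Add/Remove Programs listing modeled on the names quoted in the thread;
# the Adobe and Firefox entries are only there to show that non-Java names are ignored.
INSTALLED = [
    "Adobe Reader 8",
    "J2SE Runtime Environment 5.0",
    "J2SE Runtime Environment 5.0 Update 5",
    "Java 2 Runtime Environment, SE v1.4.2_04",
    "Java(TM) SE Runtime Environment 6 Update 10",
    "Java(TM) 6 Update 11",
    "Mozilla Firefox (2.0.0.2)",
]

# Pre-5.0 naming: "v1.4.2_04" means Java 4, minor 2, update 4
OLD_STYLE = re.compile(r"\bv?1\.(\d+)\.(\d+)(?:_(\d+))?")
# 5.0 and later naming: "Environment 5.0 Update 5", "Java(TM) 6 Update 11"
NEW_STYLE = re.compile(
    r"(?:Environment|Java(?:\(TM\))?)\s+(?:SE\s+)?(\d+)(?:\.(\d+))?(?:\s+Update\s+(\d+))?",
    re.IGNORECASE,
)


def java_version(display_name):
    """Return (major, minor, update) for a Java runtime entry, or None for anything else."""
    if not re.search(r"\bJ2SE\b|\bJava\b", display_name):
        return None
    m = OLD_STYLE.search(display_name)     # old 1.x.y_uu numbering is checked first
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = NEW_STYLE.search(display_name)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    return None


def outdated_java(installed):
    """Return (newest_name, older_names): the single runtime to keep and the rest."""
    found = []
    for name in installed:
        v = java_version(name)
        if v is not None:
            found.append((v, name))
    if not found:
        return None, []
    found.sort(reverse=True)              # tuples compare major, then minor, then update
    return found[0][1], [name for _, name in found[1:]]


if __name__ == "__main__":
    keep, remove = outdated_java(INSTALLED)
    print("keep:  ", keep)
    for name in remove:
        print("remove:", name)
```

On the constructed listing it keeps "Java(TM) 6 Update 11" and lists the other four Java entries for removal; the same comparison is what you do by eye in Add/Remove Programs, and the tuple ordering is what makes "6 Update 10" rank above "5.0 Update 5" rather than sorting as text.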

#22 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 03 March 2007 - 02:29 PM

had java updates 10, 11(current), 6, and 9 - deleted all except 11, ran Sun Java test & passed
ran ATF
ran AVG: Adware.SpySheriff again!!!:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:20:59 am 03/03/2007

+ Scan result:

C:\System Volume Information\_restore{716138DA-8E27-4406-92AD-BCEFA82BA021}\RP182\A0014706.exe -> Adware.SpySheriff : Cleaned.

::Report end

:thumbdown: on Panda Activescan! 3x I had to click on install Active-X control, each time a pop-up to buy their product before I could run the scan without an "error on page". Finally ran on "my computer", found 1 "hacking tool / rootkit" - HA! :

Incident Status Location
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe

While searching C: root directory for Activescan log I came across an unfamiliar folder (248468f90bd937e37) with a text file of suspicious programming. Do you want to see it?

#23 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 03 March 2007 - 04:11 PM

One of the best features of Windows XP is the System Restore option; however, if there is a virus or spyware infection, there can be backups made in the System Restore folder. Therefore, clearing the restore points is necessary after a virus or spyware removal. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.

#24 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 05 March 2007 - 07:12 AM

OK - done - what about folder mentioned at end of post #22?

#25 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 05 March 2007 - 08:10 PM

Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy it does not delete it.
Please zip the file and upload it here
Or email it here

Please include a link to this thread.



#26 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 05 March 2007 - 08:48 PM

thanks - just zipped & posted it (hope I did it right) not sure it needed to be zipped, it was just a text file, just wanted to know if I should delete it or not

#27 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 05 March 2007 - 08:58 PM

http://blogs.msdn.co.../14/550941.aspx ;)

#28 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 05 March 2007 - 09:07 PM

thanks - just zipped & posted it (hope I did it right)

not sure it needed to be zipped, it was just a text file, just wanted to know if I should delete it or not

You can delete it if you like.

#29 JIMMY99

    New Member

  • Authentic Member
  • 16 posts

Posted 05 March 2007 - 10:28 PM

So, are you done with me? I've checked out the "what to do after an attack" posts (but haven't done anything). Need to re-install Ad-Aware, etc. Have just a couple of more questions before you cut me loose!

1- As I noted in my first post of this thread, I created a backup registry file using ERUNT before we made any changes. Should I delete that file now?

2- I noticed a line (016) from Symantec in my HijackThis logs. Since I've uninstalled Norton Anti-Virus, should I have HijackThis remove that line?

3- Should I keep HijackThis, fixwareout, and Avenger on this computer?

Thanks for all your help!

#30 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 06 March 2007 - 05:24 AM

So, are you done with me? I've checked out the "what to do after an attack" posts (but haven't done anything). Need to re-install Ad-Aware, etc. Have just a couple of more questions before you cut me loose!

1- As I noted in my first post of this thread, I created a backup registry file using ERUNT before we made any changes. Should I delete that file now? YES

2- I noticed a line (016) from Symantec in my HijackThis logs. Since I've uninstalled Norton Anti-Virus, should I have HijackThis remove that line? YES

3- Should I keep HijackThis YES, fixwareout NO, and Avenger NO on this computer?

Thanks for all your help!


You can keep hijackthis but I hope we don't need it again. :wavey:
