|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
10-28-2006, 09:01 AM
|
#1 (permalink) | |
|
Registered User
Join Date: Sep 2006
Posts: 15
OS: XP
|
Hijacthis log
I've ran the programs in safe-mode and deleted a lot of spyware; however, I am still having some problems so here's a log, hopefully you guys can help.
Quote:
|
|
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
10-28-2006, 01:44 PM
|
#2 (permalink) | |
|
Registered User
Join Date: Sep 2006
Posts: 15
OS: XP
|
Update:
I rerolled back to fix a few drivers, I also re-ran every program out there possible after updating it. Hope this has cleaned it up a bit: Quote:
|
|
|
|
|
|
10-30-2006, 11:43 PM
|
#3 (permalink) |
|
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
|
Hello, and welcome to the HijackThis Help Forum.
Apologies for any delay in replying, but we have been rather busy lately. Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance. Thank you.
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all.  UNITE/ASAP: Proud member since 2006 |
|
|
|
|
10-31-2006, 06:10 AM
|
#4 (permalink) | |
|
Registered User
Join Date: Sep 2006
Posts: 15
OS: XP
|
No problem, Deckard. Take your time. Here's a new log. Hope your day is going well.
Quote:
|
|
|
|
|
|
10-31-2006, 08:25 PM
|
#5 (permalink) |
|
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
|
Hello, Rrruff. I didn't see obvious in your latest log, but let's see what some scans turn up. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any. Download CleanUp! Download and install CleanUp! but do not run it yet. WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp! WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it. Update AVG Anti-Spyware Load AVG Anti-Spyware and click the Update tab at the top:
Download ComboFix Download ComboFix from one of the following links:
Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): accoonaPlease let me know if any of these were unable to uninstall. Ewido has been replaced by AVG Anti-Spyware, which you already have installed. Reboot Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows. HijackThis Fixes Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = accoona | SuperTarget Your SearchPlease remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Deletions Delete the following folders indicated in BLUE if they still exist. C:\Program Files\accoona Run CleanUp! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
Run AVG Anti-Spyware
Reboot Reboot your system to Normal Mode. Online Scan Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Run ComboFix Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply. With Your Next Post... Please paste the following with your next reply (in this order please):
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006 |
|
|
|
|
11-01-2006, 12:08 AM
|
#7 (permalink) |
|
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
|
No problem; I'm subscribed to this thread so I will see your reply when you make it.
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006 |
|
|
|
|
11-06-2006, 08:58 PM
|
#8 (permalink) | ||||
|
Registered User
Join Date: Sep 2006
Posts: 15
OS: XP
|
Quote:
Quote:
Quote:
Quote:
|
||||
|
|
|
|
11-07-2006, 10:56 PM
|
#10 (permalink) |
|
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
|
Please don't quote your logs - it makes it harder for me to read and also work on them. Just post them inline -- I'll be able to tell the difference between them. Thanks.
 Could you copy the exact name (and filename if you have it) that Norton is telling you about? Also, did you set AVG to quarantine, because some of the files showed up on the second scan when they shouldn't have? Please delete these folders and files: C:\Documents and Settings\Darken Wolf\My Documents\DESKTOP\Firefox Downloads\79703(2).exeNow, C:\Program Files\WoWglider\Shadow.sys appears to be a rootkit of some sort, and from what I can tell it's a way to bot in WoW. We are not here to pass judgment on botting as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. My suggestion is to uninstall it. Future anti-malware scans may remove it anyway. HijackThis Fixes Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com/Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Online Scan Perform an online scan with Internet Explorer with Panda ActiveScan.
Generate An Uninstall List
With Your Next Post... Please paste the following with your next reply (in this order please):
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006 |
|
|
|
|
11-08-2006, 05:37 AM
|
#11 (permalink) |
|
Registered User
Join Date: Sep 2006
Posts: 15
OS: XP
|
Hello and thank you for all your help. My computer seems to be running a lot smoother than it has before; however, still quirky a bit.
The virus that Symantec found is called Hacktool.Rookit - Filename: A0041065.sys -- It was located in C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP160\ Action Taken: Quarantined, Status: Infected, Current Location: Quarantine The folder no longer exist in my C folder. As for the logs... Incident Status Location Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.gostats.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.atdmt.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.2o7.net/] Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.bluestreak.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.hitbox.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.com.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[statse.webtrendslive.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Darken Wolf\Application Data\Mozilla\Firefox\Profiles\g7rn6nep.default\cookies.txt[.atwola.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Darken Wolf\Cookies\darken wolf@advertising[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Darken Wolf\Cookies\darken wolf@atdmt[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Darken Wolf\Cookies\darken wolf@atwola[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Darken Wolf\Cookies\darken wolf@doubleclick[2].txt Adware:Adware/SaveNow Not disinfected C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\sporder.dll Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Photoshop 7.0 Adobe Reader 7.0.7 Adobe® Photoshop® Album Starter Edition 3.0 Adobe® Photoshop® Album Starter Edition 3.0.1 Ahead Nero Burning ROM ALPS Touch Pad Driver AOL Instant Messenger AOL Uninstaller (Choose which Products to Remove) AOLIcon AVG Anti-Spyware 7.5 BitTornado 0.3.7 CCleaner (remove only) CEP v1.52 CleanUp! Conexant D110 MDC V.9x Modem Diablo II DivX DivX Player DogProxy II Enchantement of Wolfs by DF DESIGNS Eye Candy 4000 Fraps (remove only) Google Video Player HijackThis 1.99.1 HLSW v1.0.0.45 HOTLLAMA Media Player HOTLLAMA Media Player - Update Intel A/V Codecs V2.0 Intel(R) Create & Share(TM) Software Intel(R) PROSet/Wireless Software InterActual Player Internal Network Card Power Management Internet Explorer Default Page J2SE Development Kit 5.0 Update 4 J2SE Runtime Environment 5.0 Update 4 Jasc Paint Shop Pro Studio, Dell Editon Java 2 Runtime Environment, SE v1.4.2_03 Java 2 Runtime Environment, SE v1.4.2_09 JD Secure 3.1 Kaspersky Online Scanner LiveUpdate 1.80 (Symantec Corporation) Lock Folder XP 3.6 Macromedia Flash Player Macromedia Flash Player 8 Macromedia Shockwave Player MagicCube5D MAIET Gunz mCore mDrWiFi mHlpDell Microsoft .NET Framework 1.0 Hotfix (KB887998) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB886903) Microsoft .NET Framework 2.0 Microsoft Office Professional Edition 2003 Microsoft Plus! Digital Media Edition Installer Microsoft Plus! Photo Story 2 LE Microsoft Windows Journal Viewer mIRC mIWA mIWCA mLogView mMHouse Mozilla Firefox (2.0) mPfMgr mPfWiz mProSafe mSSO MSXML 4.0 SP2 Parser and SDK mToolkit mWlsSafe mXML mZConfig NetBeans IDE 4.1 NetWaiting Neverwinter Nights Neverwinter Nights 2 NVIDIA Drivers Otto Panda ActiveScan PaperPort Poser 6 PowerDVD 5.5 QUAKE QuickTime RealPlayer Security Update for Microsoft .NET Framework 2.0 (KB917283) Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Skype 2.5 Sonic DLA Sonic Encoders Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sonic Update Manager Spybot - Search & Destroy 1.4 Starcraft Steam(TM) StyleXP (remove only) Swiff Player 1.1 Symantec AntiVirus Client TeamSpeak 2 RC2 Themexp.org File Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Ventrilo Client VideoLAN VLC media player 0.8.2 Viewpoint Media Player Winamp (remove only) Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2) Windows Genuine Advantage v1.3.0254.0 Windows Installer 3.1 (KB893803) Windows Live Messenger Windows Live Sign-in Assistant Windows Media Player 10 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB893086 WinRAR archiver Xfire (remove only) Logfile of HijackThis v1.99.1 Scan saved at 7:37:02 AM, on 11/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\LxrJD31s.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Common Files\AOL\1147579655\ee\AOLSoftware.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\AIM\aim.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147579655\ee\AOLSoftware.exe O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite....eInstaller.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137536352890 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe |
|
|
|
|
11-08-2006, 08:37 PM
|
#12 (permalink) |
|
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
|
Just a few more things to do. That rootkit was locked away in your System Restore and wasn't active, and we'll be flushing the rest of System Restore here soon.
Clear Cookies Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General. Under Temporary Internet Files, click on Delete Cookies. Then click Delete Files. Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear. Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Viewpoint Media PlayerIf it refuses to uninstall, please follow these directions:
Deletions Delete the following Files indicated in RED if they still exist: C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll Well done, your logs are clean! Any more issues? If not, you should be good to go but we still have a few items we'd like to address. Reset System Restore
Re-enable Protection Turn back on any malware prevention tools we might have had you switch off. Microsoft Updates It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection. Please ensure that you have already patched your system against these recent critical exploits: Enable Windows Auto Update:
Update Java You need to update your Java as it is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Malware Prevention This is a good time to set up protection against further attacks. You might want to read Tony Klein's "How Did I Get Infected In The First Place?". At the minimum, you need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard to prevent spyware intrusions. I also recommend IE-Spyad, which places over 4,000 websites and domains in the IE Restricted list, thus helping prevent attempts to re-infect your system. All of these have no-strings-attached free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use but often have malware in them. Two more articles you may want to read at your leisure are "KRC Anti-Spyware Tutorial" and "Making Internet Explorer Safer". The following is a list of free software we recommend: Antivirus AV software should be updated at least once a week for optimum protection. Here are some free AV programs available for personal use. NOTE: Do not install more than one AV program because they will conflict with each other. Only pick one.
Firewalls A good firewall is the first-line of defense for your computer and will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you are unfamiliar with how a firewall works, you can read "Understanding and Using Firewalls". Here are some free firewalls available for personal use:
These programs actively watch your computer for possible malware-related changes and help prevent them. You can run more than one of these at a time.Passive Malware Prevention Tools These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.Alternative Miscellaneous Here are some alternatives that are worth looking into if you use their features:
Please respond to this thread one more time so we can mark this thread as resolved.
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006 |
|
|
|
| Thread Tools | |
|
|
