Search200 problem can you help please?

[Jim Baker]

There are five icons on the unzipped file. None of which is what you are looking for. The first is: /* FL.C -- FILE LOCATOR by Michael P. KellyThe second is the window with the blue banner on top that relaunches the same system again, followed by Fl PRJ file, Fl Dat File, Fl Obj file. I must be missing something. Can you direct me please. Jim
Just in case it is the first one you wanted here it is: * FL.C -- FILE LOCATOR by Michael P. Kelly

This program was written in Turbo C v2.0 and will search your current
disk drive (hard or floppy) for the file(s) that you request.

*/

#include <stdio.h>
#include <dos.h>
#include <dir.h>
#include <string.h>
#include <conio.h>
#include <alloc.h>
#include <stdlib.h>
#include <ctype.h>
#include <bios.h>
#include <flash.h>

#define DIRS 50 /* max number of subdirectories */
#define SIZE 13 /* filename.ext length */
#define PATHLEN 67 /* max length of path name */

struct ffblk info; /* holds file find information */
char original[PATHLEN]; /* users original directory */
char filespec[SIZE]; /* filespec user is looking for */
int matches = 0; /* matches of filespec found */
char *months[] = { "JAN","FEB","MAR","APR","MAY","JUN",
"JUL","AUG","SEP","OCT","NOV","DEC" };
char *location;
char drive[MAXDRIVE];
char dir[MAXDIR];
char file[MAXFILE];
char ext[MAXEXT];
char test[PATHLEN];

void traverse(char *subname);
int getsubdirs(char (*mike)[SIZE]);
void look(char *lostfile);
char *str_2_lower(char *str);
void file_time(unsigned t);
void file_date(unsigned t);
char *justify(char *name);
void userwait(void);
int read_key(void);
int wbuffer;

main(int argc, char *argv[])
{
/* make <filespec> global and get the original directory */
strcpy(filespec,argv[1]);
getcwd(original,PATHLEN-1);

/* if there are no arguments, display the instructions and quit. */
if(argc < 2) {
location = searchpath("FL.DAT");
fnsplit(location,drive,dir,file,ext);
if(strcmp("\\",dir) != 0)
dir[strlen(dir)-1] = '\0';
chdir(dir);
if(win_lib("FL.DAT")) {
printf("\nNo help available since FL.DAT cannot be found.\n");
printf("\nHINT: Place FL.EXE and FL.DAT in any of your PATH directories!\n");
return(0);
}
wbuffer = open_win("title",WE_CENTER_OUT,3);
read_key();
close_win(wbuffer,WE_SLIDE_DOWN,1);
wbuffer = open_win("instruct",WE_SLIDE_UP,1);
read_key();
close_win(wbuffer,WE_CURTAIN,1);
wbuffer = open_win("final",WE_CENTER_OUT,1);
chdir(original);
return(0);
}

clrscr();
printf("\nFL - File Locator by 2LT Michael P. Kelly, (c) 1988-1989.\n");

/* start at users request or the root directory */
if(argc == 3)
traverse(argv[2]);
else
traverse("\\");

/* return user to the same directory that he started in. */
chdir(original);
printf("\n\n%d files found meeting the %s criteria.\n",matches,filespec);

return(0);
}

void traverse(char *subname)
{
char (*dir)[SIZE]; /* pointer to an array of SIZE chars */
register int total; /* number of directories found */
register int index; /* counter */
char (*tmp)[SIZE];

/* allocate enough memory and initialize the pointer to it. */
dir = malloc(DIRS * SIZE + 1);
if(dir == NULL) {
printf("\nERROR: Failed memory allocation.\n");
chdir(original);
exit(1);
}
tmp = dir;

/* check to be sure that the directory change worked. */
if(chdir(subname) != 0) {
printf("\n ERROR: Directory %s does not exist.\n",subname);
chdir(original);
exit(1);
}

/* get the number & names of subdirectories and check out each one */
total = getsubdirs(dir);
for(index = 0;index < total;dir++,index++)
traverse((char *)dir);

/* check for <filespec>, free memory, go to previous subdirectory */
look(filespec);
free(tmp);
chdir("..");
}

/*
Accepts a pointer to an array of SIZE characters, fills the arrays with
the names of any subdirectories it finds and returns the number found
to the calling routine.
*/
getsubdirs(char (*ptr)[SIZE])
{
register int count = 0;

findfirst("*.*", &info, FA_DIREC); /* start looking */
if(info.ff_name[0] == '.') { /* do we have the . subdir? */
findnext(&info); /* yes, get the .. subdir too */
if(findnext(&info) != 0) /* is there another dir? */
return(0); /* no, so return 0 subdirs here */
}

if(info.ff_attrib == FA_DIREC) { /* is this a subdir? */
strcpy(*ptr++,info.ff_name); /* yes, place in array */
count++; /* increment counter */
}

while(findnext(&info) == 0) { /* go thru the rest */
if(info.ff_attrib == FA_DIREC) { /* is this a subdir? */
strcpy(*ptr++,info.ff_name); /* yes, place in array */
count++; /* increment counter */
}
}

return(count); /* return number of directories */
}

/*
Check for any file(s) that meet the <filespec> criteria in this
directory. If found, print directory, file names and increment
matches counter.
*/
void look(char *lostfile)
{
char here[PATHLEN]; /* used to hold pathname */

if(findfirst(lostfile,&info,0x00) == 0) {
getcwd(here,PATHLEN-1);
printf("\n\n%s",here);
printf("\n\t%s",justify(str_2_lower(info.ff_name)));
printf("\t%7ld bytes ",info.ff_fsize);
file_time(info.ff_ftime);
file_date(info.ff_fdate);
matches++;
while(findnext(&info) == 0) {
printf("\n\t%s",justify(str_2_lower(info.ff_name)));
printf("\t%7ld bytes ",info.ff_fsize);
file_time(info.ff_ftime);
file_date(info.ff_fdate);
matches++;
}
}
}

/*
When passed a pointer to a character string, it will convert the string
to all uppercase. It also returns a pointer to that string as well.
*/
char *str_2_lower(char *str)
{
char *tmp;

tmp = str;
while(*str != '\0')
*str++ = tolower(*str);
return(tmp);
}

/*
The unsigned number from the ffblk structure is coded as follows:

HHHHHMMM MMMSSSSS -- as unsigned int
c[1] c[0] -- as two unsigned characters
*/
void file_time(unsigned t)
{
union twobytes {
unsigned char c[2];
unsigned u;
} f;
unsigned hours;
unsigned mins;
char zone[3] = "am";

f.u = t;
hours = f.c[1] >> 3;
mins = ((f.c[1] & 7) << 3) + (f.c[0] >> 5);
if(hours > 11) {
strcpy(zone,"pm");
if(hours > 12)
hours -= 12;
}
if(hours == 0)
hours = 12;
printf(" %2u:%02u %s ",hours,mins,zone);
}

/*
The unsigned number from the ffblk structure is coded as follows:

YYYYYYYM MMMDDDDD -- as unsigned int
c[1] c[0] -- as two unsigned characters
*/
void file_date(unsigned t)
{
union twobytes {
unsigned char c[2];
unsigned u;
} f;
unsigned day;
unsigned month;
unsigned year;

f.u = t;
day = (f.c[0] & 31);
month = ((f.c[1] & 1) * 8) + (f.c[0] >> 5);
year = 1980 + (f.c[1] >> 1);
printf(" %s %2u %4u ",months[month-1],day,year);
}

/*
When passed a pointer to an array of SIZE characters, it will left-
justify the filename and extension by padding with blank spaces. It
returns a pointer to the changed array.
*/
char *justify(char *name)
{
char *tmp;
char work[SIZE];
int index;
int count;

tmp = work;
for(index = 0;index < 13;index++)
*(tmp + index) = ' ';
*(tmp + 12) = '\0';
for(index = 0;*(name + index) != '.';index++)
*(tmp + index) = *(name + index);
*(tmp + 8) = '.';
index++;
for(count = 9;*(name + index) != '\0';count++,index++)
*(tmp + count) = *(name + index);
strcpy(name,tmp);

userwait(); /* best place to check for a pause!!! */
return(name);
}

/*
This function checks for any keystroke. If found it pauses and waits
for another keystroke before returning to the caller.
*/
void userwait(void)
{
if(bioskey(1) != 0) {
bioskey(0);
while(bioskey(1) == 0);
bioskey(0);
}
Let me know where I am screwing up. Jim

[sUBs]

I dont know why you're having problem downloading that file. I just clicked on the link I provided you & was able to download the file.

There are two files contained within, jt.exe & fl.bat



let's skip the idea. We'll try a workaround instead.



Open Notepad & copy the following test into it:

if exist %systemdrive%\findlop.txt del %systemdrive%\findlop.txt
set savepath=%CD%
%systemdrive%
cd %USERPROFILE%
cd ..

FOR /F "tokens=*" %%G IN ('dir/b ^"*.^"') DO dir ^"%%G\Application Data\^" >> %systemdrive%\findlop.txt
FOR /F "tokens=*" %%G IN ('dir/b /ah ^"*.^"') DO dir /ah ^"%%G\Application Data\^" >> %systemdrive%\findlop.txt

cd %savepath%

jt /se p >>%systemdrive%\findlop.txt
notepad.exe %systemdrive%\findlop.txt


Save the file as "fl2.bat" (inclusive of quotes)
Place this file into the same folder as the Findlop folder Bob had you download.
Double-click fl2.bat to run it.

[Jim Baker]

Volume in drive C is HP_PAVILION
Volume Serial Number is D83E-DA06

Directory of C:\Documents and Settings\All Users\Application Data

09/09/2004 04:47 PM <DIR> AOL
08/18/2005 11:00 PM <DIR> BaseStyleIdolDebug
08/02/2003 08:14 PM <DIR> BVRP Software
07/09/2005 03:32 PM <DIR> Hewlett-Packard
07/09/2005 03:57 PM 2,702 hpzinstall.log
06/27/2004 05:27 PM <DIR> McAfee.com
04/20/2002 08:24 PM <DIR> Motive
09/10/2004 09:55 AM <DIR> MSN Messenger 6.2.0137
09/03/2002 07:05 PM <DIR> MSN6
08/17/2004 09:35 AM <DIR> QuickTime
04/20/2002 02:28 AM <DIR> Sbsi
09/12/2004 09:31 AM <DIR> Spybot - Search & Destroy
08/23/2005 11:34 PM <DIR> Symantec
08/06/2004 09:23 AM <DIR> Viewpoint
09/09/2004 06:58 PM <DIR> Zero Knowledge
1 File(s) 2,702 bytes
14 Dir(s) 43,839,008,768 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is D83E-DA06

Directory of C:\Documents and Settings\Owner\Application Data

04/20/2002 02:04 AM <DIR> Adobe
09/09/2004 04:46 PM <DIR> AOL
08/09/2003 09:55 PM <DIR> ArcSoft
01/20/2003 06:14 PM <DIR> Corel
09/09/2004 07:09 PM <DIR> Freedom
07/11/2005 10:54 PM 46,360 GDIPFONTCACHEV1.DAT
08/16/2002 05:15 PM <DIR> Help
10/27/2002 01:41 PM <DIR> Identities
04/20/2002 02:04 AM <DIR> InterTrust
12/27/2003 09:17 PM <DIR> InterVideo
08/16/2005 01:51 PM <DIR> Lavasoft
08/19/2005 04:54 AM <DIR> Logo Boob
06/28/2004 05:03 AM <DIR> Macromedia
06/17/2005 10:37 AM <DIR> Motive
07/10/2005 02:40 PM <DIR> Mozilla
09/10/2004 02:15 PM <DIR> MSN6
07/11/2005 11:34 AM <DIR> MSNInstaller
08/24/2005 02:10 PM <DIR> OnlineLoad
08/23/2002 08:07 PM 12,358 PFP100JCM.{PB
08/23/2002 08:07 PM 61,678 PFP100JPR.{PB
06/15/2005 02:26 PM <DIR> Sun
04/25/2002 10:39 PM <DIR> Symantec
08/01/2002 12:47 PM <DIR> Template
07/10/2005 02:40 PM <DIR> Thunderbird
08/20/2005 12:25 PM <DIR> Trend Micro
09/12/2004 02:15 AM 33 tvmcwrd.dll
08/06/2002 12:04 PM <DIR> VERITAS
08/10/2005 06:13 PM <DIR> Webroot
08/06/2004 09:23 AM <DIR> You've Got Pictures Screensaver
09/09/2004 07:08 PM <DIR> Zero Knowledge
4 File(s) 120,429 bytes
26 Dir(s) 43,839,008,768 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is D83E-DA06

Directory of C:\Documents and Settings\Default User\Application Data

01/05/2003 06:29 PM <DIR> .
01/05/2003 06:29 PM <DIR> ..
04/19/2002 05:08 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 43,839,008,768 bytes free
Volume in drive C is HP_PAVILION
Volume Serial Number is D83E-DA06

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is HP_PAVILION
Volume Serial Number is D83E-DA06

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAA201F095ADB9CC.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\owner\applic~1\online~1\Up acid debug.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/24/2005 14:00:00
NextRun: 08/24/2005 15:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/21/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/24/2005 13:53:00
NextRun: 08/24/2005 17:53:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 08/24/2005
EndDate: 00/00/0000
StartTime: 17:53
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Bob I removed the files from: c:\documents and settings\owner\application data\online~1 I COULDN'T FIND THE 1 BUT I FOUND online and removed all. No difficulty, I couldn't find them manually so I ran search and they poped up. It did not find the suagglie thing and the number 1. Jim

[tetonbob]

OK, I'm getting a little frustrated here...we've tried to delete the same job and folders several times now....are you getting any error messages when you attempt to delete the job or folders? You are trying to delete the entire folder, yes?

Quote:

I removed the files from: c:\documents and settings\owner\application data\online~1 I COULDN'T FIND THE 1 BUT I FOUND online and removed all. No difficulty, I couldn't find them manually so I ran search and they poped up. It did not find the suagglie thing and the number 1.

Not sure I follow you here, if hidden files are set to be viewed, you should be able to navigate to all these folders....but let's do this now:

If you cannot complete any of these instructions, please stop and report what it is that you cannot complete.

Make sure you can view hidden files.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Please do the following:


Go to Control Panel>Scheduled Tasks

Find this job there and delete it:

AAA201F095ADB9CC.job

Find and Delete the following folders:

C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug
C:\Documents and Settings\Owner\Application Data\Logo Boob
C:\Documents and Settings\Owner\Application Data\OnlineLoad

Please run the FL.bat file again, and run a new scan with HJT. Post the results from both logs here.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Scan Now'
3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
4. Begin the scan by selecting My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
5. If it finds any malware, it will offer you a report. Click on see report
6. Then click Save report
7. Post the contents of the report in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

[tetonbob]

Jim's latest logs.....

VOLUME IN DRIVE C IS HP_PAVILION
VOLUME SERIAL NUMBER IS D83E-DA06

DIRECTORY OF C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA

09/09/2004 04:47 PM <DIR> AOL
08/02/2003 08:14 PM <DIR> BVRP SOFTWARE
07/09/2005 03:32 PM <DIR> HEWLETT-PACKARD
07/09/2005 03:57 PM 2,702 HPZINSTALL.LOG
06/27/2004 05:27 PM <DIR> MCAFEE.COM
04/20/2002 08:24 PM <DIR> MOTIVE
09/10/2004 09:55 AM <DIR> MSN MESSENGER 6.2.0137
09/03/2002 07:05 PM <DIR> MSN6
08/17/2004 09:35 AM <DIR> QUICKTIME
04/20/2002 02:28 AM <DIR> SBSI
09/12/2004 09:31 AM <DIR> SPYBOT - SEARCH & DESTROY
08/23/2005 11:34 PM <DIR> SYMANTEC
08/06/2004 09:23 AM <DIR> VIEWPOINT
09/09/2004 06:58 PM <DIR> ZERO KNOWLEDGE
1 FILE(S) 2,702 BYTES
13 DIR(S) 43,845,615,616 BYTES FREE
VOLUME IN DRIVE C IS HP_PAVILION
VOLUME SERIAL NUMBER IS D83E-DA06

DIRECTORY OF C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA

04/20/2002 02:04 AM <DIR> ADOBE
09/09/2004 04:46 PM <DIR> AOL
08/09/2003 09:55 PM <DIR> ARCSOFT
01/20/2003 06:14 PM <DIR> COREL
09/09/2004 07:09 PM <DIR> FREEDOM
07/11/2005 10:54 PM 46,360 GDIPFONTCACHEV1.DAT
08/16/2002 05:15 PM <DIR> HELP
10/27/2002 01:41 PM <DIR> IDENTITIES
04/20/2002 02:04 AM <DIR> INTERTRUST
12/27/2003 09:17 PM <DIR> INTERVIDEO
08/16/2005 01:51 PM <DIR> LAVASOFT
06/28/2004 05:03 AM <DIR> MACROMEDIA
06/17/2005 10:37 AM <DIR> MOTIVE
07/10/2005 02:40 PM <DIR> MOZILLA
09/10/2004 02:15 PM <DIR> MSN6
07/11/2005 11:34 AM <DIR> MSNINSTALLER
08/23/2002 08:07 PM 12,358 PFP100JCM.{PB
08/23/2002 08:07 PM 61,678 PFP100JPR.{PB
06/15/2005 02:26 PM <DIR> SUN
04/25/2002 10:39 PM <DIR> SYMANTEC
08/01/2002 12:47 PM <DIR> TEMPLATE
07/10/2005 02:40 PM <DIR> THUNDERBIRD
08/20/2005 12:25 PM <DIR> TREND MICRO
09/12/2004 02:15 AM 33 TVMCWRD.DLL
08/06/2002 12:04 PM <DIR> VERITAS
08/10/2005 06:13 PM <DIR> WEBROOT
08/06/2004 09:23 AM <DIR> YOU'VE GOT PICTURES SCREENSAVER
09/09/2004 07:08 PM <DIR> ZERO KNOWLEDGE
4 FILE(S) 120,429 BYTES
24 DIR(S) 43,845,615,616 BYTES FREE
VOLUME IN DRIVE C IS HP_PAVILION
VOLUME SERIAL NUMBER IS D83E-DA06

DIRECTORY OF C:\DOCUMENTS AND SETTINGS\DEFAULT USER\APPLICATION DATA

01/05/2003 06:29 PM <DIR> .
01/05/2003 06:29 PM <DIR> ..
04/19/2002 05:08 PM 62 DESKTOP.INI
1 FILE(S) 62 BYTES
2 DIR(S) 43,845,615,616 BYTES FREE
VOLUME IN DRIVE C IS HP_PAVILION
VOLUME SERIAL NUMBER IS D83E-DA06

DIRECTORY OF C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA

VOLUME IN DRIVE C IS HP_PAVILION
VOLUME SERIAL NUMBER IS D83E-DA06

DIRECTORY OF C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\APPLICATION DATA

[TRACE] ENUMERATING JOBS AND QUEUES
[TRACE] ACTIVATING JOB 'SYMANTEC NETDETECT.JOB'
[TRACE] PRINTING ALL JOB PROPERTIES

APPLICATIONNAME: 'C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE'
PARAMETERS: ''
WORKINGDIRECTORY: 'C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE'
COMMENT: 'SYMANTEC NETDETECT'
CREATOR: 'OWNER'
PRIORITY: NORMAL
MAXRUNTIME: 259200000 (3D 0:00:00)
IDLEWAIT: 10
IDLEDEADLINE: 60
MOSTRECENTRUN: 08/24/2005 21:53:00
NEXTRUN: 08/25/2005 1:53:00
STARTERROR: S_OK
EXITCODE: 0
STATUS: SCHED_S_TASK_READY
SCHEDULEDWORKITEM FLAGS:
DELETEWHENDONE = 0
SUSPEND = 0
STARTONLYIFIDLE = 0
KILLONIDLEEND = 0
RESTARTONIDLERESUME = 0
DONTSTARTIFONBATTERIES = 0
KILLIFGOINGONBATTERIES = 0
RUNONLYIFLOGGEDON = 1
SYSTEMREQUIRED = 0
HIDDEN = 0
TASKFLAGS: 0

1 TRIGGER

TRIGGER 0:
TYPE: DAILY
DAYSINTERVAL: 1
STARTDATE: 08/25/2005
ENDDATE: 00/00/0000
STARTTIME: 01:53
MINUTESDURATION: 1440
MINUTESINTERVAL: 240
FLAGS:
HASENDDATE = 0
KILLATDURATION = 0
DISABLED = 0

Logfile of HijackThis v1.99.1
Scan saved at 11:48:27 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Documents and Settings\Owner\Desktop\Cleanup.exe /WindowsRestart
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[tetonbob]

OK, Jim...look like we got it on the run....good work!

Let's run another Panda Scan to see if anything is left.....

[Jim Baker]

Incident Status Location

Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
Security Risk:application/eblasterNo disinfected C:\WINDOWS\SYSTEM32\ocxdrv32.dll
Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.inf
Adware:adware/blazefind No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\appdata.variant1124730417.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124646088.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124648228.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124660526.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124660627.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124678100.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124726600.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727489.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727584.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727635.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727680.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727706.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727794.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727800.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727884.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727955.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124727996.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728061.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728107.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728109.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728154.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728156.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728195.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124728197.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124730409.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124765733.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124806487.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124809776.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124859832.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124894424.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\backup\file1124907862.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382184.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382188.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124382190.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124442309.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124442312.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124636616.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\appdata.variant1124636619.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\downloader.hc1124382181.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\downloader.hc1124441665.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124379851.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381039.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381116.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381194.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124381336.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382181.dl_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382181.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382188.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124382190.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124395468.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441665.dl_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441665.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441832.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441937.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124441998.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442043.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442073.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442119.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442164.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442212.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442255.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442299.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442349.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442392.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442438.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442487.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442528.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442586.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442630.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442669.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442710.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442750.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442788.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442825.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442883.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442926.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124442973.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124443008.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124476265.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124478043.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124511888.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124512668.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124553375.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124553937.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124578333.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124589970.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124597326.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636217.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636442.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636488.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636514.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636541.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636550.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636574.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636604.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636656.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636682.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636731.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636781.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636840.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636898.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636945.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124636985.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637466.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637492.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637567.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637732.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637759.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637807.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637878.ex_
Adware:Adware/Lop No disinfected C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup\file1124637929.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\downloader.hc1124334090.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124334090.dl_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124334090.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124341340.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124341399.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124346308.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124348736.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124348957.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349021.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349033.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349045.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349057.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349069.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349083.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349095.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349107.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349120.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349132.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349143.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349155.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349206.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349218.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349228.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349256.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349266.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349277.ex_
Adware:Adware/Lop No disinfected C:\Program Files\OmegaKiller1[1].2\backup\file1124349657.ex_
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-96703917-4210259494-4108073714-1003\Dc1.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-96703917-4210259494-4108073714-1003\Dc7\AXIS COMP.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-96703917-4210259494-4108073714-1003\Dc7\film fork.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-96703917-4210259494-4108073714-1003\Dc7\mealhope.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-96703917-4210259494-4108073714-1003\Dc7\Setup Byte.exe
Security Risk:Application/EblasterNo disinfected C:\WINDOWS\system32\msrac32.dll
Thanks so much for your help Bob. I await your reply. Jim Baker

[tetonbob]

Jim, please take your time, and do this one step at a time. Most of the items Panda is finding are backups created by OmegaKiller, or it would appear, by you?.....as those other locations are unusual for the tools we've used. Let's get rid of all those bad files......

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure you can still view hidden files:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Download Killbox from one of these locations:

http://www.greyknight17.com/spy/KillBox.exe
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe

Reboot into safe mode.

Navigate to the following folders, and delete the contents of the folders, but not the folders themselves:

C:\Documents and Settings\Owner\Desktop\backup
C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup
C:\Program Files\OmegaKiller1[1].2\backup

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

• C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
  C:\WINDOWS\SYSTEM32\ocxdrv32.dll
  C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.inf
  C:\WINDOWS\system32\msrac32.dll

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

Reboot into normal windows now.

Run the TrendMicro AntiSpyware tool again. Post the log if there are any findings, please.

Run Panda ActiveScan again, and post that log here.

[Jim Baker]

Incident Status Location

Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.inf
Security Risk:application/eblasterNo disinfected C:\WINDOWS\SYSTEM32\iase
Adware:adware/blazefind No disinfected Windows Registry Bob do I need to remove EBlaster or are we happy? Are the Karnesans Dead?

[tetonbob]

Hi Jim -

That's looking much better. The scans are showing only remnants of eblaster, meaning it was on your system at one time, but may have been uncompletely uninstalled. If it is still in Add/Remove Programs (I don't think it will be), uninstall it. Here's why:

What this program does:

eBlaster records emails, chats, instant messages, key strokes, and websites visited. It then intermittently sends this information to a remote server.

I'd like you to run the following files through the Killbox again, as one has returned unscathed:

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.inf
C:\WINDOWS\SYSTEM32\iase

You may have to try it twice. Then navigate to those locations and see if the files are actually gone. This file C:\WINDOWS\SYSTEM32\iase is the default location for eblaster logs, nothing more.

Other than that..........*drumroll*

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewall
• ZoneAlarm

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

Happy computing, and Safe Surfing to you!

[tetonbob]

This member and I have been in contact via IM. This issue is resolved.