services32 worm HJT log - please help

mary macIlvain · 10-11-2005, 06:12 PM

Our PC got infected from clicking on a link from an IM buddy October 3rd. My son and I have been trying to clean it on our own since then and we need help. services32 is in there and won't go away, and there are popups and not sure what else. I have followed the directions here as best I could and have run multiple Ad-Aware and SpyBot scans both in Safe mode and not. And did Norton scans too. Every time we plug into the DSL router something else comes in. An online scan last night at Trend Micro ended prematurely with a bunch of pop windows for casinos etc. I am running Norton Antivirus, have a hardware firewall in the DSL router, but my SpyBot was not up to date and we obviously need more security here. Windows XP is up to date and Service Pack 2 got installed automatically when that came out last year.

I've had to clean a few viruses in the past, but simple ones I could handle and nothing like this. There was some strange stuff in my system tray tonight - 2 green squares for the task manager and that never did appear on screen, and an orange square that said SP-2 Patch and then it wouldn't let me shut down because of services32 and I had to hit the power switch. Needless to say I am on my G4 right now. I had a printout of a list of processes running on my system from when I switched from McAfee to Norton in July so that tipped me off about services32.

Your help would be greatly appreciated. Hope this isn't too much detail :-) Mary

Here is the HiJack This log from Hijack This Analyzer

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:27:00 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Common Files\services.exe
C:\Program Files\Memento\Memento.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe
O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================

sUBs · 10-12-2005, 09:52 AM

Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please download these additional files/programs. Do not run them untill instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

LQFix.zip

UnHookExec.inf
Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customed my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames listed below & then right-click & select Copy

C:\WINDOWS\etb\pokapoka75.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\services.exe
C:\Windows\system32\windir32.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:

SurfAccuracy

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Double click on LQFix.zip & Run LQFix.bat

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

C:\Program Files\SurfAccuracy\
C:\Program Files\SP2 Connection Patcher\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

Online Scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

mary macIlvain · 10-12-2005, 06:16 PM

sUBs and the tech support team -
first, a big thanks. you guys are awesome! i am a bit overwhelmed but i think i can do this. i have a few questions... just want to be sure i've got this right.

1) do i install CleanUp! and UnHookExec at the beginning and KillBox and LQFix later on when those get used?

2) should i download missingfilesetup.exe first in case i need it later? every time i hook up the DSL line there's problems.

3) big question - what do i do about the popups - they appear while i am trying to do things. should i carefully click them closed? or ignore them? just want to avoid clicking in the middle of one as i did that y accident while dowloading tools on my own last week.

4) the Panda ActiveSan online - can i unplug the Internet after it downloads th ActiveX controls and starts the scan? when is it safe to turn Norton AntiVirus off? do i have to disable that before the scan starts while i am still online? same question about the popups applies here.

just wanted to say i think it is very important to solve the problem and clean the system, not format the hard drive. my son is learning about problem solving and trouble shooting from this. we tried on our own and got so frustrated and i'm glad we found help here. i will definitely be making a donation as i think this is great what you are doing here.
thanks again,
mary

sUBs · 10-12-2005, 07:06 PM

1) do i install CleanUp! and UnHookExec at the beginning and KillBox and LQFix later on when those get used?

Only CleanUp needs to be installed. The rest are stand-alone ready to use utilities that requires no installation.

2) should i download missingfilesetup.exe first in case i need it later? every time i hook up the DSL line there's problems.

You may do so. It's highly unlikely that you'll require it.

3) big question - what do i do about the popups - they appear while i am trying to do things. should i carefully click them closed? or ignore them? just want to avoid clicking in the middle of one as i did that y accident while dowloading tools on my own last week.

Close them by pressing Alt +F4 on your keyboard.

4) the Panda ActiveSan online - can i unplug the Internet after it downloads th ActiveX controls and starts the scan? when is it safe to turn Norton AntiVirus off? do i have to disable that before the scan starts while i am still online? same question about the popups applies here.

Yes, you may unplug from the internet & disable Norton the moment it starts scanning. You will need to reconnect to the internet & re-enable Norton after the scan to have Panda translate the results.

mary macIlvain · 10-14-2005, 09:08 AM

hi sUBs and the tech support team!
first, i can't thank you enough. that was some awful stuff in there. i went through the cleaning directions step by step and things are looking better but probably not perfect yet. services32 is gone from the processes list in the task manager. i had a few minor things different during the process that i wanted to note here.

1) when I ran Killbox there was no C:\WINDOWS\etb\ folder and i went back to windows explorer and clicked show hidden files etc just to be sure.
also, C:\Windows\system32\windir32.exe was not there but i checked my notes and i did delete that file myself the week before in an attempt to remove windir32

2) when i went into Safe mode to Add/Remove programs,Surf Accuracy was not in there. The SP2 Connection Patcher was in there but i did not touch it as the directions did not say to do so at this point. I did delete this where it said to, using Windows Explorer C:\Program Files\SP2 Connection Patcher\

3) when I ran the Panda Active Scan i did pull the DSL wire when it got going but i forgot to turn off the Norton antivirus program so i don't know if this messed up the report from Panda. i also noticed that there are some Norton updates waiting to be installed in the system tray but i did not do that yet as i thought i should wait till i know i have a clean system.

Please let me know what else to do to make sure my PC is clean, and then I need to address what I can do to protect my system better, or point me to which forum discusses these issues if there are general guidelines and recommendations to follow for safe computing.
Thanks!
mary

Here is the new HiJackThis log run through HiJackThis Analyzer,
followed by the Panda ActiveScan Report which did find some things.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:28:44 AM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\WINDOWS\System32\mdm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Panda ActiveScan

Incident Status Location

Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/elitebar No disinfected C:\Documents and Settings\Owner.MaryPC\Favorites\Casino & Carrers
Adware:adware/ist.istbar No disinfected Windows Registry
Possible Virus. No disinfected C:\downloads\Sorrows_Furnace_Mini-Pak.exe
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\AIM95\mc-110-12-0000080.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-110-12-0000080.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet2\mc-110-12-0000080.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-110-12-0000080.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/StripPlayer No disinfected C:\WINDOWS\inf\strip-player.inf
Virus:Trj/Downloader.DFM Disinfected C:\WINDOWS\system32\msCMTsrvc.exe

sUBs · 10-14-2005, 10:08 AM

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Content Monitoring Tool (msCMTSrvc)
Double-click on it to open the Properties dialog.
- Under the General tab, note down the name of "Service name". We shall need it later.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in "Service name" & then click on the OK button

Please locate & delete these files/folders:

C:\PROGRAM FILES\COMMON FILES\services.exe
C:\WINDOWS\pcconfig.dat
C:\Documents and Settings\Owner.MaryPC\Favorites\Casino & Carrers
C:\downloads\Sorrows_Furnace_Mini-Pak.exe
C:\Program Files\AIM95\mc-110-12-0000080.exe
C:\Program Files\Common Files\InetGet\
C:\Program Files\Common Files\InetGet2\
C:\Program Files\Common Files\mc-110-12-0000080.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\DNS\
C:\WINDOWS\inf\strip-player.inf

Let me know if you were unable to find any of those files.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Double-click the tmas-web-scan.exe icon
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here along with a new HJT log.

Let me know if you still have anymore issue with the computer.

mary macIlvain · 10-16-2005, 06:44 PM

hi sUBs,
i was away this weekend but tonight i did everything you said and things look good now! i did not delete C:\downloads\Sorrows_Furnace_Mini-Pak.exe because my son said it is a music expansion for Guild Wars. Let me know if there is any problem with that.

i found some info about spyware prevention on the forum and will print it out and go over it with my son. i am mostly on the G4 now and he is on the PC all the time so i need him to be on top of things here. it is great all these prevention tools that are out there for free use. the problems are only going to get worse as more people move to broadband.

thank you so much for your help. i was so upset to have our PC trashed like that. you just feel so violated. i mailed a check to the forum on friday, not a lot but what i can afford. i wish i could do more. i am way overextended right now but maybe later i can participate in some of the other forums. i am a graphic designer and do both web and print.
thanks and take care :-)
mary

here's the reports

Trend Micro found 5 things and cleaned them, and after the reboot and 2nd scan it said
Summary of Spyware Threats
No spyware found
and did not produce a log file.

Here is the new HiJackThis Analyzer log file
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:49:36 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\Memento\Memento.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================

sUBs · 10-16-2005, 10:46 PM

Mary,

Please visit this website - http://virusscan.jotti.org
Submit the file for a comprehensive scan:

C:\downloads\Sorrows_Furnace_Mini-Pak.exe

If you're unsure how to intepret the results, post them here so that I can advise you.

Apart from the above, your system is clean. Please follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

mary macIlvain · 10-20-2005, 04:49 PM

hi sUBs,
the system is clean :-) thank you so much!!!

i ran the jotti scan of that one file Sorrows_Furnac_Mini-Pak.exe and the scanner results all found nothing but the status box said:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised however.)
so i discussed it with my son and he said it was actually an unpacker for that Guild Wars music expansion pack and he deleted the file. the game expansion still works.

i did the first steps to secure the system: clear & reset system restore's cache, disable the viewing of system files, and securing internet explorer. work has been bad this week so i have not accomplished much at home. this weekend i will go through the rest of the security recommendations and see what i already have and what i need to download. i am also going to set up a plan or schedule so that things get done on a regular basis.

it's been great to get this kind of help and i sincerely appreciate you and the whole team.
take care,
mary

10-11-2005, 06:12 PM	#1 (permalink)
mary macIlvain Registered User Join Date: Oct 2005 Posts: 5 OS: XP	services32 worm HJT log - please help Our PC got infected from clicking on a link from an IM buddy October 3rd. My son and I have been trying to clean it on our own since then and we need help. services32 is in there and won't go away, and there are popups and not sure what else. I have followed the directions here as best I could and have run multiple Ad-Aware and SpyBot scans both in Safe mode and not. And did Norton scans too. Every time we plug into the DSL router something else comes in. An online scan last night at Trend Micro ended prematurely with a bunch of pop windows for casinos etc. I am running Norton Antivirus, have a hardware firewall in the DSL router, but my SpyBot was not up to date and we obviously need more security here. Windows XP is up to date and Service Pack 2 got installed automatically when that came out last year. I've had to clean a few viruses in the past, but simple ones I could handle and nothing like this. There was some strange stuff in my system tray tonight - 2 green squares for the task manager and that never did appear on screen, and an orange square that said SP-2 Patch and then it wouldn't let me shut down because of services32 and I had to hit the power switch. Needless to say I am on my G4 right now. I had a printout of a list of processes running on my system from when I switched from McAfee to Norton in July so that tipped me off about services32. Your help would be greatly appreciated. Hope this isn't too much detail :-) Mary Here is the HiJack This log from Hijack This Analyzer ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:27:00 PM, on 10/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\etb\pokapoka75.exe C:\Program Files\Common Files\Windows\services32.exe C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE C:\Program Files\Common Files\services.exe C:\Program Files\Memento\Memento.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200 O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe End of KRC HijackThis Analyzer Log. ====================================================================

10-12-2005, 06:16 PM	#3 (permalink)
mary macIlvain Registered User Join Date: Oct 2005 Posts: 5 OS: XP	Questions sUBs and the tech support team - first, a big thanks. you guys are awesome! i am a bit overwhelmed but i think i can do this. i have a few questions... just want to be sure i've got this right. 1) do i install CleanUp! and UnHookExec at the beginning and KillBox and LQFix later on when those get used? 2) should i download missingfilesetup.exe first in case i need it later? every time i hook up the DSL line there's problems. 3) big question - what do i do about the popups - they appear while i am trying to do things. should i carefully click them closed? or ignore them? just want to avoid clicking in the middle of one as i did that y accident while dowloading tools on my own last week. 4) the Panda ActiveSan online - can i unplug the Internet after it downloads th ActiveX controls and starts the scan? when is it safe to turn Norton AntiVirus off? do i have to disable that before the scan starts while i am still online? same question about the popups applies here. just wanted to say i think it is very important to solve the problem and clean the system, not format the hard drive. my son is learning about problem solving and trouble shooting from this. we tried on our own and got so frustrated and i'm glad we found help here. i will definitely be making a donation as i think this is great what you are doing here. thanks again, mary

10-12-2005, 07:06 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	1) do i install CleanUp! and UnHookExec at the beginning and KillBox and LQFix later on when those get used? Only CleanUp needs to be installed. The rest are stand-alone ready to use utilities that requires no installation. 2) should i download missingfilesetup.exe first in case i need it later? every time i hook up the DSL line there's problems. You may do so. It's highly unlikely that you'll require it. 3) big question - what do i do about the popups - they appear while i am trying to do things. should i carefully click them closed? or ignore them? just want to avoid clicking in the middle of one as i did that y accident while dowloading tools on my own last week. Close them by pressing Alt +F4 on your keyboard. 4) the Panda ActiveSan online - can i unplug the Internet after it downloads th ActiveX controls and starts the scan? when is it safe to turn Norton AntiVirus off? do i have to disable that before the scan starts while i am still online? same question about the popups applies here. Yes, you may unplug from the internet & disable Norton the moment it starts scanning. You will need to reconnect to the internet & re-enable Norton after the scan to have Panda translate the results. __________________

10-14-2005, 09:08 AM	#5 (permalink)
mary macIlvain Registered User Join Date: Oct 2005 Posts: 5 OS: XP	Results of Cleaning hi sUBs and the tech support team! first, i can't thank you enough. that was some awful stuff in there. i went through the cleaning directions step by step and things are looking better but probably not perfect yet. services32 is gone from the processes list in the task manager. i had a few minor things different during the process that i wanted to note here. 1) when I ran Killbox there was no C:\WINDOWS\etb\ folder and i went back to windows explorer and clicked show hidden files etc just to be sure. also, C:\Windows\system32\windir32.exe was not there but i checked my notes and i did delete that file myself the week before in an attempt to remove windir32 2) when i went into Safe mode to Add/Remove programs,Surf Accuracy was not in there. The SP2 Connection Patcher was in there but i did not touch it as the directions did not say to do so at this point. I did delete this where it said to, using Windows Explorer C:\Program Files\SP2 Connection Patcher\ 3) when I ran the Panda Active Scan i did pull the DSL wire when it got going but i forgot to turn off the Norton antivirus program so i don't know if this messed up the report from Panda. i also noticed that there are some Norton updates waiting to be installed in the system tray but i did not do that yet as i thought i should wait till i know i have a clean system. Please let me know what else to do to make sure my PC is clean, and then I need to address what I can do to protect my system better, or point me to which forum discusses these issues if there are general guidelines and recommendations to follow for safe computing. Thanks! mary Here is the new HiJackThis log run through HiJackThis Analyzer, followed by the Panda ActiveScan Report which did find some things. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:28:44 AM, on 10/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE C:\WINDOWS\System32\mdm.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe End of KRC HijackThis Analyzer Log. ==================================================================== Panda ActiveScan Incident Status Location Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat Adware:adware/elitebar No disinfected C:\Documents and Settings\Owner.MaryPC\Favorites\Casino & Carrers Adware:adware/ist.istbar No disinfected Windows Registry Possible Virus. No disinfected C:\downloads\Sorrows_Furnace_Mini-Pak.exe Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\AIM95\mc-110-12-0000080.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-110-12-0000080.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet2\mc-110-12-0000080.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\mc-110-12-0000080.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe] Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll] Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe Adware:Adware/StripPlayer No disinfected C:\WINDOWS\inf\strip-player.inf Virus:Trj/Downloader.DFM Disinfected C:\WINDOWS\system32\msCMTsrvc.exe

10-14-2005, 10:08 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Content Monitoring Tool (msCMTSrvc) Double-click on it to open the Properties dialog. Under the General tab, note down the name of "Service name". We shall need it later. Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in "Service name" & then click on the OK button Please locate & delete these files/folders: C:\PROGRAM FILES\COMMON FILES\services.exe C:\WINDOWS\pcconfig.dat C:\Documents and Settings\Owner.MaryPC\Favorites\Casino & Carrers C:\downloads\Sorrows_Furnace_Mini-Pak.exe C:\Program Files\AIM95\mc-110-12-0000080.exe C:\Program Files\Common Files\InetGet\ C:\Program Files\Common Files\InetGet2\ C:\Program Files\Common Files\mc-110-12-0000080.exe C:\Program Files\Common Files\services.exe C:\Program Files\Common Files\system32.dll C:\Program Files\DNS\ C:\WINDOWS\inf\strip-player.inf Let me know if you were unable to find any of those files. Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button). Double-click the tmas-web-scan.exe icon It will say "Loading TrendMicro definitions". Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here along with a new HJT log. Let me know if you still have anymore issue with the computer. __________________

10-16-2005, 06:44 PM	#7 (permalink)
mary macIlvain Registered User Join Date: Oct 2005 Posts: 5 OS: XP	Things look good from here :-) hi sUBs, i was away this weekend but tonight i did everything you said and things look good now! i did not delete C:\downloads\Sorrows_Furnace_Mini-Pak.exe because my son said it is a music expansion for Guild Wars. Let me know if there is any problem with that. i found some info about spyware prevention on the forum and will print it out and go over it with my son. i am mostly on the G4 now and he is on the PC all the time so i need him to be on top of things here. it is great all these prevention tools that are out there for free use. the problems are only going to get worse as more people move to broadband. thank you so much for your help. i was so upset to have our PC trashed like that. you just feel so violated. i mailed a check to the forum on friday, not a lot but what i can afford. i wish i could do more. i am way overextended right now but maybe later i can participate in some of the other forums. i am a graphic designer and do both web and print. thanks and take care :-) mary here's the reports Trend Micro found 5 things and cleaned them, and after the reboot and 2nd scan it said Summary of Spyware Threats No spyware found and did not produce a log file. Here is the new HiJackThis Analyzer log file ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:49:36 PM, on 10/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE C:\Program Files\Memento\Memento.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe End of KRC HijackThis Analyzer Log. ====================================================================

10-16-2005, 10:46 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Mary, Please visit this website - http://virusscan.jotti.org Submit the file for a comprehensive scan: C:\downloads\Sorrows_Furnace_Mini-Pak.exe If you're unsure how to intepret the results, post them here so that I can advise you. Apart from the above, your system is clean. Please follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Weather Watcher - Free taskbar weather program that is free, malware free, and resource light. Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Last edited by sUBs; 10-16-2005 at 10:48 PM.

10-20-2005, 04:49 PM	#9 (permalink)
mary macIlvain Registered User Join Date: Oct 2005 Posts: 5 OS: XP	Thanks, Problem Resolved hi sUBs, the system is clean :-) thank you so much!!! i ran the jotti scan of that one file Sorrows_Furnac_Mini-Pak.exe and the scanner results all found nothing but the status box said: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised however.) so i discussed it with my son and he said it was actually an unpacker for that Guild Wars music expansion pack and he deleted the file. the game expansion still works. i did the first steps to secure the system: clear & reset system restore's cache, disable the viewing of system files, and securing internet explorer. work has been bad this week so i have not accomplished much at home. this weekend i will go through the rest of the security recommendations and see what i already have and what i need to download. i am also going to set up a plan or schedule so that things get done on a regular basis. it's been great to get this kind of help and i sincerely appreciate you and the whole team. take care, mary