Hi, pjruth,
Welcome to DCF. :) We are researching your log and will reply soon. Thank you for waiting patiently.
Abu Ibrahim, one of my trainees, will be helping you under my supervision.
Do you use WeatherBug? It is reported that this program is bundled with spyware. Please see:
http://home.vcn.com/knowledgebase/article.php?id=351
I also notice that you have Viewpoint Manager. Viewpoint is bundled with AOL, AOL Instant Messenger, Netscape 7, etc. and is sometimes not mentioned in the license agreement.
Viewpoint is also bundled with Adobe Atmosphere, and hardware manufacturers pre-install some of these applications.
ViewPoint Toolbar will redirect your search queries and also transmits non-personally-identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. It is not technically considered malware, but is borderline adware and is often installed without a user's knowledge.
Viewpoint Media Player is installed with AIM, AOL and a number of other products. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
If you choose to remove it, end the ViewManager process in Task Manager.
Remove it in Add/Remove Programs via the Control Panel.
In order to get your computer cleaned up, please follow these steps carefully:
Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
- Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on ewido in the system tray and uncheck "Start with Windows".
- Go to Start > Run and type: services.msc
- Press "OK".
- In Services, click the "Extended" tab and scroll down the list to find ewido anti-spyware 4.0 guard.
- When you find the guard service, double-click on it.
- In the Properties Window > General Tab that opens, click the "Stop" button.
- From the drop-down menu next to "Startup Type", click on "Manual".
- Now click "Apply", then "OK" and close the Services window.
Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the icon "Update", then select the "Update now" link.
- Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
- If you are having problems with the updater, manually update with the ewido full database installer from here.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports":
  - Select "Automatically generate report after every scan"
  - Un-select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan yet.
Click My Computer, then C:\. In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "BFU".
- Right-click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU).
Do not run the Uninstaller and the Remover yet.
Please reboot into Safe Mode:
- Turn on the computer.
- Immediately begin tapping the F8 key.
- Use the arrow keys to highlight Safe Mode and press the Enter key.
- Launch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
- ewido will now begin the scanning process; be patient, this may take a little time.
- Once the scan is complete do the following:
- If you have any infections you will be prompted; then select "Apply all actions".
IMPORTANT! Don't save the report before you have clicked the Apply all actions button. If you do it will make it more difficult for the helper to interpret the report.
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
Now close ewido anti-spyware.
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.
Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu.
Press "Execute" and let it do its job.
Wait for the "Complete script execution" box to pop up and press OK. Press "Exit" to terminate the BFU program.
Please run HijackThis, click Scan, and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{49A7DB4F-19FD-337E-DED9-1563711CD49B} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: C:\\dfndrff_13.exe
O4 - HKLM\..\Run: C:\\kybrdff_13.exe
O4 - HKLM\..\Run: C:\WINDOWS\pop06ap2.exe
O4 - HKCU\..\Run: "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: C:\Program Files\Common Files\F?nts\?ervices.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l44q0eh5eh4.dll
O4 - Global Startup: Internet Explorer.lnk = ?
If you removed Viewpoint, also place a checkmark next to this if it still exists:
O4 - HKLM\..\Run: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Close all open windows except HijackThis, and click Fix Checked.
- Also if you have removed Viewpoint, then locate and delete the following folder: C:\Program Files\Viewpoint\
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 9:53:11 PM, on 9/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK".
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a "Done Scanning" message, click "OK".
When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
Your computer will then shut down.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop, that's where the log will be.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Then you click the Remove L2M button and wait for it to give you a message. When you click OK it should shut itself down.
Second, open HijackThis and select 'Do a system scan only', and then place a checkmark beside each of these entries:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
After placing all the checkmarks, close all windows (except HJT), and then hit 'Fix Checked'. When it finishes, exit HJT and reboot the computer.
Third, go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:
PuritySCAN By OIN, OIN, OuterInfo or similar.
Reboot and delete this folder if found:
C:\Program Files\PurityScan\
Fourth, copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.
Quote:
dir "C:\Program Files\Common Files\?ervices.exe" /a /s > files.txt
notepad files.txt
Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
Fifth, we need to do some follow-up scans to ensure a complete cleanup of the system. If you have not already run Ad-aware and Panda, please run these scans...
Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.
Launch Ad-Aware SE and check for updates. Next click on the gear to access the Configuration Menu. Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Run a full system scan with Ad-Aware SE.
Select the objects you want to add to the ignore list in the Scan Summary, Critical Objects, or Negligible Objects lists on the Scanning Results screen.
If you are running McAfee, any McAfee entries listed need to be added to the ignore list!
Right-click and select "Add selected to ignore list".
A pop-up window showing the number of objects that will be added to the ignore list opens. Click "OK" to continue.
The object is now added to the Ignore List. Run a new scan to select the remaining objects to be quarantined.
* Click Next to remove the objects selected, and click OK at the prompt.
* Restart the computer.
Finally, we need to perform an online antivirus scan. Go to Panda ActiveScan. Please scan 'My computer' and then save the log produced at the end of the scan.
------------------------------------------
Please post in your next reply:
1. Look2Me-Destroyer.txt
2. Panda ActiveScan log
3. files.txt from step 4
4. A new HijackThis log
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
----------------------------------------------------------------------------------
HiJackThis log after running Look2ME-Destroyer:
Logfile of HijackThis v1.99.1
Scan saved at 7:35:18 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
There was no PurityScan, Oin etc. in Add/Remove Programs to remove.
There was no c:\Program Files\purityScan directory.
Files.txt was empty. (There is only 1 Font directory and it was empty.)
Here is the log from Panda ActiveScan
Incident Status Location
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joelle\Cookies\joelle@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joelle\Cookies\joelle@www.drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mark\Cookies\mark@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mark\Cookies\mark@errorsafe[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mark\Cookies\mark@stats.drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mark\Cookies\mark@www.drivecleaner[2].txt
Logfile of HijackThis v1.99.1
Scan saved at 10:28:41 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
First, turn off your PC and restart in 'safe mode'.
How to go to safe mode:
- Turn on the computer.
- Immediately begin tapping the F8 key.
- Use the arrow keys to highlight Safe Mode and press the Enter key.
Make sure you log on to the same user account as when starting normally.
Second, we need to display hidden files:
Start > My Computer > Tools > Folder Options > View
- Under the Hidden files and folders heading, select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
Third, locate and delete the following files if they exist:
c:\windows\teller2.chk
C:\\dfndrff_13.exe
C:\\kybrdff_13.exe
C:\WINDOWS\pop06ap2.exe
C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe
Once done, reboot the computer normally.
Fourth, to clean up the nasty cookies:
Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
3. Then select the items you wish to clean up.
In the Windows Tab:
- Clean all entries in the "Internet Explorer" section except Cookies.
- Clean all the entries in the "Windows Explorer" section.
- Clean all entries in the "System" section.
- Clean all entries in the "Advanced" section.
- Clean any others that you choose.
In the Applications Tab:
- Clean all except cookies in the Firefox/Mozilla section if you use it.
- Clean all in the Opera section if you use it.
- Clean Sun Java in the Internet Section.
- Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click on Issues in the left column > Scan for Issues > Fix all selected issues.
8. Click "Exit" when done.
Finally, please post a HijackThis log for a final review.
Logfile of HijackThis v1.99.1
Scan saved at 10:27:55 PM, on 9/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
If everything is running well, you will need to flush the System Restore and create a clean Restore Point:
Right-click My Computer > select Properties > go to the System Restore tab > select Turn off System Restore > click Apply, and then click OK.
Reboot the computer and follow the same steps as above, but this time uncheck 'Turn off System Restore'.
Next, please download and install Service Pack 2 for Windows from http://update.microsoft.com. SP2 will make your computer a lot safer and more stable by fixing many security holes and including many hotfixes.
To reduce the chance of infection in the future:
1. Install a firewall to protect your computer from hackers and intrusions. Two good ones that are freeware to download are Kerio and Zone Alarm Firewall (Zone Labs has a free version for home users.)
http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?dc=12bms&ctry=US&lang=en&lid=ho_za
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
2. Make sure you have all the windows updates:
Make sure that you have all the Critical Updates recommended for your operating system and IE. It's important to always keep current with the latest security fixes from Microsoft on a bi-weekly basis.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
3. Keep your antivirus, antispyware and firewall software up to date.
Regularly updating an anti-virus product is a necessity; update it at least once a week.
In case you don't have an antivirus program, there are some very good and easy-to-use free A/V programs such as AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
4. Download and install at least one of the following free antispyware programs:
a) Windows Defender (only windows 2k&XP): http://www.microsoft.com/athome/security/spyware/software/default.mspx
b) Javacools SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
c) SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
5. Scan your computer once a week with Spybot and/or Ad-aware:
a) Spybot Search and Destroy: http://www.safer-networking.org/
b) Ad-aware SE Personal: http://www.lavasoft.de/software/adaware/
6. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
7. For more information about protecting your computer, please see
a. "So how did I get infected in the first place?" by Tony Klein http://computercops.biz/postlite7736-.html
b. http://wiki.castlecops.com/Malware_Prevention:_Prevent_Re-infection
Bugbatter
3 Apprentice
20.5K Posts
August 31st, 2006 01:00
Welcome to DCF. :) We are researching your log and will reply soon. Thank you for waiting patiently.
Abu Ibrahim, one of my trainees, will be helping you under my supervision.
Message Edited by Bugbatter on 08-30-2006 10:23 PM
Abu Ibrahim
5 Posts
August 31st, 2006 17:00
Do you use WeatherBug? It is reported that this program is bundled with spyware. Please see:
http://home.vcn.com/knowledgebase/article.php?id=351
I also notice that you have Viewpoint Manager. Viewpoint is bundled with AOL, AOL Instant Messenger, Netscape 7, etc. and is sometimes not mentioned in the license agreement.
Viewpoint is also bundled with Adobe Atmosphere, and hardware manufacturers pre-install some of these applications.
ViewPoint Toolbar will redirect your search queries and also transmits non-personally-identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. It is not technically considered malware, but is borderline adware and is often installed without a user's knowledge.
Viewpoint Media Player is installed with AIM, AOL and a number of other products. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
If you choose to remove it, end the ViewManager process in Task Manager.
Remove it in Add/Remove Programs via the Control Panel.
In order to get your computer cleaned up, please follow these steps carefully:
Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
Click My Computer, then C:\. In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU".
Please download Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not run the Uninstaller and the Remover yet.
Please reboot into Safe Mode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
- Launch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
- ewido will now begin the scanning process; be patient, this may take a little time.
- Once the scan is complete do the following:
- If you have any infections you will be prompted; then select "Apply all actions".
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
Now close ewido anti-spyware.
IMPORTANT! Don't save the report before you have clicked the Apply all actions button. If you do it will make it more difficult for the helper to interpret the report.
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.
Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu.
Press "Execute" and let it do its job.
Wait for the "Complete script execution" box to pop up and press OK.
Press "Exit" to terminate the BFU program.
Please run HijackThis, click Scan, and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{49A7DB4F-19FD-337E-DED9-1563711CD49B} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: C:\\dfndrff_13.exe
O4 - HKLM\..\Run: C:\\kybrdff_13.exe
O4 - HKLM\..\Run: C:\WINDOWS\pop06ap2.exe
O4 - HKCU\..\Run: "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: C:\Program Files\Common Files\F?nts\?ervices.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l44q0eh5eh4.dll
O4 - Global Startup: Internet Explorer.lnk = ?
If you removed Viewpoint, also place a checkmark next to this if it still exists:
O4 - HKLM\..\Run: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Close all open windows except HijackThis, and click Fix Checked.
- Also if you have removed Viewpoint, then locate and delete the following folder:
C:\Program Files\Viewpoint\
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
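The fix list above is built by reading each HijackThis line against a few habits of the adware in this thread: start and search pages pointing at a domain the owner never chose, nameless hooks and toolbars whose file is already gone, Run entries that carry no registry value name, a path the log could not render (a `?` is not a legal filename character, so it stands for a look-alike character), a site added to the Trusted Zone, and a Winlogon Notify DLL with a random-looking name. The script below is an added example, not part of the thread and not part of HijackThis; it encodes those checks as heuristics over a constructed sample of log lines copied from the thread. `EXPECTED_HOSTS` is a constructed baseline standing in for the owner's own home page settings, and the digit-and-letter test for Winlogon Notify DLL names is a rule of thumb, not a rule of the tool.

```python
import re
from urllib.parse import urlsplit

# Hosts the owner of this machine expects as start/search pages. Constructed
# baseline for the example; in practice take them from the user's own settings.
EXPECTED_HOSTS = {"www.dellnet.com", "www.frontiernet.net"}

# Constructed sample in HijackThis 1.99.1 line format: lines copied from the
# fix list in the thread, plus benign lines from the posted log for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: C:\\dfndrff_13.exe
O4 - HKCU\..\Run: "C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: C:\Program Files\Common Files\F?nts\?ervices.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\l44q0eh5eh4.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return the reasons this HijackThis line deserves review, [] if none fire."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []

    # R0/R1: start or search page set to a host outside the owner's baseline.
    if sec in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1].strip()
        host = urlsplit(url).hostname or url
        if host not in EXPECTED_HOSTS:
            reasons.append(f"browser start/search page points at unexpected host {host}")

    # R3/O3: a search hook or toolbar with no name and no backing file is an
    # orphan left behind by something that was only partially removed.
    if sec in ("R3", "O3") and "(no name)" in body and "(no file)" in body:
        reasons.append("nameless hook/toolbar whose file is gone")

    # O4: HijackThis prints the registry value name in [brackets]; every
    # malicious Run entry in the thread lacks one, the legitimate ones carry it.
    if sec == "O4" and "Run:" in body and not re.search(r"Run: \[", body):
        reasons.append("Run entry without a value name")

    # '?' cannot appear in a Windows file name, so a '?' in an O-section path
    # means the log could not render the real character (a look-alike name).
    if sec.startswith("O") and "?" in body:
        reasons.append("path contains a character HijackThis could not display")

    # O15: any host added to the Trusted Zone relaxes IE security for that site.
    if sec == "O15":
        reasons.append("site added to Internet Explorer Trusted Zone")

    # O20: Winlogon Notify DLLs load into winlogon.exe at logon; a system32 DLL
    # whose name interleaves letters and digits is a heuristic, not a certainty.
    if sec == "O20":
        dll = body.rsplit("\\", 1)[-1].lower()
        stem = dll.rsplit(".", 1)[0]
        if re.search(r"\d", stem) and re.search(r"[a-z]", stem) and "system32" in body.lower():
            reasons.append(f"Winlogon Notify DLL with random-looking name {dll}")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run it on a saved log instead of `SAMPLE_LOG` by passing `open(path).read()` to `triage_log`; what it returns is a worklist for a human to confirm, the same role the helper's fix list plays in the thread, not a verdict.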
Abu Ibrahim
5 Posts
September 2nd, 2006 12:00
pjruth
6 Posts
September 5th, 2006 01:00
Here is the latest HijackThis log:
Thank you again!
PJ
Logfile of HijackThis v1.99.1
Scan saved at 9:53:11 PM, on 9/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\MSC\McLogCln.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Microsoft SQL Server\Mssql$MTxInstance\Binn\MSSQL$MTXINSTANCE\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McLogLch_exe] C:\Program Files\McAfee\MSC\McLogLch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Abu Ibrahim
5 Posts
September 5th, 2006 15:00
- Close all windows before continuing.
- Double-click "Look2Me-Destroyer.exe" to run it.
- Put a check next to "Run this program as a task."
- You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK"
- When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the "Remove L2M" button.
- You will receive a "Done Scanning" message, click "OK".
- When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop, that's where the log will be.
If Look2Me-Destroyer does not reopen automatically, reboot and try again. If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Then you click the Remove L2M button and wait for it to give you a message. When you click OK it should shut itself down.
Second, open hijackthis and select 'do a system scan only', and then place a checkmark beside each of these entries:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
After placing all the checkmarks, close all windows (except HJT), and then hit 'Fix Checked'. When it finishes, exit HJT and reboot the computer.
Third, go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:
PuritySCAN By OIN, OIN, OuterInfo or similar.
Reboot and delete this folder if found:
C:\Program Files\PurityScan\
Fourth, Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.
dir "C:\Program Files\Common Files\F?nts\?ervices.exe" /a > files.txt
notepad files.txt
Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log
Fifth, we need to do some follow-up scans to ensure a complete cleanup of the system. If you have not already run Ad-aware and Panda, please run these scans...
Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.
Launch Ad-Aware SE and check for updates. Next click on the gear to access the Configuration Menu. Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Run a new scan to select the remaining objects to be quarantined.
* Click Next to remove the objects selected, and click OK at the prompt.
* Restart the computer.
-----------------------------------------------------------
Finally, we need to perform an online antivirus scan. Go to Panda ActiveScan.
Please scan 'My computer' and then save the log produced at the end of scan.
------------------------------------------
Please post in your next reply:
1. Look2Me-Destroyer.txt
2. Panda ActiveScan log
3. files.txt from step 4
4. A new Hijackthis log
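The findfile.bat step above searches one folder for a file named like a system binary, using ? wildcards so that character substitutions (F0nts, 5ervices.exe) are caught as well. The Python script below is an added example, not code from this thread, that generalises the idea: it walks a tree, matches folder and file names against the same kind of wildcards, reports whether each hit carries the hidden attribute, and flags any hit that is not the genuine binary sitting in its genuine home. The GENUINE_HOME table is an assumption for an XP layout, and the sample tree is constructed inside the script so it runs offline on any platform.

```python
"""Hunt for look-alike system binaries in look-alike folders.

Added example (not from the thread). It generalises the findfile.bat step:
walk a tree, report every file whose parent folder and name match wildcard
patterns such as F?nts / ?ervices.exe, and flag the hits that do not live
where the genuine binary belongs. The sample tree is constructed here.
"""
import fnmatch
import os
import stat
import tempfile

# Assumption: where the genuine copy of each imitated name lives, relative to
# the scanned root and in lower case (an XP layout; adjust for the box at hand).
GENUINE_HOME = {
    "services.exe": "windows\\system32",
}


def is_hidden(path):
    """Windows hidden attribute when available; dot-file convention elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_lookalikes(root, file_pattern, dir_pattern="*"):
    """Return a sorted list of (path, hidden, suspicious) tuples.

    file_pattern / dir_pattern use dir-style ? and * wildcards, matched
    case-insensitively against the file name and its parent folder name.
    A hit is suspicious unless its name is a known genuine binary sitting
    in that binary's home folder.
    """
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        if not fnmatch.fnmatchcase(os.path.basename(dirpath).lower(), dir_pattern.lower()):
            continue
        rel_dir = os.path.relpath(dirpath, root).replace("/", "\\").lower()
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), file_pattern.lower()):
                continue
            full = os.path.join(dirpath, name)
            suspicious = GENUINE_HOME.get(name.lower()) != rel_dir
            hits.append((full, is_hidden(full), suspicious))
    return sorted(hits)


def build_sample_tree():
    """Constructed XP-like tree: one genuine services.exe and two imposters."""
    root = tempfile.mkdtemp(prefix="lookalike_")
    layout = {
        "WINDOWS/system32/services.exe": b"MZ genuine",
        "Program Files/Common Files/Fonts/services.exe": b"MZ wrong folder",
        "Program Files/Common Files/F0nts/5ervices.exe": b"MZ substituted chars",
        "Program Files/Common Files/Fonts/arial.ttf": b"not a PE at all",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Same target as the batch file: ?ervices.exe inside a folder named F?nts.
    for path, hidden, suspicious in find_lookalikes(root, "?ervices.exe", "F?nts"):
        print(f"{'SUSPECT' if suspicious else 'ok     '} hidden={hidden!s:5} {path}")
```

Run it against a real drive by passing the drive root instead of the sample tree; the narrow pattern pair reproduces the batch file's search, and dropping dir_pattern widens it to every folder so the genuine copy shows up as a non-suspicious reference point.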
pjruth (6 Posts), September 7th, 2006 01:00
Hello,
Here are my results from running the Look2MeDestroyer.
------------------
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 9/6/2006 6:08:05 PM
Attempting to delete infected files...
Making registry repairs.
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AF38DE38-4B93-4C88-8DE3-D82F6C7B0BF2}"
HKCR\Clsid\{AF38DE38-4B93-4C88-8DE3-D82F6C7B0BF2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{49FF9AE4-2FE0-4425-B399-2016EEC9C0EE}"
HKCR\Clsid\{49FF9AE4-2FE0-4425-B399-2016EEC9C0EE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{794F1F90-D71C-405A-949B-24316E4C0984}"
HKCR\Clsid\{794F1F90-D71C-405A-949B-24316E4C0984}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
----------------------------------------------------------------------------------
HiJackThis log after running Look2ME-Destroyer:
Logfile of HijackThis v1.99.1
Scan saved at 7:35:18 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Microsoft SQL Server\Mssql$MTxInstance\Binn\MSSQL$MTXINSTANCE\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\MSC\McLogCln.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McLogLch_exe] C:\Program Files\McAfee\MSC\McLogLch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
pjruth (6 Posts), September 7th, 2006 02:00
Incident                    | Status          | Location
Spyware:spyware/media-motor | Not disinfected | Windows Registry
Adware:adware/dyfuca        | Not disinfected | Windows Registry
Adware:adware/ucmore        | Not disinfected | Windows Registry
Adware:adware/webhancer     | Not disinfected | Windows Registry
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Joelle\Cookies\joelle@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Joelle\Cookies\joelle@www.drivecleaner[1].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Mark\Cookies\mark@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe    | Not disinfected | C:\Documents and Settings\Mark\Cookies\mark@errorsafe[1].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Mark\Cookies\mark@stats.drivecleaner[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Mark\Cookies\mark@www.drivecleaner[2].txt
Scan saved at 10:28:41 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\Mssql$MTxInstance\Binn\MSSQL$MTXINSTANCE\Binn\sqlservr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\McAfee\MSC\McLogCln.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McLogLch_exe] C:\Program Files\McAfee\MSC\McLogLch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Abu Ibrahim (5 Posts), September 7th, 2006 16:00
How to go to safe mode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Make sure you log on to the same user account as when starting normally.
Second, we need to display hidden files:
Start>My Computer >Tools>Folder Options> View
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK
Third, locate and delete the following files if they exist:
C:\WINDOWS\teller2.chk
C:\dfndrff_13.exe
C:\kybrdff_13.exe
C:\WINDOWS\pop06ap2.exe
C:\PROGRA~1\COMMON~1\STEM~1\javaw.exe
Once done, reboot the computer normally.
Fourth, to clean up the nasty cookies:
Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK " Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
4. Click the " Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click " OK" and it will scan and clean your system.
7. click on issues in the left column > scan for issues > fix all selected issues.
8. Click " exit" when done.
Finally, please post a HijackThis log for a final review.
pjruth (6 Posts), September 8th, 2006 02:00
I appreciate your time and assistance!!!
Here is the latest Log:
PJ
----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:27:55 PM, on 9/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Microsoft SQL Server\Mssql$MTxInstance\Binn\MSSQL$MTXINSTANCE\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\McAfee\MSC\McLogCln.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McLogLch_exe] C:\Program Files\McAfee\MSC\McLogLch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Abu Ibrahim (5 Posts), September 8th, 2006 08:00
Your latest logfile looks clean. Good work!
If everything is running well, you will need to flush the System Restore and create a clean Restore Point:
Right-click My Computer > Properties > System Restore tab > check Turn off System Restore > Apply > OK.
Reboot the computer and follow the same steps, but this time uncheck 'Turn off System Restore'.
Next, please download and install Service Pack 2 for Windows from http://update.microsoft.com . SP2 will make your computer a lot safer and more stable, as it fixes many security holes and includes many hotfixes.
To reduce the chance of infection in the future:
1. Install a firewall to protect your computer from hackers and intrusions. Two good ones that are freeware to download are Kerio and Zone Alarm Firewall (Zone Labs has a free version for home users.)
http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?dc=12bms&ctry=US&lang=en&lid=ho_za
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads.
2. Make sure you have all the windows updates:
Make sure that you have all the Critical Updates recommended for your operating system and IE. It's important to always keep current with the latest security fixes from Microsoft on a bi-weekly basis.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
3. Keep your antivirus, antispyware and firewall software up to date.
An anti-virus product is a necessity; update it regularly, at least once a week.
In case you don't have an antivirus program, there are some very good and easy-to-use free A/V programs such as AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
4. Download and install at least one of the following free antispyware programs:
a) Windows Defender (only windows 2k&XP): http://www.microsoft.com/athome/security/spyware/software/default.mspx
b) Javacools SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
c) SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
5. Scan your computer once a week with Spybot and/or Ad-Aware:
a) Spybot Search and Destroy: http://www.safer-networking.org/
b) Ad-aware SE Personal: http://www.lavasoft.de/software/adaware/
6. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
7. For more information about protecting your computer, please see
a. "So how did I get infected in the first place?" by Tony Klein http://computercops.biz/postlite7736-.html
b. http://wiki.castlecops.com/Malware_Prevention:_Prevent_Re-infection
Happy surfing.
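The "looks clean" verdict above rests on comparing the latest log with the earlier ones and checking that only the intended entries disappeared and nothing unexpected appeared. The Python script below is an added example, not code from this thread, that automates that comparison: it parses the R/F/O sections of two HijackThis logs, reports the entries removed and added between them, and flags entries whose target file is missing or whose O16 ActiveX download comes from a host outside a trusted list. The two log excerpts are constructed from lines that appear in this thread (they are not complete logs), and TRUSTED_DPF_HOSTS is an assumption made for the example.

```python
"""Diff two HijackThis logs and flag entries worth a second look.

Added example (not from the thread). The two excerpts below are constructed
from lines that appear in this thread, not complete logs. Entries are
compared by section (R0-R3, F0-F3, O1-O24) and text, so ordering does not
matter; 'Running processes' lines are ignored because they change each boot.
The trusted-host list for O16 ActiveX downloads is an assumption.
"""
import re

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Assumption: ActiveX (O16 DPF) download hosts the analyst accepts.
TRUSTED_DPF_HOSTS = {"download.mcafee.com", "acs.pandasoftware.com"}


def parse_hjt(text):
    """Map each HJT section code to the set of entry texts under it."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def diff_hjt(before_text, after_text):
    """Return (removed, added) as sets of full 'Oxx - ...' lines."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = set(), set()
    for sec in set(before) | set(after):
        b, a = before.get(sec, set()), after.get(sec, set())
        removed |= {f"{sec} - {e}" for e in b - a}
        added |= {f"{sec} - {e}" for e in a - b}
    return removed, added


def flag_entries(text, trusted_dpf_hosts=TRUSTED_DPF_HOSTS):
    """Entries that deserve attention: launch points whose target file is
    gone ('(file missing)', typically a leftover of removed software) and
    O16 ActiveX downloads from hosts outside the trusted list."""
    flags = []
    for sec, entries in sorted(parse_hjt(text).items()):
        for e in sorted(entries):
            if "(file missing)" in e.lower():
                flags.append(f"{sec} - {e}  [target missing]")
            elif sec == "O16":
                m = URL_HOST_RE.search(e)
                host = m.group(1).lower() if m else ""
                if host not in trusted_dpf_hosts:
                    flags.append(f"{sec} - {e}  [ActiveX from untrusted host: {host or '?'}]")
    return flags


# Constructed excerpts: before the O9 fixes and after them.
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE, AFTER)
    for line in sorted(removed):
        print("-", line)
    for line in sorted(added):
        print("+", line)
    for line in flag_entries(BEFORE):
        print("!", line)
```

On the excerpts the three O9 entries that were checked in HijackThis show up as removed, the Panda ActiveScan O16 installer shows up as added (expected, since the online scan was part of the fix), and the WeatherBug button is flagged before the fix because its target file was already missing. Feed it the full logs from two posts to get the same picture for the whole machine.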