Yellowhammer
725 Posts
0
February 3rd, 2004 23:00
First go into add/remove programs and uninstall the following if they are there.
New Dot Net
Date Manager
Precision Time
Then run ad-aware and remove all it finds. Then run Spybot Search & Destroy and remove all the "red" items it finds. Links to these are below my signature.
Then move hijackthis to a non temporary directory that you create and unzip it there. Run it again and post another log.
YoKenny
363 Posts
0
February 4th, 2004 01:00
In addition to what Yellowhammer indicated, please update your Windows operating system to Service Pack 1 and ALL Critical Updates.
In Internet Explorer go to Tools then Windows Update and install all patches individually rebooting when necessary.
Then download Ad-aware then update and run to remove all that it finds. Reboot and post a new log to permit us to help you remove any remnants.
Message Edited by YoKenny on 02-03-2004 10:30 PM
rpm900
4 Posts
0
February 4th, 2004 06:00
Okay,
I used ad aware and spybot. In spybot, it found the Klez Worm, located at C:/Windows/System32/winkeye.exe. It said I need to use my virus scan program to remove it. But like I said, I don't exactly have one right now. Anyways, here is my HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 12:32:17 AM, on 2/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Winkfyj.exe
C:\WINDOWS\System32\Winkye.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\BroadJump\Client Foundation\CFDhju.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Netropa\OSDksl.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\RyMac\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GLSetIT] c:\windows\system32\msiexec.exe
O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [GLSetIT] c:\windows\system32\msiexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8812BB9-8AF8-480A-809F-6C07810842CE}: NameServer = 205.188.146.146
Thanks
Ryan
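Added example, not part of the original thread or of HijackThis itself: a small Python helper for triaging a log like the one above. The function names are hypothetical and the sample is a short excerpt of the posted log. It splits the log into header, running processes and numbered entries, lists registry Run autostarts, flags anything run from a Temp directory (the situation Yellowhammer's advice addresses), and looks up a running process by file name.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:32:17 AM, on 2/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\Winkye.exe
C:\Documents and Settings\RyMac\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # group code, e.g. "O4 - ..."
RUN_RE = re.compile(r"^(\S+): \[(.+?)\] (.*)$")    # registry Run-style O4 entry

def parse_log(text):
    """Split a log into header lines, running processes and entries by group code."""
    log = {"header": [], "processes": [], "entries": defaultdict(list)}
    section = "header"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            section = None  # later non-entry lines (e.g. a signature) are ignored
            log["entries"][entry.group(1)].append(entry.group(2))
        elif line.lower().startswith("running processes"):
            section = "processes"
        elif section:
            log[section].append(line)
    return log

def autostarts(log):
    """Return (registry key, value name, command) for each registry Run O4 entry."""
    matches = (RUN_RE.match(e) for e in log["entries"]["O4"])
    return [m.groups() for m in matches if m]

def temp_run_processes(log):
    """Processes whose path has a Temp directory component."""
    return [p for p in log["processes"] if "temp" in p.lower().split("\\")]

def find_process(log, name):
    """Case-insensitive lookup of a running process by file name."""
    return [p for p in log["processes"] if ntpath.basename(p).lower() == name.lower()]
```
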
ChrisRLG
3.9K Posts
0
February 5th, 2004 11:00
I would suggest you visit one of the online AV scanners to get rid of the virus. Look on my website - link below - AV section, and one of the online scanner sites listed.
Also look at the recommended AV's on that page.
AVG6 is free from www.grisoft.com, install that, update it for all updates, and then scan your machine (complete scan)