Skip to main content

dobhar

1.1K Posts

September 11th, 2005 20:00

Hi melody29... :)

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible.

If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Do not start another Thread\Topic.

Thank You and Safe Surfing... :)

dobhar

1.1K Posts

September 12th, 2005 03:00

Hi melody29...

Here we go...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========
Please download and install CCleaner from http://www.ccleaner.com/download123.asp
(Note: DO NOT run this program yet)

Step 2.
==========
Please download Ewido Security Suite from http://www.ewido.net/en/download/. It is a free version of the program.
- Install Ewido
- When installing the program, under " Additonal Options" uncheck...
* Install background guard
* Install scan via context menu
- Launch ewido, there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you MAY get a warning " Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files:
* On the left hand side of the main screen click " Update".
* Then click on " Start Update".
- The update will start and a progress bar will show the updates being installed. (Note: the status bar at the bottom will display "Update successful")
- Close Ewido Security Suite

(Note: If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/)


Step 3.
==========
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup instructions => http://rstones12.geekstogo.com/adawareSE_setup.htm
(Note: Please do NOT run it yet!)

Step 4.
==========
- Download smitRem.exe from http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 and save the file to your desktop.
- Double click on the file to extract it to it's own folder on the desktop.
(Note: Please do NOT run it yet!)

Step 5.
==========
- Reboot computer into " Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - http://www.pchell.com/support/safemode.shtml)

Step 6.
==========
We need to make sure all Hidden Files are showing so please:
* Open " My Computer" then click on " Tools" and from the drop down menu select " Folder Options".
* Select the " View" tab.
* Under the " Hidden files and folders" heading SELECT " Show hidden files and folders".
* UNCHECK the " Hide file extensions for known types option".
* UNCHECK the " Hide protected operating system files (recommended) option".
* Click " Yes" to confirm.
* Click " OK"

Step 7.
==========
- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsj35D3.dll
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\System32\ssysut3r.exe run32
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\ssysut3r.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\a.exe
O21 - SSODL: Web Event Logger - {79FB9088-19CE-715E-D900-216290C5B738} - C:\WINDOWS\System32\Akhcidlp.dll (file missing)

- Click the " Fix checked" button...

Step 8.
==========
Delete the following file(s) and folder(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
files(s)...
C:\WINDOWS\System32\ trgen.dll <<<= Delete This File
C:\WINDOWS\System32\ nsj35D3.dll <<<= Delete This File
C:\WINNT\System32\ gxlib.exe <<<= Delete This File
C:\WINDOWS\SYSTEM32\ ssysut3r.exe <<<= Delete This File
C:\Program Files\Internet Explorer\ a.exe <<<= Delete This File
C:\WINDOWS\System32\ Akhcidlp.dll <<<= Delete This File

Step 9.
==========
We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into " Options" => Select " Advanced" => Deselect\uncheck " Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the Run Cleaner button in the lower right-hand corner
- After complete close program

Step 10.
==========
- Open the SmitRem folder on your Desktop
- Double- click the RunThis.bat file to start the tool. Follow the prompts on screen.
- Wait for the tool to complete and disk cleanup to finish.
- The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.

Step 11.
==========
- Start Ad-aware SE 1.06 and do a full scan
- Remove all it finds

Step 12.
==========
- start Ewido Security Suite
- Click on " Scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
- Click on " Complete System Scan", the scan will now begin.
- While the scan is in progress you will be promted to clean files, click " OK".
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says " Perform action on all infections", then choose " Clean" and click " OK".
- Once the scan has completed, there will be a button located at the bottom of the screen named " Save Report".
- Click " Save Report".
- Now save the report .txt file to your desktop.
- Close Ewido Security Suite

Step 13.
==========
- Next go to " Control Panel"
- Select\click " Display"
- Select\Click " Desktop" Tab
- Select\Click " Customize Desktop" button
- Select\Click " Web" Tab
- Uncheck " Security Info" if present

Step 14.
==========
Run Panda's online virus scan from http://www.pandasoftware.com/products/activescan.htm and perform a full system scan.
- Once you are on the Panda site click the " Scan your PC" button
- A new window will open...click the big " Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on " Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 15.
==========
- Reboot your computer back into " Normal Mode"
- Post back a fresh new HijackThis log
- Post back the Ewido scan log
- Post back the contents of the smitfiles.txt log
- Post back Panda ActiveScan results

Message Edited by dobhar on 09-12-2005 02:05 AM

melody29

7 Posts

September 12th, 2005 15:00

hello Dobhar.

thnks for taking time to look it over.  hopefully i can get through this without any annoying questions for you.....although the blonde moments have been known to strike at the worst times.      ~melody

melody29

7 Posts

September 12th, 2005 19:00

hey dobhar! okay. well.....i may have taken a wrong turn somewhere.... everything went smoothly until i needed to access the internet to run the panda scan. i was not able to access the internet at all in safe mode.  also....the files to delete.....only found one: .../ssysut3r.exe.

here are my new logs. .... minus the panda scan. let me know if i need to try the panda in normal mode.

thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:13:07 PM, on 9/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://moneycentral.msn.com/money/2002/redir.asp?mcrid=214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
 
 
 
+ Created on: 2:34:39 PM, 9/12/2005
+ Report-Checksum: 5C54B14A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\pop -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\pop\UpdateAgent -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2 -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2\eeennn -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2\kkws -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2\ppops -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2\reel -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg2\ssites -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3 -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3\eeennn -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3\kkws -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3\ppops -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3\reel -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3615762775-2035789119-2382750585-1006\Software\_rtneg3\ssites -> Spyware.Begin2Search : Cleaned with backup
[444] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[664] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\HJT\backups\backup-20050912-130239-186.dll -> Spyware.Beginto : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP706\A0125670.exe -> Trojan.LowZones.cp : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125687.dll -> Spyware.Beginto : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125981.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125984.dll -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\SYSTEM32\cxdxregt.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\SYSTEM32\mevoml.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\SYSTEM32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\SYSTEM32\qsdxregr.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\SYSTEM32\ssysut2r.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\ssysutd8.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\zxinst12.exe -> Trojan.Zx.12 : Cleaned with backup


::Report End
 
  
smitRem log file
     version 2.3

     by noahdfear

The current date is: Mon 09/12/2005 
The current time is: 13:27:36.56

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :)


 Pre-run Files Present


 ~~~ Program Files ~~~

PSGuard


 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~

shopping


 ~~~ system32 folder ~~~

intell32.exe
oleext.dll
wppp.html


 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~

uninstIU.exe


 ~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~

oleext.dll


 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

 ~~~ Replaced wininet.dll from dllcache ~~~



 ~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


 ~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~

melody29

7 Posts

September 12th, 2005 19:00

did i mention......wow.

dobhar

1.1K Posts

September 13th, 2005 05:00

Hi melody...

Nice job... :D We cleaned up a fair bit... :)

I was hoping to post something for you tonight but I got paged and had to work (on call) so I only had time for one log tonight. Sorry. I will post something for you tomorrow.

Thanks,

Message Edited by dobhar on 09-13-2005 01:53 AM

dobhar

1.1K Posts

September 14th, 2005 03:00

Hi melody29...

Nice job...Your HJT log is looking pretty clean :D

Sorry on the Panda Scan...the "Reboot into Normal Mode" should have been inserted before the scan not after as you cannot surf the internet while in "Safe Mode"... My Bad sorry :(

Are you running the "Paid" version of Bearshare or the "Free" version. The "Free" version comes bundled with some "Nasties". If your not sure or if you know it the "Free" version then I recommend you uninstall (See Step #1 below). If your 100% positive that you have the "Paid" version then ignore any step to remove Bearshare.

Read this article from SpywareINfo => http://www.spywareinfo.com/articles/p2p/

_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========
We need to uninstall some programs using " Add or Remove Programs" in the Control Panel:
- Get into Control Panel.
- Double-click " Add or Remove Programs".
- Look in the Currently installed programs box for each program listed below and if it is there:
- Click on it to select it.
- Click " Change/Remove" (or " Change") button.
- If you are prompted to confirm the removal of the program, click " Yes"

Bearshare

Step 2.
==========
- Using the instructions in my other post please make sure Ewido Security Suite has been updated
(Note: Do NOT run this yet!)

Step 3.
==========
- Reboot computer into " Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - http://www.pchell.com/support/safemode.shtml)

Step 4.
==========
We need to make sure all Hidden Files are showing so please:
* Open " My Computer" then click on " Tools" and from the drop down menu select " Folder Options".
* Select the " View" tab.
* Under the " Hidden files and folders" heading SELECT " Show hidden files and folders".
* UNCHECK the " Hide file extensions for known types option".
* UNCHECK the " Hide protected operating system files (recommended) option".
* Click " Yes" to confirm.
* Click " OK"

Step 5.
==========
- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

- Click the " Fix checked" button...

Step 6.
==========
Delete the following file(s) and folder(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
Folders(s)...
C:\Program Files\ BearShare <<<= Delete This Folder

Files(s)...
gxlib.exe <<<= Delete This File =>>> You will have to Search for this file. It is more than likely in either the C:\Windows or C:\Windows\System32 folder

Step 7.
==========
- start Ewido Security Suite
- Click on " Scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
- Click on " Complete System Scan", the scan will now begin.
- While the scan is in progress you will be promted to clean files, click " OK".
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says " Perform action on all infections", then choose " Clean" and click " OK".
- Once the scan has completed, there will be a button located at the bottom of the screen named " Save Report".
- Click " Save Report".
- Now save the report .txt file to your desktop.
- Close Ewido Security Suite

Step 8.
==========
- Reboot your computer back into " Normal Mode"
- Then run Panda ActiveScan's online virus scan from http://www.pandasoftware.com/products/activescan.htm and perform a full system scan.
- Once you are on the Panda site click the " Scan your PC" button
- A new window will open...click the big " Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on " Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 9.
==========
- Post back a fresh new HijackThis log
- Post Ewido log
- Post back Panda ActiveScan results

Message Edited by dobhar on 09-13-2005 11:18 PM

melody29

7 Posts

September 15th, 2005 16:00

The message body contains the following prohibited content: ''  You must remove this content before submitting your post.

....this is what it is telling me when i try to post my new logs and scan reports. help. hummm.....

dobhar

1.1K Posts

September 15th, 2005 19:00

The forum is just telling you that there is a word in the logs that is prohibited...go through the logs and see what word looks bad and change a letter or remove a letter and put in an * in place of the letter.

Message Edited by dobhar on 09-15-2005 03:13 PM

melody29

7 Posts

September 16th, 2005 20:00

oky doky. i think this will work now. thanks dobhar. let me know if there is any other steps i can take to keep this clean.

Incident                      Status                        Location                                                                                                                                                                                                                                                       

Adware:Adware/PsGuard         No disinfected                C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125982.exe                                                                                                                                                                 
Adware:Adware/SaveNow         No disinfected                C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125983.exe                                                                                                                                                                 
Virus:W32/Smitfraud.E         Disinfected                   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0126008.old                                                                                                                                                                 
Adware:Adware/Look2Me         No disinfected                C:\WINDOWS\Downloaded Program Files\pinstall.dll                                                                                                                                                                                                               
Adware:adware/transponder     No disinfected                C:\WINDOWS\LastGood\INF\ceres.PNF                                                                                                                                                                                                                              
Adware:adware/ipinsight       No disinfected                C:\WINDOWS\LastGood\INF\farmmext.PNF                                                                                                                                                                                                                           
Spyware:spyware/smitfraud     No disinfected                C:\WINDOWS\SYSTEM32\ptainfo1.ico                                                                                                                                                                                                                               
Adware:adware/ilookup         No disinfected                C:\WINDOWS\SYSTEM32\xbox31.ico                                                                                                                                                                                                                                 

 
 
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:37:56 AM, 9/15/2005
+ Report-Checksum: BAB082E9

+ Scan result:

C:\Documents and Settings\melody\Cookies\melody@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@*[2].txt -> Spyware.Cookie.* : Cleaned with backup
C:\Documents and Settings\melody\Cookies\melody@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125992.exe -> Trojan.Zx.12 : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125993.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125994.exe -> Trojan.Zx.12 : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125995.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125996.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0125997.exe -> Trojan.Zx.12 : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP707\A0126001.dll -> Trojan.Small.ev : Cleaned with backup


::Report End
 
 
 

melody29

7 Posts

September 16th, 2005 20:00

dobhar..it wouldnt let me send it all together. heres the rest.   :smileyhappy:
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 4:49:40 PM, on 9/16/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://moneycentral.msn.com/money/2002/redir.asp?mcrid=214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

dobhar

1.1K Posts

September 17th, 2005 21:00

Hi melody29...

Nice job again... ;) We are looking quite good. How is your computer running? Are you getting any "pop-ups", web page redirects...etc???

Let's clean up some items...
______________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========
- Reobbot your computer into " Safe Mode" using previous instructions...

Step 2.
==========
- Make sure "Hidden Files and Folders are still showing...

Step 3.
==========
Delete the following file(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
files(s)...
C:\WINDOWS\LastGood\INF\ ceres.PNF <<<= Delete This File
C:\WINDOWS\LastGood\INF\ farmmext.PNF <<<= Delete This File
C:\WINDOWS\System32\ ptainfo1.ico <<<= Delete This File
C:\WINDOWS\System32\ xbox31.ico <<<= Delete This File

Step 4.
==========
We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into " Options" => Select " Advanced" => Deselect\uncheck " Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the Run Cleaner button in the lower right-hand corner
- After complete close program
- Make sure your "Recycle Bin" is empty

Step 5.
==========
-Reboot into " Normal Mode"
- Run Panda's online virus scan from http://www.pandasoftware.com/products/activescan.htm and perform a full system scan.
- Once you are on the Panda site click the " Scan your PC" button
- A new window will open...click the big " Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on " Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 6.
==========
- Post a fresh new HijackTHis log
- Post the Panda ActiveScan results

dobhar

1.1K Posts

September 28th, 2005 01:00

It has been 10 days since I last heard from you. I will be monitoring this thread for another 4 days. If unanswered at the end of those 4 days I will be considering this topic closed and will not be monitoring it for replies.

Thank You,

Message Edited by dobhar on 09-27-2005 09:45 PM

dobhar

1.1K Posts

October 1st, 2005 20:00

Hi...

It has been 14 days since I last heard from you so due to inactivity I have stopped monitoring this Topic. If you still require help please start a new Topic and submit a new fresh HijackThis log. One of our volunteers will be glad to help.

Thank You and Safe Surfing... :)

Was this post helpful?

View All

No Events found!

Top