1972vet
3.3K Posts
0
June 9th, 2006 05:00
ZoneAlarm Free Version
Outpost Free
Kerio
When the installation completes successfully, reboot the computer.
Please update your on board Avast Antivirus scanner. Do not scan with it yet, just run the update and close the application.
Download CCleaner. Double click on the setup file and allow it to install to the default location. At the CCleaner setup screen and install options, uncheck "Add CCleaner Yahoo Toolbar" unless you want it.
Run CCleaner
Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.
Then open it and select the items you wish to clean up.
In the Windows Tab:
I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section if you have it.
Clean any others that you choose.
Then click the "Run Cleaner" button. When finished, close the application.
Please download Ewido Security suite.
After download, double click on the file to launch the install process.
During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido by double-clicking the "e" icon on your desktop.
The program will prompt you to update - click the "OK" button.
On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed.
After the updates are installed, you will see "Update Successful" in the lower left corner.
Once the updates are installed do the following:
Click on "Scanner" and choose "Settings".
Under the bottom section "What to Scan?" make sure "Scan every file" is selected.
Select "OK" and you will return to scanning options.
Boot the computer into safe mode.
Once in safe mode, continue with the instructions below:
On the main screen click on "Complete System Scan" to start the scan.
While the scan is in progress, you will be prompted to clean the first infected file it finds. Put a check next to "Perform action on all infections" in the lower left corner.
Then choose "Clean" and click "OK".
When the scan has completed, Ewido will create a report.txt file.
Click the "Save Report" button on the bottom of the screen and save the log to your desktop.
Exit Ewido when done.
Please run a complete system scan with your on board Avast Antivirus scanner. Use the software to remove anything it finds, then close the application.
Please run HijackThis again and put a check in the box next to these entries that may still exist:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
Do you use a proxy server? If not, then put a check in the box next to these too:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;
R3 - Default URLSearchHook is missing
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_04\bin\ssv.dll (file missing)
O4 - HKCU\..\Run: C:\DOCUME~1\L\MYDOCU~1\SMANTE~1\RNDLL~1.EXE
O4 - HKCU\..\Run: "C:\WINDOWS\PPPATC~1\cmd.exe" -vt ndrv
O4 - HKCU\..\Run: C:\Program Files\TClock\tclock_install.exe
O4 - Startup: GreatMemo.lnk = C:\Program Files\GreatMemo\GreatMemo.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540004} - http://freepcscan.com/spyware/Install.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\msdtc.dll
Close all windows except for HijackThis then click Fix Checked.
Using Windows Explorer, locate and delete the following files/folders in Bold black text:
C:\Program Files\ipwins\ipwins.exe
C:\DOCUMENTS AND SETTINGS\L\MYDOCUMENTS\SMANTE~1\RNDLL~1.EXE Note: the name of the folder here will start with SMANTE, delete that folder
C:\WINDOWS\PPPATC~1\cmd.exe Note: this is not the legitimate file named cmd.exe which is located in the C:\Windows\System32 folder
C:\Program Files\TClock\tclock_install.exe
C:\Program Files\GreatMemo\GreatMemo.exe
C:\Program Files\GreatMemo\wGreatMemo.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRAM FILES\RXTOOL~1\sfcont.dll
C:\WINDOWS\system32\msdtc.dll
Reboot normally and post back a new HijackThis log along with the log from the Ewido scan. Thanks!
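The fix list in the post above is the kind of judgment a HijackThis helper makes by eye. The script below is an added example, not part of the thread and not HijackThis code: it parses the Rn/On entry lines that HijackThis prints and applies a few defensive heuristics matching the classes of entries 1972vet asked to have fixed (a proxy pointing at loopback, an AppInit_DLLs entry, a text/html MIME filter, autoruns from the user profile, a cmd.exe outside System32, a BHO whose file is missing). SAMPLE_LOG is constructed from entries quoted in this thread; the severity labels, regexes and function names are this example's own assumptions.

```python
"""Triage a HijackThis v1.99 log with defensive heuristics.

Added example for this thread; it is not HijackThis code and not the
helper's method. The severity labels, the regexes and SAMPLE_LOG are
this example's own assumptions (the sample is built from entries
quoted in the thread, mixing flagged and benign ones).
"""
import re

# Constructed sample: a header line, one running-process line, then entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R3 - Default URLSearchHook is missing
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: C:\DOCUME~1\L\MYDOCU~1\SMANTE~1\RNDLL~1.EXE
O4 - HKCU\..\Run: "C:\WINDOWS\PPPATC~1\cmd.exe" -vt ndrv
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540004} - http://freepcscan.com/spyware/Install.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\msdtc.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
USER_PROFILE_RE = re.compile(r"\\(DOCUME~1|Documents and Settings)\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\WINDOWS\\system32\\", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)


def parse_entries(log_text):
    """Return (type, body) for each 'Rn - ' / 'On - ' line. Header lines and
    the running-process list carry no such prefix and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage_entry(etype, body):
    """Return (severity, reason) for one entry, or None if nothing stands out.
    Heuristics only: a real review still checks each file and CLSID by hand."""
    if etype == "O20" and body.startswith("AppInit_DLLs:"):
        return "high", "AppInit_DLLs loads this DLL into every process that uses user32.dll"
    if etype == "O18" and body.startswith("Filter: text/html"):
        return "high", "a text/html MIME filter sees every page Internet Explorer renders"
    if etype in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        setting = key.rsplit(",", 1)[-1]
        if setting == "ProxyServer" and LOOPBACK_RE.search(value):
            return "high", "proxy points at loopback: a local program is relaying browser traffic"
        if setting == "ProxyOverride":
            return "review", "proxy override set; fix together with ProxyServer"
        if "Search" in key.rsplit("\\", 1)[-1]:
            return "review", "search setting changed; confirm the user chose this URL"
        if setting == "Local Page":
            return "review", "local page redirected"
        return None
    if etype == "R3" and "missing" in body:
        return "review", "URLSearchHook missing; HijackThis can restore the default"
    if etype == "O2" and body.endswith("(file missing)"):
        return "low", "BHO registered but its file is gone; remove the stale entry"
    if etype == "O4":
        target = body.split(": ", 1)[-1]  # drop the 'HKCU\..\Run' / 'Startup' prefix
        if re.search(r"\\cmd\.exe\b", target, re.IGNORECASE) and not SYSTEM32_RE.search(target):
            return "high", "cmd.exe outside System32 is not the Windows one"
        if USER_PROFILE_RE.search(target):
            return "review", "autorun from a user-profile path; installed software rarely lives there"
        return None
    if etype == "O16":
        return "review", "ActiveX control downloaded from this URL; remove if the site is not recognised"
    return None


def triage(log_text):
    """Run the heuristics over a whole log; findings come back sorted high > review > low."""
    order = {"high": 0, "review": 1, "low": 2}
    findings = []
    for etype, body in parse_entries(log_text):
        verdict = triage_entry(etype, body)
        if verdict:
            severity, reason = verdict
            findings.append({"type": etype, "entry": body, "severity": severity, "reason": reason})
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']} - {f['entry']}\n         {f['reason']}")
```

Run it as a script to print the findings. Treat "review" as a prompt to look up the file or CLSID rather than a verdict, and never fix a proxy entry the user deliberately configured, which is exactly why the helper asked about a proxy server before listing those two lines.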
princessa
12 Posts
0
June 15th, 2006 00:00
Need to submit Ewido log on another post. Thank you very much for your help. I really appreciate it.
Logfile of HijackThis v1.99.1
Scan saved at 7:43:27 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\CCleaner\winreg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\L\Desktop\HijackThis.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
1972vet
3.3K Posts
0
June 15th, 2006 01:00
You've already picked up another virus since your last hjt log.
Navigate to:
C:\Program Files\CCleaner\winreg.exe
Delete the file winreg.exe
note: winreg.ini is a legitimate file in the CCleaner folder. winreg.exe is a virus file added by an unidentified worm or trojan.
princessa
12 Posts
0
June 15th, 2006 13:00
I posted the Ewido log yesterday but it doesn't show here. I will try it again tonight.
You've already picked up another virus since your last hjt log.
Navigate to:
C:\Program Files\CCleaner\winreg.exe
Delete the file winreg.exe
note: winreg.ini is a legitimate file in the CCleaner folder. winreg.exe is a virus file added by an unidentified worm or trojan.
Can you please tell me the steps to follow to do this. Thank you.
1972vet
3.3K Posts
0
June 15th, 2006 14:00
Just curious, can you tell me how you deleted these files?:
Using Windows Explorer, locate and delete the following files/folders in Bold black text:
C:\Program Files\ipwins\ipwins.exe
C:\DOCUMENTS AND SETTINGS\L\MYDOCUMENTS\SMANTE~1\RNDLL~1.EXE Note: the name of the folder here will start with SMANTE, delete that folder
C:\WINDOWS\PPPATC~1\cmd.exe Note: this is not the legitimate file named cmd.exe which is located in the C:\Windows\System32 folder
C:\Program Files\TClock\tclock_install.exe
C:\Program Files\GreatMemo\GreatMemo.exe
C:\Program Files\GreatMemo\wGreatMemo.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRAM
1972vet
3.3K Posts
0
June 15th, 2006 14:00
Click:
My Computer, then click:
Local Disk C:, then click:
Program Files, then click:
CCleaner
Inside the CCleaner folder should appear this file:
winreg.exe
Right click on that file and select Delete.
princessa
12 Posts
0
June 15th, 2006 15:00
Thank you for your patience Vet72. This is quite a task for me. Well, this is what I did.
I opened Windows Explorer and deleted the folders. I could not find the text.
1972vet
3.3K Posts
0
June 15th, 2006 19:00
What "text" are you referring to?
Did you delete this file?:
winreg.exe
princessa
12 Posts
0
June 15th, 2006 21:00
What "text" are you referring to?
Did you delete this file?:
winreg.exe
No, not yet. I was referring to this question below. I am still at work. I will do it as soon as I get home. Thank you again.
Just curious, can you tell me how you deleted these files?:
Using Windows Explorer, locate and delete the following files/folders in Bold black text:
C:\Program Files\ipwins\ipwins.exe
C:\DOCUMENTS AND SETTINGS\L\MYDOCUMENTS\SMANTE~1\RNDLL~1.EXE Note: the name of the folder here will start with SMANTE, delete that folder
C:\WINDOWS\PPPATC~1\cmd.exe Note: this is not the legitimate file named cmd.exe which is located in the C:\Windows\System32 folder
princessa
12 Posts
0
June 16th, 2006 00:00
ewido anti-malware - Scan report
---------------------------------------------------------
+ Report-Checksum: FFB66ECE
HKLM\SOFTWARE\Classes\IExplorr24.clsDW -> Adware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Classes\IExplorr24.clsDW\Clsid -> Adware.InetSpeak : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\HomePage -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\RedirectURLS -> Adware.KeenValue : Cleaned with backup
[208] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Cleaned with backup
[256] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[268] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[428] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[496] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[556] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[784] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
princessa
12 Posts
0
June 16th, 2006 00:00
Please help! I don't think I am posting the Ewido report correctly. Can you please give me instructions on how to send it? Thanks. I know I am not good at this but I am still trying.
Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.
I got this message when I tried to post this message.
princessa
12 Posts
0
June 16th, 2006 00:00
more ewido report--
C:\Documents and Settings\G\Cookies\g@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\G\Cookies\g@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\G\Local Settings\Temp\__unin__.exe -> Adware.Altnet : Cleaned with backup
C:\Documents and Settings\L\Cookies\l@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\L\Shared\( ( ( (((( counter strike full veresion.rar/Setup_toolBar.exe -> Downloader.IstBar.nj : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@search.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\Acoustica MP3 Audio Mixer\utilities.exe -> Adware.Agent : Cleaned with backup
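The two ewido reports above (this post and the earlier one with the registry and msdtc.dll lines) are plain text with one detection per line, and the repeated msdtc.dll lines with a [pid] prefix and "Error during cleaning" are the part worth reading closely: the DLL was mapped into several running processes, so the cleaner most likely could not unload it from all of them, which is why the helper's instructions call for a safe-mode scan. The parser below is an added example, not ewido's code and not part of the thread; SAMPLE_REPORT is constructed from lines quoted in these posts, and the function names are this example's own.

```python
"""Summarise an ewido anti-malware scan report and pick out what is still live.

Added example for this thread, not ewido's code. Each detection line has the
shape 'item -> Detection : Status'; a detection found inside a running process
carries a '[pid]' prefix. SAMPLE_REPORT is constructed from lines quoted in
the thread; the function names are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""ewido anti-malware - Scan report
---------------------------------------------------------
+ Report-Checksum: FFB66ECE
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO -> Adware.KeenValue : Cleaned with backup
[208] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Cleaned with backup
[256] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
[268] C:\WINDOWS\system32\msdtc.dll -> Adware.PurityScan : Error during cleaning
C:\Documents and Settings\L\Cookies\l@ford.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\L\Shared\( ( ( (((( counter strike full veresion.rar/Setup_toolBar.exe -> Downloader.IstBar.nj : Cleaned with backup
C:\Program Files\Acoustica MP3 Audio Mixer\utilities.exe -> Adware.Agent : Cleaned with backup
"""

PID_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<rest>.*)$")


def parse_report(text):
    """Return one dict per detection line: item, detection, status, pid (or None).
    Header, rule and checksum lines contain no ' -> ' and are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if " -> " not in line:
            continue
        pid = None
        m = PID_RE.match(line)
        if m:
            pid = int(m.group("pid"))
            line = m.group("rest")
        # rpartition keeps an odd ' -> ' or ' : ' inside the item path intact
        item, _, tail = line.rpartition(" -> ")
        detection, _, status = tail.partition(" : ")
        records.append({"item": item, "detection": detection, "status": status, "pid": pid})
    return records


def status_counts(text):
    """How many items ended in each status, e.g. cleaned vs. error."""
    return Counter(r["status"] for r in parse_report(text))


def still_loaded(text):
    """Items that failed to clean while mapped into running processes. The
    file is in use, so it survives until those processes are gone (a reboot
    or a safe-mode scan, as the thread's instructions say). Returns item -> pids."""
    pids = defaultdict(list)
    for r in parse_report(text):
        if r["status"] != "Cleaned with backup" and r["pid"] is not None:
            pids[r["item"]].append(r["pid"])
    return {item: sorted(p) for item, p in pids.items()}


def detections_by_family(text):
    """Group the affected items under their detection name, for a quick read of
    what families were present (cookies vs. adware vs. a downloader)."""
    fam = defaultdict(set)
    for r in parse_report(text):
        fam[r["detection"]].add(r["item"])
    return {k: sorted(v) for k, v in fam.items()}


if __name__ == "__main__":
    print(dict(status_counts(SAMPLE_REPORT)))
    for item, pids in still_loaded(SAMPLE_REPORT).items():
        print(f"still loaded in processes {pids}: {item}")
    for family, items in detections_by_family(SAMPLE_REPORT).items():
        print(family, len(items))
```

Paste a saved report.txt into SAMPLE_REPORT or read it from a file; anything listed by still_loaded is what to look for again in the next HijackThis log after the reboot.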
1972vet
3.3K Posts
0
June 16th, 2006 03:00
Now that your system is clean, let's create a new restore point.
Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, check 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, give your restore point a name you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.
In the future, there are some things you can do to prevent spyware infections:
Install the following freeware programs:
SpywareGuard
Spywareblaster
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.
Stay updated with the most recent Windows patches using Microsoft's Windows Update.
Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org
If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.
Run CCleaner often or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup") and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files
So how did I get infected in the first place?
Regards, and Happy Surfing!
princessa
12 Posts
0
June 16th, 2006 03:00
Here's a new HJT logfile. Thank you again Vet72.
Logfile of HijackThis v1.99.1
Scan saved at 11:32:02 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\YCOMMON.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE