Please help me, I had trojan-spy.html.smitfraud.c, I looked at a forum and I think I got rid of it, but I was also having something that came up with a black screen that said that I was in danger. I had a program that installed itself called Security iGuard. The forum said to try to uninstall it but for some reason I could not find it even though it was on my desktop. So I still don't know if it is there or not. Also I have this x in my tray that pops up with Your computer is Infected. Please help me. I really want to get rid of all this junk on my cpu.
Here is my hijack file:
Logfile of HijackThis v1.99.1
Scan saved at 4:58:55 PM, on 5/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\winnook.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP RecordNow\mycd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kavee.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {42C21F01-F6DE-4B57-9CA9-ECDBD48392AD} - C:\WINDOWS\system32\iptk32.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\apiee32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
Thank you
Major Help needed
Started by Drack, May 28 2005 10:07 PM
5 replies to this topic
#1
Posted 28 May 2005 - 10:07 PM
#2
Posted 29 May 2005 - 01:34 AM
First:
1. Download AboutBuster here:
http://www.malwareby...AboutBuster.zip
Unzip it to your desktop but don't run it yet; we'll do that later on down in this list in SAFE MODE.
2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.
3. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
4. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...001052409420406
5. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kavee.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {42C21F01-F6DE-4B57-9CA9-ECDBD48392AD} - C:\WINDOWS\system32\iptk32.dll (file missing)
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\apiee32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
Delete the following files/folders:
C:\WINDOWS\System32\winnook.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\apiee32.exe
6. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.
7. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
8. Reboot to normal mode, scan again with Hijack This and post a new log here.
9. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Quote:
ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)
10. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review
#3
Posted 29 May 2005 - 02:09 AM
I will do everything I can, thanks for your help. I will post the hijack soon, but I can't get the .zip file; it comes out and says that it is corrupt, and when I try to unzip it says nothing to unzip???
#4
Posted 29 May 2005 - 02:30 AM
Try the Zip attached to this post. I know this one is good.
#5
Posted 29 May 2005 - 02:44 AM
That link still had 0 files to extract. Also did everything else I could. Could not find winnook, actually could not find any of the files that you wanted me to delete until I used search...deleted msmsgs files that were not my ms messenger, also deleted apiee32 from documents and settings (not from windows/), also from the search window. It had some issues with doing that, deleted what I could. I then restarted my cpu, I still have the black screen but no x in the sys tray annoying me :) so part way there I guess...I want to make sure my cpu is safe to send emails out to people and for me to use without more damage being done. Here is the hijack file from a scan done after I finished fixing the probs you told me to. I thank you very very very much for your help.
Logfile of HijackThis v1.99.1
Scan saved at 9:17:51 PM, on 5/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.marshall....AV9/webinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thanks again
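Added example, not part of the original thread: a short Python check that compares the two HijackThis logs posted above against the helper's "Fix Checked" list and delete list, reporting fix-list entries that survived and startup entries that still reference a file that was to be deleted. The log lines are excerpts copied from this thread; the function and variable names are illustrative.

```python
import re

# Excerpts copied from the first (before) and second (after) logs in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kavee.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {42C21F01-F6DE-4B57-9CA9-ECDBD48392AD} - C:\WINDOWS\system32\iptk32.dll (file missing)
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\apiee32.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# The helper's "Fix Checked" list from step 5, copied from the reply above.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kavee.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {42C21F01-F6DE-4B57-9CA9-ECDBD48392AD} - C:\WINDOWS\system32\iptk32.dll (file missing)
O4 - HKLM\..\Run: [apiee32.exe] C:\WINDOWS\apiee32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
"""

# Files the helper asked to delete in step 5.
DELETED = [
    r"C:\WINDOWS\System32\winnook.exe",
    r"C:\WINDOWS\System32\msmsgs.exe",
    r"C:\WINDOWS\apiee32.exe",
]

# A HijackThis entry line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header and running-process lines do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (code, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def check_remediation(before, after, fix_list, deleted_files):
    """Compare before/after logs against the fix list and the delete list."""
    b, a, fixes = (parse_entries(t) for t in (before, after, fix_list))
    deleted = [p.lower() for p in deleted_files]
    return {
        # Fix-list entries that are still in the follow-up log.
        "still_present": sorted(fixes & a),
        # Fix-list entries that never appeared in the first log (typo check).
        "not_in_before": sorted(fixes - b),
        # Entries that only appear in the follow-up log.
        "new": sorted(a - b),
        # Remaining entries whose body names a file from the delete list.
        "dangling": sorted(e for e in a
                           if any(p in e[1].lower() for p in deleted)),
    }


if __name__ == "__main__":
    for name, items in check_remediation(BEFORE, AFTER, FIX_LIST, DELETED).items():
        print(f"{name}: {len(items)}")
        for code, body in items:
            print(f"  {code} - {body}")
```

On these excerpts no fix-list entry remains, and one `HKLM\..\Run` value (`[MSN Messenger]`) still names a path from the delete list.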
#6
Posted 29 May 2005 - 05:03 AM
ok, so before I was directed to put my hijack list up here I read another posting (from your site) that said how to get rid of the black background. So I did that and I also read how to see hidden system operation programs or something like that...I did that and then saw the winnook...I deleted it (not in safe mode I'm afraid) but it did work. I was running trend.micro, it found a virus and some spyware that it got rid of. I was able to (don't know how) download that .zip this time around :)
so I went back to safe mode after trend finished and ran as you said, below is the log. Some of these seem important...like winhelp ??? I am going to run Panda Software virus scan overnight, do you have any other suggestions to make sure that my cpu is clean? Also I was curious if that active script prompt will remember my answers somehow...it keeps popping up on some sites that I trust and it is a little annoying...so I was wondering if there is a way to protect me without the annoyance. Thank you soooooooooo much for all your help. Again please let me know if you think my cpu is safe and clean for now at least...and I will run trend and my Norton and spybot, Ad-Aware, and panda once a week from now on, and anything else you suggest to ensure security. Thank you so much
Scanned at: 11:47:02 PM on: 5/28/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25
Removed Data Streams:
C:\WINDOWS\BcdSetup.log:zlttq
C:\WINDOWS\cdplayer.ini:tkcku
C:\WINDOWS\cdplayer.ini:tkcku
C:\WINDOWS\Coffee Bean.bmp:xunzu
C:\WINDOWS\crafy.log:qvgno
C:\WINDOWS\EReg077.dat:jutbl
C:\WINDOWS\fxlvr.txt:nppzb
C:\WINDOWS\hh.exe:fpaev
C:\WINDOWS\HTWT7771.bin:tzonf
C:\WINDOWS\HTWT7771.bin:tzonf
C:\WINDOWS\ICG32.DLL:yqsjx
C:\WINDOWS\msgsocm.log:uyogm
C:\WINDOWS\nsw.log:dhjjt
C:\WINDOWS\ntdtcsetup.log:mlaap
C:\WINDOWS\orun32.ini:vazmc
C:\WINDOWS\Prairie Wind.bmp:gbkez
C:\WINDOWS\presntr.ini:oakch
C:\WINDOWS\Q307271.log:ycckb
C:\WINDOWS\Q308677.log:rcnxv
C:\WINDOWS\Q308677.log:rcnxv
C:\WINDOWS\Q311889.log:jroam
C:\WINDOWS\Q314862.log:vjcur
C:\WINDOWS\Q315403.log:vxbyw
C:\WINDOWS\Q318138.log:fymdq
C:\WINDOWS\Q328940.log:xyejk
C:\WINDOWS\Q329834.log:qzxwm
C:\WINDOWS\Q329834.log:qzxwm
C:\WINDOWS\QUICKEN.INI:ezbzh
C:\WINDOWS\Rhododendron.bmp:bmgjp
C:\WINDOWS\SchedLgU.Txt:clciz
C:\WINDOWS\setdebug.exe:pvlqt
C:\WINDOWS\setupact.log:ynqlk
C:\WINDOWS\setupact.log:ynqlk
C:\WINDOWS\smscfg.ini:okvui
C:\WINDOWS\Sti_Trace.log:glohc
C:\WINDOWS\syseg32.dll:rmzne
C:\WINDOWS\TASKMAN.EXE:jfrsy
C:\WINDOWS\TASKMAN.EXE:jfrsy
C:\WINDOWS\UNINST32.EXE:sihsl
C:\WINDOWS\vminst.log:adcpd
C:\WINDOWS\winhelp.exe:rdlhs
C:\WINDOWS\winhlp32.exe:qhuar
C:\WINDOWS\winnt256.bmp:keeum
C:\WINDOWS\xuxbj.txt:zrluv
C:\WINDOWS\xuxbj.txt:zrluv
C:\WINDOWS\Zapotec.bmp:vxhfi
C:\WINDOWS\_default.pif:nodbz
Removed! : C:\WINDOWS\ghpfx.dat
Removed! : C:\WINDOWS\jnytn.dat
Removed! : C:\WINDOWS\xwikv.dat
Removed! : C:\WINDOWS\System32\ujjtl.dat
Removed! : C:\WINDOWS\System32\zrbok.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25
Removed Data Streams:
C:\WINDOWS\BcdSetup.log:zlttq
C:\WINDOWS\cdplayer.ini:tkcku
C:\WINDOWS\cdplayer.ini:tkcku
C:\WINDOWS\Coffee Bean.bmp:xunzu
C:\WINDOWS\crafy.log:qvgno
C:\WINDOWS\EReg077.dat:jutbl
C:\WINDOWS\fxlvr.txt:nppzb
C:\WINDOWS\hh.exe:fpaev
C:\WINDOWS\HTWT7771.bin:tzonf
C:\WINDOWS\HTWT7771.bin:tzonf
C:\WINDOWS\ICG32.DLL:yqsjx
C:\WINDOWS\msgsocm.log:uyogm
C:\WINDOWS\nsw.log:dhjjt
C:\WINDOWS\ntdtcsetup.log:mlaap
C:\WINDOWS\orun32.ini:vazmc
C:\WINDOWS\Prairie Wind.bmp:gbkez
C:\WINDOWS\presntr.ini:oakch
C:\WINDOWS\Q307271.log:ycckb
C:\WINDOWS\Q308677.log:rcnxv
C:\WINDOWS\Q308677.log:rcnxv
C:\WINDOWS\Q311889.log:jroam
C:\WINDOWS\Q314862.log:vjcur
C:\WINDOWS\Q315403.log:vxbyw
C:\WINDOWS\Q318138.log:fymdq
C:\WINDOWS\Q328940.log:xyejk
C:\WINDOWS\Q329834.log:qzxwm
C:\WINDOWS\Q329834.log:qzxwm
C:\WINDOWS\QUICKEN.INI:ezbzh
C:\WINDOWS\Rhododendron.bmp:bmgjp
C:\WINDOWS\SchedLgU.Txt:clciz
C:\WINDOWS\setdebug.exe:pvlqt
C:\WINDOWS\setupact.log:ynqlk
C:\WINDOWS\setupact.log:ynqlk
C:\WINDOWS\smscfg.ini:okvui
C:\WINDOWS\Sti_Trace.log:glohc
C:\WINDOWS\syseg32.dll:rmzne
C:\WINDOWS\TASKMAN.EXE:jfrsy
C:\WINDOWS\TASKMAN.EXE:jfrsy
C:\WINDOWS\UNINST32.EXE:sihsl
C:\WINDOWS\vminst.log:adcpd
C:\WINDOWS\winhelp.exe:rdlhs
C:\WINDOWS\winhlp32.exe:qhuar
C:\WINDOWS\winnt256.bmp:keeum
C:\WINDOWS\xuxbj.txt:zrluv
C:\WINDOWS\xuxbj.txt:zrluv
C:\WINDOWS\Zapotec.bmp:vxhfi
C:\WINDOWS\_default.pif:nodbz
Attempted Clean Of Temp folder.
Pages Reset... Done!
oh after I ran the AB I did the cleanmgr thing again before returning to normal mode. I hope that is everything. thanks again


