Gladiator Security Forum

> Problem with 1 computer hooked to a router
Grn92LX
post Jun 7 2005, 01:50 AM
Post #1

Active Member
Group: Member
Posts: 14
Joined: 7-June 05
Member No.: 15219

Here is my problem. I have 2 computers hooked up to a router. Lately 1 of the computers has been giving me problems. It won't connect to the internet while the other computer works just fine. It will sometimes work and get on the internet but after about 5 minutes I get the "page can not be displayed". I called my internet service provider and did the steps over the phone with them and it's not a problem on their end. We did a ping test and it pinged yahoo so they said it sounds like a problem with the computer. I had this same problem over the weekend and called them too but somehow they fixed it by essentially resetting the modem and router.

The computer I'm having problems with is a Dell and I have Windows XP. I am not good with computers so bear with me.

I can't send a hijack log file because I have no way of sending it to this working computer. Nothing works on it. Any steps I could try?

I have a few spyware remover things I use but that doesn't seem to fix anything. (ad aware, spybot, spysweeper and regscrubxp)

Mike

This post has been edited by Grn92LX: Jun 7 2005, 01:54 AM
Bobbi Flekman
post Jun 7 2005, 05:05 AM
Post #2

The computer whisperer
Group: Admin
Posts: 5988
Joined: 17-April 04
From: Isla Nublar
Member No.: 6954

It sounds like you can run HijackThis.

Can you save the log on a floppy disc and take that to the working computer?


Grn92LX
post Jun 7 2005, 05:27 AM
Post #3

Here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:24 AM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\logon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stangnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\\system32\userinit.exe,
O2 - BHO: (no name) - {2E15E638-EE08-1381-BF26-4063E1D7BB6E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CD6619AD-DA37-455A-A00B-B20B8EE31B7B} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Bobbi Flekman
post Jun 7 2005, 09:25 AM
Post #4

Hi Grn92LX,

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

F2 - REG:system.ini: UserInit=C:\WINDOWS\\system32\userinit.exe,

O2 - BHO: (no name) - {2E15E638-EE08-1381-BF26-4063E1D7BB6E} - (no file)
O2 - BHO: (no name) - {CD6619AD-DA37-455A-A00B-B20B8EE31B7B} - (no file)

O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\system32\logon.exe
C:\WINDOWS\wkssvc.exe

Restart your computer and post a new log in this thread.


Grn92LX
post Jun 7 2005, 05:34 PM
Post #5

Here is the new log. I believe I followed your directions 100%.


Logfile of HijackThis v1.99.1
Scan saved at 1:32:00 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HIjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stangnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Bobbi Flekman
post Jun 8 2005, 09:59 AM
Post #6

Hi Grn92LX,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\wkssvc.exe

Restart your computer and post a new log in this thread.


Grn92LX
post Jun 8 2005, 11:55 PM
Post #7

Here's the new log:


Logfile of HijackThis v1.99.1
Scan saved at 7:49:39 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HIjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stangnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe
Bobbi Flekman
post Jun 9 2005, 10:48 AM
Post #8

Hi Grn92LX,

I see the wkssvc.exe hasn't been removed. From extra research I already had gathered as much... So we'll try another way.

Go to http://www.bleepingcomputer.com/submit-malware.php and submit the following file(s): C:\WINDOWS\w32mfpd.exe

That way I can take a look at it, because I don't trust it. I'll leave it out of the fix for now, because I want to be sure.

Please follow all instructions exactly as specified. I would advise printing them out so you're sure to follow all instructions.

Copy the below instructions (until you get to the purple text). Paste them into notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work.

I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

After getting into Safe Mode, Go to Start > Run type in:

cmd

Click OK.

A black window will open up.

Copy the below line, exactly, and paste it into the black window:

attrib -h -r -s C:\WINDOWS\system32\rdriv.sys

Hit Enter.

When it goes to the next line, copy the below line, exactly, and paste it into the black window:

del C:\WINDOWS\system32\rdriv.sys

Hit Enter.

Then type exit

[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]

Reboot into normal mode.

RIGHT-CLICK HERE and Save As (in Internet Explorer, it's "Save Target As") in order to download the fixrdriv.reg file. Save it to your desktop.

Locate fixrdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, please do the following:

* Download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, Run HijackThis. Place a check next to the following items and click FIX CHECKED:

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe

Close HiJackThis.

Now, make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

Download, install, and run CleanUp!

Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.


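The fix list in post #4 and the log comparison the helper makes in post #8 follow a handful of repeatable checks: a BHO whose DLL is gone, a Run/RunServices entry that launches a bare filename such as logon.exe, an O23 service with "Unknown owner", a UserInit value that does not match the stock one, and entries that appear or persist between two logs of the same machine. The script below is an added example written for this thread; it is not HijackThis code or anything the forum's helpers posted. It assumes the HJT v1.99 line layout seen in the logs above (section code, " - ", body) and a default XP install in C:\WINDOWS for the UserInit comparison; the sample logs are excerpts of the logs posted in this thread.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HJT code)."""
import re
from typing import List, Tuple

# Every HJT entry line starts with a section code, e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Stock UserInit value on a default XP install in C:\WINDOWS (assumption taken
# from the drive and folder seen in this thread's logs).
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

Finding = Tuple[str, str]  # (reason, full entry line)


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; process list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def launched_executable(body: str) -> str:
    """Program an O4 entry launches: the text after the [name] tag, unquoted."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""  # Global Startup .lnk entries carry no [name] tag
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text: str) -> List[Finding]:
    """Apply simple heuristics to one log; every hit still needs a human decision."""
    findings: List[Finding] = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1].strip()
            if value.lower() != STOCK_USERINIT.lower():
                findings.append(("UserInit differs from the stock XP value", line))
        elif section == "O2" and "(no file)" in body:
            findings.append(("BHO registered but its DLL is gone", line))
        elif section == "O4":
            exe = launched_executable(body)
            # A bare filename is resolved through the search path; malware likes
            # this (logon.exe here), but BCMSMMSG.exe shows benign OEM tools do it too.
            if exe and "\\" not in exe:
                findings.append(("autostart launches a bare filename", line))
        elif section == "O23":
            if "Unknown owner" in body:
                findings.append(("service with no vendor", line))
            if "(file missing)" in body:
                findings.append(("orphaned service entry (binary already gone)", line))
    return findings


def diff_entries(old_text: str, new_text: str) -> Tuple[List[str], List[str]]:
    """(added, removed) entry lines between two logs of the same machine."""
    old = [f"{s} - {b}" for s, b in parse_entries(old_text)]
    new = [f"{s} - {b}" for s, b in parse_entries(new_text)]
    old_set, new_set = set(old), set(new)
    return [e for e in new if e not in old_set], [e for e in old if e not in new_set]


# Excerpts of the logs posted in this thread (post #3 and post #7).
LOG_POST3 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\\system32\userinit.exe,
O2 - BHO: (no name) - {2E15E638-EE08-1381-BF26-4063E1D7BB6E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

LOG_POST7 = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(LOG_POST3):
        print(f"[{reason}] {entry}")
    added, removed = diff_entries(LOG_POST3, LOG_POST7)
    print("new since first log:", *added, sep="\n  ")
    print("gone since first log:", *removed, sep="\n  ")
```

Run over the post #3 excerpt the script flags six lines (the UserInit value, one BHO, three bare-filename autostarts including the benign BCMSMMSG.exe, and the wkssvc.exe service); the diff against post #7 shows the four items fixed in post #4 gone and the W32mfp service newly present, which is exactly what the helper reacts to in post #8. The bare-filename rule is deliberately noisy: a hit means "look at it", not "delete it".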
Grn92LX
post Jun 10 2005, 12:12 AM
Post #9

So I did the first part and it kept saying there was no file found. What does that mean? Is that a good thing? I tried to download Killbox but it said I didn't have permission to do so. What now? I didn't do the next steps because I'd figure you would want me to do them all in the same order.

This post has been edited by Grn92LX: Jun 10 2005, 12:16 AM
Bobbi Flekman
post Jun 10 2005, 10:13 AM
Post #10

Hi Grn92LX,

QUOTE
So I did the first part and it kept saying there was no file found. What does that mean? Is that a good thing?
What do you mean? Which first part? The submitting? Or the .reg-file download?

QUOTE
I tried to download Killbox but it said I didn't have permission to do so. What now? I didn't do the next steps because I'd figure you would want me to do them all in the same order.
I found another link to download Killbox from http://www.downloads.subratam.org/KillBox.zip


Grn92LX
post Jun 10 2005, 05:49 PM
Post #11

When I looked for attrib -h -r -s C:\WINDOWS\system32\rdriv.sys in the black window it said didn't find the file.

I don't have an antivirus program on my PC. I had Norton a long time ago but it expired. So I can't check if anything's grayed out or if it works.

This post has been edited by Grn92LX: Jun 10 2005, 06:01 PM
Grn92LX
post Jun 10 2005, 08:24 PM
Post #12

Here are all the logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 4:21:19 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HIjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stangnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:16:49 PM, 6/10/2005
+ Report-Checksum: 5E4D72C7

+ Date of database: 6/10/2005
+ Version of scan engine: v3.0

+ Duration: 61 min
+ Scanned Files: 67089
+ Speed: 18.16 Files/Second
+ Infected files: 126
+ Removed files: 126
+ Files put in quarantine: 126
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\I386\NETMEET.HTM -> Worm.Nimda -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\sakon.exe -> TrojanProxy.Ranky -> Cleaned with backup
C:\WINDOWS\$NtServicePackUninstall$\netmeet.htm -> Worm.Nimda -> Cleaned with backup


::Report End


Incident                    Status            Location
Adware:Adware/SaveNow       No disinfected    Windows Registry
Adware:Adware/Gator         No disinfected    C:\WINDOWS\gator*.log
Spyware:Spyware/Dyfuca      No disinfected    Windows Registry
Adware:Adware/Apropos       No disinfected    C:\WINDOWS\cxtpls_loader.exe
Spyware:Spyware/TVMedia     No disinfected    C:\Documents and Settings\Mike\Application Data\tvm*.dll
Adware:Adware/IPInsight     No disinfected    C:\WINDOWS\alchem.???
Adware:Adware/Delta         No disinfected    Windows Registry
Spyware:Spyware/TVMedia     No disinfected    C:\Documents and Settings\Mike\Application Data\tvmcwrd.dll
Virus:W32/Sdbot.DVY.worm    Disinfected       C:\rasdkk.exe
Virus:W32/Sdbot.DVY.worm    Disinfected       C:\repkk.exe
Adware:Adware/IPInsight     No disinfected    C:\WINDOWS\alchem.ini
Adware:Adware/Apropos       No disinfected    C:\WINDOWS\cxtpls_loader.exe
Adware:Adware/Gator         No disinfected    C:\WINDOWS\GatorPatch.log
Adware:Adware/WinAD         No disinfected    C:\WINDOWS\l.exe
Adware:Adware/NetPals       No disinfected    C:\WINDOWS\SYSTEM32\atiupdate5.exe
Virus:Trojan Horse          Disinfected       C:\WINDOWS\SYSTEM32\bH.dll
Adware:Adware/NetPals       No disinfected    C:\WINDOWS\SYSTEM32\calsdr.exe
Adware:Adware/StatBlaster   No disinfected    C:\WINDOWS\SYSTEM32\NsM02wQ.exe
Adware:Adware/Transponder   No disinfected    C:\WINDOWS\zigzowc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe (file missing)
Bobbi Flekman
post Jun 11 2005, 12:44 PM
Post #13


The computer whisperer

Group: Admin
Posts: 5988
Joined: 17-April 04
From: Isla Nublar
Member No.: 6954



Hi Grn92LX,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

Then close all windows and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.


Grn92LX
post Jun 11 2005, 05:41 PM
Post #14


Active Member

Group: Member
Posts: 14
Joined: 7-June 05
Member No.: 15219



Logfile of HijackThis v1.99.1
Scan saved at 1:40:21 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\program files\quicktime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\HIjackThis\HijackThis.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stangnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stangnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe (file missing)
Bobbi Flekman
post Jun 12 2005, 08:29 AM
Post #15


The computer whisperer

Group: Admin
Posts: 5988
Joined: 17-April 04
From: Isla Nublar
Member No.: 6954



Hi Grn92LX,

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click >Options over to the left, then >program options, and uncheck "load at windows startup".
Over to the left click "Shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe (file missing)


Then close all windows and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\wkssvc.exe
C:\WINDOWS\w32mfpd.exe

Restart your computer and post a new log in this thread.
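The two O23 entries singled out above share the traits a helper looks for: "Unknown owner" and "(file missing)". As an added example (not code from this thread or from HijackThis), here is a small Python parser that applies those same checks to the O23 lines of a HijackThis v1.99 log; the sample lines are constructed from the entries in this thread, and the third check (an executable sitting directly in the Windows directory) is a heuristic assumed here, not a HijackThis rule.

```python
"""HijackThis O23 triage (added example; not code from this thread or from HijackThis).

Parses the "O23 - Service:" lines of a HijackThis v1.99 log and flags the
entries a helper would mark for "Fix checked": services whose executable has
no vendor ("Unknown owner"), whose file is gone ("(file missing)"), or whose
executable sits directly in the Windows directory instead of System32 or
Program Files (this last check is an assumed heuristic, not a HijackThis rule).
"""
import re
from dataclasses import dataclass, field

# O23 layout: "O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>file missing)\))?$"
)

# Constructed sample, patterned on the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Windows 32 mfp (W32mfp) - Unknown owner - C:\WINDOWS\w32mfpd.exe (file missing)
"""


@dataclass
class ServiceEntry:
    display: str
    short: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["short"], m["owner"], m["path"],
                        m["note"] is not None)


def triage(entry):
    """Apply the checks and record why an entry should be fixed; [] means leave it."""
    reasons = []
    if entry.owner.lower() == "unknown owner":
        reasons.append("no vendor name in the executable's version info")
    if entry.file_missing:
        reasons.append("service is still registered but its executable is gone")
    # Heuristic (assumed): real services live under System32 or Program Files,
    # so an executable directly in the Windows directory deserves a look.
    parent = entry.path.rsplit("\\", 1)[0].lower()
    if parent == "c:\\windows":
        reasons.append("executable sits directly in the Windows root")
    entry.reasons = reasons
    return reasons


def flag_services(log_text):
    """Return the O23 entries in a log that fail at least one check."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_services(SAMPLE_LOG):
        print(f"[{e.short}] {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```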

