HJT Log - Please Help. Symptoms are...

#1 - carriemendez (Newbie Poster) - Jan 28th, 2007
Sites take forever to open, and my computer takes just as long.
Many thanks!

Logfile of HijackThis v1.98.2
Scan saved at 8:29:07 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Accent\WNW\Wnw.exe
C:\Program Files\Common Files\Accent Shared\agtserv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Carrie_2\Desktop\Security\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [56wlA5n.exe] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\Jel377h.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
O4 - Startup: WNW.lnk = C:\Program Files\Accent\WNW\Wnw.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1145067128984
#2 - PhilliePhan (Moderator) - Jan 28th, 2007

Hi Carrie,

It looks like you have a few malware issues.

--- Your HJT is an old version and outdated. Let's kill a few birds with one stone and do this:

Please follow the steps that I have written here and get an up-to-date copy of HJT. Be sure to rename it as instructed.


Please submit the three scanlogs requested in the link to this forum and we'll get you cleaned up!

1 - Kaspersky Log
2 - AVG Anti-Spy log (remember to "quarantine" and "Apply Actions" as indicated in my instructions)
3 - Fresh HJT Log

If you have any questions, feel free to ask.

Best Luck
PP
Last edited by PhilliePhan; Jan 28th, 2007 at 4:02 pm.
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
#3 - carriemendez (Newbie Poster) - Jan 30th, 2007
Hi P,
Well, I finally got through most of your instructions, cleaned whatever I could find and the result is uploaded in the attachments.

Thanks so much for your help. Your instructions helped me clean up quite a bit.

If you would take a look, I think we're down to the last few baddies.

tks
Carrie
Attached Files
File Type: txt logfile.txt (624 Bytes, 3 views)
File Type: txt hijackthis.txt (7.1 KB, 2 views)
File Type: txt KASPERSKY ONLINE SCANNER REPORT.txt (63.1 KB, 1 views)
#4 - PhilliePhan (Moderator) - Jan 30th, 2007
Hi Carrie,

Looks like we have a bunch yet to do. But, we'll get there!

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/100...302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

All of the Above are FREE!!

-- You should definitely Update your Java here ---> http://www.java.com/en
-Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! If you do not uninstall ALL older versions, you may remain at risk for a number of baddies such as Vundo.
Do this now.

Also, when we are done, we will need to Flush System Restore – Don’t let me forget!

*** The AVG AntiSpy Log was not saved properly. We’ll run it again after these steps.
*** You have a lot of backdoor Trojans showing. They may have compromised any sensitive information on your computer (banking, passwords, etc...) – You might want to keep an eye on those or change them via a clean computer!


Anyhoo, off we go!
Please do these steps in the order given. Let me know if you have any questions.
You might want to print these steps or save them locally since you will have to reboot and be in Safe Mode.

-- Please Disable SpybotSD’s Tea Timer so it doesn’t interfere with the repair process.

-- Please make sure the Viewing of Hidden Files is Enabled.

-- I suggest you look in Add/Remove Programs and Uninstall Viewpoint / Viewpoint Manager unless you really want to keep it....

--- Download ATF-Cleaner.exe by Atribune to your Desktop. Just leave it for now . . .

--- Download DelDomains and save it to your Desktop. Then, RightClick DelDomains.inf and select Install. That’s all we are going to do with this one.


NEXT:
Please Scan with HijackThis, and check the boxes for the following items if they remain:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe

There is no reason for anything to be in Trusted Zone – DelDomains should have addressed this. If any remain, fix them.
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Fix this, if it remains after the Uninstall of Viewpoint
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Be sure All Browser Windows are Closed and then Click Fix Checked.


NEXT:
Please Boot to Safe Mode.
Use Windows Explorer to navigate to and DELETE these, if they remain.
Remember to ENABLE the Viewing of Hidden Files as I mentioned before.

C:\a.exe
C:\Documents and Settings\Admin\inetd.exe
C:\im.exe
C:\iMeshInst.exe
C:\WINDOWS\system32\aim.exe
C:\WINDOWS\system32\Asp5Wzh.exe
C:\WINDOWS\system32\Heh1MKe7.exe
C:\WINDOWS\system32\Ink640ww.exe
C:\WINDOWS\system32\Jel377h.exe
C:\WINDOWS\system32\KrwH5f.exe
C:\WINDOWS\system32\PlsO0A55.exe
C:\WINDOWS\system32\TktBtA.exe
C:\WINDOWS\system32\Tvi9.exe
C:\WINDOWS\system32\vsixksnw.dll
You’ll need to search for these two:
odfskrnl.exe
lnsvc.exe


NOW:
Run ATF Cleaner

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.
LASTLY: I’d like to see fresh Scanlogs from:
1- Kaspersky
2- AVG Anti-Spyware
3- HijackThis


Let me know if you ran into any problems along the way.

Best Luck
PP
Last edited by PhilliePhan; Jan 30th, 2007 at 9:25 pm. Reason: The Usual Reasons....
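A small triage script, added here as an example (it is not part of the thread and not HijackThis code), that applies the moderator's reasoning above to lines in HJT log format: a Run value with a bare filename (location unknown, must be searched for), an executable launched from a temp folder, one value name registered under several Run keys, and any Trusted Zone entry at all. The rule that flags a BHO loaded straight out of C:\WINDOWS is my own heuristic, not something PP stated; the sample lines are constructed after the log in post #1.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

Mirrors what the moderator flagged in this thread, plus one heuristic of my
own for O2 BHO entries whose DLL sits directly in C:\WINDOWS.
"""
import re
from collections import Counter

# Constructed sample in HijackThis log format, modelled on the thread's entries.
SAMPLE_LOG = r"""
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
O15 - Trusted Zone: http://*.bankofamerica.com
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>.+)$")

def exe_path(cmd):
    """Return the executable part of a Run value: the quoted path, or text up to '.exe'."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd

def analyze(log_text):
    """Return (section, item, reason) triples for lines an analyst should review."""
    findings = []
    run_entries = []
    for line in log_text.splitlines():
        if (m := O4_RE.match(line)):
            run_entries.append(m.groupdict())
        elif (m := O2_RE.match(line)):
            folder = m["path"].rsplit("\\", 1)[0].lower()
            if folder == r"c:\windows":  # heuristic: vendor BHOs normally live under Program Files
                findings.append(("O2", m["clsid"], f"BHO loaded directly from {folder}: {m['path']}"))
        elif (m := O15_RE.match(line)):
            findings.append(("O15", m["host"], "site in Trusted Zone: nothing should be listed here"))
    by_name = Counter(e["name"].lower() for e in run_entries)
    for e in run_entries:
        key, path = f"{e['hive']}\\..\\{e['key']}", exe_path(e["cmd"])
        if "\\" not in path:  # no directory at all: HJT cannot tell you where the file lives
            findings.append(("O4", key, f"[{e['name']}] bare filename {path}: directory unknown, search for it"))
        elif "\\temp\\" in path.lower():  # legitimate autostarts are not launched from temp folders
            findings.append(("O4", key, f"[{e['name']}] launched from a temp folder: {path}"))
    for name, n in by_name.items():  # same value under Run, RunServices and HKCU Run at once
        if n > 1:
            findings.append(("O4", "*", f"[{name}] registered under {n} separate Run keys"))
    return findings
```

analyze(SAMPLE_LOG) returns the triples to print or review; pass the text of a real HJT log in place of the sample.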
#5 - carriemendez (Newbie Poster) - Feb 5th, 2007
Hey P! Managed to get through these instructions without incident. Thanks for making them so clear.

I did remove the trusted sites, but have a problem (i.e. links don't open) with moving around within a site if the site is not listed in Trusted. Drop-downs for file selection, such as to upload an attachment, take eons to open. Not sure if related, but the CD writer software doesn't recognize that a CD is inserted. Trying to think what else...

Here are the new logs. Again, many thanks. Your help is greatly appreciated.
Attached Files
File Type: txt hijackthis20070205.txt (5.6 KB, 1 views)
File Type: txt KASPERSKY 20070205.txt (29.7 KB, 1 views)
File Type: txt Report-Scan-20070204-232003.txt (1.2 KB, 1 views)
#6 - PhilliePhan (Moderator) - Feb 5th, 2007
Happy to help!

Those problems do not make any sense with the steps we ran.
Sites should not have to be listed in the Trusted Zone for them to work properly
What is really weird is that I am helping somebody in a different forum with a similar problem with uploading attachments in a few forums they visit..... Sounds like a javascript issue.....

Do This:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! (jre1.5.0_04 and any others)
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

Then, run ATF Cleaner again to flush the Java Cache.

-- You could try reinstalling the CD Writer software, but I do not think anything we did affected that....

I will double-check the logs when I get home tonight and we'll go from there.

PP
Last edited by PhilliePhan; Feb 5th, 2007 at 4:27 pm.
#7 - PhilliePhan (Moderator) - Feb 5th, 2007
In addition to my previous post, you should really do the following:

Originally Posted by PhilliePhan:
First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/100...302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

-- Otherwise, the new logs look OK (we'll still need to flush System Restore after we finish).
You should delete this baddie that was still found by Kaspersky:
C:\Documents and Settings\Carrie_2\inetd.exe -- Infected: Backdoor.Win32.IRCBot.gen
Or, is this something you recognize?


-- About the Trusted Zone:
Are your IE Security Settings set so high that you need to put these known sites into the Trusted Zone? Did you change those settings?

Let me know.

PP
Last edited by PhilliePhan; Feb 5th, 2007 at 9:56 pm.
©2003 - 2009 DaniWeb® LLC