Originally Posted by gerbil

I must say that i find your pc's inability to connect to the web a bit ironic, cos you have amongst other pests a backdoor trojan [ an IRC bot in this case], and that one would most definitely want to connect. A backdoor trojan?- it means that you have a trojan implanted which allows someone to control your computer. After this is over you will want to change passwords, esp any banking or other critical passwords...you have been keylogged.

Okay let's get started. It's going to be a pest but copy these downloads into the pc. They fit on a floppy. But first you must delete the instance of hijackthis you have used, and download a fresh copy from http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files. Rename the hijackthis.exe to imabunny.exe.
-when next you run it first close ALL other applications and any open windows including the explorer window containing HijackThis.

===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1

===Download SDFix from here: http://downloads.andymanchesta.com/R...ools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

===ATF- Dclick ATF-Cleaner .exe to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Close ATF.

===Restart you computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.

===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Post the contents of the file Report.txt here.

Okay here is the file log for SDfix


SDFix: Version 1.62
23/01/2007 - 19:42:51.31
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
MsaSvc
Path:
C:\WINDOWS\system32\msasvc.exe
MsaSvc Deleted
Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...
Normal Mode:
Checking Files:
No Files Found..


Alternate Streams Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Rootkit PE386 Found!
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:Enabled:AOL"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:Enabled:AOL"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:Enabled:mIRC"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:Enabled:AOL"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:Enabled:Kazaa"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:Enabled:Windows Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:Enabled:BitLord"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:Enabled:Internet Explorer"
"C:\\Program Files\\SecondLife\\SecondLife.exe"="C:\\Program Files\\SecondLife\\SecondLife.exe:Enabledecond Life"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exeisabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"

Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :
C:\NTDETECT.COM
C:\Program Files\BitLord\Downloads\Lady.In.The.Water.XViD.TS-maVen.[www.torrentfive.com]\Thumbs.db
C:\Program Files\BitLord\Downloads\Lady.In.The.Water.XViD.TS-maVen.[www.torrentfive.com]\Sample\Thumbs.db
C:\Program Files\BitLord\Downloads\VA - Now Thats What i Call Music Vol.65 (2006) - Pop [www.torrentazos.com]\Thumbs.db
C:\Program Files\AOL 9.0\aolphx.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL 9.0\RBM.exe
C:\Program Files\AOL 9.0a\aolphx.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\AOL 9.0a\RBM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Temp\aol\AOL_Broadband_Installer.exe
C:\Temp\aol\connect.exe
C:\Temp\aol\tasklist.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\Shaun Thomas\Application Data\Roxio\Dragon\DiscInfoCache\_NEC_____DVD_RW_ND-2510A__2.0T_300_DICV018_DRGV2050108.TMP
C:\Documents and Settings\Shaun Thomas\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Shaun Thomas\My Documents\~WRL0004.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4b34878aafc0e683f0fb70226fb76c67\BIT1E4.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT27B.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7cecb3d5275aec8daa3b904c6773634d\BIT1E2.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b2015ee99ba786b3c88682eb169aa4eb\BIT1E1.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\be06a3356aefaf00a717740989d18dcc\BIT1E5.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e1c8fbe36dac425bca58003e33655c65\BIT1E3.tmp
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341235.TMP
Finished


Restart the pc in normal mode. If you can now get on the net....
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and update it.

Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

Here is the log file

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 20:57:32 23/01/2007
+ Scan result:

HKU\S-1-5-21-2211359908-1112116776-1192396834-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147959.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147960.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147961.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147962.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147964.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147965.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147966.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147968.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147969.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147970.exe -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159043.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159044.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159045.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159046.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159047.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159048.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159050.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159051.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159056.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159057.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159058.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP631\A0143676.dll -> Adware.Solution : Cleaned with backup (quarantined).
C:\Documents and Settings\Shaun Thomas\My Documents\ChickenInvaders2Setup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Shaun Thomas\My Documents\MahJongSetup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\CakeManiaSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\PuppyluvNB-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\WinterChallengeSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\WordKrispies-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\supergrannyam-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP659\A0147971.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP679\A0168369.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@aoluk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\system32\out.dll -> Trojan.Agent.adl : Cleaned with backup (quarantined).
C:\kennwokd.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP671\A0159042.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

::Report end


Whether or not you got on the net re-run Hijackthis [as imabunny.exe] and check the following [if they exist] for fixing, and press Fix Selected.

C:\WINDOWS\TEMP\1E2D5597.exe
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll",vuljcec

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE ==this one is benign, but a time waster.

O4 - HKLM\..\Run: [fwewwqwe3] C:\WINDOWS\TEMP\1E2D5597.exe
O4 - HKCU\..\Run: [icasServ] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hkgaqge] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdPopup] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [acenotes] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [4bysw3l3aemdj#] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

If you could not get on the net before, restart now and try again, and if it works download and run AVG as above.

Post those logs.

Originally Posted by gerbil

A few things to clean up yet... fix them with iamabunny... as before [you didn't have to call it that, almost any name would have done; i was pulling your leg a bit..]
First off, and VERY IMPORTANTLY, we gotta go after that rootkit pe386. Note that SDFix found it, but it cannot remove it. Possibly the best thing I can do is to send you to this page http://www.geekstogo.com/forum/How_t...s-t140682.html -- read down [note the SDfix report..] until you come to RustockB [pe386] removal instructions. Download the file from that link... ah, just follow the instructions! Post the log[s] it produces here. Immediately!!!
[honesty bit... I have not used this tool cos i do not have a rootkit to play with, but i trust the site implicitly...]

Done that, posted the log... now move onto these fixes:


okay pelog as follows

************************* Rustock.b-fix -- By ejvindh *************************
25/01/2007 18:31:33.50
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70816
Total size: 70816 bytes.
Attempting to remove ADS...
system32: deleted 70816 bytes in 1 streams.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

avenger as follows

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qkhuadvq
*******************
Script file located at: \??\C:\WINDOWS\pbhkprhg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
-------------------------------------------

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [network administration] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B57F951-2E37-448B-A41D-EEB095D9108B}: NameServer = 205.188.146.145

==you have an internet reset entry to wanadoo.... which is now orange. If you don't wish to keep this as a homepage fix this:
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
==if your relplayer is working fine then you could remove this new hardware detector:
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
==do you want boontybox to start every time? If not, stop it via its options, or just uninstall it via add/remove pgms.

==Start AVG antispyware again and change recommended action to Delete. Go into the infections/quarantine and remove all those files in there.

===Next try an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-the link to the scan is just above the padlock pic.... free online virus scan.. enter a valid? email and follow through, choosing My Computer for a full system scan. Run a cleaner, either ATF or CCleaner [see below] first.
Post the log it produces here.

pandasoftware log


Incident Status Location
Virus:trj/torpig.a Disinfected Operating system
Potentially unwanted tool:application/need2find Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Need2FindBar Uninstall
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/baidubar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Shaun Thomas\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected I:\SDFix.exe[SDFix\apps\Process.exe]


You now have AVG Antispyware installed. Kept updated [after 30 days you do this manually if you keep it as a free service, and i recommend that you do - it is one of the best scanners out there..] so you could stop the AOL spyware service. After 30 days run an AVG scan any time you get an adware problem, just remember to update it immediately before you scan.

To speed up your sys... hmmm.. well, you have a mass of programs that startup when you turn on your computer, and surely some/many of those you will not use in a session, and some that you will use you can start manually from an icon. I suggest that you use the list of O4 entries in the HT log as a base to work from, and open every program and stop autoupdate checks [how often does new software get released anyway?], and stop pgms that you rarely use. How often do you adjust the Realplayer settings? Or use the logitech camera -it's sitting in your tray and blocking kB of RAM. Be sensible about these things. If Nero works well you do not need the nerocheck running just in case it finds a problem.... Java updater - it just does not work, yet every so often it looks for an update, but even when it is not looking a bit of it stays resident in RAM.
I do not know your computing habits so I cannot advise you what to stop, but there is stuff there that I would clear... how often do you use HP to scan etc?

Get these three pgms:
===Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up clean.

It is best to run a cleaner before you use either Adaware or AVG - it makes the logs easier to read.... I gave you ATF earlier, but another I use more often is this one:

===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner.
For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows dumps old unused entries anyway, and if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it.

===Get Spywareblaster here http://www.javacoolsoftware.com/downloads.html -- install it, put an icon on your desktop grouped with AVG and Adaware.... And every so often [fortnightly?] update them all and run them.
Finally..
===Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.5.0.10 is current....
[see what i mean? the auto java update is a waste of RAM and time - kill it via control panel > java, and do it whenever you update the antispyware stuff.]

Do all this stuff, and then you could be clear.
Cheers.
And post that new log... panda.. just to be sure.

Originally Posted by gerbil

Great work! The rootkit pe386 is toast.

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. Select "Delete on reboot", click the "all files" button.
Highlight these three files below and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec

In killbox, go File menu, choose Paste from clipboard. Click the red and white button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

On restart, go into Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account. Password is probably blank...
Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to and locate the three above files and delete them.

Okay couldn't find any of the above mentioned 3 files using this method. Does this mean they are not present on the system?

----------------------------------------------------------------------
Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again and uncheck that box, Apply and OK.
[[another quick way in is Start > run, type sysdm.cpl and OK]]
Now make a fresh clean? restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

Done - No problems!

==ctfmon.exe coming back [being called] like it is now is okay, it's a valid process; it was also being called earlier by some other keys which i wished removed - they are gone now.
==Panda removed a virus for us, but in the free scan they leave the spyware to us to remove.
==Panda found NEED2FIND [came with kazaa?, which is a DOG], but i cannot see it running anywhere... check Add/remove pgms - if it is there, uninstall it. Check C:\program files - if the folder need2find is there, delete it... [its contents first, if needs be].

When I followed the process below using Regedit I found the NEED2FIND folder but didn't like to delete it until you advised so left it there at the moment.

==Panda refers to a dialler reg key, but before we delete it i would like to check it, so please export it: Go Start > Run, type regedit and hit OK. Expand the tree and locate the following key:
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch -lclick switch to highlight it, go files, export, name the file dialersu, file type .txt and save it somewhere handy.
Altnet, Myway : uninstall these via add/remove pgms if there, and delete their folders.
---------------------
Right, send that regkey in... dialersu.txt.