Logfile of HijackThis v1.99.1
Scan saved at 2:17:09 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dana\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {8DDE0A2E-7144-B9C6-11C6-7F9AFD905718} - ABCXYZ.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\tklsg.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\tklsg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [qwe] Dest068.exe
O4 - HKLM\..\Run: [CToolBar] zxc.exe
O4 - HKLM\..\Run: [dmnqt.exe] C:\WINDOWS\system32\dmnqt.exe
O4 - HKCU\..\Run: [FLKPT] MNTP.exe
O4 - HKCU\..\Run: [PasswdMon] TorontoMail.exe
O4 - HKCU\..\Run: [iehelper] SetupExeDll.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124250857625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AA3F2A9-5765-4A58-A256-68E560A3ACCD}: NameServer = 85.255.114.61,85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA9BADE-E69D-454A-B563-4394503271B2}: NameServer = 85.255.114.61,85.255.112.60
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
I had to do some "house cleaning"
Started by Dana, Jun 10 2006 09:18 PM
7 replies to this topic
#1 - Posted 10 June 2006 - 09:18 PM
#2 - Posted 10 June 2006 - 11:17 PM
Hi Dana, welcome to the forum.
You have the Wareout Trojan on your system, so we can fix that first. Usually this trojan is hidden from view using rootkit features, but it's showing all its startup files on your PC, which makes it easier to fix.
Please download FixWareout from one of these sites:
FixWareout Link 1
FixWareout Link 2
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Thanks
Andy
#3 - Posted 11 June 2006 - 02:02 AM
Thanks very much Andy
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tqnmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...
Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmnqt.exe"=-
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMNQT.EXE 44,076 2004-08-04
Logfile of HijackThis v1.99.1
Scan saved at 7:03:16 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dana\Desktop\HiJackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {8DDE0A2E-7144-B9C6-11C6-7F9AFD905718} - ABCXYZ.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [qwe] Dest068.exe
O4 - HKLM\..\Run: [CToolBar] zxc.exe
O4 - HKCU\..\Run: [FLKPT] MNTP.exe
O4 - HKCU\..\Run: [PasswdMon] TorontoMail.exe
O4 - HKCU\..\Run: [iehelper] SetupExeDll.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124250857625
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AA3F2A9-5765-4A58-A256-68E560A3ACCD}: NameServer = 85.255.114.61,85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA9BADE-E69D-454A-B563-4394503271B2}: NameServer = 85.255.114.61,85.255.112.60
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#4 - Posted 11 June 2006 - 02:25 AM
Hey Dana 
It looks like you might have a new variant of this Trojan, as the Fixtool hasn't cleaned all of the infection. Your IE search requests are currently going through Belarus in the Ukraine, and there still may be a lot of trojan files on your system, so there's quite a bit of work left to do. Please let us know if you have any problems or questions when proceeding with the steps below.
First of all, you may want to print out this post or copy and paste it into Notepad (Start Menu > Run > type notepad and press OK), then save it to your desktop so that you have a hard copy of these instructions.
Run Hijack This and choose Do A System Scan, then place a check next to these entries:
R3 - URLSearchHook: (no name) - {8DDE0A2E-7144-B9C6-11C6-7F9AFD905718} - ABCXYZ.dll (file missing)
O4 - HKLM\..\Run: [qwe] Dest068.exe
O4 - HKLM\..\Run: [CToolBar] zxc.exe
O4 - HKCU\..\Run: [FLKPT] MNTP.exe
O4 - HKCU\..\Run: [PasswdMon] TorontoMail.exe
O4 - HKCU\..\Run: [iehelper] SetupExeDll.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AA3F2A9-5765-4A58-A256-68E560A3ACCD}: NameServer = 85.255.114.61,85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA9BADE-E69D-454A-B563-4394503271B2}: NameServer = 85.255.114.61,85.255.112.60
Close all open browser and other windows except for Hijack This, and press the Fix Checked button.
Delete this file:
C:\WINDOWS\system32\dmnqt.exe
Next search for and delete these files:
Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options (the last option), click that, and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders.
Once they are enabled, scroll back up to the All or part of the filename: area and enter this:
Dest068.exe
Press Search and delete any that are found by right-clicking the file in the results pane to the right and choosing Delete.
Repeat the search and removal steps for these files:
zxc.exe
MNTP.exe
TorontoMail.exe
SetupExeDll.exe
If you have any Internet connection problems after fixing the entries in Hijack This, please go to Start -> Control Panel and choose Network Connections. Then right-click on your default connection, usually Local Area Connection, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer. (This may not be needed, but it needs to be mentioned in case it does happen, as we are removing the Ukrainian DNS NameServers.)
After fixing the entries and removing the files, reboot the PC.
Download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.
Next download Ewido Anti-Malware from HERE
- When installing, under "Additional Options" uncheck "Install background guard"
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"),
- Click on the Scanner button in the left menu, then click Complete System Scan.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back.
Finally run Panda Activescan from Here.
Once you are on the Panda site, click the Scan your PC button.
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
Please post the Blacklight log if it finds any hidden (rootkit) files, the Ewido log and the Pandascan log, along with a new Hijack This log.
Cheers
Andy
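As an added example (not code from the thread, from HijackThis or from FixWareout), here is a small Python triage script for the three patterns Andy's fix list in the post above is built from: O17 entries that hard-code a NameServer not on an allowlist, O4 Run entries that launch a bare filename with no path, and registrations reported "(file missing)". The resolver allowlist and the rundll32/regsvr32 host list are constructed assumptions; the sample log is copied from the second log Dana posted.

```python
"""Triage a HijackThis log for the three patterns singled out in this thread.

Added example, not code from the thread, HijackThis or FixWareout:
  * O17 entries that hard-code a NameServer not on our allowlist (DNS hijack);
  * O4 Run entries that start an executable by bare filename with no path
    (the "random runs" FixWareout hunts for, e.g. "[qwe] Dest068.exe");
  * any entry whose target is reported "(file missing)".
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist: resolvers this hypothetical network is expected to use
# (a LAN gateway plus an ISP resolver in documentation address space).
TRUSTED_RESOLVERS = frozenset({
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("203.0.113.53"),
})

# Constructed allowlist of Windows host binaries legitimately started by bare
# name from a Run key; any other path-less executable is worth a look.
KNOWN_BARE_HOSTS = {"rundll32.exe", "regsvr32.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str, trusted=TRUSTED_RESOLVERS):
    """Classify one HijackThis entry; return a Finding, or None if it looks benign."""
    line = line.strip()
    # Orphaned registrations are often uninstall leftovers, but they are also
    # what a hijacker looks like once its DLL is gone (cf. the R3 ABCXYZ.dll entry).
    if line.endswith("(file missing)"):
        return Finding(line, "registered component whose file is missing")

    m = O17_RE.match(line)
    if m:
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                return Finding(line, f"unparseable NameServer {raw!r}")
            if ip not in trusted:
                return Finding(line, f"hard-coded NameServer {raw} is not a trusted resolver")
        return None

    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if "\\" not in exe and "/" not in exe and exe.lower() not in KNOWN_BARE_HOSTS:
            return Finding(line, f"Run entry launches {exe!r} by bare filename (no path)")
    return None


def triage(log_text: str, trusted=TRUSTED_RESOLVERS):
    """Run triage_line over a whole log and keep only the hits."""
    hits = (triage_line(entry, trusted) for entry in log_text.splitlines())
    return [f for f in hits if f is not None]


# Constructed sample: entries copied from the second log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8DDE0A2E-7144-B9C6-11C6-7F9AFD905718} - ABCXYZ.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qwe] Dest068.exe
O4 - HKLM\..\Run: [CToolBar] zxc.exe
O4 - HKCU\..\Run: [FLKPT] MNTP.exe
O4 - HKCU\..\Run: [PasswdMon] TorontoMail.exe
O4 - HKCU\..\Run: [iehelper] SetupExeDll.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AA3F2A9-5765-4A58-A256-68E560A3ACCD}: NameServer = 85.255.114.61,85.255.112.60
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBA9BADE-E69D-454A-B563-4394503271B2}: NameServer = 85.255.114.61,85.255.112.60
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} {f.line}")
```

Run over the sample it flags nine entries: the eight Andy asked Dana to fix plus the orphaned msnim O18 entry, which is exactly why "(file missing)" hits still need a human look before anything is removed.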
#5 - Posted 11 June 2006 - 06:13 AM
Here ya go Andy:
06/10/06 20:31:47 [Info]: BlackLight Engine 1.0.37 initialized
06/10/06 20:31:47 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/10/06 20:31:48 [Note]: 7019 4
06/10/06 20:31:48 [Note]: 7005 0
06/10/06 20:31:55 [Note]: 7006 0
06/10/06 20:31:55 [Note]: 7011 1500
06/10/06 20:31:55 [Note]: 7026 0
06/10/06 20:31:55 [Note]: 7026 0
06/10/06 20:31:58 [Note]: FSRAW library version 1.7.1015
06/10/06 20:33:13 [Note]: 7007 0
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 9:30:31 PM, 6/10/2006
+ Report-Checksum: 36DF13C
+ Scan result:
C:\Documents and Settings\Dana\Cookies\dana@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Dana\Cookies\dana@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dana\Cookies\dana@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dana\My Documents\Downloads\crack_250095.exe -> Downloader.INService.ja : Cleaned with backup
C:\Documents and Settings\Dana\My Documents\Downloads\crack_58733.exe -> Downloader.INService.ja : Cleaned with backup
C:\RECYCLER\S-1-5-21-1757981266-413027322-839522115-1003\Dc2.exe -> Trojan.Hoster : Cleaned with backup
::Report End
Incident Status Location
Adware:adware/cws Not disinfected C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Dana\Cookies\dana@research-int[1].txt
Logfile of HijackThis v1.99.1
Scan saved at 11:13:44 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dana\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124250857625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124250857625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#6 OFFLINE
Posted 11 June 2006 - 03:41 PM
Hi Dana
Thanks for the logs, they look fine
Just remove this file
C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url
You should be able to open an IE browser window, then click Favorites and remove the link (right-click and choose Delete).
The version of Java installed is a bit out of date. You can update it by going to Start Menu > Control Panel > Java, clicking the Update tab, then clicking Update Now, or by visiting Sun's website Here.
There is a bit of a bug with Java where it sometimes leaves previous versions installed when it upgrades. These can be about 120MB each, so after upgrading to J2SE Runtime Environment Version 5.0 update 7, check the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove any older versions listed.
I have included a few recommended steps below to help prevent future malware infections.
Keep Ewido and Ad-Aware on the system. Ewido shows it's a 14-day trial, but it works fine after that has expired as an "On-Demand" scanner and remover which you can manually update and use anytime.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware
A tutorial on using Ad-Aware to remove spyware from your computer may be found Here
Spybot Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found Here. Please also enable Spybot's Immunize feature.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups or messenger programs.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, as a lot of free software can bundle other software, including spyware.
Please make sure to run your Antivirus software regularly, and to keep it up-to-date.
Also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/
More information on how to prevent malware, and an explanation of how you got infected, can be found Here (by Tony Klein) and Here.
Following these steps will lower the chances of getting any more malware issues, but let us know if you have any questions or problems anytime.
All The Best
Andy
#7 OFFLINE
Posted 11 June 2006 - 04:29 PM
Awesome!!! Thanks so very much!
#8 OFFLINE
Posted 11 June 2006 - 04:54 PM
You're welcome Dana
Happy Surfing