Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
giraf Newbie
Joined: 30 Dec 2004 Last Visit: 05 Apr 2005 Posts: 6 Location: Belgium
Posted: Mon Apr 04, 2005 7:21 am Post subject: Desperate, not finding the solution (RESOLVED)
On a friend's PC I have installed, updated and run in safe mode:
AdAwareProSE, Spybot 1.3. I have run NAV2005. I had cleared all suspicious entries in HijackThis (also in Safe Mode). Still I get this report from HijackThis.
The problem also is that there are 4 users (with admin rights) and each one gets a different log.
Can you help me solve the problem please?
user: emmah
Logfile of HijackThis v1.99.1
Scan saved at 17:14:31, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dkm.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://misc.skynet.be/index.html?new_lang=nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Gho.exe
O4 - HKLM\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKLM\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKLM\..\Run: [Mil] C:\WINDOWS\Sat.exe
O4 - HKLM\..\Run: [Kcf] C:\WINDOWS\Ftr.exe
O4 - HKCU\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKCU\..\Run: [Kcf] C:\WINDOWS\Ftr.exe
O4 - Startup: winupdate66133563[1].exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
user: elysah
Logfile of HijackThis v1.99.1
Scan saved at 17:03:43, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\Dkm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mhadrd.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.worldonline.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Gho.exe
O4 - HKLM\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKLM\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [virtual-machine] wini.exe
O4 - HKCU\..\Run: [Shu] C:\WINDOWS\Tft.exe
O4 - HKCU\..\Run: [Tcd] C:\WINDOWS\System32\Bha.exe
O4 - HKCU\..\Run: [Dgi] C:\WINDOWS\Dlf.exe
O4 - HKCU\..\Run: [Nki] C:\WINDOWS\System32\Gkc.exe
O4 - HKCU\..\Run: [Njo] C:\WINDOWS\Pjc.exe
O4 - HKCU\..\Run: [Gav] C:\WINDOWS\System32\Rrg.exe
O4 - HKCU\..\Run: [Qsa] C:\WINDOWS\System32\Sta.exe
O4 - HKCU\..\Run: [Vpq] C:\WINDOWS\System32\Uml.exe
O4 - HKCU\..\Run: [Sbu] C:\WINDOWS\Buu.exe
O4 - HKCU\..\Run: [Uov] C:\WINDOWS\Oul.exe
O4 - HKCU\..\Run: [Bdn] C:\WINDOWS\System32\Fdh.exe
O4 - HKCU\..\Run: [Hmr] C:\WINDOWS\Uhk.exe
O4 - HKCU\..\Run: [Ksp] C:\WINDOWS\System32\Dam.exe
O4 - HKCU\..\Run: [Irr] C:\WINDOWS\Cdb.exe
O4 - HKCU\..\Run: [Kot] C:\WINDOWS\Btd.exe
O4 - HKCU\..\Run: [Jup] C:\WINDOWS\System32\Uik.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\System32\Rgs.exe
O4 - HKCU\..\Run: [Dmv] C:\WINDOWS\Fvc.exe
O4 - HKCU\..\Run: [Tmf] C:\WINDOWS\Gml.exe
O4 - HKCU\..\Run: [Tse] C:\WINDOWS\Sue.exe
O4 - HKCU\..\Run: [Fpf] C:\WINDOWS\System32\Cqv.exe
O4 - HKCU\..\Run: [Mti] C:\WINDOWS\System32\Jos.exe
O4 - HKCU\..\Run: [Heh] C:\WINDOWS\Bah.exe
O4 - HKCU\..\Run: [Njp] C:\WINDOWS\Pqm.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Puu] C:\WINDOWS\System32\Bqk.exe
O4 - HKCU\..\Run: [Uvr] C:\WINDOWS\System32\Nmf.exe
O4 - HKCU\..\Run: [Mgq] C:\WINDOWS\Qna.exe
O4 - HKCU\..\Run: [Mdt] C:\WINDOWS\System32\Ned.exe
O4 - HKCU\..\Run: [Ttr] C:\WINDOWS\Ead.exe
O4 - HKCU\..\Run: [Eft] C:\WINDOWS\System32\Ujd.exe
O4 - HKCU\..\Run: [Lki] C:\WINDOWS\Avf.exe
O4 - HKCU\..\Run: [Pkl] C:\WINDOWS\System32\Khr.exe
O4 - HKCU\..\Run: [Dun] C:\WINDOWS\System32\Ano.exe
O4 - HKCU\..\Run: [Thm] C:\WINDOWS\System32\Ehq.exe
O4 - HKCU\..\Run: [Aok] C:\WINDOWS\System32\Use.exe
O4 - HKCU\..\Run: [Nku] C:\WINDOWS\System32\Chr.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Jjh.exe
O4 - HKCU\..\Run: [Ght] C:\WINDOWS\Ova.exe
O4 - HKCU\..\Run: [Sec] C:\WINDOWS\Htj.exe
O4 - HKCU\..\Run: [Gvl] C:\WINDOWS\Pah.exe
O4 - HKCU\..\Run: [Sba] C:\WINDOWS\Tuo.exe
O4 - HKCU\..\Run: [Oqu] C:\WINDOWS\Gtj.exe
O4 - HKCU\..\Run: [Sdg] C:\WINDOWS\System32\Rut.exe
O4 - HKCU\..\Run: [Lbq] C:\WINDOWS\Eld.exe
O4 - HKCU\..\Run: [Qfg] C:\WINDOWS\System32\Pij.exe
O4 - HKCU\..\Run: [Fkp] C:\WINDOWS\System32\Dua.exe
O4 - HKCU\..\Run: [Kma] C:\WINDOWS\System32\Tum.exe
O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Dte.exe
O4 - HKCU\..\Run: [Ejp] C:\WINDOWS\System32\Vgq.exe
O4 - HKCU\..\Run: [Gbo] C:\WINDOWS\Hbf.exe
O4 - HKCU\..\Run: [Tct] C:\WINDOWS\Miu.exe
O4 - HKCU\..\Run: [Nac] C:\WINDOWS\System32\Ila.exe
O4 - HKCU\..\Run: [Vqk] C:\WINDOWS\System32\Fgs.exe
O4 - HKCU\..\Run: [Lpj] C:\WINDOWS\System32\Dqd.exe
O4 - HKCU\..\Run: [Ugb] C:\WINDOWS\Uvi.exe
O4 - HKCU\..\Run: [Osc] C:\WINDOWS\System32\Rll.exe
O4 - HKCU\..\Run: [Gjq] C:\WINDOWS\System32\Vfo.exe
O4 - HKCU\..\Run: [Sac] C:\WINDOWS\System32\Qaj.exe
O4 - HKCU\..\Run: [Lhq] C:\WINDOWS\System32\Mls.exe
O4 - HKCU\..\Run: [Kdd] C:\WINDOWS\Gbt.exe
O4 - HKCU\..\Run: [Gjj] C:\WINDOWS\Hck.exe
O4 - HKCU\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKCU\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKCU\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKCU\..\RunServices: [virtual-machine] wini.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
user: frank
Logfile of HijackThis v1.99.1
Scan saved at 16:38:08, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Apps\ActivBoard\OSD.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://misc.skynet.be/index.html?new_lang=nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Belgacom Skynet
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: winupdate66133563[1].exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
user: sarah
Logfile of HijackThis v1.99.1
Scan saved at 17:08:55, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dkm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=157983
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=157983
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldonline.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=157983
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mhadrd.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.worldonline.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door World Online Belgium
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.worldonline.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Gho.exe
O4 - HKLM\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKLM\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKLM\..\Run: [Mil] C:\WINDOWS\Sat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [virtual-machine] wini.exe
O4 - HKCU\..\Run: [Bhg] C:\WINDOWS\System32\Ken.exe
O4 - HKCU\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKCU\..\Run: [Mil] C:\WINDOWS\Sat.exe
O4 - HKCU\..\RunServices: [virtual-machine] wini.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
_________________
dendzjing

TeMerc Warrior Obsessed
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Mon Apr 04, 2005 8:23 am Post subject:
OK, with this infection there is only one way to rid the files in a manner to prevent re-infection, as this will keep regenerating as you keep rebooting.
You need to do a search for files by date created, they should all be on the bottom of the list, all files will be 3 letters in name, and always the first letter a capital. Size of exe is 7.5kb in size.
Look in system32 and windows folders.
Be sure and check the properties of each file, as there are many legit MS files.
There will also be some html files located in the windows folder as well, they can also be deleted.
Size will be 2-3 kb.
DESKTOP HIJACK
Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK. That should get rid of it.
Once you have searched for all the files, and think they have been deleted, post a new HJT log and we will see what's left over if anything.
***EACH ACCOUNT MUST BE GONE THRU FOR THIS INFECTION.
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog

giraf Newbie
Joined: 30 Dec 2004 Last Visit: 05 Apr 2005 Posts: 6 Location: belgium
Posted: Mon Apr 04, 2005 9:15 am Post subject:
I have deleted all the appropriate files; rebooted and this is the log with the 'Elisah' user login:
Logfile of HijackThis v1.99.1
Scan saved at 19:10:58, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dkm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ontrack\PowerDesk\pdexplo.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mhadrd.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.worldonline.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Gho.exe
O4 - HKLM\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKLM\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKLM\..\Run: [Mil] C:\WINDOWS\Sat.exe
O4 - HKLM\..\Run: [Kcf] C:\WINDOWS\Ftr.exe
O4 - HKLM\..\Run: [Hjv] C:\WINDOWS\System32\Muh.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Mda.exe
O4 - HKLM\..\Run: [Lmb] C:\WINDOWS\Pdg.exe
O4 - HKLM\..\Run: [Tev] C:\WINDOWS\Bri.exe
O4 - HKLM\..\Run: [Svo] C:\WINDOWS\System32\Gao.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\Uiv.exe
O4 - HKLM\..\Run: [Tib] C:\WINDOWS\Hmb.exe
O4 - HKLM\..\Run: [Lrs] C:\WINDOWS\System32\Fit.exe
O4 - HKLM\..\Run: [Tli] C:\WINDOWS\Afg.exe
O4 - HKLM\..\Run: [Ijs] C:\WINDOWS\System32\Ncm.exe
O4 - HKLM\..\Run: [Tkj] C:\WINDOWS\Ptq.exe
O4 - HKLM\..\Run: [Ahd] C:\WINDOWS\Fco.exe
O4 - HKLM\..\Run: [Osd] C:\WINDOWS\Rct.exe
O4 - HKLM\..\Run: [Ofg] C:\WINDOWS\System32\Lll.exe
O4 - HKLM\..\Run: [Prp] C:\WINDOWS\Pne.exe
O4 - HKLM\..\Run: [Kvm] C:\WINDOWS\Ngv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [virtual-machine] wini.exe
O4 - HKCU\..\Run: [Shu] C:\WINDOWS\Tft.exe
O4 - HKCU\..\Run: [Tcd] C:\WINDOWS\System32\Bha.exe
O4 - HKCU\..\Run: [Dgi] C:\WINDOWS\Dlf.exe
O4 - HKCU\..\Run: [Nki] C:\WINDOWS\System32\Gkc.exe
O4 - HKCU\..\Run: [Njo] C:\WINDOWS\Pjc.exe
O4 - HKCU\..\Run: [Gav] C:\WINDOWS\System32\Rrg.exe
O4 - HKCU\..\Run: [Qsa] C:\WINDOWS\System32\Sta.exe
O4 - HKCU\..\Run: [Vpq] C:\WINDOWS\System32\Uml.exe
O4 - HKCU\..\Run: [Sbu] C:\WINDOWS\Buu.exe
O4 - HKCU\..\Run: [Uov] C:\WINDOWS\Oul.exe
O4 - HKCU\..\Run: [Bdn] C:\WINDOWS\System32\Fdh.exe
O4 - HKCU\..\Run: [Hmr] C:\WINDOWS\Uhk.exe
O4 - HKCU\..\Run: [Ksp] C:\WINDOWS\System32\Dam.exe
O4 - HKCU\..\Run: [Irr] C:\WINDOWS\Cdb.exe
O4 - HKCU\..\Run: [Kot] C:\WINDOWS\Btd.exe
O4 - HKCU\..\Run: [Jup] C:\WINDOWS\System32\Uik.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\System32\Rgs.exe
O4 - HKCU\..\Run: [Dmv] C:\WINDOWS\Fvc.exe
O4 - HKCU\..\Run: [Tmf] C:\WINDOWS\Gml.exe
O4 - HKCU\..\Run: [Tse] C:\WINDOWS\Sue.exe
O4 - HKCU\..\Run: [Fpf] C:\WINDOWS\System32\Cqv.exe
O4 - HKCU\..\Run: [Mti] C:\WINDOWS\System32\Jos.exe
O4 - HKCU\..\Run: [Heh] C:\WINDOWS\Bah.exe
O4 - HKCU\..\Run: [Njp] C:\WINDOWS\Pqm.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Puu] C:\WINDOWS\System32\Bqk.exe
O4 - HKCU\..\Run: [Uvr] C:\WINDOWS\System32\Nmf.exe
O4 - HKCU\..\Run: [Mgq] C:\WINDOWS\Qna.exe
O4 - HKCU\..\Run: [Mdt] C:\WINDOWS\System32\Ned.exe
O4 - HKCU\..\Run: [Ttr] C:\WINDOWS\Ead.exe
O4 - HKCU\..\Run: [Eft] C:\WINDOWS\System32\Ujd.exe
O4 - HKCU\..\Run: [Lki] C:\WINDOWS\Avf.exe
O4 - HKCU\..\Run: [Pkl] C:\WINDOWS\System32\Khr.exe
O4 - HKCU\..\Run: [Dun] C:\WINDOWS\System32\Ano.exe
O4 - HKCU\..\Run: [Thm] C:\WINDOWS\System32\Ehq.exe
O4 - HKCU\..\Run: [Aok] C:\WINDOWS\System32\Use.exe
O4 - HKCU\..\Run: [Nku] C:\WINDOWS\System32\Chr.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Jjh.exe
O4 - HKCU\..\Run: [Ght] C:\WINDOWS\Ova.exe
O4 - HKCU\..\Run: [Sec] C:\WINDOWS\Htj.exe
O4 - HKCU\..\Run: [Gvl] C:\WINDOWS\Pah.exe
O4 - HKCU\..\Run: [Sba] C:\WINDOWS\Tuo.exe
O4 - HKCU\..\Run: [Oqu] C:\WINDOWS\Gtj.exe
O4 - HKCU\..\Run: [Sdg] C:\WINDOWS\System32\Rut.exe
O4 - HKCU\..\Run: [Lbq] C:\WINDOWS\Eld.exe
O4 - HKCU\..\Run: [Qfg] C:\WINDOWS\System32\Pij.exe
O4 - HKCU\..\Run: [Fkp] C:\WINDOWS\System32\Dua.exe
O4 - HKCU\..\Run: [Kma] C:\WINDOWS\System32\Tum.exe
O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Dte.exe
O4 - HKCU\..\Run: [Ejp] C:\WINDOWS\System32\Vgq.exe
O4 - HKCU\..\Run: [Gbo] C:\WINDOWS\Hbf.exe
O4 - HKCU\..\Run: [Tct] C:\WINDOWS\Miu.exe
O4 - HKCU\..\Run: [Nac] C:\WINDOWS\System32\Ila.exe
O4 - HKCU\..\Run: [Vqk] C:\WINDOWS\System32\Fgs.exe
O4 - HKCU\..\Run: [Lpj] C:\WINDOWS\System32\Dqd.exe
O4 - HKCU\..\Run: [Ugb] C:\WINDOWS\Uvi.exe
O4 - HKCU\..\Run: [Osc] C:\WINDOWS\System32\Rll.exe
O4 - HKCU\..\Run: [Gjq] C:\WINDOWS\System32\Vfo.exe
O4 - HKCU\..\Run: [Sac] C:\WINDOWS\System32\Qaj.exe
O4 - HKCU\..\Run: [Lhq] C:\WINDOWS\System32\Mls.exe
O4 - HKCU\..\Run: [Kdd] C:\WINDOWS\Gbt.exe
O4 - HKCU\..\Run: [Gjj] C:\WINDOWS\Hck.exe
O4 - HKCU\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKCU\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKCU\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKCU\..\Run: [Hjv] C:\WINDOWS\System32\Muh.exe
O4 - HKCU\..\Run: [Tev] C:\WINDOWS\Bri.exe
O4 - HKCU\..\Run: [Tib] C:\WINDOWS\Hmb.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Ncm.exe
O4 - HKCU\..\Run: [Osd] C:\WINDOWS\Rct.exe
O4 - HKCU\..\Run: [Kvm] C:\WINDOWS\Ngv.exe
O4 - HKCU\..\RunServices: [virtual-machine] wini.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Microsoft AntiSpyware helper - {30524A06-CA1F-4251-BAF9-4D50EE559F66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30524A06-CA1F-4251-BAF9-4D50EE559F66} - C:\WINDOWS\System32\wldr.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O21 - SSODL: NTDBGTOOL - {86C77422-01AA-4D93-901C-BCBE5EB459BA} - C:\WINDOWS\System32\c_20qcd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
_________________
dendzjing

TeMerc Warrior Obsessed
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Mon Apr 04, 2005 10:02 am Post subject:
OK, very good. However, I see that there is one 3 letter file running in the process list; this leads me to believe there are still files being generated. Please go back and be sure you have searched for all of them and deleted them; if one remains, we will be chasing our tails.
You have a variant of CoolWebSearch infection. Please follow the link below to CWShredder, DL the app, then run it, and FIX ALL VARIANTS IT FINDS.
CWShredder
Run it in 'Safe Mode' please.
Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
C:\WINDOWS\Dkm.exe
Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mhadrd.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://mhadrd.t.muxa.cc/h.php?aid=420 (obfuscated)
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Sts] C:\WINDOWS\Gho.exe
O4 - HKLM\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKLM\..\Run: [Uko] C:\WINDOWS\Taf.exe
O4 - HKLM\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKLM\..\Run: [Mil] C:\WINDOWS\Sat.exe
O4 - HKLM\..\Run: [Kcf] C:\WINDOWS\Ftr.exe
O4 - HKLM\..\Run: [Hjv] C:\WINDOWS\System32\Muh.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Mda.exe
O4 - HKLM\..\Run: [Lmb] C:\WINDOWS\Pdg.exe
O4 - HKLM\..\Run: [Tev] C:\WINDOWS\Bri.exe
O4 - HKLM\..\Run: [Svo] C:\WINDOWS\System32\Gao.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\Uiv.exe
O4 - HKLM\..\Run: [Tib] C:\WINDOWS\Hmb.exe
O4 - HKLM\..\Run: [Lrs] C:\WINDOWS\System32\Fit.exe
O4 - HKLM\..\Run: [Tli] C:\WINDOWS\Afg.exe
O4 - HKLM\..\Run: [Ijs] C:\WINDOWS\System32\Ncm.exe
O4 - HKLM\..\Run: [Tkj] C:\WINDOWS\Ptq.exe
O4 - HKLM\..\Run: [Ahd] C:\WINDOWS\Fco.exe
O4 - HKLM\..\Run: [Osd] C:\WINDOWS\Rct.exe
O4 - HKLM\..\Run: [Ofg] C:\WINDOWS\System32\Lll.exe
O4 - HKLM\..\Run: [Prp] C:\WINDOWS\Pne.exe
O4 - HKLM\..\Run: [Kvm] C:\WINDOWS\Ngv.exe
O4 - HKCU\..\Run: [virtual-machine] wini.exe
O4 - HKCU\..\Run: [Shu] C:\WINDOWS\Tft.exe
O4 - HKCU\..\Run: [Tcd] C:\WINDOWS\System32\Bha.exe
O4 - HKCU\..\Run: [Dgi] C:\WINDOWS\Dlf.exe
O4 - HKCU\..\Run: [Nki] C:\WINDOWS\System32\Gkc.exe
O4 - HKCU\..\Run: [Njo] C:\WINDOWS\Pjc.exe
O4 - HKCU\..\Run: [Gav] C:\WINDOWS\System32\Rrg.exe
O4 - HKCU\..\Run: [Qsa] C:\WINDOWS\System32\Sta.exe
O4 - HKCU\..\Run: [Vpq] C:\WINDOWS\System32\Uml.exe
O4 - HKCU\..\Run: [Sbu] C:\WINDOWS\Buu.exe
O4 - HKCU\..\Run: [Uov] C:\WINDOWS\Oul.exe
O4 - HKCU\..\Run: [Bdn] C:\WINDOWS\System32\Fdh.exe
O4 - HKCU\..\Run: [Hmr] C:\WINDOWS\Uhk.exe
O4 - HKCU\..\Run: [Ksp] C:\WINDOWS\System32\Dam.exe
O4 - HKCU\..\Run: [Irr] C:\WINDOWS\Cdb.exe
O4 - HKCU\..\Run: [Kot] C:\WINDOWS\Btd.exe
O4 - HKCU\..\Run: [Jup] C:\WINDOWS\System32\Uik.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\System32\Rgs.exe
O4 - HKCU\..\Run: [Dmv] C:\WINDOWS\Fvc.exe
O4 - HKCU\..\Run: [Tmf] C:\WINDOWS\Gml.exe
O4 - HKCU\..\Run: [Tse] C:\WINDOWS\Sue.exe
O4 - HKCU\..\Run: [Fpf] C:\WINDOWS\System32\Cqv.exe
O4 - HKCU\..\Run: [Mti] C:\WINDOWS\System32\Jos.exe
O4 - HKCU\..\Run: [Heh] C:\WINDOWS\Bah.exe
O4 - HKCU\..\Run: [Njp] C:\WINDOWS\Pqm.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Puu] C:\WINDOWS\System32\Bqk.exe
O4 - HKCU\..\Run: [Uvr] C:\WINDOWS\System32\Nmf.exe
O4 - HKCU\..\Run: [Mgq] C:\WINDOWS\Qna.exe
O4 - HKCU\..\Run: [Mdt] C:\WINDOWS\System32\Ned.exe
O4 - HKCU\..\Run: [Ttr] C:\WINDOWS\Ead.exe
O4 - HKCU\..\Run: [Eft] C:\WINDOWS\System32\Ujd.exe
O4 - HKCU\..\Run: [Lki] C:\WINDOWS\Avf.exe
O4 - HKCU\..\Run: [Pkl] C:\WINDOWS\System32\Khr.exe
O4 - HKCU\..\Run: [Dun] C:\WINDOWS\System32\Ano.exe
O4 - HKCU\..\Run: [Thm] C:\WINDOWS\System32\Ehq.exe
O4 - HKCU\..\Run: [Aok] C:\WINDOWS\System32\Use.exe
O4 - HKCU\..\Run: [Nku] C:\WINDOWS\System32\Chr.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Jjh.exe
O4 - HKCU\..\Run: [Ght] C:\WINDOWS\Ova.exe
O4 - HKCU\..\Run: [Sec] C:\WINDOWS\Htj.exe
O4 - HKCU\..\Run: [Gvl] C:\WINDOWS\Pah.exe
O4 - HKCU\..\Run: [Sba] C:\WINDOWS\Tuo.exe
O4 - HKCU\..\Run: [Oqu] C:\WINDOWS\Gtj.exe
O4 - HKCU\..\Run: [Sdg] C:\WINDOWS\System32\Rut.exe
O4 - HKCU\..\Run: [Lbq] C:\WINDOWS\Eld.exe
O4 - HKCU\..\Run: [Qfg] C:\WINDOWS\System32\Pij.exe
O4 - HKCU\..\Run: [Fkp] C:\WINDOWS\System32\Dua.exe
O4 - HKCU\..\Run: [Kma] C:\WINDOWS\System32\Tum.exe
O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Dte.exe
O4 - HKCU\..\Run: [Ejp] C:\WINDOWS\System32\Vgq.exe
O4 - HKCU\..\Run: [Gbo] C:\WINDOWS\Hbf.exe
O4 - HKCU\..\Run: [Tct] C:\WINDOWS\Miu.exe
O4 - HKCU\..\Run: [Nac] C:\WINDOWS\System32\Ila.exe
O4 - HKCU\..\Run: [Vqk] C:\WINDOWS\System32\Fgs.exe
O4 - HKCU\..\Run: [Lpj] C:\WINDOWS\System32\Dqd.exe
O4 - HKCU\..\Run: [Ugb] C:\WINDOWS\Uvi.exe
O4 - HKCU\..\Run: [Osc] C:\WINDOWS\System32\Rll.exe
O4 - HKCU\..\Run: [Gjq] C:\WINDOWS\System32\Vfo.exe
O4 - HKCU\..\Run: [Sac] C:\WINDOWS\System32\Qaj.exe
O4 - HKCU\..\Run: [Lhq] C:\WINDOWS\System32\Mls.exe
O4 - HKCU\..\Run: [Kdd] C:\WINDOWS\Gbt.exe
O4 - HKCU\..\Run: [Gjj] C:\WINDOWS\Hck.exe
O4 - HKCU\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKCU\..\Run: [Ano] C:\WINDOWS\Dkq.exe
O4 - HKCU\..\Run: [Vai] C:\WINDOWS\System32\Cua.exe
O4 - HKCU\..\Run: [Hjv] C:\WINDOWS\System32\Muh.exe
O4 - HKCU\..\Run: [Tev] C:\WINDOWS\Bri.exe
O4 - HKCU\..\Run: [Tib] C:\WINDOWS\Hmb.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Ncm.exe
O4 - HKCU\..\Run: [Osd] C:\WINDOWS\Rct.exe
O4 - HKCU\..\Run: [Kvm] C:\WINDOWS\Ngv.exe
O4 - HKCU\..\RunServices: [virtual-machine] wini.exe
O9 - Extra button: Microsoft AntiSpyware helper - {30524A06-CA1F-4251-BAF9-4D50EE559F66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {30524A06-CA1F-4251-BAF9-4D50EE559F66} - C:\WINDOWS\System32\wldr.dll
O21 - SSODL: NTDBGTOOL - {86C77422-01AA-4D93-901C-BCBE5EB459BA} - C:\WINDOWS\System32\c_20qcd.dll
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
***ALL THE 3 LETTER FILES
C:\WINDOWS\System32\c_20qcd.dll <<<--file
C:\WINDOWS\System32\wldr.dll <<<--file
wini.exe <<<--file
To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.
Post a new HJT log please.
Also, please, let's do one user account at a time, it will make things easier that way, thanks.
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
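
The three-letter-file pattern described in the two replies above can be applied to a HijackThis log as a triage pass. This is an added example, not part of the original posts: the function names are hypothetical and the sample log is a constructed mix of lines from the logs posted in this thread. It produces a list to review (file properties still need checking, since legitimate files can match), not a delete list.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the logs in this thread, mixed into one
# short log for illustration. It is not any single real scan.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dkm.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ivt] C:\WINDOWS\Dkm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Qda] C:\WINDOWS\System32\Eqq.exe
O4 - HKLM\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [virtual-machine] wini.exe
O4 - HKCU\..\Run: [Bhg] C:\WINDOWS\System32\Ken.exe
O4 - HKCU\..\Run: [Gfb] C:\WINDOWS\Kcl.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
"""

# Registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\]\s*(.+)$')
# Any HijackThis result line starts with a section code such as "R1 - " or "O23 - ".
SECTION_RE = re.compile(r'^[A-Z]\d+ - ')
# Pattern from the reply: three-letter name, first letter capital, .exe, directly
# in the windows or system32 folder. File size cannot be checked from a log.
CANDIDATE_RE = re.compile(
    r'^(?i:[a-z]:\\windows\\(?:system32\\)?)[A-Z][a-z]{2}\.(?i:exe)$')


def executable_of(command):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_hjt(log_text):
    """Split a HijackThis log into the process list and the O4 registry autoruns."""
    processes, autoruns, in_procs = [], [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
        elif SECTION_RE.match(line):
            in_procs = False  # the process list ends at the first result line
            m = O4_RE.match(line)
            if m:
                hive, key, name, command = m.groups()
                autoruns.append({'hive': hive, 'key': key, 'name': name,
                                 'target': executable_of(command)})
        elif in_procs and line:
            processes.append(line)
    return processes, autoruns


def triage(log_text):
    """List autoruns and running processes that match the three-letter pattern."""
    processes, autoruns = parse_hjt(log_text)
    by_hive = defaultdict(list)
    hives_for = defaultdict(set)  # keyed lower-case: Windows paths ignore case
    for entry in autoruns:
        if CANDIDATE_RE.match(entry['target']):
            by_hive[entry['hive']].append(entry['target'])
            hives_for[entry['target'].lower()].add(entry['hive'])
    running = [p for p in processes if CANDIDATE_RE.match(p)]
    return {
        # HKCU entries belong to the account that produced the log, so the
        # scan has to be repeated for every user profile on the machine.
        'by_hive': dict(by_hive),
        # A match that is still running can recreate the files after deletion.
        'running': running,
        'running_unregistered': [p for p in running if p.lower() not in hives_for],
        'in_both_hives': sorted(t for t, h in hives_for.items() if len(h) > 1),
    }


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for hive, targets in report['by_hive'].items():
        print(hive, 'candidates for review:', *targets, sep='\n  ')
    print('still running:', report['running'])
    print('registered in both hives:', report['in_both_hives'])
```

Entries outside the pattern, such as the `wini.exe` autorun listed separately in the reply, are not flagged by this pass and still need their own review.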

giraf Newbie
Joined: 30 Dec 2004 Last Visit: 05 Apr 2005 Posts: 6 Location: belgium
Posted: Tue Apr 05, 2005 12:17 am Post subject: elysah account cleaned?
This is the log after I did what you suggested (in safe mode in the Elysah account)
I shall try the same now on the second account
Logfile of HijackThis v1.99.1
Scan saved at 10:12:01, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Ontrack\PowerDesk\pdexplo.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101492176984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Application Layer Gateway-service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
_________________
dendzjing

giraf Newbie
Joined: 30 Dec 2004 Last Visit: 05 Apr 2005 Posts: 6 Location: belgium
Posted: Tue Apr 05, 2005 12:44 am Post subject: CW Shredder

CW Shredder keeps asking me about a 'smcfg.exe' file. I think it is not a random name file, but can't find any suggestions in the startup files folders pages. Any idea?
_________________
dendzjing

TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
giraf Newbie
Joined: 30 Dec 2004 Last Visit: 05 Apr 2005 Posts: 6 Location: belgium
Posted: Tue Apr 05, 2005 8:54 am Post subject: alas

I followed the same procedure with the second account, but something went wrong somewhere, but I don't know what. Fact is that after deleting the 3-digit files and the others indicated, the OS did boot, but did not want to log someone on. The same thing in Safe Boot! So I restored a backup (True Image) from one year ago, and have now just finished removing all the trash.
Still thanks for the help and support; I will call again when needed.
Bye and thanks again.
_________________
dendzjing

TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Tue Apr 05, 2005 9:57 am Post subject:

OK, sorry things didn't work out as planned. Be sure and get some more protection to avoid future infections.
Click on the two links below in my sig titled: Malware Countermeasures I Use\Tutorials For Them for the apps we recommend to keep your PC as secure as possible. All are free, and have no conflicts with any other apps, and are time tested to be some of the leading apps in the security field.
And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates
Subscribe to update alerts for the most popular security apps here.
Happy surfing!!
Tom  _________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog |