Please help, may have a virus


veribestteac (Thread Starter; joined Jun 21, 2004; 67 messages)
Logfile of HijackThis v1.99.1
Scan saved at 7:30:59 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\uzrm\uzrmm.exe
C:\PROGRA~1\COMMON~1\uzrm\uzrma.exe
C:\WINDOWS\TWFyeSBFbGxlbiBQYXRl\command.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\rdso\eetu.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\SYSTEM32\?ti2evxx.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {DC7490F9-5C1D-5CEA-1046-2950A75536C4} - C:\WINDOWS\system32\oljif.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [\SWO] C:\WINDOWS\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [noC=] C:\WINDOWS\mrjj.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
O20 - AppInit_DLLs: repairs302972988.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyeSBFbGxlbiBQYXRl\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
 
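Added example (not part of the thread, and not code from HijackThis, Spy Sweeper or Killbox): the log above shows the two masquerading tricks worth recognising by eye in a process list. One is a binary whose name is a letter-swap or suffix away from a core Windows process (C:\WINDOWS\scvhost.exe for svchost.exe, services32.exe for services.exe); the other is a service registered under a core process's name (lsass) whose image path is not the System32 binary. The Python below runs those two checks, plus a check for rundll32 autoruns that name their DLL without a path and a listing of IE Trusted Zone changes, over a few lines copied from the first log. The System32-only name list, the edit-distance threshold of 2 and the finding categories are the example author's assumptions.

```python
"""Triage a HijackThis-style log for masquerading binaries and hijacked IE zones.
Added example for this thread (not from HijackThis or any tool the posters used);
the heuristics, threshold and System32-only list are the example author's assumptions."""
import re

# Core XP processes that legitimately run only from %SystemRoot%\System32 (assumption).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "rundll32.exe"}
CORE_NAMES = {n[:-4] for n in SYSTEM32_ONLY}  # "lsass", "svchost", ...

# Constructed sample: lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Windows\services32.exe

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.media-motor.net
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .+?(?: \((?P<short>[^()]*)\))? - .+? - (?P<path>.+)$")

def levenshtein(a, b):
    """Plain edit distance; a transposition (scvhost/svchost) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_binary(path):
    """Flag a core-binary name outside System32, or a near-miss of one (e.g. scvhost.exe)."""
    directory, _, name = path.strip().strip('"').lower().rpartition("\\")
    if name in SYSTEM32_ONLY:
        return None if directory.endswith("\\system32") else f"core binary name outside System32: {path}"
    for known in sorted(SYSTEM32_ONLY):
        if 1 <= levenshtein(name, known) <= 2:
            return f"lookalike of {known}: {path}"
    return None

def check_run_entry(cmd):
    """Flag rundll32 autoruns whose DLL is given without a path (resolved via search order)."""
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32.exe", "rundll32"):
        target = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        if "\\" not in target:
            return f"rundll32 loads DLL by bare name: {cmd}"
    return None

def triage(log_text):
    """Return [(kind, detail)] for every suspicious line in the log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and line and not re.match(r"^[A-Z]\d* - ", line):
            hit = check_binary(line)
            if hit:
                findings.append(("process", hit))
            continue
        in_processes = False
        if m := O4_RE.match(line):
            hit = check_run_entry(m.group("cmd"))
            if hit:
                findings.append(("autorun", hit))
        elif m := O23_RE.match(line):
            short, path = m.group("short"), m.group("path")
            if short and short.lower() in CORE_NAMES:
                findings.append(("service", f"service short name '{short}' borrows a core process name: {path}"))
            if hit := check_binary(path):
                findings.append(("service", hit))
        elif line.startswith("O15 - Trusted Zone: "):
            findings.append(("ie-zone", "trusted-zone entry for review: " + line[len("O15 - Trusted Zone: "):]))
        elif line.startswith("O15 - ProtocolDefaults: "):
            findings.append(("ie-zone", line[len("O15 - ProtocolDefaults: "):]))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against a whole saved log by replacing SAMPLE_LOG with the file contents. Exact core names are exempt from the lookalike test (so csrss.exe is not reported as a near-miss of smss.exe) and are instead judged by directory, which is why the real lsass.exe and svchost.exe in the sample produce nothing while scvhost.exe is reported twice, once as a running process and once as the image of the bogus lsass service.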

dvk01 (Derek, Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
Start with:

Please download Webroot Spy Sweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:

    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 

dvk01
Before running Spy Sweeper:

Download this, and if you lose your internet connection after Spy Sweeper has done its fixes, then run it.

Download LSPfix here: http://www.cexx.org/lspfix.htm
Run the application. Just run it; you will see a list of files in the left-hand pane and possibly some in the right-hand pane. Do not change any of them, just tick the "I know what I'm doing" box and press Finish, and the program will do anything necessary.

ONLY run it if you lose your internet connection, though.
 

veribestteac (Thread Starter)
Logfile of HijackThis v1.99.1
Scan saved at 7:56:51 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\scvhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\MsgSys.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
O20 - Winlogon Notify: awvvt - awvvt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



The session summary from Spy Sweeper is too large to post; it will not let me post it in one post. I will try it in several posts.
 

veribestteac (Thread Starter)
4:39 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
4:39 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (1 subtraces) (ID = 1057038)
4:39 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
4:39 PM: Found Adware: commonname
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\internet keyword\ (9 subtraces) (ID = 106883)
4:39 PM: Found Adware: bho_sep
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\sep\ (9 subtraces) (ID = 141642)
4:39 PM: Found Adware: startpage obfuscated true-counter.com hijack
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\ || search (ID = 142635)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\ || searchurl (ID = 142636)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || default_page_url (ID = 142638)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || default_search_url (ID = 142639)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || search bar (ID = 142640)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || search page (ID = 142641)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\search\ || searchassistant (ID = 142646)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\search\ || customizesearch (ID = 142647)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\internet keyword\ (9 subtraces) (ID = 484608)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\ie config\ (17 subtraces) (ID = 105116)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\windows\currentversion\updt\ (1 subtraces) (ID = 105189)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}\ (2 subtraces) (ID = 105190)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\internet keyword\ (11 subtraces) (ID = 106883)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\ist\ (1 subtraces) (ID = 129108)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\xbtb07618\ (60 subtraces) (ID = 134858)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\sep\ (9 subtraces) (ID = 141642)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\ || search (ID = 142635)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\ || searchurl (ID = 142636)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\main\ || default_page_url (ID = 142638)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\main\ || default_search_url (ID = 142639)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\search\ || searchassistant (ID = 142646)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\search\ || customizesearch (ID = 142647)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\zango\ (15 subtraces) (ID = 147919)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\internet keyword\ (11 subtraces) (ID = 484608)
4:39 PM: Found Adware: sidesearch
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\director\ || baseurl (ID = 980277)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\ie config\ (17 subtraces) (ID = 105116)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\avenue media\ (ID = 128887)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\xbtb07618\ (61 subtraces) (ID = 134858)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\sep\ (9 subtraces) (ID = 141642)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
 

veribestteac (Thread Starter)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\surfsidekick3\ (3 subtraces) (ID = 143412)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\urlsearchhooks\ || _{02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 165102)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
4:39 PM: Found Trojan Horse: 2nd-thought
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\stc\ (ID = 102020)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\ie config\ (17 subtraces) (ID = 105116)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
4:39 PM: Found Adware: childoleauto
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || sr64 (ID = 105492)
4:39 PM: Found Adware: clientman
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || msmc (ID = 105911)
4:39 PM: Found Adware: coolwebsearch (cws)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || systime (ID = 112413)
4:39 PM: Found Adware: cws-aboutblank
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:39 PM: Found Adware: elitebar
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\lq\ (10 subtraces) (ID = 125741)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\sep\ (9 subtraces) (ID = 141642)
4:39 PM: Found Adware: websearch toolbar
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\toolbar\ (1 subtraces) (ID = 146513)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\toolbar\ (1 subtraces) (ID = 646239)
4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 125238)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || start page (ID = 125239)
4:39 PM: HKU\S-1-5-18\software\ptech\ (7 subtraces) (ID = 125528)
4:39 PM: HKU\S-1-5-18\software\avenue media\ (ID = 128887)
4:39 PM: HKU\S-1-5-18\software\policies\avenue media\ (ID = 128928)
4:39 PM: HKU\S-1-5-18\software\ist\ (4 subtraces) (ID = 129108)
4:39 PM: Found Adware: lopdotcom
4:39 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
4:39 PM: HKU\S-1-5-18\software\xbtb07618\ (60 subtraces) (ID = 134858)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
4:39 PM: HKU\S-1-5-18\software\surfsidekick3\ (2 subtraces) (ID = 143412)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
4:39 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
4:39 PM: HKU\S-1-5-18\software\director\ || baseurl (ID = 980277)
4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
4:39 PM: Registry Sweep Complete, Elapsed Time:00:01:11
4:39 PM: Starting Cookie Sweep
4:39 PM: Found Spy Cookie: 2o7.net cookie
4:39 PM: emily [email protected][2].txt (ID = 1957)
4:39 PM: Found Spy Cookie: yieldmanager cookie
4:39 PM: emily [email protected][2].txt (ID = 3751)
4:39 PM: Found Spy Cookie: adknowledge cookie
4:39 PM: emily [email protected][1].txt (ID = 2072)
4:39 PM: Found Spy Cookie: adlegend cookie
4:39 PM: emily [email protected][1].txt (ID = 2074)
4:39 PM: Found Spy Cookie: adrevolver cookie
4:39 PM: emily [email protected][1].txt (ID = 2088)
4:39 PM: emily [email protected][3].txt (ID = 2088)
4:39 PM: Found Spy Cookie: ads.adsag cookie
 

dvk01
That got rid of a lot, so a bit more to do now.

First:
download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

Then
go to Start > Run, type services.msc and press OK.
When the screen opens, scroll down to Local Security Authority Subsystem Service, right-click it and select Properties. On that page press Stop (service), then set the Startup type to Disabled, and press OK a few times to get back to Windows.

Be very careful to get the right one, as there are several very similarly named ones there, and the others will be legitimate and needed.

Now open HJT, press Config > Misc Tools and select Delete an NT service.

Paste this into the box and press OK:

lsass

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.


Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries. Double-check to make sure, then make sure all browser and email windows are closed and press Fix checked.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)


O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab

O20 - Winlogon Notify: awvvt - awvvt.dll (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe


Now start Killbox, go to Options on the top bar and make sure Remove directories is enabled and Remove duplicates is UNCHECKED. Paste the first file listed below into the "Full pathname and file to delete" box.

The file name will appear in the window. Select Delete on reboot, press the red X button, say Yes to the prompt and NO to "reboot now", then repeat for each file in turn.

[Note: Killbox makes backups of all deleted files and folders in a folder called C:\!killbox.] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

c:\\drsmartloadb.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\system32\0oqw0ct0.dll

Then on the Killbox top bar press Tools > Delete temp files. In the pop-up box, in the NT section select Temp, Temp Internet and Cookies only, and in the 9x section select C:\WINDOWS\Temp and C:\Temp. Then on the drop-down user account box select your account, then repeat for every user account on the computer.

Then reboot and post a fresh HJT log.
 

veribestteac (Thread Starter)
Logfile of HijackThis v1.99.1
Scan saved at 7:39:10 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
That is looking better.

If it is running OK now then:

Turn off System Restore by following the instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
That will purge the restore folder and clear any malware that has been put in there. Then reboot, then re-enable System Restore & create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

And pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
 