Solved: Want To Fully Clean My Comp!!


stupid moron

Thread Starter
Joined
Nov 5, 2004
Messages
71
Could someone please help me do a FULL cleanup on my comp so it's working almost like new? I want to basically start over on my comp without having to like reinstall Windows and things, because I did stupid things on my comp when I first got it, so now it's affecting me. Thanks if someone would like to take on this huge job!!! Step by step instructions would be awesome. THANKS!
 

stupid moron

Thread Starter
Joined
Nov 5, 2004
Messages
71
Logfile of HijackThis v1.99.1
Scan saved at 11:15:40 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.welshco.com/emp/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126559575796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126559564609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Joined
Feb 15, 2004
Messages
12,302
Go to Add/Remove and uninstall LimeWire and delete its folder from C:\Program Files


You don't have an antivirus. Download this one below, install it, update it and then run a full system scan!


Anti-vir

http://www.free-av.com/


Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php



* Download the trial version of Ewido Security Suite here


http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


* Download Cleanup from here

http://www.stevengould.org/software/cleanup/download.html



* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET



* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.



R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\Program Files\winsupdater\winsupdater.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\LimeWire\LimeWire.exe



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.



Reboot to normal mode and run a few online scans!


Run an online antivirus check from

http://www.kaspersky.com/virusscanner

Choose extended database for the scan!


Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, have it delete anything that it cannot clean.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, and the Ewido and ActiveScan logs.


http://www.ewido.net/en/onlinescan/run/
 
Joined
Dec 2, 2005
Messages
586
stupid moron said:
Here are all the files you asked for PLUS one that I wasn't sure if you wanted or not. I did not remove LimeWire, however, as this is my music download source and I only want to remove it if I ABSOLUTELY need to. Thanks for your help!!
To get your computer clean, LimeWire needs to be removed as it is known to contain spyware. Copied the rest from your post. Makes it easier to help you. :)

Logfile of HijackThis v1.99.1
Scan saved at 8:41:35 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.welshco.com/emp/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126559575796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126559564609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Incident Status Location

Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\mscornet.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 29, 2005 20:07:56
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/12/2005
Kaspersky Anti-Virus database records: 168254
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 51519
Number of viruses found: 20
Number of infected objects: 64
Number of suspicious objects: 7
Duration of the scan process: 2397 sec

Infected Object Name - Virus Name
C:\!KillBox\all_files2.exe/data0002 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar
C:\!KillBox\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.180Solutions
C:\!KillBox\all_files2.exe/data0004/data0003 Infected: not-a-virus:AdWare.Win32.Connector
C:\!KillBox\all_files2.exe/data0004/data0004 Infected: not-a-virus:AdWare.Win32.Connector
C:\!KillBox\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.Connector
C:\!KillBox\all_files2.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval.m
C:\!KillBox\all_files2.exe/data0007/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t
C:\!KillBox\all_files2.exe/data0007/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\!KillBox\all_files2.exe/data0007/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\!KillBox\all_files2.exe/data0007/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\!KillBox\all_files2.exe/data0007/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\!KillBox\all_files2.exe/data0007/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\!KillBox\all_files2.exe/data0007 Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\!KillBox\all_files2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\!KillBox\dist.exe/uptodate.exe Infected: Trojan-Downloader.Win32.Braidupdate.c
C:\!KillBox\dist.exe Infected: Trojan-Downloader.Win32.Braidupdate.c
C:\!KillBox\memorywatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q
C:\!KillBox\memorywatcher.exe Infected: Trojan-Downloader.Win32.VB.q
C:\!KillBox\td.exe Infected: Trojan-Downloader.Win32.Turown.j
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip/stcloader.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy4.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy4.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Default User\My Documents\Data\all_files2b.exe/data0002 Infected: Backdoor.Win32.Ruledor.c
C:\Documents and Settings\Default User\My Documents\Data\all_files2b.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a
C:\Documents and Settings\Default User\My Documents\Data\all_files2b.exe Infected: Trojan-Downloader.Win32.Poplite.a
C:\Documents and Settings\Default User\My Documents\Data\all_files2_at.exe/data0002 Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Default User\My Documents\Data\all_files2_at.exe Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Default User\My Documents\Data\all_files_sjb_2.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\all_files_sjb_2.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\all_files_sjb_2.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\all_files_sjb_2.exe/data0008 Infected: not-a-virus:AdWare.Win32.EZula.a
C:\Documents and Settings\Default User\My Documents\Data\all_files_sjb_2.exe Infected: not-a-virus:AdWare.Win32.EZula.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.180Solutions
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0004/data0003 Infected: not-a-virus:AdWare.Win32.Connector
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0004/data0004 Infected: not-a-virus:AdWare.Win32.Connector
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.Connector
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval.m
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0007 Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2b.exe/data0002 Infected: Backdoor.Win32.Ruledor.c
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2b.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2b.exe Infected: Trojan-Downloader.Win32.Poplite.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2_at.exe/data0002 Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2_at.exe Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files_sjb_2.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files_sjb_2.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files_sjb_2.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files_sjb_2.exe/data0008 Infected: not-a-virus:AdWare.Win32.EZula.a
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files_sjb_2.exe Infected: not-a-virus:AdWare.Win32.EZula.a
C:\Documents and Settings\Default User\My Documents\Data\memorywatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Default User\My Documents\Data\memorywatcher.exe Infected: Trojan-Downloader.Win32.VB.q
C:\Documents and Settings\Justin\Application Data\xckfgstr.exe Suspicious: not-a-virus:AdWare.Win32.Lop
C:\KeenValueInstall_with_track_117.exe Infected: Trojan-Downloader.Win32.Keenval.m
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP356\A0037016.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038318.exe Infected: not-a-virus:RiskTool.Win32.PsKill.a
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038385.exe/uptodate.exe Infected: Trojan-Downloader.Win32.Braidupdate.c
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038385.exe Infected: Trojan-Downloader.Win32.Braidupdate.c
C:\WINDOWS\SYSTEM32\mscornet.exe Infected: Trojan-Downloader.Win32.Zlob.cy
C:\WINDOWS\SYSTEM32\PMTInstaller.exe/PMTSetup.exe Infected: not-a-virus:AdWare.Win32.MDH.e
C:\WINDOWS\SYSTEM32\PMTInstaller.exe/QLSetup.exe Infected: not-a-virus:AdWare.Win32.MDH.e
C:\WINDOWS\SYSTEM32\PMTInstaller.exe Infected: not-a-virus:AdWare.Win32.MDH.e

Scan process completed.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:48:23 PM, 12/29/2005
+ Report-Checksum: 3288B13A

+ Scan result:

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\winlog.VIR -> Backdoor.Rbot.adx : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\winlog.VIR00 -> Backdoor.Rbot.adx : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\winsupdater.VIR -> Worm.VB.an : Cleaned with backup
C:\Program Files\winsupdater\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP351\A0036969.DLL -> Adware.IWon : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP356\A0037013.DLL -> Adware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP356\A0037015.DLL -> Adware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038323.hta -> Dropper.Inor.cj : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038324.hta -> Dropper.Inor.cj : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038325.hta -> Dropper.Inor.cj : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP380\A0038326.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP386\A0038512.exe -> Spyware.NavExcel : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP388\A0039406.exe -> Spyware.NavExcel : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP388\A0039407.dll -> Spyware.NavExcel : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP395\A0041169.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP395\A0041185.exe -> Backdoor.Agent.rk : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP395\A0041201.exe -> Backdoor.Agent.rk : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP395\A0042365.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP402\A0043187.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{EC862AB6-3CC6-4197-8ECD-FACA8F6A13BF}\RP402\A0043188.exe -> Backdoor.Rbot.adx : Cleaned with backup


::Report End
 
Joined
Feb 15, 2004
Messages
12,302
Thx imidiot for posting the logs!


Go here and empty out these folders; delete all the contents of these folders.


C:\Documents and Settings\Justin\Application Data\
C:\Documents and Settings\Default User\My Documents\Data


Boot to safe mode and run these through the Killbox.


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\KeenValueInstall_with_track_117.exe
C:\WINDOWS\SYSTEM32\mscornet.exe
C:\WINDOWS\drsmartload.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\SYSTEM32\PMTInstaller.exe/PMTSetup.exe
C:\WINDOWS\SYSTEM32\PMTInstaller.exe/QLSetup.exe
C:\WINDOWS\SYSTEM32\PMTInstaller.exe


Then reboot to normal mode.


Go to c:\submit and empty this folder's contents!




Go to this site and download these tools, and once you get both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot

Spybot: Search and destroy.

Delete what Spybot finds marked in red. After updating Spybot, hit the
Immunize button.

Reboot again


With CWShredder, close all browsers and programmes and select the FIX button.



Go here and download Microsoft Antispyware Beta. First, in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!



* Microsoft® Windows AntiSpyware
* Trend Micro CWShredder
* SpyBot Search and Destroy
* AdAware SE Personal


http://www.majorgeeks.com/downloads31.html


Post another log.
 

stupid moron

Thread Starter
Joined
Nov 5, 2004
Messages
71
Logfile of HijackThis v1.99.1
Scan saved at 10:13:27 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [AOL Messenger Optimized] AOLOpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.welshco.com/emp/wfica.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126559575796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126559564609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


here is a log after all the things you told me to do.
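
An added example, not part of any post in this thread: a small Python parser for the HijackThis log format shown above. It diffs the running-process lists of two logs and lists entries a reviewer would verify by hand. The embedded logs are shortened excerpts of the two logs posted here; the function names and the three review heuristics are assumptions of this example, not HijackThis features, and the flags are prompts for a manual check, not verdicts.

```python
import re
# Shortened excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\winsupdater\winsupdater.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\LimeWire\LimeWire.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE

O4 - HKLM\..\Run: [AOL Messenger Optimized] AOLOpt.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code such as R0, O4, O23

def parse_hjt(text):
    """Split a log into its running-process list and (code, detail) entries."""
    procs, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # a blank line ends the process list
        elif (m := ENTRY.match(line)):
            entries.append(m.groups())
        elif in_procs:
            procs.append(line)
    return {"processes": procs, "entries": entries}

def diff_processes(before, after):
    """Return (gone, new) process paths; Windows paths compare case-insensitively."""
    b, a = ({p.lower(): p for p in log["processes"]} for log in (before, after))
    return sorted(b[k] for k in b.keys() - a.keys()), sorted(a[k] for k in a.keys() - b.keys())

def review_entries(parsed):
    """List entries to verify by hand (assumed heuristics, not verdicts)."""
    flagged = []
    for code, detail in parsed["entries"]:
        if "(file missing)" in detail:
            flagged.append((code, "file missing"))
        elif code == "O23" and "Unknown owner" in detail:
            flagged.append((code, "unknown owner"))
        elif code == "O4" and "] " in detail and "\\" not in detail.split("] ", 1)[1]:
            flagged.append((code, "autorun without full path"))
    return flagged
```

Pasting the full text of both logs into `LOG_BEFORE` and `LOG_AFTER` gives the complete list of processes that stopped or started between the two scans.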
 
Joined
Feb 15, 2004
Messages
12,302
Clean log.


How's your computer running now? Any better?



You should now turn off System Restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




Here are some free tools to keep you from getting infected in the future.


To stop reinfection, get these two tools, SpywareGuard and SpywareBlaster,
from:


http://www.javacoolsoftware.com/downloads.html


Get the hosts file from here.



http://www.mvps.org/winhelp2002/hosts.htm


Put it into:


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



IE-SpyAd. Puts over 5000 sites in your restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm



http://www.winpatrol.com/winpatrol.html



Use Spybot's Immunize button and use SpywareBlaster's Enable
Protection once you update it. You can put Spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's Firefox browser; it's safer, has
a built-in pop-up blocker, blocks cookies and ads. Mozilla Thunderbird is also a good
e-mail client.

http://www.mozilla.org/


Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html


A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm



You can mark your own thread solved through Thread Tools at the top of
the page.
 

stupid moron

Thread Starter
Joined
Nov 5, 2004
Messages
71
Thank you, it is working MUCH!! better. One of my questions is however... which of the programs that you told me to install can I now uninstall? Thanks a bunch for your time and patience and I will mark it solved once I get your response. Thanks again.
 
Joined
Feb 15, 2004
Messages
12,302
Keep all of the tools as they are all good and use them regularly as they find and clean different threats!

You can however delete the c:\submit folder and you can delete the killbox if you wish!
 