That's ok, we will run another tool a little later(same one showed up on little sisters account) that is a 15 day trial that is awesome for getting rid of hard to find things. Other than that the Panda log is clean except for cookies and we will get all those later, they are basically harmless.
Yeah, this is the last user account (Andrew) HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 09:34:01, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\HijackThis\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.f9.net.uk/index_nlp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStim e.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbscoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.
Nothing open but hijackthis and click fix checked.
Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.
Run CWShredder and click on fix
Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start
Now run a Panda scan over this account and post that log please
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them(ONLY ONE) and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\DOWNLOADED PROGRAM FILES\EGAUTH.inf
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click NO at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Hi, i have done the above and no problems arose as far as i could tell. I think the computer is running fine but i only knew there was a problem before when i tried to open a downloaded file otherwise i wouldnt have known i had problems.
I know you didnt ask for me to do a panda scan but i thought i would. I ran it on my account and it wasnt clean on the dialers, hacking tools and spyware (see attachment). But at least that previous dialer seems to be gone now. Thankyou.
That entry is left over registry clutter, everything is cookies and harmless.
Run Ewido in safe mode over each separate account, that will clean cookies.
Also download and run this tool called CounterSpy over each account and you should be good to go. I do not need to see the log from either one just let me know how it is running now after counterspy and ewido from safe mode.
Hi, i ran the ewido scan over every account. Then i did the counter spy where alot of infected files were found. When the scan finished none of the files, registry entries or cookies appeared in the quarrantine section! I couldnt erase anything. When i double clicked where the list of infected things should be a runtime error appeared: runtime error '340' control array element '1' doesnt exist. Im sorry about this, im not sure what i have done.
Anyway i though i would do it manually and deleted the infected files - they obviously looked dodgey and so i felt it was safe to do that. Then with the registry entries i thought i should check with you if it is ok to delete it manually - it all looks like they should go but it looks more risky -i dont know why .
Anyway I have made an attachment of the infected registry entries and cookies. So, shall i delete those manually?
Again thanks for your help, im sorry it is taking so long.
As i explained in my post above counterspy wont delete anything! None of the infected files show up in the quarantine/results section therefore meaning i cannot delete anything!! When i click on the blank page a runtime error occurs and shuts down the program! Thats why i was asking if i can manually delete the infected registry entries.
Basically while scannning it shows what is infected and everything is working fine then when it is finished the scan result page comes up blank (zero is put against time it took scan, how many files it scanned, how many infected files etc.). Then when i press ok the quaratine section is blank - what am i meant to do?
Shall i uninstall the program and then reinstall it?
Dedicated Member
.
