My computer is a mess - please HELP!
fmueller
Auckland, NZ Icrontian
OK, maybe about a year ago I had a major spyware and virus infestation on my machine. I downloaded a raft of anti-spyware and anti-virus software and tried to clean the mess up. I also contacted a guru in a similar forum as this one, and after a lot of hard work we cleaned the whole thing up - except for one pesky file that just would not go away but kept on changing names and cropped back up again. After a couple of weeks other things took priority over the computer trouble, and I gave up. Since I had that troublemaker on the machine anyhow, I never bothered keeping my virus and spyware protection up to date. Well, as you might expect things gradually deteriorated, and a few days ago things finally came to a grinding halt, forcing me to tackle the issue once again. I am hoping that this time up to date software will be able to fix that old problem as well as getting rid of any new bugs I might have caught - of which there seem to be many!
I have read many of the stickies in this forum, and have followed the instructions in 'Read Here First Before Posting A HijackThis Log!'.
Step 1: Clean out your temporary internet files and temp files
Done that.
Step 2: Scanning with Ad-Aware and SpyBot Search & Destroy
Done that.
Step 3: Scanning your computer for malware with online scans
Panda Active Scan:
Incident Status Location
Adware:Adware/ClkOptimizer Not disinfected c:\winnt\system32\yqrkwy.exe
Virus:Trojan Horse.AP3 Disinfected Operating system
Adware:Adware/ClkOptimizer Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe
Adware:adware/afaenhance Not disinfected c:\winnt\system\QBUninstaller.exe
Adware:adware/cws.searchmeup Not disinfected c:\winnt\system32\bose.ico
Spyware:spyware/safesurf Not disinfected c:\winnt\system32\InstallerV3.exe
Adware:adware/weirdontheweb Not disinfected C:\Documents and Settings\Frank Mueller\Favorites\WeirdOnTheWeb.url
Adware:adware/bookedspace Not disinfected c:\winnt\cfgmgr52.ini
Spyware:spyware/apropos Not disinfected c:\program files\Aprps
Adware:adware/pacimedia Not disinfected Windows Registry
Adware:adware/neededware Not disinfected Windows Registry
Adware:adware/novo Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/xplugin Not disinfected Windows Registry
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies-1.txt[.xiti.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.com.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.belnk.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/Netster Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[lb3.netster.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[server.iad.liveperson.net/hc/63152693]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Frank Mueller\Application Data\Mozilla\Firefox\Profiles\hwy7102z.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Frank Mueller\Cookies\frank [email]mueller@ad.yieldmanager[1].txt[/email]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Frank Mueller\Cookies\frank [email]mueller@burstnet[2].txt[/email]
Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\Frank Mueller\Local Settings\Temp\tm37254.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\CxtPls.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Virus:Trojan Horse.AP3 Disinfected C:\WINNT\Downloaded Program Files\cskware.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINNT\system32\P2P Networking v124.cpl
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\WINNT\system32\psexec.exe
Adware:Adware/ClkOptimizer Not disinfected C:\WINNT\system32\qgbvp.dat
Bit Defender Scan:
BitDefender Online Scanner - Real Time Virus Report
Generated at: Mon, Jul 10, 2006 - 16:05:56
Scan Info
Scanned Files
152553
Infected Files
4
Virus Detected
Trojan.Downloader.Qoologic.AI
3
Trojan.Qoologic.24576.DLL
1
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
Kaspersky Scan:
KASPERSKY ONLINE SCANNER REPORT
Monday, July 10, 2006 9:17:05 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/07/2006
Kaspersky Anti-Virus database records: 193944
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 39598
Number of viruses found: 12
Number of infected objects: 52 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:03
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0002.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0003.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0004.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0005.VBN Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0006.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0007.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80000.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80001.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80002.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80003.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80004.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80005.VBN.mwt Infected: Backdoor.Win32.SdBot.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04680000.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04700001.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\047C0001.VBN.mwt Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05000000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05340000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\055C0000.VBN.mwt Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05A40000.VBN Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05D40000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe Infected: Trojan-Downloader.Win32.Qoologic.ai skipped
C:\Documents and Settings\Frank Mueller\Application Data\Microsoft\Vorlagen\Normal.dot Object is locked skipped
C:\Documents and Settings\Frank Mueller\Application Data\Microsoft\Word\AutoRecovery save of Letter to Homini Ridge Lodge.asd Object is locked skipped
C:\Documents and Settings\Frank Mueller\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\History\History.IE5\MSHist012006071020060711\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\offA.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\offB.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\tm37254.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF32B4.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF34A2.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF65A5.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF65C2.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~DF9953.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~WRF2549.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temp\~WRS2577.tmp Object is locked skipped
C:\Documents and Settings\Frank Mueller\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank Mueller\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frank Mueller\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Aprps\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\libexpat.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\ProxyStub.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\uninstaller.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Aprps\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\cxtpls_loader.exe Infected: Trojan-Downloader.Win32.Apropo.ae skipped
C:\WINNT\system32\kvdcfkk.exe Infected: Trojan-Downloader.Win32.Small.ctw skipped
C:\WINNT\system32\qspaeqq.dll Infected: Trojan-Downloader.Win32.Qoologic.bi skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
E:\Frank\Letter to Homini Ridge Lodge.doc Object is locked skipped
E:\Program Files\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped
Scan process completed.
Step 4: Getting a Firewall
It would seem to make more sense to do this after I get things a bit more under control, no?
Step 5: Getting an Anti-Virus program!
Same as 4?
Step 6: Protecting yourself with Windows Update
I am running Windows 2000 Professional with everything up to SP4 installed. I am reluctant to move to XP because I have lots of old hardware installed (flatbed scanner, film scanner, laser printer, inkjet printer, etc) that might or might not be compatible.
Step 7: Downloading HijackThis and creating a log!
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:47 PM, on 10/07/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
E:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\NavNT\rtvscan.exe
E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
E:\Program Files\LiquidView\lviewj.exe
E:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\System32\MsgSys.EXE
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\WorldTime\WorldTime.exe
C:\winnt\System32\wuauclt.exe
E:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LiquidView] E:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run
O4 - HKCU\..\Run: [X-Cleaner Freeware] "E:\PROGRA~1\X-CLEA~1\XCLEAN~3.EXE" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: World Time.lnk = E:\Program Files\WorldTime\WorldTime.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - E:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
Step 8: Creating your thread
Voila!
I realize that the helpers here are all volunteers, and really appreciate you guys' efforts in helping others out. If it means anything to you, I do the same on various photography and aquaristic related forums, and if any of you need advice on photography (old manual focus SLRs all the way to modern DSLRs) or various types of cichlids, I'd be happy to return the favour.
Also, I can guarantee you that this isn't a request by one of those paranoid folks who really have no problem with their computer, but get a kick out of having others look through HijackThis logs. This one here is going to be a real challenge, but as the old German saying goes: 'Viel Feind, Viel Ehr!' :bigggrin:
Many thanks!
Frank
Comments
Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Finally post a new HijackThis log, the contents of the Qoofix logfile and the contents of C:\Look2Me-Destroyer.txt.
One of my Sydney night shots :ausflag:
Anyhow, here are the scan reports:
Qoofix
Look2Me
Hijackthis
Again, many thanks for your help!
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5.
===============
Can you please do the following once rebooted;
Scan with HiJackThis, then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run
O15 - Trusted Zone: http://www.neededware.com
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Reboot.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
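The cross-check the helper did by hand above (the O4 "winsync" entry points at the very file Panda flagged as ClkOptimizer, and the O15 entry matches the "neededware" detection), written out as an added example; this is my own script, not code from the thread, HijackThis or Panda. The sample lines are constructed from the reports posted above, and the rule set, `parse_panda` and `review_hjt` are my own naming and assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines from the Panda ActiveScan report and the
# HijackThis log posted in this thread, plus known-good lines for contrast.
PANDA_REPORT = r"""Incident Status Location
Adware:Adware/ClkOptimizer Not disinfected c:\winnt\system32\yqrkwy.exe
Adware:Adware/ClkOptimizer Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwgi.exe
Virus:Trojan Horse.AP3 Disinfected C:\WINNT\Downloaded Program Files\cskware.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\CxtPls.exe
Adware:adware/neededware Not disinfected Windows Registry
"""

HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\winnt\System32\yqrkwy.exe reg_run
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
"""

# Panda lines read "<detection> <status> <location>"; the detection name may contain spaces.
PANDA_RE = re.compile(r"^(?P<kind>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# HijackThis entry shapes used here (assumed from the log format shown in the thread).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:"|\s|$)', re.I)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+),(?P<value>\w+) = (?P<data>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def parse_panda(text):
    """Return ({lower-cased file path: detection}, {lower-cased detection names}).

    Only entries the scanner could NOT clean are kept as file paths; registry-only
    hits ("Windows Registry", "Operating system") contribute their name only.
    """
    files, names = {}, set()
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        names.add(m["kind"].lower())
        loc = m["location"].strip()
        if m["status"] == "Not disinfected" and DRIVE_PATH.match(loc):
            files[loc.lower()] = m["kind"]
    return files, names


def review_hjt(hjt_text, panda_text):
    """Flag HijackThis entries that correlate with the scanner report or are hijack leftovers."""
    files, names = parse_panda(panda_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            # Autostart whose executable is a file the scanner flagged but could not remove.
            e = EXE_RE.match(m["cmd"])
            if e and e["exe"].lower() in files:
                findings.append(Finding(line, f"autostart [{m['name']}] runs a file Panda flagged as {files[e['exe'].lower()]}"))
        elif m := O15_RE.match(line):
            # Any site added to the IE Trusted Zone is worth a look; note if its name
            # also shows up in a scanner detection (e.g. neededware).
            host = re.sub(r"^\w+://", "", m["site"]).strip("*.").split("/")[0]
            labels = [lab for lab in host.lower().split(".") if len(lab) >= 5]
            hit = next((n for n in names for lab in labels if lab in n), None)
            reason = "site added to the IE Trusted Zone"
            if hit:
                reason += f"; name matches scanner detection {hit}"
            findings.append(Finding(line, reason))
        elif m := R1_RE.match(line):
            if m["value"] == "SearchURL" and m["data"].strip().lower() == "about:blank":
                findings.append(Finding(line, "IE SearchURL reset to about:blank (hijack leftover)"))
    return findings


if __name__ == "__main__":
    for f in review_hjt(HJT_LOG, PANDA_REPORT):
        print(f"{f.line}\n    -> {f.reason}")
```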
HiJackThis Report
Many thanks!
Frank
===============
We'll need to unload Spybot's Teatimer before we begin. To do this can you start Spybot and go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit". Do not forget to re-enable it when we are done.
===============
Scan with HiJackThis, then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
I was about to doubt my sanity when I eventually worked out that I had to be in the 'advanced mode' of Spybot before I can even see the tools menu :banghead:
HiJackThis Report
Please let me know how your pc is now.
Well, it sure runs a lot better than before we started - many thanks! - but Windows Media Player still autostarts after each reboot and displays some advertising garbage, which indicates that not all is clear quite yet. Also, the machine takes unusually long to shut down, and displays 'saving settings' for what seems like forever. The latter could be due to lack of space on the C: partition of my hard drive though, which is the next problem I'll have to tackle.
Perhaps 1st you should get service pack 4 for W2K. That may well fix up what problems you are still having.
That's a relief. Many thanks! Your help is really very much appreciated!
WMP could just need uninstalling then reinstalling.
Perhaps 1st you should get service pack 4 for W2K. That may well fix up what problems you are still having.
Hmm, I was under the impression that I had SP4 already, and recently did one of those automatic Windows updates. However, I can see that HiJackThis detects only SP3. When I go into the control panel, add/remove programs, it looks like a mess:
Is it supposed to look that way or what's going on?
Frank
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.mspx
I just wanted to say thanks for all your help! This forum is awesome!
As recommended by you and in the sticky thread I was following, I have installed SP4 and replaced my old anti-virus/spyware software with a combination of Zone Alarm, AVG and Ewido. I also uninstalled then reinstalled WMP9, but unfortunately it began autostarting after each boot as soon as I re-installed 9. Not a big issue though.
Currently I am working on re-partitioning my drive with help of the good guys in the storage forum (http://www.short-media.com/forum/showthread.php?t=48125).
Already my machine is running better than it has been in years!
:celebrate
==
Now that your PC is clean you need to follow these easy steps to keeping it this way:
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.
Install and keep updated Ewido anti-malware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the manufacturer's recommendations.
Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to do this are here.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
-
Happy surfing,
crunchie.
I found this at: http://www.zachd.com/pss/pss.html (WMP9, question 13). It seems to deal directly with my WMP problem, but I have no idea how 'to use MSConfig to figure out where WMP is being loaded at, and turn it off'.
When you reboot you will get a popup window saying that you are in selective startup. Tick the box and click ok.
Done.
When I do this, I get an error message: "Cannot find the file 'msconfig' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."
So I went ahead and did a search for msconfig in Windows Explorer. It appears to be on the desktop. Surely that's not the place where a system file like this would usually be.
Not really. Here is what the Startup Tab looks like:
This Trojan messed up my machine pretty good, and I am starting to worry that there are still parts of it on there.
Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
I am off to bed now, but I will take a quick look before I leave for work in about 7 hours' time.
Many thanks for your continued assistance!
Here is the Silent Runners report:
Reboot when done and post another silent runners log. Let me know if wmp still starts at startup.
Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.
Done that and wmp still starts at startup.
Silent Runners report:
When I click on 'Restore Microsoft's Original Host File' I get an error message: ERROR: Cannot create file C:\winnt\system32\DRIVERS\ETC\hosts
I've never had a custom host file - or at least not unless the spyware created it.
You can also try this in safe mode.
All browser windows were definitely closed when I performed the recommended actions. BTW - I am using Firefox and sometimes Opera, almost never Internet Explorer, in case that matters.
OK, I just 1. booted the computer in safe mode, 2. ran fixme.rag, 3. ran Hoster.exe (received no error message this time), 4. ran Silent Runners.vbs,
Silent Runners report:
5. rebooted the machine into standard mode, 6. ran Silent Runners.vbs again.
Silent Runners report:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]
If they do and you are comfortable with fiddling in the registry, navigate to the ...\Run key and delete those two entries.
If you cannot delete them there is still something else we can do.
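To show what the reviewer is doing by eye above, here is an added example (my own code, not part of this thread or of the Silent Runners tool) that parses the registry Run-key section format quoted in the log and flags entries worth reviewing: targets marked "[file not found]", anything under the unusual Policies\Explorer\Run key, and files not tagged "[MS]". The "Synchronization Manager" line in the sample is a constructed benign entry used as a control.

```python
"""Flag suspicious autostart entries in a Silent Runners-style log (added example)."""
import re

# Matches value lines such as:  "name" = "C:\path\file.exe" [MS]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*(?:\[(?P<tag>[^\]]*)\])?')

# Autostart locations where a legitimate entry is rare; Policies\Explorer\Run is
# the key that held wmplayer.exe and vyepp.exe on the machine in this thread.
UNUSUAL_KEYS = ("Policies\\Explorer\\Run",)


def parse_autostarts(log_text):
    """Return (key, name, path, tag) tuples for every value line under a key header."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.upper().startswith("HK"):                 # registry key header line
            current_key = line.replace("{++}", "").strip()
            continue
        m = ENTRY_RE.match(line)
        if m and current_key:
            entries.append((current_key, m["name"], m["path"], m["tag"] or ""))
    return entries


def suspicious_entries(log_text):
    """Return [(name, path, [reasons])] for entries a reviewer should look at."""
    findings = []
    for key, name, path, tag in parse_autostarts(log_text):
        reasons = []
        if tag == "file not found":
            reasons.append("target file missing (leftover persistence entry)")
        if any(u.lower() in key.lower() for u in UNUSUAL_KEYS):
            reasons.append("unusual autostart location: " + key)
        if tag not in ("MS", "file not found"):
            reasons.append("not marked [MS]; verify the publisher")
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Constructed sample: the Policies\Explorer\Run block quoted in the thread plus one
# ordinary Run entry (made up for this example) that must not be reported.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
"vyepp" = "C:\WINNT\System32\vyepp.exe" [file not found]
"""

if __name__ == "__main__":
    for name, path, reasons in suspicious_entries(SAMPLE_LOG):
        print(name, path, "; ".join(reasons), sep=" | ")
```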
I think we managed to solve that problem! Getting rid of Ewido didn't help, and I was initially unsure how exactly to delete the two entries from the registry. Eventually, while looking for something else, I discovered that I had a program called Registrar Lite on my machine, which made things pretty easy. I deleted both entries, and they have not come back after a reboot. A new Silent Runners log is at the end of this post. Many thanks!
Let me ask you two more questions:
1. Ewido does not seem to be starting up automatically after a reboot, or at least there is no corresponding icon in the system tray unless I manually start it up. What's the easiest way to ensure it autostarts?
2. Windows currently can't see my DVD-RW drive. It's a NEC ND-1300A. Sorry, I only noticed this now since I very rarely use the thing, but wanted to make a system backup before re-partitioning my drive. I suspect this might have come about as part of the virus cleanup or when I installed SP4.
NEC says about the thing (http://www.de.nec.de/print_faq.php?id=1341):
The problem is, however, that not only a particular burning software does not see the thing, but Windows Explorer does not see the drive either, and I can't even play an audio CD in it.
I used the add/remove hardware wizard to uninstall the thing, and windows immediately found and reinstalled it upon reboot, but the problems persist.
Any suggestions what I could do?
Try the advice given here http://www.networkclue.com/os/Windows/commands/sfc.aspx to see if that repairs any corrupted files.
The SR log looks clear now. Does WMP still auto start?
I didn't know about the Ewido 14 day trial period. Thanks for pointing that out!
WMP does no longer autostart since I manually deleted those two entries in the registry. Sorry if my earlier post was a little unclear about that.
Following your advice regarding the SFC might prove difficult - ie if I need to insert the Windows CD I am stuck, because currently I don't have a CD drive :bawling:
I have a feeling that I need to move quickly on backing up my system and attempting a re-partitioning of my drive, because after all the messing around I have only 50MB left on the C-drive, which is horribly fragmented. Processes are slowing down badly despite the absence of viruses and spyware, and I am pretty certain that's caused by this drive being too full and in a mess.
Greetings
Frank