Lots of problems!!! HijackThis log help.

hello!
My brother-in-law has all kinds of problems on his computer. Most of the time he can't go on the net or email won't work, jams, etc. I was finally able to send him HijackThis (lives 500 miles away and also a newbie) and got him to take a couple of logs to post here (I got him to delete all cookies). I got a hijack log and a startup log. I'll send him the required cleanup tools on another computer so he can burn a CD and run any tools needed.
Logfile of HijackThis v1.99.1
Scan saved at 19:14:36, on 2006-05-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\WINDOWS\System32\filereg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\eSafe\Protect\SERVNT.EXE
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\usaplug.exe
C:\PROGRA~1\RXTOOL~1\SEMANT~1\SEMANT~1.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\guy et sonia\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\PROGRA~1\eSafe\Protect\espie.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [eSafe Protect] "C:\Program Files\eSafe\Protect\ESPWatch.exe" /delay=5
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [spoolsv] C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft USA Plug] usaplug.exe
O4 - HKLM\..\RunServices: [Microsoft USA Plug] usaplug.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Microsoft USA Plug] usaplug.exe
O4 - HKCU\..\RunServices: [Microsoft USA Plug] usaplug.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://ko.bar.need2find.com/KO/menusearch.html?p=KO
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F2B67FC-D2BD-4177-B91A-C7CF7B29074A}: NameServer = 67.69.184.91 206.47.244.102
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F2B67FC-D2BD-4177-B91A-C7CF7B29074A}: NameServer = 67.69.184.91 206.47.244.102
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: eSafe Protect - Aladdin Knowledge Systems Ltd. - C:\Program Files\eSafe\Protect\SERVNT.EXE
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Here is the startup log. I'll attach it 'cause I'm not sure if you need it or not, but figured I'd include it. Thanks very much for the help.

Comments

  • SpywareShooter 127.0.0.1
    edited May 2006
    [STEP 1] A quick favor:
    Before we begin removing malware I would like to ask you a small favor. Please go to http://virusscan.jotti.org and submit the file below for analysis and post the log here. This will help complete SpywareShooter.com's HijackThis entry database.

    usaplug.exe

    [STEP 2] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
    O4 - HKLM\..\Run: [Microsoft USA Plug] usaplug.exe
    O4 - HKLM\..\RunServices: [Microsoft USA Plug] usaplug.exe
    O4 - HKLM\..\Run: [spoolsv] C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe
    O4 - HKCU\..\Run: [Microsoft USA Plug] usaplug.exe
    O4 - HKCU\..\RunServices: [Microsoft USA Plug] usaplug.exe
    O8 - Extra context menu item: &Search - http://ko.bar.need2find.com/KO/menusearch.html?p=KO

    [STEP 3] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    usaplug.exe
    C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe

    [STEP 4] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\Need2Find\
    C:\Program Files\RXToolBar\

    [STEP 5] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
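As an added example that is not part of the original thread: a triage pass over O4 autostart lines like those in the first log. The three heuristics are assumptions of this sketch, not HijackThis's or the helper's method: an executable under a Temp folder, a file name one edit away from a Windows system process name, and the same command registered under several autorun keys. The sample lines are copied from the log above; `SYSTEM_NAMES` and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [spoolsv] C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe
O4 - HKLM\..\Run: [Microsoft USA Plug] usaplug.exe
O4 - HKLM\..\RunServices: [Microsoft USA Plug] usaplug.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft USA Plug] usaplug.exe
O4 - HKCU\..\RunServices: [Microsoft USA Plug] usaplug.exe
"""

# Assumption: system process names taken from the "Running processes" list above.
SYSTEM_NAMES = ["smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe"]

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def exe_path(cmd):
    """Return the executable part of an autorun command (quoted or unquoted)."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def edit_distance(a, b):
    """Levenshtein distance, used to spot names like spooolsv.exe vs spoolsv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Map (autorun key, value name) -> list of heuristic reasons to look closer."""
    entries = [m.groups() for m in map(O4_RE.match, map(str.strip, log_text.splitlines())) if m]
    keys_by_cmd = defaultdict(set)
    for key, _name, cmd in entries:
        keys_by_cmd[cmd.lower()].add(key)
    findings = {}
    for key, name, cmd in entries:
        exe = exe_path(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\temp\\" in exe.lower():
            reasons.append("runs-from-temp")
        if any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
            reasons.append("system-name-lookalike")
        if len(keys_by_cmd[cmd.lower()]) > 1:
            reasons.append("multiple-autorun-keys")
        if reasons:
            findings[(key, name)] = reasons
    return findings


if __name__ == "__main__":
    for (key, name), reasons in triage(SAMPLE_LOG).items():
        print(f"{key} [{name}]: {', '.join(reasons)}")
```

A hit is only a reason to inspect the file further, not a verdict; legitimate software can also trip any one of these checks.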
  • edited May 2006
    Thanks very much for the help.
    I'll be able to submit that file and follow all of your instructions tomorrow night when I talk with him on the phone. Just to be sure, the file to upload is the
    usaplug.exe
    C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe correct? Again, thank you very much.
  • edited May 2006
    Hello! I've completed the steps you gave me. I've been trying to upload the file to the address given but the server is too busy. Will keep trying until I succeed. Here is a log of hijack that I took. He told me that he's noticed a very big improvement up to now. I had also run Spybot and Lavasoft before doing all this. Thanks again for the help.

    Logfile of HijackThis v1.99.1
    Scan saved at 16:36:14, on 2006-05-26
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\anvshell.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\usaplug.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\eSafe\Protect\SERVNT.EXE
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Documents and Settings\guy et sonia\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\PROGRA~1\eSafe\Protect\espie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [eSafe Protect] "C:\Program Files\eSafe\Protect\ESPWatch.exe" /delay=5
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: eSafe Protect - Aladdin Knowledge Systems Ltd. - C:\Program Files\eSafe\Protect\SERVNT.EXE
    O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • edited May 2006
    I've just completed uploading the file and scanned with all antivirus and none of them have found anything. In other words, none of those antivirus can detect that particular virus, correct? Thanks again for the help.
  • SpywareShooter 127.0.0.1
    edited May 2006
    That is correct. Can you please send the file (preferably in a .zip compressed folder) to my email address at spywareshooter@yahoo.com? I would like to be able to continue performing research on this file as it appears to be suspicious, but after it is sent I am going to ask that you delete the file.

    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

    [STEP 2] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\RXToolBar\

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
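As an added example that is not part of the original thread: a check of a follow-up log against the previous round's fix list. It reports fixed entries that are still listed, and removal targets that still show up as a running process or inside another entry. The inputs are lines copied from this thread (an abridged round-one fix list, the files and folders from its steps 3 and 4, and an excerpt of the 2006-05-26 log); the function names are hypothetical.

```python
import re

# Constructed inputs, copied from the thread above (abridged).
FIX_LIST = r"""
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O4 - HKLM\..\Run: [Microsoft USA Plug] usaplug.exe
O4 - HKLM\..\Run: [spoolsv] C:\DOCUME~1\fred\LOCALS~1\Temp\spooolsv.exe
"""
TARGETS = ["usaplug.exe", "spooolsv.exe",
           "C:\\Program Files\\Need2Find\\", "C:\\Program Files\\RXToolBar\\"]
FOLLOW_UP = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\usaplug.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
"""

ENTRY_RE = re.compile(r"^([ORF]\d+) - ")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, line) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif m:
            entries.append((m.group(1), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def verify_cleanup(fix_list, targets, follow_up):
    """Return (fixed entries still listed, {target: [(where, line), ...]})."""
    processes, entries = parse_log(follow_up)
    listed = {line for _code, line in entries}
    still_listed = [l.strip() for l in fix_list.splitlines() if l.strip() in listed]
    remnants = {}
    for target in targets:
        # Case-insensitive substring match; 8.3 short paths (PROGRA~1) would
        # need expanding first, which this sketch does not attempt.
        t = target.lower()
        hits = [("process", p) for p in processes if t in p.lower()]
        hits += [(code, line) for code, line in entries if t in line.lower()]
        if hits:
            remnants[target] = hits
    return still_listed, remnants


if __name__ == "__main__":
    still, left = verify_cleanup(FIX_LIST, TARGETS, FOLLOW_UP)
    print("entries still listed:", still)
    for target, hits in left.items():
        for where, line in hits:
            print(f"remnant of {target} in {where}: {line}")
```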
  • edited May 2006
    Hello!
    I'm sorry but it's too late; after I uploaded the file to the specified address I deleted it, so I'm unable to send it to that email. I will get him to delete the other entries and will repost back in when done. Just wanted to add that the RX toolbar entry came back by itself 'cause I deleted it before; but this time I'll try deleting the folder in safe mode and see if it'll stay gone. Thanks again for your help. When completed above steps I'll post back his hijack log.
  • edited May 2006
    OK, above steps completed; here is the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 08:16:40, on 2006-05-27
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\anvshell.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\eSafe\Protect\SERVNT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\guy et sonia\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: EspIEObj Class - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\PROGRA~1\eSafe\Protect\espie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [LiveNote] livenote.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [eSafe Protect] "C:\Program Files\eSafe\Protect\ESPWatch.exe" /delay=5
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F2B67FC-D2BD-4177-B91A-C7CF7B29074A}: NameServer = 67.69.184.91 206.47.244.102
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0F2B67FC-D2BD-4177-B91A-C7CF7B29074A}: NameServer = 67.69.184.91 206.47.244.102
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: eSafe Protect - Aladdin Knowledge Systems Ltd. - C:\Program Files\eSafe\Protect\SERVNT.EXE
    O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    Thanks very much again for the help.
  • SpywareShooter 127.0.0.1
    edited May 2006
    [STEP 1] Run Additional Tools:
    Your HijackThis log shows no more signs of executable malware. However, this does not mean that your system is completely clean. In order to make sure that all remaining pieces of this malware have been removed, it is recommended that you download and scan with Ewido Anti-Malware. Please do an Ewido scan and post the log here:

    Download Ewido

    [STEP 2] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited May 2006
    Here are the logs. I ran Spybot and Lavasoft and Ewido again and they all found stuff again. I included the Ewido and hijack scan. I believe that the spoool file is back and was taken out by Ewido, by looking at the scan, or it took out the last traces of it. It would be a backdoor.Sdbot.567 I think, from the log. Tomorrow I'll verify if that file is back and run xoftspy to see if it finds anything (I did a Google search and came up with xoftspy to remove), so I'll try that until I hear from you again. Thanks very much and waiting for further instructions.
  • SpywareShooter 127.0.0.1
    edited May 2006
    [STEP 1] Run Additional Tools:
    Your HijackThis log shows no more signs of executable malware. However, this does not mean that your system is completely clean. In order to make sure that all remaining pieces of this malware have been removed, it is recommended that you download and scan with Ewido Anti-Malware. Please do an Ewido scan and post the log here:

    Download Ewido

    [STEP 2] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited May 2006
    Hello again,
    Ran Ewido and found nothing this time, then took another hijack scan which I'll attach. All system is much quicker now and seems to work good except for Windows updates, which don't seem to want to download. He says it says downloads complete; he restarts, goes back to verify his updates and has to start all over again. Would this be because something may have been deleted regarding the Windows updates and will now have to reinstall Windows XP? Thanks again.
  • SpywareShooter 127.0.0.1
    edited May 2006
    I have this problem on one of my old computers running Windows ME. I am not sure of the cause of this, but I do not believe that it is spyware related. You may have better luck getting help with that in the Windows Operating System forum.
  • SpywareShooter 127.0.0.1
    edited May 2006
    Your log is now clean!

    As precautionary measures for the future, please follow these steps to ensure that your computer stays clean and secure:
    1. Always have AntiVirus software running - Having an AntiVirus is very important and can protect you in the future from all kinds of viruses, spyware and other malicious software.

    2. Keep your AntiVirus program updated - Without having an updated AntiVirus program you will be susceptible to any form of new malware as it is released. If your AntiVirus software has the option of Automatic Updates you should enable it. If not, visit the producer's website at least once a week and download any updates for the product.

    3. Use a Firewall - Using a firewall is essential in the Internet today. Having one at default settings will block intruders from accessing your computer and can block new programs from installing without your consent.

    4. WindowsUpdate - Make sure that you keep your computer updated by visiting windowsupdate.com (http://www.windowsupdate.com) weekly, and downloading any critical updates. Many of these updates are against hackers and malware installations. Without all critical updates you will be susceptible to many of the spyware creator's tricks to get you to install their software. Download and install all critical updates and reboot your computer. Continue this until all critical updates have been installed.

    5. Anti-Spyware Software - Spybot - Search & Destroy and Ad-Aware SE

      Both of these programs are free and recommended by many anti-spyware professionals. You should download them from the links below, keep them updated, and scan weekly.

      Spybot - Search & Destroy
      Ad-Aware SE Personal Edition 1.06
      *Note: Please read my article here about false positives in Spybot - Search & Destroy.

    6. Secure Internet Explorer - Spyware Shooter is a free program which I developed for the cause of blocking malicious websites from installing spyware onto your computer. Please check for updates weekly and download any new releases to make sure that you are safe against newly-discovered websites.

      Spyware Shooter home page



    How to say "thanks":
    1. Donations are not accepted - At Short-Media we do not accept donations. If you have found this website helpful, you can contribute in the following ways.
    2. Stick Around - Without users like you, Short-Media would not be as successful as it is today. One way you can thank us is to stick around the forums. Even if you are not a computer professional you can learn by reading past topics in the forums, or if you do not feel comfortable helping, there are a few forums for non-computer-related topics.
    3. Refer Friends - If you know anyone who is having problems with their computers, or just needs a place to chill online, they would make a great addition to the Short-Media community.
    4. Fold! - Folding is a safe and easy way to help find a cure for fatal diseases such as Alzheimer's. You can learn more about folding at the topic "Everything About Folding@Home" (http://www.short-media.com/forum/showthread.php?t=3)
  • edited May 2006
    Thanks very much for all the help in cleaning this. He's been having a real hard time with it for a long time. As for the Windows problems, I've been reading on it and will try those fixes tomorrow and see what happens. If not I'll get him to do a Windows repair, and if not, format, that's all. I'll get it going either way. But I appreciate all the help received. My hat's off to you all. Thanks
This discussion has been closed.