Extremely puzzling/weird/hard to explain problem?


Part 2

[1].txt
C:\Documents and Settings\Owner\COOKIES\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
[1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt

[2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][4].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][5].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\INSTALL.DAT
C:\DOCUMENTS AND SETTINGS\TEMP\APPLICATION DATA\INSTALL.DAT

Adware.OneStepSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0449909.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450905.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450906.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450907.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450912.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450927.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450928.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP956\A0450929.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0479739.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480729.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480730.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP959\A0480731.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487824.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487825.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP962\A0487826.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503149.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503150.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP963\A0503151.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517594.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517835.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517836.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP967\A0517837.EXE

Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP974\A0526011.EXE

Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP974\A0526525.DLL

Adware.Unknown Origin
C:\WINDOWS\SHOPPING.ICO

Adware.TrustInCash
C:\WINDOWS\SPYWAREREMOVAL.ICO

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HGJLM.BAK2
C:\WINDOWS\SYSTEM32\HGJLM.INI
C:\WINDOWS\SYSTEM32\LNNMP.INI2
C:\WINDOWS\SYSTEM32\PQTSS.BAK1
C:\WINDOWS\SYSTEM32\PQTSS.BAK2
C:\WINDOWS\SYSTEM32\PQTSS.INI

Trace.Known THREAT Sources
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7ERMBC7\upgrade[3].cab


On an additional note, the anti-virus program I downloaded was Avira AntiVir, and it kept finding many copies of viruses in a directory called C:\System Volume Information\_restore (then some .dll or .exe file). In AntiVir most were called "Dldr.ConHook.Gen".

Thanks again for the help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:52 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Quote

it kept finding many copies of viruses in a directory called C:\System Volume Information\_restore

I think that Dr Web and SAS took care of all of those.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {505E4416-251E-403D-91D8-0ACD8A79BAE7} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

The HJT log looks fine now, except that Java needs to be updated.

How is everything now?

I updated the Java and fixed that log in HJT. When I restarted I double checked to make sure it wasn't there again in HJT, and it wasn't. The only problem is that after all of this nothing seems fixed; things just run a bit more smoothly.

Let's finish up with the malware removal steps. There will be more at the bottom of this post that you can try.

This is a good time to clear your infected system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and click Next.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Next to System Restore click Clean up...
This will remove all restore points except the new one you just created.

Here are some great tools to help you keep from getting infected again.

Spybot SEARCH & Destroy - A safe and effective spyware scanner.
* Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also STOP certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It cannot be stressed enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.
* Why would I consider a third party firewall?
* Understanding and Using Firewalls

UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
* Help with Windows updates

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
  • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.
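As an added, defender-side example that is not part of this thread and not code from any of the scanners mentioned in it: a small Python triage script for a detection listing in the shape of the one pasted earlier (a category heading, then one full path per line, blank line between groups). It sorts each hit by where it lives, which is what decides the clean-up step. Copies under System Volume Information\_restore are dormant files saved in old restore points, which is why purging those points, as advised above, is the right fix for them; entries under Cookies are tracking cookies; only items under the Windows directory or the user profile deserve a second look after clean-up. The sample listing is constructed with placeholder cookie names and a placeholder restore GUID, and the "Adware.Tracking Cookie" heading is assumed, since the start of that section is cut off in the post.

```python
"""Triage a category/path detection listing by file location.

Added example, not part of the original thread. Log shape taken from the
post: a category heading line, then one full path per line. The sample
below is constructed (placeholder cookie names and restore-point GUID);
the "Adware.Tracking Cookie" heading is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@example-tracker[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@example-ads[2].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\INSTALL.DAT

Adware.OneStepSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{PLACEHOLDER-GUID}\RP956\A0449909.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{PLACEHOLDER-GUID}\RP959\A0479739.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HGJLM.INI
C:\WINDOWS\SYSTEM32\PQTSS.BAK1
"""

# A line that starts with a drive letter and backslash is a path; anything
# else that is not blank is taken as the heading of the next category.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_detections(text):
    """Return a list of (category, path) pairs from the listing."""
    detections = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            detections.append((category or "(uncategorised)", line))
        else:
            category = line
    return detections


def classify_location(path):
    """Bucket a path by what its location implies for clean-up."""
    p = path.lower()
    if "\\_restore{" in p:
        return "restore-point copy"      # dormant; removed by purging restore points
    if "\\cookies\\" in p:
        return "tracking cookie"         # no code; just delete the cookie
    if "\\temporary internet files\\" in p:
        return "browser cache"           # downloaded, not necessarily run
    if "\\windows\\" in p:
        return "windows directory"       # possibly an active component
    return "user profile"                # possibly an active component


def summarise(text):
    """Map each detection category to a count of hits per location class."""
    summary = defaultdict(lambda: defaultdict(int))
    for category, path in parse_detections(text):
        summary[category][classify_location(path)] += 1
    return {cat: dict(counts) for cat, counts in summary.items()}


def still_active(text):
    """Hits outside restore points, cookies and the browser cache: the ones
    worth re-checking after clean-up, because they may still be loaded."""
    keep = {"windows directory", "user profile"}
    return [(c, p) for c, p in parse_detections(text)
            if classify_location(p) in keep]


if __name__ == "__main__":
    for category, counts in summarise(SAMPLE_LOG).items():
        print(f"{category}: {counts}")
    for category, path in still_active(SAMPLE_LOG):
        print(f"re-check: {category} -> {path}")
```

Run it as-is to see the constructed sample triaged, or paste a real listing into `SAMPLE_LOG`. On the sample, the two OneStepSearch hits come out as restore-point copies, the two cookie hits as tracking cookies, and only INSTALL.DAT and the two Vundo files in SYSTEM32 are flagged for a second look.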

