I have Windows 2000 Professional and a project 1 program keeps interrupting everything I do. I have tried several actions to remove it and it always comes back. Here is my HijackThis post:
Logfile of HijackThis v1.99.1
Scan saved at 03:27:03 p.m., on 01/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\lsiss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\WINNT\loadqm.exe
C:\Documents and Settings\isaura_corula\Escritorio\win\winampa.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
Install Ewido Anti-Malware.
Launch Ewido; there should be an icon on your desktop, double-click it. The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido. ewido manual updates
Click My Computer, then C:\ In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "BFU"
Right-click http://metallica.geekstogo.com/alcanshorty.bfu and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Do not run the Uninstaller and the Remover yet.
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only
Please reboot into Safe Mode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers).
Use the arrow keys to highlight Safe Mode and press the Enter key.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run full scan with Ewido
Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions
Once finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop). Close ewido security suite.
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe
In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program.
It appears as though you are running 2 anti-virus programs at the same time. That can cause conflicts on a system, and take up system resources. You should remove one of them from Add/Remove Programs in Control Panel.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Thank you Touch! Sorry I delayed. I just followed all the steps and it seems the project 1 is still there. I couldn't run ewido in safe mode without a LAN connection, so I ran it connected in safe mode, and I don't know if that might be the reason the bug is still alive. Here are my ewido and hijackthis logs:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:07:00 a.m. 08/09/2006
Logfile of HijackThis v1.99.1
Scan saved at 10:20:14 a.m., on 08/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\lviss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\WINNT\loadqm.exe
C:\Documents and Settings\isaura_corula\Escritorio\win\winampa.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\dfndrff_16.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINNT\explorer.exe
C:\Archivos de programa\Network Monitor\netmon.exe
C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\command.exe
C:\WINNT\system32\taskmgr.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)
Close the program.
Download and install: http://www.filehippo.com/download_ccleaner/
For a basic version of CCleaner with no Yahoo Toolbar, select the second or third install option as follows:
Even if you selected Option 2 or 3, if you do not want the Yahoo Toolbar installed: Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup.
1. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer" section. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users to log in.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.
In the Applications Tab:
Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
4. Then click the "Run Cleaner" button and it will scan and clean your system. Click exit.
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now". It will first make a quick scan of your system, let it clean what it finds, and when it says "done"
Click on the green screwdriver.
Uncheck: Heuristic analysis
Actions Tab: for Adware, Dialers, Riskware, Hacktools, use the dropdown menu and select Move
Remove the checkmark from: Prompt on action
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s).
Then hit the green arrow in the lower right corner.
It will now scan your drive(s); say yes to all.
When the scan has finished, look if you can click the next icon next to the files found.
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\Quarantine folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Start Superantispyware/rightclick on the black/yellow bug in tray.
Hit - Scan Your Computer - button
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next
It will scan now. When the scan has finished, put a checkmark on all items it found. Next, after cleaning, let it reboot.
Next go to Start - Search and scroll down using the scroll bar on the right. Go down to More advanced options and click. Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And Find: superantispyware log
Post this log along with fresh hijackthis log and tell how things are running
Thank you again Touch! I followed all the steps and it seems the virus has been affected this time, because the project 1 window at start up did not show up, but I'm not sure if it's completely gone, since a while after I rebooted an advertising pop-up window appeared. Here are my Hijackthis and Superantispyware logs:
Logfile of HijackThis v1.99.1
Scan saved at 02:48:51 p.m., on 14/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\dfndrff_e1.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe
Trojan.Unknown Origin
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\installer[11.exe
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\installer[1].exe
C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\kr1Syqf0lqYTwApWsrLDsqT.vbs
C:\WINNT\uninstall_nmon.vbs
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT. Click fix checked.
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Archivos de programa\Deskbar\deskbar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e1.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)
Reboot into Safe Mode by tapping F8 after the BIOS has loaded. The Windows Advanced Options Menu appears. Ensure that the Safe mode option is selected. Press Enter. The computer then begins to start in Safe mode.
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
Delete Files: C:\\dfndrff_e1.exe
Reboot and post (hopefully) last hijackthis log
I really really thank you Touch! It seems like the bug has been terminated. I shall recommend your advice. Cheers!
Here is my last Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 08:19:38 a.m., on 19/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\MsiExec.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
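Added example, not part of the thread and not any poster's code: a Python triage of a HijackThis "Running processes" list using two heuristics that correspond to what was fixed in this thread (an executable in the drive root, and a binary named almost like lsass.exe). The allow-list, the distance thresholds and the function names are assumptions for illustration; the sample entries are copied from the second log above.

```python
import ntpath
import re

# Assumption: a short illustrative allow-list of Windows system process
# names, not a complete one.
KNOWN = {"smss", "csrss", "winlogon", "services", "lsass",
         "svchost", "spoolsv", "explorer", "rundll32", "taskmgr"}

# Entries copied from the second HijackThis log in this thread, in the
# flattened one-line form in which pasted logs often arrive. Paths contain
# spaces, so splitting on whitespace alone would break them.
SAMPLE = (
    r"Running processes: C:\WINNT\system32\lsass.exe "
    r"C:\Archivos de programa\Norton AntiVirus\navapsvc.exe "
    r"C:\WINNT\system32\lviss.exe "
    r"C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE "
    r"C:\dfndrff_16.exe "
    r"C:\WINNT\explorer.exe "
    r"C:\Archivos de programa\Hijackthis\HijackThis.exe"
)


def split_processes(text):
    """Split a 'Running processes' list (one line or many) into paths."""
    text = re.sub(r"^\s*Running processes:\s*", "", text.strip())
    # A new entry starts where whitespace follows ".exe" and precedes "X:\".
    return re.split(r"(?<=\.exe)\s+(?=[A-Za-z]:\\)", text, flags=re.I)


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(text):
    """Return (path, reason) pairs for entries worth a closer look."""
    findings = []
    for path in split_processes(text):
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        # Heuristic 1: executable running directly from a drive root.
        if re.fullmatch(r"[A-Za-z]:\\", ntpath.dirname(path)):
            findings.append((path, "runs from drive root"))
        # Heuristic 2: name close to, but not equal to, a system process.
        # Short names get a tighter threshold to limit false positives.
        if stem not in KNOWN:
            near = [(d, name) for name in KNOWN
                    if (d := edit_distance(stem, name))
                    <= (2 if len(name) >= 5 else 1)]
            if near:
                findings.append((path, f"name resembles {min(near)[1]}.exe"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

A hit is a prompt to check the file's origin and autostart entry, not a verdict; legitimate software can trip either heuristic.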