
spyware?

Discussion in 'Security and Privacy' started by Andreas Malmö, 2004/07/06.

Thread Status:
Not open for further replies.
  1. 2004/07/06
    Andreas Malmö

    Hi there
    My first posting...

    Have encountered several problems as follows:
    1. Dial up connection pops up several times repeatedly after having started up the computer
    2. My internet explorer home page default changes without my consent
    3. When closing down computer, message about closing the programme "Win Min" pops up
    4. Following messages appear regularly:
    "ALERT! Your computer clock may be inaccurate "
    "IEeng.exe has encountered a problem and needs to close "
    "winlgn.exe has encountered a problem and needs to close "

    Logfile of HijackThis v1.97.7
    Scan saved at 19:47:20, on 06/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\dllhlp.exe
    C:\Program Files\DR_S\DR_S.exe
    C:\WINDOWS\SYSsfitb.exe
    C:\Program Files\ClockSync\Sync.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://find4u.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://quick-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe "
    F1 - win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\1.00.03.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEeng.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [SYSsfitb] C:\WINDOWS\SYSsfitb.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Global Startup: winlgn.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O15 - Trusted Zone: www.mt-download.com
    O15 - Trusted Zone: install.xxxtoolbar.com
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56171456-2CC0-4BA8-B47B-7B394FC247B2}: NameServer = 195.67.199.39 195.67.199.40


    Would be grateful for help!
    thanks
     
  2. 2004/07/06
    Newt

    The top portion of your hijackthis log reads
    If you ran it yesterday or today, that may point to a problem. What time/date does your system clock show and what time zone are you in (GMT-x or GMT+x).
     

  4. 2004/07/06
    Andreas Malmö

    Hi Newt

    Thanks for replying. I'm in Western Europe time zone and my system clock is set accurately (date & time).

    cheers
     
  5. 2004/07/06
    LDTate

    I can see at least two problems in the log: IEeng.exe and Inetdata. I'm sure there are more though. I had these two plus more on my PC last week.
    I would open the quick links in Newt's post and download / run Ad-Aware, CWShredder, Spybot and do an eTrust online scan. I'm sure one of the security pros will be along to help you from there.
    BTW, I highlighted the IEeng.exe to copy and do a Google search, and Norton quarantined it as a virus.
     
  6. 2004/07/06
    Lonny Jones

    There has been a small update, HijackThis 1.98; download the newer version and post another log.

    BUT first make a new folder, then download the exe form of the file from here. In the future never run any program from inside a zipped file :)
    http://radiosplace.com/

    In Add/Remove Programs uninstall
    ClockSync
    and eZula too please; we can link you to a better program later.


    Before you post another log:
    Download cwshredder.exe (1.59.1) from the same site, run it and click Fix, then restart the PC and come back. Once back here, make/post a log from HijackThis.
     
  7. 2004/07/06
    Newt

    Ah so.

    You folks do dates differently than we do in the US so when I saw yours I thought it was reporting the 7th of June as the date rather than the 6th of July.

    That's one large point in favor of indicating at least your approximate location as part of the displayed user information. Really helps in figuring out about what your local date/time might be.

    I still might have been confused though. :D
     
  8. 2004/07/06
    LDTate

    Lonny,
    How does one learn to read the HJ logs as to what is good and what is bad?
    Also, how does one put links in the signature area for Ad-Aware, HJ, etc.?
     
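Reading a HijackThis log by hand is what LDTate asks about above. As an added example (not code from this thread, from HijackThis, or from any of the posters), the Python script below parses the R0/R1/F1/O2/O4/O15/O16 line formats seen in Andreas's log and flags the patterns the helpers acted on: start/search pages pointing at unknown hosts, a BHO with no name, a system-binary name such as services.exe running from a folder other than System32, the same program registered under both the HKLM and HKCU Run keys, Trusted Zone additions, and ActiveX downloads from unknown hosts. The KNOWN_HOSTS allow-list and SYSTEM_BINARIES set are constructed assumptions; the sample lines are copied from the first log in this thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
F1 - win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\1.00.03.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed allow-list (an assumption, not from the thread): hosts accepted for
# IE start/search pages and for ActiveX (O16) downloads; anything else is reported.
KNOWN_HOSTS = {"www.microsoft.com", "www.msn.com", "download.macromedia.com"}
# Core Windows binaries that on XP live only under System32; the same name
# elsewhere (here C:\WINDOWS\inetdata\services.exe) is a masquerade.
SYSTEM_BINARIES = {"services.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse(log):
    """Split a log into (section, body) tuples; header and process-list lines do not match."""
    return [(m.group("sec"), m.group("body"))
            for m in (LINE_RE.match(line.strip()) for line in log.splitlines()) if m]


def program_path(cmd):
    """Program path from an O4 command line; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log):
    """Return (section, body, reason) for every entry a reviewer should look at."""
    findings = []
    hives_by_target = defaultdict(set)
    for sec, body in parse(log):
        url = URL_RE.search(body)
        if sec in ("R0", "R1") and url and urlparse(url.group()).hostname not in KNOWN_HOSTS:
            findings.append((sec, body, "browser start/search setting points at an unknown host"))
        elif sec == "F1":
            findings.append((sec, body, "legacy win.ini autostart, rarely used by legitimate XP software"))
        elif sec == "O2" and ("(no name)" in body or "(no file)" in body):
            findings.append((sec, body, "BHO with no name or a missing file"))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            path = program_path(m.group("cmd")).lower()
            hives_by_target[path].add(m.group("hive"))
            folder, _, name = path.rpartition("\\")
            if name in SYSTEM_BINARIES and not folder.endswith("system32"):
                findings.append((sec, body, f"{name} started from outside System32"))
        elif sec == "O15":
            findings.append((sec, body, "site added to the IE Trusted Zone"))
        elif sec == "O16" and url and urlparse(url.group()).hostname not in KNOWN_HOSTS:
            findings.append((sec, body, "ActiveX control downloaded from an unknown host"))
    for path, hives in hives_by_target.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("O4", path, "same program registered under both HKLM and HKCU Run keys"))
    return findings


if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```

Run against the sample it reports nine items, matching the entries Lonny later asked to have fixed, while leaving the Norton BHO, the QuickTime Run entry and the Macromedia Flash control alone.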
  9. 2004/07/06
    Andreas Malmö

    Hi there Lonny and/or Newt

    Thanks for advice.
    I've downloaded and run cwshredder.exe (1.59.1). Had problems removing ClockSync and eZula ("disk full or write-protected"??)

    Here's my latest hijackthis (1.98) log:

    Logfile of HijackThis v1.98.0
    Scan saved at 02:27:13, on 07/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DR_S\DR_S.exe
    C:\WINDOWS\SYSsfitb.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VW3ZN0PH\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://quick-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quick-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [SYSsfitb] C:\WINDOWS\SYSsfitb.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - Global Startup: winlgn.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted Zone: www.mt-download.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56171456-2CC0-4BA8-B47B-7B394FC247B2}: NameServer = 195.67.199.39 195.67.199.40

    Once again, am grateful for your support!
     
  10. 2004/07/06
    Lonny Jones

    Make a new folder and put HijackThis there, very important:
    C:\Documents and Settings\Administrator\Anti spyware for example

    Start HijackThis and place a check next to these items, then
    close all browser windows and shut down all other programs that show in the taskbar (even folders). Then hit Fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://quick-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quick-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://quick-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://quick-searcher.com/index.htm

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [SYSsfitb] C:\WINDOWS\SYSsfitb.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - Global Startup: winlgn.exe
    O15 - Trusted Zone: www.mt-download.com

    ============
    Restart PC, find and delete (ONLY THESE EXACT) files and folders.
    Be very careful; if you're unsure, leave them be.
    Set Windows to show hidden files, folders and extensions
    (click here for instructions).
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\ClockSync
    C:\Program Files\DR_S\DR_S.exe
    C:\WINDOWS\SYSsfitb.exe
    C:\WINDOWS\inetdata
    HUM, you might have to right click on the file and untick read only. If you still have a problem, boot the PC into safe mode.
    How to start in safe mode: usually by tapping the F8 key just before Windows starts to load. (It may help if you print this out.)

    Important: clear IE's cache via Control Panel > Internet Options, [Delete Files] button, and mark the popup to also delete offline content.
    Provided you have just restarted, delete the contents of all your
    temp folders, as in: open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    and the contents of the C:\windows\temp folder

    Then surf a few hours and post a new log. There's a possibility it will come back; if so we will try another tactic.
     
  11. 2004/07/07
    Andreas Malmö

    Hi there Lonny

    Sorry for the delay in replying. Had to sleep a few hours.
    Have followed instructions but not sure I've been successful.
    The Fix Checked through hijackthis worked out well, but then when deleting files and folders, I could not locate
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    even though I had set windows to show hidden files etc.

    Have noted that my internet explorer still has unwanted home pages as default.

    Thanks for your continuous help, buddy!

    My latest log is as follows:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:55:59, on 07/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Anti spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\SYSsfitb.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56171456-2CC0-4BA8-B47B-7B394FC247B2}: NameServer = 195.67.199.39 195.67.199.40
     
  12. 2004/07/07
    Lonny Jones

    ======1:
    Please download The Killbox from here: http://downloads.subratam.org/KillBox.zip

    Unzip the file to that Anti Spyware folder, find and open the Killbox folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following, one at a time.

    C:\WINDOWS\inetdata
    C:\Program Files\ezula
    Might as well do this file also
    C:\WINDOWS\System32\SYSsfitb.dll

    Hit the "Action" menu > "Delete on reboot", click on the File menu and choose "Add File".
    In the regular Killbox window backspace out the previous file path and paste in the next one; repeat that until all these files are added to the "PendingFileRenameOperations" window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot; do so.
    I've made a help page here
    http://forums.subratam.org/index.php?act=ST&f=29&t=801&hl=&view=findpost&p=6647


    ====2
    Start HijackThis and place a check next to these items, then
    close all browser windows and shut down all other programs that show in the taskbar (even folders). Then hit Fix checked.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\System32\SYSsfitb.dll
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    =====================

    Use the pc for a few hours then post another log
     
  13. 2004/07/08
    Andreas Malmö

    Hi there Lonny
    Implemented your instructions successfully, have used the PC and surfed for an hour or two, and several things have improved.
    However, when starting up now I noticed the following:
    1. It takes longer between the desktop icons appearing and the Windows "opening up melody" than previously.
    2. The 'dial up connection' appeared once automatically.
    3. There is still an unwanted webpage as home page default on my Internet Explorer.
    Would highly appreciate further help...

    Latest log:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:05:25, on 08/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\inetdata\services.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Anti spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56171456-2CC0-4BA8-B47B-7B394FC247B2}: NameServer = 195.67.199.39 195.67.199.40
     
  14. 2004/07/08
    Lonny Jones

    Hello

    That's odd; were you able to use Killbox successfully?

    Run HijackThis, hit "Config" then "Misc Tools" > "Open process manager".
    Select and KILL this process from this folder only >inetdata<
    C:\WINDOWS\inetdata\services.exe


    Hit refresh and see if it came back. Did it? Whether or not it did, move on to the next steps. (Items in blue are optional.)
    Hit >Back<, then Scan and fix these:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    =============
    Restart the PC and delete
    C:\WINDOWS\inetdata
    then run cwshredder.exe (1.59.1) again

    Use the pc for a few hours then post another log
     
  15. 2004/07/08
    Andreas Malmö

    Hi Lonny

    Succeeded in first part.
    Second part, after restart, I encountered a problem in deleting C:\WINDOWS\inetdata
    (now, the only way I know of how to delete this is to type it into "Run" and then delete the various components. Is there any other way?) I managed to delete all components except "services.exe ", where this message popped up about file being in use/write-protected or in use.
    Because of this problem, I did not proceed with the cwsredder but first want to hear your comments/advice...
     
  16. 2004/07/08
    Lonny Jones

    Hello

    I will be back later tonight; in the meantime our forum members might have a suggestion or two.
    Plus, if you would, go submit the services file and any other files in the inetdata folder here:
    Online malware scan - Submit a file: http://virusscan.jotti.dhs.org/

    Was using Killbox too confusing?
     
  17. 2004/07/08
    Andreas Malmö

    Hi Lonny

    No, it was not too confusing using the killbox.

    Have just completed a run on all the content in the inetdata folder, with following results:

    File: services.exe
    Status: INFECTED/MALWARE

    AntiVir TR/Dldr.Krepper.G.2
    BitDefender Trojan.Downloader.Kreeper.G
    ClamAV No viruses found
    F-Prot Antivirus No viruses found
    F-Secure Anti-Virus TrojanDownloader.Win32.Krepper.g
    Kaspersky Anti-Virus TrojanDownloader.Win32.Krepper.g
    McAfee VirusScan No viruses found
    Norman Virus Control No viruses found

    File: 1.00.03.dll
    Status: INFECTED/MALWARE

    AntiVir No viruses found
    BitDefender No viruses found
    ClamAV No viruses found
    F-Prot Antivirus No viruses found
    F-Secure Anti-Virus TrojanClicker.Win32.Agent.g
    Kaspersky Anti-Virus TrojanClicker.Win32.Agent.g
    McAfee VirusScan No viruses found
    Norman Virus Control No viruses found

    File: crontab.ini
    Status: OK

    File: keywords.ini
    Status: OK

    File: sl.ini
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    File: titles.ini
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    Hope there are cures...
     
  18. 2004/07/08
    Lonny Jones

    Hello

    Apparently something outside the folder is putting it back.
    Is your PC networked? If so I would disconnect it, and since
    BitDefender sees something, go get their free online scan, let it delete whatever it finds, save their report and post it back here
    http://www.bitdefender.com/scan/licence.php
    You know where the files are, but have it scan at least the whole Windows folder.
    Try eTrust's too
    eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx

    Let us know
     
  19. 2004/07/09
    Andreas Malmö

    Hi Lonny

    No, my PC is not networked.
    Have not been able to run either BitDefender or eTrust.

    At Bitdefender there is no "Start Scan" button available, and I get following status report:
    "Please wait to update the virus definitions... "
    Have waited for 15 minutes, but nothing changes...

    At ETrust I get the following message/report:
    "Starting signature update. Please wait ...
    Connecting to FTP server: connected.
    Updating vete.dll (712k): failed to create file.
    Updating vet.dat (2514k): "
    and when I click "Start Scan ", I get a message reading:
    "Please wait for signature update to finish ".
    Have waited at least 15 minutes, but nothing happens...

    How do I get these two to work?

    Thanks for your continuous help!
    andreas
     
  20. 2004/07/09
    Lonny Jones

    At BitDefender it takes quite a while. You don't want to be at both at the same time, if that's what you're doing. At eTrust's, I had to temporarily allow all with our firewall. Once you get a failure there, disable protections for a moment, then try again: hit back or just use the original URL.
    The ref files are coming from an FTP server and firewalls sometimes inadvertently block them.

    I'm unfamiliar with Norton; do you even have a firewall?
     