 richb2Wooliewillie join:2001-12-31 Montvale, NJ | how to get to the point where I can run through st My PC is infected. I have Process Guard running and also a program that requires me to log in to get access to my machine. I don't know what this one is called, but I'd love to turn it off. Anyway, when my machine comes up, Process Guard keeps popping up alerts that various exe's are attempting to start. I keep saying OK, hoping to get to my desktop, but at one point that program that requires me to log in comes up and locks the mouse. Quickly then Process Guard opens up so I can't get to the mouse, and the cursor is in the incorrect field and can't be moved.
I tried to boot into Safe Mode, but a blue "screen of death" comes up saying that my machine may be infected with a virus, reboot.
What do I do? I would like to step through the steps leading up to posting a log. |
|
 CudniLa Merma - VigiladoPremium,MVM join:2003-12-20 Someshire kudos:13 | reply to richb2
Re: how to get to the point where I can run throug Try Public AntiVirus CD v.3.81 (»Public AntiVirus 3.81 - Updated Week of 2005-01-30). Once done, go through »Security »I think my computer is infected or hijacked. What should I do?
Cudni |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ | I guess I didn't explain myself well. I can't even get to the point where I can stop Process Guard. If I could somehow turn off Process Guard, maybe I could run Public AntiVirus. |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | What OS is it? |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ 2 edits | Win 2000. It seems like the mouse is frozen in a small box in the middle of the screen, so I can't get to the buttons to fool with Process Guard. Can I somehow boot with a startup disk and then somehow turn off Process Guard so I can continue? |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | In W98 it's very simple. I don't know Windows 2000, but here's what I could find »www.pcworld.com/howto/article/0,···9,00.asp |
|
 | reply to richb2 The Public AntiVirus CD is bootable. Put the disc in the drive and reboot. If it doesn't start from the CD, then go into the BIOS on the next reboot and move the CD ahead of the hard disk. -- Michelle Graduates |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ | I know it is just a detail, but the machine that is down is the one with the CD burner. Will it fit on a floppy? |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5 | No, not even close to fitting. You can use a floppy for an emergency start floppy;) -- Houoli Makahiki Hou |
|
 | reply to richb2 I believe McAfee's Stinger is small enough to fit on a floppy; that and a boot disk may get you started. I'd really try to get a friend to burn the CD so that you can follow Cudni's suggestions. -- Michelle Graduates |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ 1 edit | I am at the point where I need some really basic help, like how to get this going from a Windows boot diskette. I have been outsmarted by a trojan ^%$^%$&^% and I am really starting to get mad. |
|
 | I found this via google...hope it helps
»www.computerhope.com/boot.htm |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ | OK. I managed to get Process Guard to turn off. One strange issue: I am following the "attention: all the hijackthis logs..." links. It seems whatever I click on, for example "3. Download, install, update and run all 4 of the following free anti-hijacking and anti-spyware (AS) products. Be sure to both download and install the latest version of the program, and then update each products database." seems to link to »www.securityiguard.com/?wm=paxan&sub=none. Is this correct or has the link been compromised? |
|
 | reply to richb2 The links work fine for me. |
|
 1 edit | reply to richb2 said by richb2:It seems whatever I click on, for example "3. Download, install, update and run all 4 of the following free anti-hijacking and anti-spyware (AS) products. Be sure to both download and install the latest version of the program, and then update each products database." seems to link to » www.securityiguard.com/?wm=paxan&sub=none. Is this correct or has the link been compromised? No, that's not a link in our FAQ. Your browser has been hijacked. Can you just post a HijackThis log now? Hopefully you have a version of HJT already and can do that. You're not going to get anywhere until we can get your browser freed up where you can get to the right links. -- It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ |
Logfile of HijackThis v1.98.0
Scan saved at 10:22:11 PM, on 2/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\NMS\bin\ctdaemon.exe
C:\Program Files\ProcessGuard Free\dcsuserprot.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\System32\nslsvice.exe
C:\WINNT\system32\nsl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\soft.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINNT\system32\BESCH.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\WINNT\system32\addbe.exe
C:\WINNT\system32\Yfkadl.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\system32\jdbtil.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\ipm64k.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\ProcessGuard Free\procguard.exe
C:\NMS\bin\cfbm.exe
C:\WINNT\system32\iepy32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\dddd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.120.8.147:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FF6CEB78-7A00-7429-9ADF-26C4F74E4655} - C:\WINNT\d3xp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [addbe.exe] C:\WINNT\system32\addbe.exe
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [iepy32.exe] C:\WINNT\system32\iepy32.exe
O4 - HKLM\..\RunOnce: [apimh32.exe] C:\WINNT\apimh32.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [apv6RXGme] ipm64k.exe
O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: (no name) - {CA1694AD-6CEA-4BBE-A00E-A09C1D589938} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: PlaceWare Console: PWS-CC2K-4-0-2-1-2-k4r1l0 - http://www27.placeware.com/etc/pwb/test/lib/cc-full.cab
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} (PlaceWare Presentation-Upload Control) - http://pwt.ops.placeware.com/etc/pwa/frspart/placeware.aud.ieupload/UploadControl.cab
O16 - DPF: {148003F8-883A-4321-9045-AD4EE1B10B85} (Genesys Outlook Contacts Control) - http://209.225.30.147/gcc_installer/OutlookCtrl/ie/astOutlookCtrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2F81F21D-5EF4-4316-A06C-BD41E70B765C} (ImgXPrint6.ImgXPrint) - http://www.atalasoft.com/Components/imgxcontrols/cabs/ImgXPrint61.CAB
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwga.ops.placeware.com/etc/place/GOLF/SCGpws-a2/5.1.5.222/lib/quicksilver.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - http://www.atalasoft.com/Components/imgxcontrols/cabs/ImgXDialog61.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.242.62.38/activex/AxisCamControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D5ECB16F-D4B2-4636-95E3-DA7E30DC1D99} (Softfront EnvDiag Class) - http://www2.softfront.co.jp/CallWindow/1.0/us/cab/KCPDiag.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msevents.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E9DDEC2F-13DF-4C22-BC48-0284AA5B8E45} (Spotlife Player) - http://yahoo.spotlife.net/install/pobi/SLPlayer/1.3.0.39/SLPlayer.cab
O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} (Genesys Webtour Control) - http://209.225.30.147/gcc_installer/WebTour/astBrowserQuery.cab
O16 - DPF: {FBE37597-190E-4A06-978F-E39037999049} (Genesys Component Installer) - http://gmccontent.astound.com/gcc_installer/gmcinstaller.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\sspNG.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file) |
|
 | Great. Give me a few minutes to write this up. It's a lengthy fix, but I think we can get you going. I'll be right back in a few. |
|
 | reply to richb2 This, believe it or not, is the "quick & dirty" fix. It will not completely clean your computer, but may give you back enough control to go back through the FAQ and get the programs you need to fully clean it.
First, go to your Control Panel and look in Add/Remove Programs. Look for this program and, if found, click on it to highlight it and choose *remove*:
Security iGuard -- remove the program if listed.
1. Download this tool called AboutBuster »www.downloads.subratam.org/AboutBuster.zip
or here: »malwarebytes.biz/AboutBuster.zip
Unzip it to your desktop. Open it and click on *check for updates*. If any are found, download and install them. Then close the program. We'll run it through a scan in Safe Mode later to make sure it is able to fix everything.
2. Print out these instructions so you have them handy as most of the steps need to be done in safe mode with IE closed. Stay offline!
3. Reboot to Safe Mode How to start the computer in Safe mode »service1.symantec.com/SUPPORT/ts···_doc_nam
4. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FF6CEB78-7A00-7429-9ADF-26C4F74E4655} - C:\WINNT\d3xp.dll
O4 - HKLM\..\Run: [addbe.exe] C:\WINNT\system32\addbe.exe
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [iepy32.exe] C:\WINNT\system32\iepy32.exe
O4 - HKLM\..\RunOnce: [apimh32.exe] C:\WINNT\apimh32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [apv6RXGme] ipm64k.exe
(All of these)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - »static.topconverting.com/activex/loade..
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
Make sure you press the *fix checked* button after checkmarking all of the above. Close HijackThis and delete the following files and/or folders if present.
C:\WINNT\system32\addbe.exe
C:\WINNT\system32\tibs5.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe (plus all other files in that Temp folder)
C:\WINNT\system32\sm.exe
C:\WINNT\system32\Mthnzl.exe
C:\WINNT\system32\Yfkadl.exe
C:\WINNT\isrvs (folder)
C:\WINNT\TEMP\15E.tmp.exe (plus all files in that Temp folder)
C:\WINNT\TEMP\4.tmp.exe
jdbtil.exe
C:\Program Files\Security iGuard (folder)
C:\WINNT\system32\iepy32.exe
C:\WINNT\apimh32.exe
C:\WINNT\system32\sm.exe
ipm64k.exe
5. Double-click AboutBuster.exe that you downloaded earlier. Follow the directions that pop up. Then click on the *Start* button and then OK to start the scan. This will scan your computer for the bad files and delete them. Save the report using the *Save Log* button and post a copy back here when you are done with all the steps.
6. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
7. Reboot to normal mode.
8. Download the newest version of HijackThis here:
http://castlecops.com/downloads-file-328.html
9. Scan again with Hijack This and post a new log here.
10. NOTE: Two, possibly three, files may have been deleted from your computer by the hijacker and may need to be replaced:
Control.exe
hosts (with no extension)
SDHelper.dll (if you are using Spybot Search & Destroy)
If control.exe is missing, go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. For Windows XP, copy it to c:\windows\system32.
Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip Press 'Restore Original Hosts' and press 'OK'. Exit the program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
If you have Spybot S&D installed and SDHelper.dll is missing, replace it here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
11. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended. quote: ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)
12. Finally, do an online scan at the following site. Let it remove any infected files found. Trend Micro (PC-cillin) - Free on-line Scan http://housecall.antivirus.com
13. Post a fresh HijackThis log and the AboutBuster report back here please. -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) |
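The triage behind the fix list above (pick out the R1 entries pointing at a res:// page inside a local DLL, the O4 autostarts launched from a Temp folder or under a random-looking name, the wildcard O15 Trusted Zone entries, the nameless O2 BHO and the O18 text/html filter with no file behind it) is mechanical enough to script. The following is an added example in Python, not code from this thread, from HijackThis or from the forum FAQ. The sample lines are a subset copied from the log posted above; the classification rules are my assumptions about what a log reviewer looks for, not a signature database, and the `fix_plan` output goes beyond the post by also spelling out the registry values that HijackThis removes behind the scenes when you "fix" an O4 or O15 entry (as `reg.exe` commands; `reg.exe` is built into Windows XP and later, and on Windows 2000 comes with the Support Tools). Run it on the analyst's machine against the pasted log, not on the infected box.

```python
"""Triage a HijackThis log: parse entries, flag the indicators a log reviewer
looks for, and turn the flagged entries into a concrete fix list.
Added example for this thread, not code from HijackThis or the forum FAQ; the
rules are assumptions mirroring a reviewer's habits, not a signature database."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\sidaj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.120.8.147:80
O2 - BHO: (no name) - {FF6CEB78-7A00-7429-9ADF-26C4F74E4655} - C:\WINNT\d3xp.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\RunOnce: [iepy32.exe] C:\WINNT\system32\iepy32.exe
O4 - HKCU\..\Run: [apv6RXGme] ipm64k.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""

# O4 - HKLM\..\Run: [name] command line    /    O16 - DPF: {clsid} (description) - url
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (\S+)( \(.*\))? - (.*)$')


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    line: str      # the log line as posted
    verdict: str   # "fix" (check it in HJT) or "review" (needs a human call)
    reason: str


def _exe_path(target: str) -> str:
    """First token of an O4 command line: the quoted path, or the bare first word."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:target.find('"', 1)]
    return target.split(' ')[0]


def _random_name(name: str) -> bool:
    """Assumed heuristic: one alphanumeric token mixing case and digits
    (rE4W37i, apv6RXGme) is not a value name a vendor's installer writes."""
    return (re.fullmatch(r'[A-Za-z0-9]{6,}', name) is not None
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def classify(line: str) -> "Finding | None":
    sec = line.split(' ', 1)[0]
    if sec in ('R0', 'R1'):
        if ' = res://' in line:
            return Finding(sec, line, 'fix', 'IE start/search page served from a local DLL resource (CWS-style hijack)')
        if 'ProxyServer' in line:
            return Finding(sec, line, 'review', 'HTTP proxy forced through an external address; remove unless you set it')
    elif sec == 'O2' and '(no name)' in line:
        return Finding(sec, line, 'fix', 'BHO with no registered name loads into every IE window')
    elif sec == 'O4':
        m = O4_RE.match(line)
        if m:
            name, exe = m.group(3), _exe_path(m.group(4))
            if '\\temp\\' in exe.lower():
                return Finding(sec, line, 'fix', 'autostart launched from a Temp directory')
            if _random_name(name):
                return Finding(sec, line, 'fix', 'random value name launching ' + exe)
            if 'program files' not in exe.lower() and 'progra~1' not in exe.lower():
                return Finding(sec, line, 'review', 'runs from the system directory or by bare filename; confirm the publisher')
    elif sec == 'O15':
        return Finding(sec, line, 'fix', 'wildcard Trusted Zone entry lowers IE security for the whole domain')
    elif sec == 'O16':
        m = O16_RE.match(line)
        if m and m.group(2) is None:
            return Finding(sec, line, 'review', 'downloaded ActiveX control with no description')
    elif sec == 'O18' and 'Filter:' in line and '(no file)' in line:
        return Finding(sec, line, 'fix', 'MIME filter hooked into text/html with no file behind it')
    return None


def triage(log_text: str) -> list:
    return [f for f in (classify(l.strip()) for l in log_text.splitlines()) if f]


def fix_plan(findings) -> dict:
    """The HJT "fix checked" list, plus the files to delete afterwards and the
    registry values HJT's fix of an O4/O15 entry removes, as reg.exe commands
    (the O15 command covers the HKCU ZoneMap; some variants also write HKLM)."""
    plan = {'hjt_fix': [], 'delete_files': [], 'reg_delete': []}
    for f in findings:
        if f.verdict != 'fix':
            continue
        plan['hjt_fix'].append(f.line)
        m = O4_RE.match(f.line)
        if m:
            hive, key, name, target = m.groups()
            plan['delete_files'].append(_exe_path(target))
            plan['reg_delete'].append(
                f'reg delete "{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}" /v "{name}" /f')
        elif f.section == 'O15':
            domain = f.line.split('Trusted Zone:', 1)[1].strip().lstrip('*.')
            plan['reg_delete'].append('reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion'
                                      f'\\Internet Settings\\ZoneMap\\Domains\\{domain}" /f')
    return plan
```

Calling `fix_plan(triage(SAMPLE_LOG))` on the sample gives the seven "fix" lines (the res:// search page, the nameless BHO, the Temp-folder and two random-named O4 entries, the Trusted Zone domain and the dead text/html filter), the three files to delete once HijackThis has removed their Run values, and the matching `reg delete` commands. The NAV Agent and QuickTime entries produce nothing, and the ProxyServer line, the `[secure] Yfkadl.exe` and `iepy32.exe` autostarts and the undescribed O16 control come back as "review" rather than "fix", because none of those rules is strong enough on its own to delete something without a person looking at it.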
|
 richb2Wooliewillie join:2001-12-31 Montvale, NJ 1 edit | Thanks. It won't boot into Safe Mode. I have tried F8 twice, and it just sits at Starting Windows.... Can I go ahead with step 4 without being in Safe Mode? BTW, I am running F-Prot and it found JS/Winshow.E, but said that it is unable to disinfect this type of virus. Do you know what will? |
|