  1. #1 Member (joined Apr 2006)

    Panda ActiveScan Results

    Hello, I recently joined because I have a big problem with my Explorer.exe file.

    It was working fine Friday, then I turned the computer off and went out of town. When I arrived back today and turned my computer on I noticed the mouse skipped around, so I opened procexp.exe and double-clicked Explorer.exe.

    On the performance graph it shows Explorer.exe as using 501 MB; every time I restart my computer the amount varies. Earlier it was 750 MB and when I turned the computer on in safe mode it was at 1.2 GB.

    I've run Ad-Aware and it showed nothing, and my antivirus scan won't run anymore... what can I do to fix this?

    Scan Results:
    94 Viruses
    284 Spywares
    11 Hacking Tools and potentially unwanted tools
    1 Dialers

    Attached is the log of all of the items found and their location

  2. #2 steamwiz, Member (Yorkshire U.K., joined Sep 2003)

    HI

    Please download and run these :-

    Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

    During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

    double-click the ccsetup.exe file and install the program...

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
    Recently typed URLs
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

    Other explorer MRU's
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

    Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

    click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.

    THEN........

    Download ewido security suite, then install, update and run it.

    Please set up as :-

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Boot into safemode...and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and save it to your desktop, or you won't have a log

    reboot

    post a hijackthis log + the ewido log

    Also run the Pandascan again and post a new log...

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  3. #3 Member (joined Apr 2006)

    Here are my ewido and HijackThis logs... I won't be able to run PandaScan again tonight because on dial-up it takes forever, plus with the high explorer.exe usage it runs even slower... I'll attempt to do another scan tomorrow if need be

    Thanks

  4. #4 Member (joined Jan 2003)

    One word here WOW, you have several problems, looks like many are because of file sharing and the lack of unpatched XP/IE.

    Before we will/can help you must load at least SP1a for XP/IE. Without this it is waste of time on your part and ours. You will always have problems.

    Please go here and download SP1a and all "fixes". (Do not load SP2 if asked.)

    http://www.microsoft.com/windowsxp/d...1/default.mspx

    Also please look around this forum and see how HJT logs are posted; they are not posted as attachments. Your attachments are a little hard to read, as we are used to reading them the other way.

    BG

  5. #5 steamwiz, Member (Yorkshire U.K., joined Sep 2003)

    Hi

    As Basementgeek says wow ... I'm surprised your computer is running at all...

    First ... do as BG says and install service pack 1 (without it you have too many security loopholes which malware exploits)

    1. Go to add\remove programs in the control panel and uninstall any of these which are there ...

    180ax
    AdTools Service
    AltnetDM
    BargainBuddy
    CashBack
    DMO
    EliteBar Internet Explorer Toolbar
    Kapabout
    localNRD
    Media Access
    media-motor
    NaviSearch
    SideFind
    untopr1150
    Windows TaskAd


    Then boot to safemode & run EWIDO ... this time let it clean ALL it finds...

    still in safemode ... run hijackthis and place a checkmark next to :-

    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Microsoft Configuration 35] microsot1.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)


    Run a search for these files and delete any found :-


    msconfig32.exe
    microsot1.exe


    Boot back to normal....

    Please download VundoFix.exe to your desktop.
    1. Double-click VundoFix.exe to run it.
    2. Put a check next to Run VundoFix as a task.
    3. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    4. When VundoFix re-opens - Click the "Scan for Vundo" button.
    5. Once it's done scanning, click the "Remove Vundo" button.
    6. You will receive a prompt asking if you want to remove the files, click "YES".
    7. Once you click yes, your desktop will go blank as it starts removing Vundo.
    8. When completed, VundoFix will prompt that it will shutdown your computer; click "OK".
    9. Turn your computer back on.
    10. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    steam

  6. #6 Member (joined Apr 2006)

    I tried installing SP1a... but it opens for about 2 seconds then closes... same for HijackThis... I can run HijackThis in safe mode and delete things, but when I come back in normal mode (to get online to download and install SP1a) codq.exe is back and it closes the things right away again

  7. #7 Member (joined Apr 2006)

    OK, installed/installing the Service Pack.... it downloaded everything and installed it all; do I wait for Finished to light up or can I end it now? In details, it has been saying the same thing for 25 minutes (Running processes after install)

  8. #8 steamwiz, Member (Yorkshire U.K., joined Sep 2003)

    Hi

    We'll know if the service pack installed OK, when we see your hijackthis log...

    You shouldn't wait a week in between posts... goodness knows what has changed in that time...

    Do you have the :-

    C:\vundofix.txt

    recent ewido log

    We'd like to see them along with a new hijackthis log.

    Please copy & paste the logs this time ... no need to attach them as they will not be too large...

    steam

  9. #9 Member (joined Apr 2006)

    VundoFix V4.2.69

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Scan started at 2:41:17 PM 4/17/2006

    Listing files found while scanning....

    C:\WINDOWS.000\System32\nnlkl.dll
    C:\WINDOWS.000\System32\lklnn.ini
    C:\WINDOWS.000\System32\lklnn.bak1
    C:\WINDOWS.000\System32\lklnn.bak2
    C:\WINDOWS.000\System32\lklnn.tmp

    C:\WINDOWS.000\system32\lklnn.bak1
    C:\WINDOWS.000\system32\lklnn.bak2
    C:\WINDOWS.000\system32\lklnn.tmp
    C:\WINDOWS.000\system32\lklnn.ini
    C:\WINDOWS.000\system32\nnlkl.dll
    No infected files were found.


    VundoFix V4.2.69

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.4.2.5

    Scan started at 2:41:58 PM 4/17/2006

    Listing files found while scanning....

    C:\WINDOWS.000\System32\nnlkl.dll
    C:\WINDOWS.000\System32\lklnn.ini
    C:\WINDOWS.000\System32\lklnn.bak1
    C:\WINDOWS.000\System32\lklnn.bak2
    C:\WINDOWS.000\System32\lklnn.tmp

    C:\WINDOWS.000\system32\lklnn.bak1
    C:\WINDOWS.000\system32\lklnn.bak2
    C:\WINDOWS.000\system32\lklnn.tmp
    C:\WINDOWS.000\system32\lklnn.ini
    C:\WINDOWS.000\system32\nnlkl.dll
    Attempting to delete C:\WINDOWS.000\System32\nnlkl.dll
    C:\WINDOWS.000\System32\nnlkl.dll Has been deleted!

    Attempting to delete C:\WINDOWS.000\System32\lklnn.ini
    C:\WINDOWS.000\System32\lklnn.ini Has been deleted!

    Attempting to delete C:\WINDOWS.000\System32\lklnn.bak1
    C:\WINDOWS.000\System32\lklnn.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS.000\System32\lklnn.bak2
    C:\WINDOWS.000\System32\lklnn.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS.000\System32\lklnn.tmp
    C:\WINDOWS.000\System32\lklnn.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!


    Logfile of HijackThis v1.99.0
    Scan saved at 5:20:46 PM, on 4/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\System32\smss.exe
    C:\WINDOWS.000\system32\winlogon.exe
    C:\WINDOWS.000\system32\services.exe
    C:\WINDOWS.000\system32\lsass.exe
    C:\WINDOWS.000\system32\svchost.exe
    C:\WINDOWS.000\System32\svchost.exe
    C:\WINDOWS.000\system32\spoolsv.exe
    C:\WINDOWS.000\Explorer.EXE
    C:\WINDOWS.000\System32\svchost.exe
    C:\Documents and Settings\Owner\Desktop\procexp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS.000\System32\msiexec.exe
    C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/nba46/
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
    O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7547510B-92DF-47BB-B0B3-B6A15D59F7FD}: NameServer = 207.69.188.187 207.69.188.186




    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 6:01:29 PM, 4/17/2006
    + Report-Checksum: 3AD87FF7

    + Scan result:

    :mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Burstnet : Ignored
    :mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Atdmt : Ignored
    :mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Burstbeacon : Ignored
    :mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Burstbeacon : Ignored
    :mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored
    :mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Zedo : Ignored
    :mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Zedo : Ignored
    :mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Zedo : Ignored
    :mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Zedo : Ignored
    :mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Zedo : Ignored
    :mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored
    :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored
    :mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored
    :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored
    :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored
    :mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Advertising : Ignored
    :mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Advertising : Ignored
    :mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Advertising : Ignored
    :mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Pointroll : Ignored
    :mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Pointroll : Ignored
    :mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Pointroll : Ignored
    :mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored
    :mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored
    :mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Com : Ignored
    :mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored
    :mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored
    :mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored
    :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored
    :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored
    :mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Adserver : Ignored
    C:\Documents and Settings\Owner\msdirectx.sys -> Rootkit.Agent.l : Cleaned with backup
    C:\msdirectx.sys -> Rootkit.Agent.l : Cleaned with backup
    C:\WINDOWS.000\system32\eraseme_84570.exe -> Backdoor.SdBot.xd : Cleaned with backup
    C:\WINDOWS.000\sysmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup
    C:\System Volume Information\_restore{8F1A3374-BD51-4120-ACDD-8C9C70352FBD}\RP530\A0485089.sys -> Rootkit.Agent.l : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8yck9gve.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup


    ::Report End

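As an added example (not a tool used in this thread), a small Python triage script for the two log formats pasted above: ewido report lines ("path -> Detection : Action") and HijackThis O4 autostart entries. The ewido sample is constructed for the example; the O4 sample is the set of entries steamwiz listed in #5.

```python
"""Triage helpers for the ewido report and HijackThis O4 formats (added example)."""
import re
from collections import Counter

# ewido report line: "<path> -> <Detection> : <Action>"; the Firefox cookie
# entries carry a leading ":mozilla.NN:" record prefix before the path.
EWIDO_RE = re.compile(
    r"^(?::mozilla\.\d+:)?(?P<path>.+?) -> (?P<det>[\w.]+) : (?P<action>.+)$")
# HijackThis O4 autostart entry: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample in the ewido report format; the paths and the
# "Ignored" backdoor line are made up to exercise the unresolved check.
SAMPLE_EWIDO = r"""
:mozilla.19:C:\Documents and Settings\Owner\cookies.txt -> TrackingCookie.Burstnet : Ignored
C:\WINDOWS.000\sysmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\msdirectx.sys -> Rootkit.Agent.l : Cleaned with backup
C:\WINDOWS.000\System32\example_unresolved.exe -> Backdoor.SdBot.xd : Ignored
"""
# The O4 entries steamwiz asked to have fixed, as they appear in the thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
"""

def parse_ewido(report):
    """One dict (path, det, action) per detection line; other lines are skipped."""
    return [m.groupdict() for m in map(EWIDO_RE.match, report.splitlines()) if m]

def unresolved(hits):
    """Detections neither cleaned nor mere tracking cookies: what still needs a fix run."""
    return [h for h in hits
            if h["action"] != "Cleaned with backup"
            and not h["det"].startswith("TrackingCookie.")]

def summarize(hits):
    """Count (family, action) pairs; the family is the first part of the detection name."""
    return Counter((h["det"].split(".")[0], h["action"]) for h in hits)

def parse_o4(log):
    """Group O4 entries by command so one file registered under several keys is obvious."""
    by_cmd = {}
    for m in filter(None, map(O4_RE.match, log.splitlines())):
        by_cmd.setdefault(m["cmd"], []).append(m["hive"] + "\\" + m["key"])
    return by_cmd

if __name__ == "__main__":
    hits = parse_ewido(SAMPLE_EWIDO)
    for (family, action), n in sorted(summarize(hits).items()):
        print(f"{family:16} {action:20} {n}")
    for h in unresolved(hits):
        print("still present:", h["path"], h["det"])
    for cmd, keys in parse_o4(SAMPLE_O4).items():
        print(cmd, "->", ", ".join(keys))
```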
  10. #10 Member (joined Jan 2003)

    Run Ewido again and have it fix everything it finds. Post another Ewido log.

    BG
