system
1
Hi, I am a beginner at computers… I have a few trojans in my virus chest, so I downloaded HijackThis, thinking I could get some help in removal if I post my scan results. However, once I scanned using HijackThis, when I tried to save the log file on my desktop, avast! popped up saying the log file contained a virus. I immediately put the HijackThis log file into my chest.
Virus found in my hijackthis.log : Win32:Mhtplo-18 [Trj]
other viruses found on my com: Win32:Trojano-203 [Trj]
Win32:Trojano-213 [Trj]
Win32:Trojano-299 [Trj]
VBS:Malware
Please help!!! Do I need to provide more info??
Eddy
2
The log file of HijackThis is just a text file and does not contain a virus.
Are you sure it is the log file that is detected as being infected?
If so, please submit the file to hjtbeta@yahoo.com for analysis.
system
3
I just ran HijackThis again, and the same problem occurred, identifying hijackthis.log as a virus… however, this time I ignored avast! and saved it. Will send the file to the email provided. Below is the log… I will move it to the virus chest after sending it in the email. What should I do?
Logfile of HijackThis v1.99.0
Scan saved at 6:09:31 PM, on 1/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\HijackThis\hijackthis.exe
cont'd below
system
4
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sg8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sg8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [RoxioEngineUtility] “C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe”
O4 - HKLM..\Run: [RoxioDragToDisc] “C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe”
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [WinCinemaMgr] “C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe”
O4 - HKLM..\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [fcnmjyf] C:\WINDOWS\fcnmjyf.exe
O4 - HKLM..\Run: [hwxcfsj] C:\WINDOWS\hwxcfsj.exe
O4 - HKLM..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM..\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://sg8l.hpwis.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
system
5
Help!!! What's happening now? avast! keeps popping up and detecting a virus as I open the post I sent regarding the log file… it's a virus in Temporary Internet Files… and is the same virus I reported earlier, Win32:Mhtplo-18 [Trj]… wonder what's wrong now…
system
6
system
7
Thanks very much Lee… at least I know it's safe… anyone have any idea what's wrong…
Eddy
8
Yup, it is a false positive by Avast. I was able to find the exact string that triggers the alert and will send it to Alwil.
edit: String and info sent to Karel.
system
9
That's good… so it means the HijackThis log file was fine after all… now, how do I get rid of the viruses still in my computer? What should I do?
Eddy
10
This is the result of my HijackThis Log Analyzer:
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
\program files\theweathernetwork\weathereye\weathereye.exe
r1 - hkcu\software\microsoft\internet explorer,search = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\internet explorer,searchurl = http://weba.directwebsearch.net/search.html
r1 - hklm\software\microsoft\internet explorer,search = http://weba.directwebsearch.net/search.html
r1 - hklm\software\microsoft\internet explorer,searchurl = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\internet explorer\main,default_search_url = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://weba.directwebsearch.net/search.html
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://weba.directwebsearch.net/search.html
r1 - hklm\software\microsoft\internet explorer\main,search bar = http://weba.directwebsearch.net/search.html
r1 - hklm\software\microsoft\internet explorer\main,search page = http://weba.directwebsearch.net/search.html
r0 - hklm\software\microsoft\internet explorer\main,start page = http://weba.directwebsearch.net/index.html
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\internet explorer\search,customizesearch = http://weba.directwebsearch.net/search.html
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://weba.directwebsearch.net/search.html
r0 - hklm\software\microsoft\internet explorer\search,customizesearch = http://weba.directwebsearch.net/search.html
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyoverride = localhost
o1 - hosts: 69.31.79.101 auto.search.msn.com
o1 - hosts: 69.31.79.101 auto.search.msn.com
o2 - bho: (no name) - {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - (no file)
o4 - hklm..\run: [fcnmjyf] c:\windows\fcnmjyf.exe
o4 - hklm..\run: [hwxcfsj] c:\windows\hwxcfsj.exe
o4 - hklm..\run: [windows sa] c:\program files\windowssa\omniscient.exe
o4 - hkcu..\run: [weathereye] c:\program files\theweathernetwork\weathereye\weathereye.exe
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
o16 - dpf: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
o16 - dpf: {2917297f-f02b-4b9d-81df-494b6333150b} (minesweeper flags class) - http://messenger.zone.msn.com/binary/minesweeper.cab31267.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/quicktimeinstaller.exe
o16 - dpf: {665585fd-2068-4c5e-a6d3-53ac3270ecd4} (filesharingctrl class) - http://appdirectory.messenger.msn.com/appdirectory/p4apps/filesharing/en/filesharingctrl.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab
o16 - dpf: {9aa73f41-ec64-489e-9a73-9cd52e528bc4} (zoneaxrcmgr class) - http://messenger.zone.msn.com/binary/zaxrcmgr.cab
o16 - dpf: {a3009861-330c-4e10-822b-39d16ec8829d} (cravonline object) - http://www.ravantivirus.com/scan/ravonline.cab
o16 - dpf: {ab86ce53-ac9f-449f-9399-d8abca09ec09} (get_activex control) - https://h17000.www1.hp.com/ewfrf-java/secure/hpgetdownloadmanager.ocx
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {fe1a240f-b247-4e06-a600-30e28f5af3a0} - file://c:\install.cab
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
o4 - hklm..\run: [cammonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
o4 - hklm..\run: [hphupd05] c:\program files\hewlett-packard{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
o4 - hklm..\run: [roxioengineutility] “c:\program files\common files\roxio shared\system\engutil.exe”
o4 - hklm..\run: [roxiodragtodisc] “c:\program files\roxio\easy cd creator 6\dragtodisc\drgtodsc.exe”
o4 - hklm..\run: [hp software update] “c:\program files\hewlett-packard\hp software update\hpwuschd2.exe”
o4 - hklm..\run: [tkbellexe] “c:\program files\common files\real\update_ob\realsched.exe” -osboot
o4 - hkcu..\run: [ldm] c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - startup: wkcalrem.lnk = c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
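As an added example (not part of the thread, and not the HijackThis Log Analyzer whose output Eddy pasted above): a small Python triage script that applies the same kind of rules to HijackThis log lines. The sample log is constructed from entries in this thread plus two benign lines; the trusted-host lists and the rule names are assumptions for illustration. Note what these heuristics miss: [Windows SA] omniscient.exe under Program Files passes every rule here, which is why the human-reviewed verdict above still matters.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, plus two benign lines (the Yahoo start page and the MSN Checkers
# control) so that the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM..\Run: [fcnmjyf] C:\WINDOWS\fcnmjyf.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
"""

# Assumed allow-lists: hosts the analyst has decided to trust. Anything else
# in a start/search page or a DPF download is reported for review.
TRUSTED_PAGE_HOSTS = {"www.yahoo.com", "sg8l.hpwis.com"}
TRUSTED_DPF_HOSTS = {"messenger.zone.msn.com", "appdirectory.messenger.msn.com"}
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic: six or more letters with no vowel (fcnmjyf, hwxcfsj) rarely
    names real software; a vendor's tray app (ashDisp) does not match."""
    return len(name) >= 6 and name.isalpha() and not (VOWELS & set(name.lower()))


def analyze(log_text):
    """Return (rule, detail, line) tuples for log entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[01]|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()

        if kind in ("R0", "R1"):
            # Start/search page redirected to a host nobody chose.
            host = urlparse(body.split(" = ", 1)[-1]).hostname
            if host and host not in TRUSTED_PAGE_HOSTS:
                findings.append(("hijacked-ie-setting", host, line))

        elif kind == "O1":
            # "Hosts: <ip> <name>": a well-known name pinned to a foreign IP.
            parts = body.split()
            if len(parts) >= 3 and not parts[1].startswith("127.") and parts[1] != "::1":
                findings.append(("hosts-redirect", f"{parts[2]} -> {parts[1]}", line))

        elif kind == "O2" and body.endswith("(no file)"):
            # A BHO CLSID whose DLL is gone: leftover of a removed component.
            findings.append(("orphaned-bho", body.split(" - ")[1], line))

        elif kind == "O4":
            m4 = re.search(r'\[(.+?)\] "?([A-Za-z]:\\[^"]+?\.exe)', body, re.I)
            if not m4:
                continue
            directory, exe = m4.group(2).rsplit("\\", 1)
            reasons = []
            if directory.lower() == r"c:\windows":
                reasons.append("runs from the Windows root")
            if looks_random(exe[:-4]):
                reasons.append("random-looking name")
            if reasons:
                findings.append(("suspicious-autorun", "; ".join(reasons), line))

        elif kind == "O16":
            # Downloaded Program Files: flag local/CHM loaders and unknown hosts.
            target = body.split(" - ")[-1]
            scheme = target.split(":", 1)[0].lower()
            if scheme in ("ms-its", "mhtml", "file"):
                findings.append(("dpf-local-or-chm", scheme, line))
            else:
                host = urlparse(target).hostname
                if host and host not in TRUSTED_DPF_HOSTS:
                    findings.append(("dpf-unknown-host", host, line))
    return findings


if __name__ == "__main__":
    for rule, detail, line in analyze(SAMPLE_LOG):
        print(f"{rule:22} {detail:35} {line[:60]}")
```

Run it and seven of the eleven sample lines come back flagged; the avast! tray entry, the Yahoo start page and the MSN Checkers control pass. The script only reports; in the thread, the actual removal is HijackThis's "Fix checked", which resets the R entries, drops the O1 hosts line and deletes the O4 and O16 registrations while keeping a backup, as Lee explains further down.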
system
11
Thanks Eddy… one last question, I hope…
I'm a new user, so I don't really understand. So I should check the items under
‘THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :’,
and click ‘FIX CHECKED’ in the HijackThis window? What will this do? Is this irreversible?
What about the items labeled
‘THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :’?
What should I do with them?
Eddy
12
First question: Yes
Second question : That’s up to you. (users own choice)
system
13
I'm a new user, so I don't really understand. So I should check the items under
'THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :',
and click 'FIX CHECKED' in the HijackThis window?
Yes
Is this irreversible?
No, HijackThis makes backups of what you fix. You can get to them by clicking Config in HijackThis, then clicking Backups (both buttons); from the backup screen you can restore or delete the backups.
What about the items labeled
'THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :'?
What should I do with them?
These are items that load when Windows starts up (you can see most of them in your taskbar next to your system clock). For example, this line here is MSN Messenger: “o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background”. Fixing this will stop MSN Messenger showing when you start up your PC. You will still be able to use these programs by clicking on their icons or from the Programs menu; they just won't load at system start-up, which means your computer will start up much, much quicker than usual.
–lee
system
14
Thank you so much Eddy and Lee! You've both been a great help and I feel much better having a ‘clean’ computer… so now that I've fixed it using HijackThis, what do I do with the infected files in my avast! chest? Is it safe to delete them now?
Eddy
15
Yup, safe to delete them if your system is working like it should.
system
16
Wanted to post a screenshot, but don't know how to… anyway, these are the infected files in the avast! chest…
install.htm C:\install.htm VBS:Malware
Key2.txt C:\WINDOWS\Key2.txt Win32:Trojano-213[Trj]
winupd C:\WINDOWS\system32\winupd.exe Win32:Trojano-299[Trj]
winupd C:\WINDOWS\system32\winupd.exe\winupd.exe Win32:Trojano-299[Trj]
A0022929.exe C:\System Volume Information\_restore{2E......}\RP184\A0022929.exe Win32:Trojano-203[Trj]
A0022977.exe C:\System Volume Information\_restore{2E......}\RP184\A0022977.exe Win32:Trojano-299[Trj]
So I can delete them, yeah?
What about kernel32, winsock, wsock32? These are in the chest under system files, not infected files… what does that mean? Should I just leave them lying there?
Eddy
17
Delete the infected files from the virus chest.
About the other 3 files:
They are copies of the original ones, created by Avast. This way avast can restore them if they get infected.
system
18
Thank you so much… have learnt a lot from all this… cheers to people like you! Thanks!