Analysing HijackThis Log File


Marcus Reiter

Hi,

I had really bad problems with my PC -
first I had heaps of Spyware installed like something from 180 Solutions,
then I had Worms and Trojans and stuff.

Then I searched with Google and followed pretty much these instructions:
http://www.webuser.co.uk/cgi-bin/fo...=142301&page=1&view=collapsed&sb=5&o=93&part=


So I went to Safe Mode (with network drivers, to be able to be online), installed
and ran about 3 different anti-spyware programs,
then I used the online scanners Housecall and Online Trojan Scan -
Housecall found 5 viruses in System32, Trojan Scan found nothing,
and last but not least I used Sophos in console mode by typing in
SAV32CLI, and it said:

Sophos Anti-Virus
Version 3.89.0 [Win32/Intel]
Virus data version 3.89, January 2005
Includes detection for 98175 viruses, trojans and worms

Then I looked up something new and typed in:
SAV32CLI -DI -P=C:\ELKLOGC.TXT
And it said:

Quick Scanning

2 boot sectors swept.
132602 files swept in 39 minutes and 20 seconds.
2 viruses were discovered.
2 files out of 132602 were infected.
Last but not least, right now I am running:
SAV32CLI -REMOVE -P=C:\KLEZLOGC.TXT



I guess it should all be good then, but I am not completely sure, so I made
another HijackThis log.
Maybe you could have a look and tell me if all is fine now or what else I
will have to do:

Logfile of HijackThis v1.99.0
Scan saved at 02:01:14, on 05.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\SAV32CLI\SAV32CLI.EXE
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Programme\WebCam\FxSvr2.exe
C:\Dokumente und Einstellungen\Marcus\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\goegwmr.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AntiVir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Preispiraten 2.1.2 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.exe
O9 - Extra button: Preispiraten - {94A15285-AAE6-44E8-B2D7-4A2C6CDA9185} - C:\Programme\Preispiraten\preispiraten.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095606310968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Dokumente und Einstellungen\Marcus\Lokale Einstellungen\Temp\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Unknown - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AntiVir\AVWUPSRV.EXE
O23 - Service: cyberJack PC/SC Service - REINER SCT - C:\WINDOWS\system32\cJPCSC.exe
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown - C:\MySQL\bin\mysqld-nt".exe (file missing)
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Programme\Sophos Anti Vir\SWEEPSRV.SYS
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Programme\TuneUp Utilities\WinStylerThemeSvc.exe



Is that all good again or what would you suggest?

Thanks,

Marcus
 

Max M.Wachtel III

Marcus said:
Is that all good again or what would you suggest?

Thanks,

Marcus

You can find forums to post the log to have it analyzed here:
http://tomcoyote.org/hjt/
-max

--
Virus Removal Instructions: http://www.geocities.com/maxpro4u/
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 

Peter Seiler

Max M.Wachtel III - 05.01.2005 05:38 :

~ 200! unnecessary quoting lines (snipped) as usual. And all these many
SIG lines too. Aren't you learnable?
 

pp hammer

in message ..
~ 200! unnecessary quoting lines (snipped) as usual.

* giggles * .. is it all the scrolling, or all the bandwidth, or all the
many seconds lost due to all the scrolling and bandwidth waste, that ticks
you off? :)
 

Beauregard T. Shagnasty

pp said:
in message ..


* giggles * .. is it all the scrolling, or all the bandwidth, or
all the many seconds lost due to all the scrolling and bandwidth
waste, that ticks you off? :)

You could add "all the storage space on thousands of news servers" to
that line for the next time... <g>
 

David H. Lipman

Somehow I *knew* your reply would follow....

--
Dave




| Max M.Wachtel III - 05.01.2005 05:38 :
|
| ~ 200! unnecessary quoting lines (snipped) as usual. And all these many
| SIG lines too. Aren't you learnable?
|
| > You can find forums to post the log to have it analyzed here:
| > http://tomcoyote.org/hjt/
| > -max
| >
|
|
| --
| by(e) PS
|
| spam will be killed
|
 

Gabriele Neukam

On that special day, Marcus Reiter, ([email protected]) said...
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

What kind of thing is that?
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe

Please report what "Properties of bdfkole.exe" shows.

(lots of Google toolbar related stuff)
O9 - Extra button: Preispiraten 2.1.2 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.exe
O9 - Extra button: Preispiraten - {94A15285-AAE6-44E8-B2D7-4A2C6CDA9185} - C:\Programme\Preispiraten\preispiraten.exe

This is a certain website in Germany, that is looking for the cheapest
price of a given item...
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}: NameServer = 192.168.0.1

Where does this belong? Your own machine is offering a service? To
whom?
O23 - Service: cyberJack PC/SC Service - REINER SCT - C:\WINDOWS\system32\cJPCSC.exe

Where does that belong? I think it is a legitimate program, but I want
to be sure.
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)

Something was removed, but not its registry entry.

Have you read http://faq.jors.net/virus and acted accordingly?
With *such* a collection there is *no* guarantee any more that you will
get your machine clean again. Trojans tend to have offspring, by the
dozen, and with a high mutation rate. No program in the world can detect
*all* trojans; their programmers get very creative when it comes to
getting around the usual checks.

And your machine has been available to the world as a general-purpose
service

http://board.protecus.de/showtopic.php?threadid=13433

(I told him he cannot be sure that all malware is gone, as trojans tend
to breed, fetch other trojans, and that no program on this planet can
identify *all* trojans, with their many methods of sneaking into the
machine, and avoiding detection)

Marcus, you've been told exactly this in the German anti-virus
newsgroup; listen to their answers. Back up your data (everything that
is NOT executable), format, re-install, install SP2, do NOT go onto the
internet until *everything* is patched, and THEN connect again. Your
machine might have been a DDoS helper, mass mailer, file server and
whatnot, and you believe you can have it going on like that forever?

http://www.sophos.com/virusinfo/analyses/w32rbotsq.html (Advanced)

Sheesh.


Gabriele Neukam

(e-mail address removed)
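The entry-by-entry checks Gabriele makes above (orphaned "(no file)" / "(file missing)" entries, Run values that start oddly named executables from System32 under names like "System Update" or "Cryptographic Service", and the O17 NameServer line), as an added Python example; this is not code from the thread or from HijackThis. It assumes the log is Usenet-wrapped as posted here and that %SystemRoot% is C:\WINDOWS; the allowlist is a placeholder and the sample entries are copied from the log above.

```python
import ipaddress
import re

# Constructed sample in HijackThis v1.99 format: entries copied from the log
# posted above, left Usenet-wrapped so the parser must re-join continuations.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\goegwmr.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AntiVir\AVGNT.EXE" /min
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}:
NameServer = 192.168.0.1
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) -(?: |$)")
O4_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# OS-sounding display-name words seen in this thread, and a placeholder
# allowlist of System32 binaries that legitimately appear under Run.
OS_WORDS = ("system", "update", "service", "microsoft", "windows", "crypto")
SYSTEM32_ALLOW = {"ctfmon.exe"}

def parse_hjt(text):
    """(section, body) pairs; prefix-less lines continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), line[m.end():].strip()])
        elif entries:  # newsreader wrapping; text before the first entry is skipped
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(e) for e in entries]

def target_path(command):
    """Executable path of a Run value, without surrounding quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]  # unquoted paths are assumed to contain no spaces

def triage(entries):
    """Apply the checks discussed in the thread; returns (section, note) pairs."""
    findings = []
    for section, body in entries:
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, "orphaned: file removed, registry entry left behind"))
        elif section == "O4" and (m := O4_RE.match(body)):
            hive, key, name, command = m.groups()
            path = target_path(command)
            base = path.rsplit("\\", 1)[-1].lower()
            # assumes %SystemRoot% is C:\WINDOWS, as in the log above
            if path.lower().startswith("c:\\windows\\system32\\") and base not in SYSTEM32_ALLOW:
                findings.append((section, f"{hive}\\{key} [{name}] starts {base} from "
                                 "System32: check its properties and submit it for scanning"))
            elif any(w in name.lower() for w in OS_WORDS):
                findings.append((section, f"[{name}] imitates an OS component but runs {path}"))
        elif section == "O17" and "NameServer = " in body:
            ip = ipaddress.ip_address(body.split("NameServer = ")[1].split()[0])
            note = "private, normally the LAN router" if ip.is_private else "external, confirm it"
            findings.append((section, f"NameServer {ip}: {note}"))
    return findings
```

For 192.168.0.1 the O17 check reports a private (RFC 1918) address, which is ordinarily the home router answering DNS rather than a service the PC itself is offering.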
 

pp hammer

"Beauregard T. Shagnasty" wrote in message
You could add "all the storage space on thousands of news servers" to
that line for the next time... <g>

well since i don't run a news server i wouldn't know.. what's 20,000 * 8kb (8kb
being long post, 9kb being long post with 200 lines quoted) .. hold on hold
on, what's 500,000 * 8kb...

omg omg omg it's almost 4GB . i figure they run low on space they parse/cut
the old, out with the old in with the new.. hmm 42 seconds worth of
bandwidth on a gigabit network, if they exist. expensive, but 42 seconds..
and maybe 2% of the total space.. for my next trick i divide 4GB by 2 and
times by 100... nah.. i just can't do the maths..

so our friend peter runs a news server with 1,000,000 users on 60,000
groups? on dialup? with a 20MB hd? oh my god! is he nuts?
 

Peter Seiler

David H. Lipman - 05.01.2005 16:11 :
Somehow I *knew* your reply would follow....

I knew you would understand me (as your SIG lines demonstrate). THX.
 

Beauregard T. Shagnasty

pp said:
"Beauregard T. Shagnasty" wrote in message

well since i don't run a news server i wouldn't know.. what's 20,000 *
8kb (8kb being long post, 9kb being long post with 200 lines
quoted) .. hold on hold on, what's 500,000 * 8kb...

omg omg omg it's almost 4GB . <snip>

<lol> What's funnier/worse is when a person posts a message:

Picture of my cat.
<attached: mycat.jpg - 400KB>

and someone replies:

Cute cat!
<INCLUDES attached: mycat.jpg - 400KB>

(What's 20,000 * 400KB ...)
 

Mike Barrett

winmedplay.exe is a new virus. It is hosing our company right now. We
are in touch with Symantec trying to work something out.
 

David H. Lipman

Please submit it to Virus Total -- http://www.virustotal.com/flash/index_en.html and the
suspect will be tested against several AV vendors' scanners.

Please post back the EXACT results.

--
Dave




| winmedplay.exe is a new virus. It is hosing our company right now. We
| are in touch with Symantec trying to work something out.
|
 

Mike Barrett

Mike said:
winmedplay.exe is a new virus. It is hosing our company right now. We
are in touch with Symantec trying to work something out.

I misspoke. It is not a virus, but it is definitely new spy/ad/malware.

If you get it, kill the process then delete the file from system32.
Scan the registry and remove all entries. It shows up in Run and Run
Services. The key name is Microsofts MediaScope. Obviously, they want
you to believe it is MS Media Player.
 

Bart Bailey

I misspoke. It is not a virus, but it is definitely new spy/ad/malware.

If you get it, kill the process then delete the file from system32.
Scan the registry and remove all entries. It shows up in Run and Run
Services. The key name is Microsofts MediaScope. Obviously, they want
you to believe it is MS Media Player.

Scanning the registry for startups is something HJT is good at,
but if you don't want to be overwhelmed by all the other BHO and toolbar
type info etc. have a go at Mike Lin's Startup Control Panel:
http://www.mlin.net/StartupCPL.shtml
 
