trojan is onboard somewhere



#1
amcallis

Hello - I followed the tutorial "How-to remove VirusRescue, SpyAxe, SpywareStrike, SpySheriff, Winhound and Smitfraud using noahdfear's smitRem.exe removal tool"
Located here:
http://www.geekstogo...aud-t91731.html

I was keyed to that since SpybotS&D detected "smitfraud"
Also, I had detection of "adware_commandservice" from the trendmicro housecall virus scan. This virus scan was unable to remove "command service".

After running the tutorial, there were still problems according to Panda. Please help! I attached ewido log file, panda log, and smitRem log file, plus a post-tutorial HJT log file.

HJT has been updated, I disabled "system restore".

Thank you for helping - I just can't do this myself it doesn't look like :whistling:

(Originally, I attached the log files. I think everyone prefers I paste the contents into my post (so then it is searchable, I assume?). I removed the attachments and pasted their contents below:)

<<<<<<<<<<<<<<Ewido_report.txt>>>>>>>>>>>>>>>>>>>
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:48:54 PM 9/2/2006

+ Scan result:



HKU\S-1-5-21-1202660629-117609710-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Lang -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Lang\English.ini -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Logs -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\Quarantine -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\msvcp71.dll -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\msvcr71.dll -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\Program Files\SpyQuake2.com\uninst.exe -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\WINDOWS\system32\8494eaeb.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\amcallis\Cookies\amcallis@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\amcallis\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.


::Report end





<<<<<<<<<<<<<<Smitfiles_reportLog.txt (from tutorial)>>>>>>>>>>>>>>>>>>>.

smitRem © log file
version 3.1

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Sat 09/02/2006
The current time is: 16:26:51.81

Running from
C:\Documents and Settings\amcallis\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Safety Bar


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

issearch.exe
ixt*.dll
amcompat.tlb
nscompat.tlb
logfiles


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 796 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :blink:



[ note from amcallis: the enthusiastic "CLEAN! :help:" seems to be incorrect, based on the Panda scan below. ]



<<<<<<<<<<<<<<Panda Activescan Log>>>>>>>>>>>>>>>>>>>

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtuurol.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\QW5keQ\kqc4yk.vbs
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtqpqn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wvutssp.dll



<<<<<<<<<<<<<<HijackThis Log>>>>>>>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 5:15:05 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netsecurity.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by amcallis, 03 September 2006 - 10:56 AM.



#2
don77

Hello and welcome amcallis
  • Please go to Jotti's malware scan
  • Copy and paste the following file path C:\WINDOWS\system32\netsecurity.exe
    into the box on the top of the page:

  • Click on the submit button
  • Please post the results in your next reply.

also
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Please post the logs rather than attach them
Thanks
Don

#3
amcallis

Thanks for responding so quickly.

Jotti's Malware Scan had the following results:

AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
UNA - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing

I am now going to try out VundoFix.

#4
amcallis

And here is the VundoFix log file:


VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:33:37 PM 9/2/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqpqn.dll
C:\WINDOWS\system32\jkkhecb.dll
C:\WINDOWS\system32\vtuurol.dll
C:\WINDOWS\system32\wvutssp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqpqn.dll
C:\WINDOWS\system32\awtqpqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkhecb.dll
C:\WINDOWS\system32\jkkhecb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vtuurol.dll
C:\WINDOWS\system32\vtuurol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvutssp.dll
C:\WINDOWS\system32\wvutssp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:37:29 PM 9/2/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkkhecb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkhecb.dll
C:\WINDOWS\system32\jkkhecb.dll Has been deleted!

Performing Repairs to the registry.
Done!

#5
amcallis

Edit: I THOUGHT I was able to successfully remove the trojan. It's still on the computer, unfortunately. Here's the steps I tried.

I went to Symantec's Security Check (http://security.symantec.com/) and ran the Virus Detection.

The scan found the following items:
C:\WINDOWS\Temp\win2EF.tmp.exe is infected with Adware.MaxSearch
C:\WINDOWS\system32\__delete_on_reboot__u_r_r_o_x_t_l_._d_l_l_ is infected with Adware.SpySheriff
C:\WINDOWS\system32\components\flx3.dll is infected with Adware.SpySheriff
C:\WINDOWS\QW5keQ\kqc4yk.vbs is infected with Spyware.ISearch
C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services.dll is infected with Adware.MaxSearch
C:\Documents and Settings\amcallis\Local Settings\Temporary Internet Files\Content.IE5\G54BI7UP\wlzip32[1].exe is infected with Downloader
C:\Documents and Settings\amcallis\Local Settings\Temporary Internet Files\Content.IE5\CVKVA5GD\wlzip32[1].exe is infected with Adware.MaxSearch
C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe is infected with Downloader

I rebooted in safe mode and changed all the .dll files to .bad
I deleted all of the files in C:\WINDOWS\Temp
I deleted all of the Temporary Internet files
I changed C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe to C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.bad

The tough part was accessing C:\WINDOWS\QW5keQ\kqc4yk.vbs

This file and the folder QW5keQ were both hidden and had read-only permissions. I was able to edit this file by opening a Command Prompt window and typing: notepad C:\WINDOWS\QW5keQ\kqc4yk.vbs

I commented out all of the lines in that file and saved it to C:\

I then went to My Computer, copied the C:\kqc4yk.vbs file, then navigated to C:\WINDOWS\QW5keQ and pasted it. I was prompted to replace the existing file which I answered yes to. After doing this, I could now see the file and was able to delete both that file and the QW5keQ folder.

After doing this, I rebooted and was able to remove all of the spyware/adware using Spybot S&D and Ad-Aware.

For reference, here are the contents of the C:\WINDOWS\QW5keQ\kqc4yk.vbs file:

On Error Resume Next
res = MsgBox("Are you sure you wish to remove the application: Command?" _
& Chr(13) & "Removing this application may cause dependent applications to stop functioning.", _
vbYesNo+vbExclamation, "Confirm Application Delete")
If res = vbYes Then
Set WSHShell = CreateObject("WScript.Shell")
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "http://command.adser...ninstall.php",3
Set WshShell = Nothing
End If


Edited by amcallis, 03 September 2006 - 02:31 AM.


#6
amcallis

There is a system tray icon that is flashing a yellow triangle with "!" symbol in it, apparently trying to help me remove the virus. Obviously it's the virus, and it links me to a site to pay for some anti-virus software that will supposedly fix it.

Also, I occasionally get IE based popup ads. At some point this evening, I was able to open IE without it being hijacked, but it's hijacked again. Bummer.

The "antivirus" software it links me to are "winAntiVirus Pro 2006" at http://www.winantivirus.com, and also I get popups for "http://antivirusgolden.com"

Edited by amcallis, 03 September 2006 - 02:38 AM.


#7
don77

We still have a bit of work to do here,

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log back here for me please.

IMPORTANT: Do NOT run any other options until you are asked to do so!

#8
amcallis

OK! Here's the search results:

Rapport.txt contents:
SmitFraudFix v2.83

Scan done at 9:51:48.09, Sun 09/03/2006
Run from C:\Documents and Settings\amcallis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\amcallis\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\amcallis\FAVORI~1

C:\DOCUME~1\amcallis\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#9
don77

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Also post back a fresh HJT log for me as well please

Warning : running option #2 on a non infected computer will remove your Desktop background.

#10
amcallis

OK, followed your directions.
S&D found nothing on a scan.
Adaware finds nothing.
Ewido finds nothing.
Opened IE to do a panda scan: IE is still hijacked :whistling:
Panda activescan finds things (log included below)
Then I ran Trendmicro again, and found this (Trendmicro housecall thinks it successfully removes it, but subsequent housecall scans still find this trojan): ADWARE_VIRTUMUNDO

<<<<< smitfraudfix log >>>>>
SmitFraudFix v2.83

Scan done at 12:04:37.62, Sun 09/03/2006
Run from C:\Documents and Settings\amcallis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\amcallis\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




>>>>>> Hijack This Log <<<<<<
Logfile of HijackThis v1.99.1
Scan saved at 12:50:38 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netsecurity.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

<<<<<< panda activescan >>>>>

Incident Status Location

Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\amcallis\Application Data\Mozilla\Firefox\Profiles\v32p2bk2.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\amcallis\Cookies\amcallis@malwarewipe[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Local Settings\Application Data\Mozilla\Firefox\Profiles\v32p2bk2.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services_dll.bad
Adware:Adware/CommAd Not disinfected C:\RECYCLER\S-1-5-21-1202660629-117609710-682003330-1003\Dc2.txt
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1202660629-117609710-682003330-1003\Dc3.exe[²ƒÇ]
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\awtqpqn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkkhecb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtuurol.dll
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wvutssp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqpmjk.dll
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\WINDOWS\Temp\sa2B.exe[Spy-Quake2.exe]


#11
don77

We're getting there


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next
Please restart HJT, put a check next to the following, close all open windows and click “Fix Checked”

O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe



Next Reboot into SAFE MODE
Search for and delete the folders (highlighted in blue) and files (highlighted in bold):
C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
C:\PROGRA~1\COMMON~1\urii
C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services.dll
C:\Program Files\Common Files\{EC095BCB-08A3-1033-0425-050125050001}\services_dll.bad
C:\WINDOWS\Temp\sa2B.exe

Go ahead and delete this folder
C:\VundoFix Backups

Go ahead and delete smitfraud fix from your desktop

Empty your recycle bin


Restart your computer,

Rescan with active scan and post back what it finds please

Post back a fresh HJT log as well please


I don't see an Anti Virus or firewall program running
Anti Virus, both free choose one and install it
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
  • 0
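The by-eye reading of the HijackThis log that leads to the "Fix Checked" list above can be sketched as a small triage script. This is an added example, not part of the original thread and not part of HijackThis; the sample lines are an excerpt of the log posted in #10, and the three heuristics (8-hex-digit names, user-writable launch paths, "Unknown owner" / "file missing" services) are assumptions chosen for illustration, not verdicts.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted in #10 of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKCU\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Assumed heuristic: value or file name that is exactly eight hex digits.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}(\.exe)?$", re.IGNORECASE)
# Assumed heuristic: autostart binaries living where any user process can write.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
SERVICE_PREFIX = "O23 - Service: "
MISSING = " (file missing)"


def check_run_entry(line):
    """Return ("O4", value_name, reasons) for a registry Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    _hive, _key, name, cmd = m.groups()
    reasons = []
    if HEX_NAME_RE.match(name) or HEX_NAME_RE.match(ntpath.basename(cmd)):
        reasons.append("random-looking 8-hex-digit name")
    if any(marker in cmd.lower() for marker in USER_WRITABLE):
        reasons.append("starts from a user-writable profile or temp folder")
    return ("O4", name, reasons)


def check_service(line):
    """Return ("O23", service_name, reasons) for a service line, else None."""
    if not line.startswith(SERVICE_PREFIX):
        return None
    body = line[len(SERVICE_PREFIX):]
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    # Split from the right: service display names may themselves contain " - ".
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, _path = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no company name reported for the service binary")
    if missing:
        reasons.append("service is registered but its file is missing")
    return ("O23", name, reasons)


def triage(log_text):
    """Return only the entries that matched at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        result = check_run_entry(line) or check_service(line)
        if result and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE_LOG):
        print(f"{kind} {name}: " + "; ".join(reasons))
```

A flagged entry is a candidate for a closer look, not a confirmed infection, and these rules do not match the `urii` Run entry that is also on the fix list in this thread, so the script narrows the reading of a log rather than replacing it.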

#12
amcallis

OK - was unable to find the files:

C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
C:\WINDOWS\Temp\sa2B.exe

There was something like 8494eaeb.exe_bac in a trendmicro quarantine folder. I deleted this. I did a search for sa2B.exe, but didn't find it anywhere.

When I restarted, and opened IE to run Activescan, I went to google first, and there was a malicious popup.

Here is the activescan log:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\amcallis\Desktop\smitRem.exe[smitRem/Process.exe]

<<<< HJT Log >>>>
Logfile of HijackThis v1.99.1
Scan saved at 2:49:50 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\netsecurity.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Any clue about that persistent IE popup? BTW, I installed this trojan :whistling: I thought it was a neato pocket PC application, but instead, trojan. I did a cursory scan on the file, but should have looked a little closer at it before running (should have at least put it thru trendmicro).

EDIT: By the way, ewido just caught a bunch of stuff. I'll post the ewido log.

Edited by amcallis, 03 September 2006 - 03:52 PM.

  • 0

#13
amcallis

amcallis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
The ewido things that are coming up are:

Not-A-Virus.Hoax.Win32.Renos.ds
SpywareQuake
Adware.Generic
C:\Program Files\Safety Bar\Safety Bar.dll
C:\WINDWOS\system32\urroxtl.dll
C:\Program Files\ToolBar888\MyToolBar.dll
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
Downloader.Obfuscated.a

I've got a thing in the system tray that is a blue circle with a white question mark that has a tooltip "Virus-Alert!"

The log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:57:14 PM 9/3/2006

+ Scan result:



C:\Program Files\Safety Bar -> Adware.Generic : Cleaned.
C:\Program Files\Safety Bar\Uninstall.bat -> Adware.Generic : Cleaned.
C:\Program Files\ToolBar888 -> Adware.ToolBar888 : Cleaned.
C:\Program Files\ToolBar888\MyToolBar.dll -> Adware.ToolBar888 : Cleaned.
C:\Program Files\ToolBar888\Uninst.exe -> Adware.ToolBar888 : Cleaned.
C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe -> Downloader.Obfuscated.a : Cleaned.
C:\Documents and Settings\amcallis\Local Settings\Temporary Internet Files\Content.IE5\G54BI7UP\wlzip32[1].exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\8494eaeb.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\__delete_on_reboot__u_r_r_o_x_t_l_._d_l_l_ -> Not-A-Virus.Hoax.Win32.Renos.ds : Cleaned.
C:\Documents and Settings\amcallis\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\amcallis\Cookies\amcallis@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.


::Report end
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Let's have a look at an uninstall list
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please,


And a winpfind log

Download winpfind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.


This one is bothering me
C:\WINDOWS\system32\netsecurity.exe

Could you see if you can send me a copy of it please
send it to iamdon77"at"yahoo.com ( replace the "at" with @ )

Let's also see what happens if we disable it

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

NETSecurity

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.
  • 0
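An added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over O4 and O23 lines quoted in this topic, showing why entries such as the `.NETSecurity` service stand out in a log. The heuristics and the names `triage`, `USER_WRITABLE` and `HEX_NAME` are assumptions made for illustration.

```python
import re

# Sample assembled from HijackThis lines quoted in this thread (not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [8494eaeb.exe] C:\Documents and Settings\amcallis\Local Settings\Application Data\8494eaeb.exe
O4 - HKCU\..\Run: [urii] C:\PROGRA~1\COMMON~1\urii\uriim.exe
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe (file missing)
"""

# Line formats as they appear in the log lines above.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")

# Assumed triage heuristics (illustrative only).
USER_WRITABLE = re.compile(r"\\(Local Settings|Application Data|Temp)\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}(\.exe)?$", re.I)


def triage(log_text):
    """Return [(entry name, [reasons])] for autorun/service lines worth review."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reasons = []
        svc, run = O23_RE.match(line), O4_RE.match(line)
        if svc:
            name, owner, _path, missing = svc.groups()
            if owner == "Unknown owner":
                reasons.append("HijackThis reports 'Unknown owner'")
            if missing:
                reasons.append("service registered but file missing")
        elif run:
            _hive, name, target = run.groups()
            if USER_WRITABLE.search(target):
                reasons.append("autorun from user-writable directory")
            if HEX_NAME.match(name):
                reasons.append("random-looking hex name")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

The `urii` Run entry, which was also on the fix list earlier in the thread, passes these rules unflagged, so a pass like this narrows a log for review but does not replace reading it line by line.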

#15
amcallis

amcallis

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I emailed you the netsecurity.exe. In the Services list, it was listed as ".NETSecurity" with status "Automatic". I disabled this one. There wasn't anything in the services list without the period in the front (e.g., no "netsecurity").

I'm running WinPFind right now...
  • 0





