trojan-spy html.smitfraud.c[CLOSED]


#1 ksavage (New Member, 7 posts)
Please help. I have the smitfraud.c virus and can't get rid of it. Blue screen, and the computer seems like it's kind of getting slower. I did everything you said before coming in to post a topic and still have the same problem. Have read other people's threads on how to get rid of this virus but stopped real quickly. About the third instruction on the one I read stated press CTRL ALT DELETE and click on the Processes tab; well, I don't have that tab, so I stopped. Did read in one topic that the person stated he was going to throw his computer into the street; I bet I can throw mine further. Thanks for any assistance you can help me with.



Logfile of HijackThis v1.99.1
Scan saved at 11:57:44 PM, on 05/04/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\WP.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PREMIER - ACCOUNTANT EDITION\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {702117A0-736F-11D7-9207-000102298083} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Mskexe] c:\program files\mcafee\spamkiller\spamkiller.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [hahatyt] C:\WINDOWS\hahatyt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{911A0409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier - Accountant Edition\Components\QBAgent\QBDAgent2002.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O12 - Plugin for .quake2: C:\PROGRA~1\INTERN~1\PLUGINS\npq2plug.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...ybad/wtinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.co...22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipbrowser.c...ite/fvliteY.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
#2 Guest_thatman_* (Guest)
Hi ksavage

Please read through the instructions before you start (you may want to print this out).

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.
Run CWShredder to fix your CWS problem.

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O3 - Toolbar: (no name) - {702117A0-736F-11D7-9207-000102298083} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [hahatyt] C:\WINDOWS\hahatyt.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipbrowser.c...ite/fvliteY.cab

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WP.EXE
C:\WINDOWS\hahatyt.exe

Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WP.EXE
C:\WINDOWS\hahatyt.exe


Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
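An added example (not code from the thread, from HijackThis or from Geeks to Go): a small Python triage script that parses a HijackThis v1.99 log of the shape posted above and applies, mechanically, the checks the helper made by eye when picking the lines to fix: entries that still reference a file that is gone (`(no file)` / `(file missing)`), O4 autoruns launched from the drive root such as `C:\WP.EXE`, and a default search URL reset to `about:blank`. The sample log is a constructed subset of the posted one; the heuristics and all function names are this example's own assumptions, and a flagged line is a candidate for review, not a verdict.

```python
"""
Triage helper for HijackThis v1.99-style logs (added example, not code from
the thread or from HijackThis itself). It splits the scan into the running
process list and the tagged entries (R0/R1, O2, O3, O4, ...) and applies the
checks the helper in the thread applied by eye: dangling references,
autoruns launched from the drive root, and a hijacked default search URL.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:57:44 PM, on 05/04/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {702117A0-736F-11D7-9207-000102298083} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [hahatyt] C:\WINDOWS\hahatyt.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {F6441660-BC16-11D9-9207-000102298083} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 bodies: "HKLM\..\Run: [Name] command" or "Startup: Name.lnk = path"
AUTORUN_RE = re.compile(
    r"^(?:HK(?:LM|CU)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] |Startup: [^=]+ = )(?P<cmd>.+)$"
)
# An executable sitting directly in a drive root, e.g. C:\WP.EXE
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|com|bat|pif|scr)$", re.I)


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O4"
    body: str   # text after "O4 - "
    raw: str    # the full original line


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def parse_log(text):
    """Return (running_processes, entries) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def autorun_target(body):
    """Executable path launched by an O4 entry, quotes and arguments stripped."""
    m = AUTORUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Apply the by-eye checks from the thread to every entry; return findings."""
    _, entries = parse_log(text)
    findings = []
    for e in entries:
        low = e.body.lower()
        if "(no file)" in low or "(file missing)" in low:
            # The registry still points at a file that no longer exists.
            findings.append(Finding(e, "dangling reference to a missing file"))
        elif e.code == "R1" and "default_search_url = about:blank" in low:
            findings.append(Finding(e, "default search URL reset to about:blank"))
        elif e.code == "O4":
            target = autorun_target(e.body)
            if target and ROOT_EXE_RE.match(target):
                # Legitimate software almost never autostarts from C:\ itself.
                findings.append(Finding(e, "autorun launched from the drive root"))
    return findings


def count_by_section(text):
    """Number of entries per section code, e.g. {'O4': 4, 'O9': 1, ...}."""
    _, entries = parse_log(text)
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:42} {f.entry.raw}")
```

Run against the sample it flags five lines: the R1 search URL, the O2 and O3 entries with `(no file)`, the O9 entry with `(file missing)` and the `[WindowsFY] C:\WP.EXE` autorun. `hahatyt.exe` is not caught by any of these rules, which is the point of keeping a human in the loop: a name nobody recognises in `C:\WINDOWS` is still a judgement call.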

#3 ksavage (Topic Starter, New Member, 7 posts)
Thanks Thatman,

For your time and knowledge. I did everything you told me and created a log for you with Panda software, but I could not figure out a way to create a log for you with HJT, so I wrote down the three things that HJT found and their paths. Hope this will help you help me find a way to clean my computer.


Thanks.....Ksavage


HJT report:

JOKE CRAZYICONS. A NON-CLEANABLE
C:\windows\temp\crazyicons

TROJ DLOADER.KV
C:\windows\msxmidi.EXE

TROJ HIJACK.A
c:\recycled\dc8.EXE

PANDA LOG:
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\FLEOK
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\SYSTEM\stlbupdt.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\SAHUpdate
Adware:Adware/Superbar No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos
Adware:Adware/MSView No disinfected C:\WINDOWS\TEMP\msview.inf
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM\kyf.dat
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\wb.dll
Adware:Adware/Comet No disinfected C:\WINDOWS\SYSTEM\CometTB.dll
Adware:Adware/Comet No disinfected C:\WINDOWS\SYSTEM\CometTB.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\Agent.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\SYSTEM\nostalgia.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\OMsetup.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\cm1.dll
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\SYSTEM\stlbupdt.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\Xcite.exe
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM\Xcite.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\msss.exe
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM\kyf.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\saveinstwm.exe
Adware:Adware/MSView No disinfected C:\WINDOWS\TEMP\MSView.inf
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/WinActive No disinfected C:\RECYCLED\DC1\unbzip2s.dll
Adware:Adware/BlueScreenWarningNo disinfected C:\RECYCLED\DC8.EXE
Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp

#4 Guest_thatman_* (Guest)
Hi ksavage

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\FLEOK
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\TEMP\SAHUpdate
C:\WINDOWS\Application Data\Lycos
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\SYSTEM\wb.dll
C:\WINDOWS\SYSTEM\CometTB.dll
C:\WINDOWS\SYSTEM\CometTB.exe
C:\WINDOWS\SYSTEM\Agent.dll
C:\WINDOWS\SYSTEM\nostalgia.dll
C:\WINDOWS\SYSTEM\OMsetup.exe
C:\WINDOWS\SYSTEM\cm1.dll
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\SYSTEM\Xcite.exe
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\msss.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\TEMP\saveinstwm.exe
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
C:\WINDOWS\TEMP\__unin__.exe
C:\WINDOWS\msxmidi.exe
C:\RECYCLED\DC1\unbzip2s.dll
C:\RECYCLED\DC8.EXE

C:\wp.bmp

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and a new HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
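Added example, not from the thread and not Panda's own tooling: a Python parser for the ActiveScan result lines pasted in the posts above that builds the kind of file list the helper wrote out by hand. It de-duplicates paths the scan reports more than once (including case-only differences, since Win9x paths are case-insensitive), maps a member inside an archive such as `asmfiles.cab[asm.exe]` back to the archive on disk, and sets aside `Windows Registry` incidents, which a file deleter cannot remove. The sample lines are a constructed subset of the posted log; the status words other than `No disinfected` and every function name are this example's assumptions.

```python
"""
Parser for Panda ActiveScan result lines as pasted in the thread (added
example; not Panda's own code). A line has the form
"Category:Family Status Location"; the scan sometimes runs the family name
straight into the status ("BlueScreenWarningNo disinfected"), and one line
("Possible Virus.") carries no category at all, so both are handled.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_PANDA = r"""Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM\Xcite.dll
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\SYSTEM\stlbupdt.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\TEMP\msview.inf
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\SYSTEM\stlbupdt.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM\Xcite.dll
Adware:Adware/MSView No disinfected C:\WINDOWS\TEMP\MSView.inf
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
Adware:Adware/BlueScreenWarningNo disinfected C:\RECYCLED\DC8.EXE
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\wb.dll
"""

# The name is matched lazily so that a family fused to its status still splits
# correctly. "Disinfected" as an alternative status word is an assumption.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class Incident:
    kind: str       # "Adware", "Spyware", or "" when the line has no category
    family: str     # "Adware/SaveNow", "Possible Virus."
    status: str
    location: str


def parse_panda(text):
    """Turn pasted ActiveScan lines into Incident records; skip anything else."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # header, blank line or unrecognised format
        kind, sep, family = m.group("name").partition(":")
        if not sep:             # no "Category:" prefix on this line
            kind, family = "", kind
        incidents.append(Incident(kind.strip(), family.strip(),
                                  m.group("status"), m.group("location")))
    return incidents


def is_registry_only(inc):
    """True when the scanner found the item only in the registry, not on disk."""
    return inc.location.lower() == "windows registry"


def on_disk_object(location):
    """Path of the object actually on disk: a member inside an archive
    ("asmfiles.cab[asm.exe]") maps to the archive file itself."""
    return re.sub(r"\[[^\]]*\]$", "", location)


def plan(text):
    """Split incidents into (de-duplicated file paths, registry-only families)."""
    files, seen, registry = [], set(), []
    for inc in parse_panda(text):
        if is_registry_only(inc):
            if inc.family not in registry:
                registry.append(inc.family)
            continue
        path = on_disk_object(inc.location)
        key = path.lower()      # Win9x paths are case-insensitive
        if key not in seen:
            seen.add(key)
            files.append(path)
    return files, registry


if __name__ == "__main__":
    file_list, reg_only = plan(SAMPLE_PANDA)
    print("files to remove on reboot:")
    for p in file_list:
        print("  " + p)
    print("registry-only incidents (need a registry cleanup, not a file deleter):")
    for fam in reg_only:
        print("  " + fam)
```

On the sample the twelve result lines collapse to six distinct on-disk paths plus two registry-only families, which matches what the helper's hand-written list and the follow-up posts about `SaveNow` and `Superbar` show: the registry leftovers survive every file-deletion round until the registry itself is cleaned.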

#5 ksavage (Topic Starter, New Member, 7 posts)
Thanks again. Wouldn't know what to do without the help of you and this site.

I think we are going in the right direction.
Nothing showed up on HJT.log and I will paste the Panda log for you.


Thanks again and my computer thanks you.
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\SAHUpdate
Adware:Adware/Superbar No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry

#6 Guest_thatman_* (Guest)
Hi ksavage

How is the system running?

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\SYSTEM\FLEOK
C:\WINDOWS\TEMP\SAHUpdate

C:\WINDOWS\Application Data\Lycos

Kc :tazz:

#7 ksavage (Topic Starter, New Member, 7 posts)
Hey Thatman,


Ran Panda and still have six things showing up but nothing on HJT.
Will paste the Panda log for you. System is running good; am having a problem
starting up, sometimes it locks up and I have to restart a couple of times.


Thanks again.......Ksavage
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\TEMP\SAHUpdate
Adware:Adware/Superbar No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry

Edited by ksavage, 08 May 2005 - 10:15 PM.


#8 Guest_thatman_* (Guest)
Hi ksavage

C:\WINDOWS\SYSTEM\FLEOK <-- Delete this folder
C:\WINDOWS\TEMP\SAHUpdate <-- Delete all files in the Windows temp folder.
C:\WINDOWS\Application Data\Lycos <-- Delete this folder

Adware/Superbar how to remove:
http://www.doxdesk.c...e/SuperBar.html

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Reboot as normal
Post a new Panda scan.log and HJT.Log

Kc :tazz:

#9 ksavage (Topic Starter, New Member, 7 posts)
Hey again,


Hope what I'm writing you makes sense. Did a file find on the PC for c:\windows\system\fleok and c:\windows\application data\lycos; could not find either. But did find c:\windows\temp\sahupdate and I think it's gone; Panda did not find it. Think I messed up on Adware/Superbar; going to retry removing it and running another Panda scan, will tell you in a later post on that. Steve Gould's web site would not let me in under the address you posted, so I did a find and found it under HTTP://cleanup.stevengould.org. It did clean some out, about 88.2 MB, but I'm still having a bad boot problem; takes me anywhere from 3 to 9 times to get the computer back up and running. It gets all the way to the desktop and freezes; shows me icons and all, but the mouse either won't move or, if it does, I can't click on anything. Have to manually shut it down with the off button and turn it back on. Just a question: do you think McAfee antivirus could be causing this problem at startup? Hey, one good thing, I'm down to 5 viruses. Thanks for all your help.

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\FLEOK
Adware:Adware/Superbar No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry

#10 ksavage (Topic Starter, New Member, 7 posts)
Hey Thatman.


Did a couple of things right and got the virus count down to 1. Still having a boot problem,
but did run another Panda check and here's the log. Still nothing on HJT.

Thanks again..... Ksavage



Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry

#11 Guest_thatman_* (Guest)
Hi ksavage

Please read through the instructions before you start (you may want to print this out).

Read this Demystifying the Windows Registry

Most of the following registry entries will have been removed. You may find a number of reg keys for this SaveNow program, but they are harmless and are just leftovers,
useless with no program to run.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete the ‘SaveNow’, ‘WhenUSave’, ‘WhenUSearch’ or ‘VVSN’ values. Reboot and you should be able to delete the ‘SaveNow’, ‘Save’, ‘WhenUSearch’, ‘WhenUSearchWHSE’ or ‘VVSN’ folder inside ‘Program Files’.

To remove the ActiveX objects installed by the Download and Db variants, open the ‘Downloaded Program Files’ folder inside the Windows folder, and delete the SaveNow object. The name of this is ‘WhenUDownload’ in the Download variant, ‘FC327B3F-377B-4CB7-8B61-27CD69816BC3’ in the Db variant, and ‘E2F2B9D0-96B9-4B25-B90C-636ECB207D18’ in the WUInst variant.

HKEY_CLASSES_ROOT\clsid\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\clsid\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\clsid\{fee7fd53-3356-4d4d-8978-2c4ae3a7e109}
HKEY_CLASSES_ROOT\typelib\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
HKEY_CLASSES_ROOT\typelib\{fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_CURRENT_USER\software\whenu
HKEY_LOCAL_MACHINE\software\classes\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_LOCAL_MACHINE\software\classes\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader.1\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\curver
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\savenow\changed
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\savenow\slowinfocache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\whenusearch\changed
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\whenusearch\slowinfocache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mirarsetup.exe\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mirarsetup.exe\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll || {fc327b3f-377b-4cb7-8b61-27cd69816bc3}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/sndbmark.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/windmy.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/windmy.dll\{8a0dcbda-6e20-489c-9041-c1e8a0352e75}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\savenow
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\remove at boot 902
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\winnt\downloaded program files\conflict.1\sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\winnt\downloaded program files\sndbmark.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\gdivx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\savenow
HKEY_LOCAL_MACHINE\software\whenu
HKEY_LOCAL_MACHINE\software\whenusave\partners\wusv
HKEY_USERS\.default\software\whenu

Kc :tazz:

#12 ksavage (Topic Starter, New Member, 7 posts)
Hey, Thatman


Didn't find anything under hkey_local_machine\software\microsoft\windows\currentversion\run

On ActiveX, couldn't find anything there in "downloaded program files".

Now, on the bottom part of your post you listed different hives; did you want me to
enter them into Killbox and remove them? I did learn how to back up my registry.

Sorry for being so stupid, just don't know a lot about computers.


Thanks for the help!.... Ksavage

#13 Guest_thatman_* (Guest)
Hi ksavage

Download and install EasyCleaner:
http://personal.inet...rts/ecleane.htm

After installing it check under Settings > Registry tab if the backup
option is checked and if the directory it points to exists.
This should be true by default, but check anyway.

Then click OK and click Registry
Then click Search. When it is done select all the items per color,
(most, if not all should be green) and click Remove.

Reboot when you are done and let us know how it goes.

Kc :tazz:

#14 Guest_thatman_* (Guest)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.