Need help removing PSguard [CLOSED]


This topic is locked

#1 Alecto (Member, 20 posts)
I need help.

My computer has been infected with PSGuard. I have run Ad-Aware (which found several CoolWebSearch trojans). I have also run CWShredder and Spybot Search & Destroy, which found nothing.

I am unable to run Ewido (I have Windows Me), and I also get an error message when I run smitRem's RunThis.bat, stating that a batch file is missing.

I have also attempted to remove the program from the Add/Remove folder under the Control Panel. It is no longer on the list, but I still have the black background and the red exclamation point telling me that my computer is infected with spyware.

Below is my latest HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 5:48:29 PM, on 7/20/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\LETC\PCSH.EXE
C:\UVNXC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {505B5704-8C8D-E42E-EB9F-9172C7F7FCAE} - C:\WINDOWS\SYSTEM\DOR.DLL (file missing)
O2 - BHO: (no name) - {1641A63C-328B-1821-F8B9-64A398FEFECD} - C:\WINDOWS\SYSTEM\HLNCHCGA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Ncps] C:\Program Files\letc\pcsh.exe
O4 - HKCU\..\Run: [Zkmhl] \uvnxc.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winf...nnerInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

---

Any assistance would be greatly appreciated!

Edited by Alecto, 20 July 2005 - 03:54 PM.


#2 Justin (Member, 2,353 posts)
Hello, and welcome to the GeekstoGo Forums. My name is Jfcap, and I will be helping you clean your system. I would like to start off by apologizing for the delay in our response time. We try not to let posts slip through the cracks, but things do happen due to the amount of posts on our website, so again I apologize.

Please post a new HijackThis log so I can see how things have changed. Then we can get a fix going for you.

#3 Alecto (Topic Starter, 20 posts)
Okay, I seemed to be able to fix it for a few days, then it came back.

Anyway, here's the latest HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:11 AM, on 8/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\UVNXC.EXE
C:\PROGRAM FILES\LETC\PCSH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {505B5704-8C8D-E42E-EB9F-9172C7F7FCAE} - C:\WINDOWS\SYSTEM\DOR.DLL (file missing)
O2 - BHO: (no name) - {1641A63C-328B-1821-F8B9-64A398FEFECD} - C:\WINDOWS\SYSTEM\HLNCHCGA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Zkmhl] \uvnxc.exe
O4 - HKCU\..\Run: [Ncps] C:\Program Files\letc\pcsh.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winf...nnerInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#4 Justin (Member, 2,353 posts)
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
O2 - BHO: (no name) - {505B5704-8C8D-E42E-EB9F-9172C7F7FCAE} - C:\WINDOWS\SYSTEM\DOR.DLL (file missing)
O2 - BHO: (no name) - {1641A63C-328B-1821-F8B9-64A398FEFECD} - C:\WINDOWS\SYSTEM\HLNCHCGA.DLL
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Zkmhl] \uvnxc.exe
O4 - HKCU\..\Run: [Ncps] C:\Program Files\letc\pcsh.exe

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.

Open Windows Explorer and delete the following:

C:\Program Files\letc\pcsh.exe


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it, along with a new HijackThis log and the contents of the smitfiles.txt log, by using Add Reply.
Let us know if any problems persist.
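The checklist in the post above (unnamed BHOs, an entry whose file is missing, an HKCU Run value with a root-relative path, a service named to look like the real spooler) is the kind of judgement a helper applies by eye. The Python below is an added example, not part of HijackThis, smitRem or this thread: it parses the O2 and O4 lines of an HJT log, attaches a reason to each entry that shows one of those traits, and diffs two logs so that autoruns which survive a cleanup or appear afterwards stand out. The sample lines are copied from the two 8/5/2005 logs in the thread; the allowlist of Win9x/ME system binaries and the scoring rules are this example's own assumptions, not an official detection list.

```python
"""Heuristic triage and diffing of HijackThis (HJT) logs.

Added example for this thread, not part of HijackThis, smitRem or the posts.
Sample lines are copied from the two 8/5/2005 logs in the thread; the allowlist
and the heuristics are this example's own assumptions.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines from the 9:50 AM log (before the fix).
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {505B5704-8C8D-E42E-EB9F-9172C7F7FCAE} - C:\WINDOWS\SYSTEM\DOR.DLL (file missing)
O2 - BHO: (no name) - {1641A63C-328B-1821-F8B9-64A398FEFECD} - C:\WINDOWS\SYSTEM\HLNCHCGA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Zkmhl] \uvnxc.exe
O4 - HKCU\..\Run: [Ncps] C:\Program Files\letc\pcsh.exe
"""
# Constructed sample: O2/O4 lines from the 8:44 PM log (after the fix).
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
"""
# Assumed allowlist of Win9x/ME system binaries, used only for look-alike matching.
KNOWN_SYSTEM_BINARIES = {"spool32.exe", "mstask.exe", "systray.exe", "taskmon.exe",
                         "msgsrv32.exe", "explorer.exe", "rundll32.exe", "mprexe.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
FILE_RE = re.compile(r'[^\\/" ]+\.(?:exe|dll|ocx|com|scr)', re.I)  # first file-like token


@dataclass(frozen=True)
class Entry:
    kind: str    # "O2" (browser helper object) or "O4" (Run/RunServices autorun)
    ident: str   # identity used for diffing: CLSID, or HIVE\KEY:[VALUE NAME]
    name: str
    target: str  # path or command line exactly as HJT printed it
    raw: str


def parse(text: str) -> list[Entry]:
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["clsid"].upper(), m["name"], m["path"], line))
        elif m := O4_RE.match(line):
            ident = (m["hive"] + "\\" + m["key"] + ":[" + m["name"] + "]").upper()
            entries.append(Entry("O4", ident, m["name"], m["cmd"], line))
    return entries


def suspicious(e: Entry) -> list[str]:
    """Traits the helper's checklist keys on; each one is a reason, not a verdict."""
    reasons = []
    if e.kind == "O2" and e.name.lower() == "(no name)":
        reasons.append("BHO registered without a name")
    if "(file missing)" in e.target:
        reasons.append("registered file is missing (orphaned entry)")
    tgt = e.target.strip().strip('"')
    if tgt.startswith("\\"):
        reasons.append("root-relative path, resolves against the boot drive root")
    elif re.match(r"^[A-Z]:\\[^\\]+$", tgt, re.I):
        reasons.append("executable sits in the drive root")
    m = FILE_RE.search(e.target)
    base = (m.group(0) if m else e.target).lower()
    if base not in KNOWN_SYSTEM_BINARIES:
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if difflib.SequenceMatcher(None, base, known).ratio() >= 0.85:
                reasons.append(f"name mimics system binary {known}")
                break
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    return {e.raw: r for e in parse(text) if (r := suspicious(e))}


def diff(before: list[Entry], after: list[Entry]) -> dict[str, list[str]]:
    """Which entries disappeared, survived, or appeared between two scans."""
    b = {e.ident: e for e in before}
    a = {e.ident: e for e in after}
    return {"removed": sorted(b[i].raw for i in b.keys() - a.keys()),
            "persisted": sorted(a[i].raw for i in b.keys() & a.keys()),
            "new": sorted(a[i].raw for i in a.keys() - b.keys())}


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line, "\n   ->", "; ".join(reasons))
    for bucket, lines in diff(parse(LOG_BEFORE), parse(LOG_AFTER)).items():
        print(f"\n[{bucket}]\n" + ("\n".join(lines) or "(none)"))
```

Two things the run makes visible. The spoolsrv32.exe service is caught only by the look-alike rule (spool32.exe is the real Win9x print spooler), and intell32.exe, the entry the poster later reports as coming back after every reboot, trips none of the path heuristics and is exposed only by the diff as a persisted autorun. PSGuard.exe likewise lives under a clean-looking Program Files path and shows up solely as a new entry, which is why knowing the product name matters more than any path-based rule for rogue antispyware.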

#5 Alecto (Topic Starter, 20 posts)
Okay I seem to have cleared up a few things.

But every time I restart my computer I get the Intell32.exe program, no matter how many times I delete it.

Anyway, here are the log files.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:54 PM, on 8/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winf...nnerInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!

Incident Status Location

Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:adware/imgiant No disinfected C:\WINDOWS\DESKTOP\Download Movies.url
Adware:adware/mediatickets No disinfected Windows Registry
Virus:W32/Smitfraud.B Disinfected C:\_RESTORE\TEMP\A0005852.CPY
Virus:W32/Smitfraud.B Disinfected C:\_RESTORE\TEMP\A0005924.CPY
Hacktool:Hacktool/Processor No disinfected C:\_RESTORE\TEMP\A0008821.CPY
Hacktool:Hacktool/Processor No disinfected C:\_RESTORE\TEMP\A0009958.CPY
Hacktool:Hacktool/Processor No disinfected C:\_RESTORE\TEMP\A0009965.CPY
Virus:W32/Smitfraud.B Disinfected C:\_RESTORE\TEMP\A0010224.CPY
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000481.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000486.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000558.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS29.CAB[W0002906.CPY]
Adware:Adware/PurityScan No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001803.CPY]
Adware:Adware/PurityScan No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001806.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001813.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001818.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001880.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001884.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS20.CAB[A0001895.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS21.CAB[A0001960.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS21.CAB[A0001964.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS21.CAB[A0001967.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS22.CAB[A0002055.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS22.CAB[A0002060.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS22.CAB[A0002072.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002133.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002137.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002140.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002203.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002207.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS23.CAB[A0002218.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0002274.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0002278.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0002281.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002381.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002386.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0002389.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002476.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002480.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002484.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002547.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002551.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS26.CAB[A0002554.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002654.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002658.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0002661.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[W0003427.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0003018.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS32.CAB[A0003021.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0003084.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0003089.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0003092.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0003178.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS33.CAB[A0003183.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS34.CAB[A0003200.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS48.CAB[W0004658.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0003591.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS41.CAB[A0003597.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS49.CAB[A0004563.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS49.CAB[A0004569.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS40.CAB[W0003658.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003631.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003635.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003638.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003703.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003707.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS42.CAB[A0003710.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS4.CAB[W0000277.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000020.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000025.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000028.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000032.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000035.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000038.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000042.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000067.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000069.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000073.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000076.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000079.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000083.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS1.CAB[A0000086.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS2.CAB[A0000147.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS2.CAB[A0000151.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS2.CAB[A0000154.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS3.CAB[A0000250.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS3.CAB[A0000254.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS3.CAB[A0000257.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002709.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002713.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002716.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002747.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002751.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS28.CAB[A0002754.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS44.CAB[A0003868.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS44.CAB[A0003872.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS44.CAB[A0003875.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0004012.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0004016.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS45.CAB[A0004020.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0004085.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0004089.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS46.CAB[A0004092.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS55.CAB[W0005658.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0003352.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0003357.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0004165.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS47.CAB[A0004169.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004779.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004783.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004786.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004849.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004853.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS51.CAB[A0004856.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS52.CAB[A0004932.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS52.CAB[A0004936.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS52.CAB[A0004939.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005004.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005008.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005012.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005055.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005059.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005062.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005065.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005069.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005072.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005075.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005079.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0005082.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005085.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005089.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005092.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005118.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005122.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS54.CAB[A0005125.CPY]
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:Adware/SaveNow No disinfected C:\Program Files\BearShare\Installer\saveinstwm.exe
Dialer:Dialer.Gen No disinfected D:\WINDOWS\od-stnd12.exe
Adware:Adware/SaveNow No disinfected D:\Program Files\Save\SaveUninst.exe
Adware:Adware/SaveNow No disinfected D:\Program Files\WeatherCast\Uninst.exe
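Most of the ActiveScan report above is noise from C:\_RESTORE, the Windows ME System Restore store, where archived copies of earlier infections sit inside CAB files and cannot be disinfected in place; the handful of live files and the registry entry are what still need hands-on cleanup. The Python below is an added example, not part of Panda ActiveScan, smitRem or this thread: it parses a report in the "Incident Status Location" format shown above and separates live, unresolved hits from restore-point and registry hits. The sample lines are a subset of the report above (including the srpcsrv32.dll hit that the full report lists twice); the bucketing rules are this example's own assumptions.

```python
"""Summarise a Panda ActiveScan report: live files vs. System Restore archive.

Added example for this thread, not part of Panda ActiveScan or the posts. The
sample lines are a subset of the report posted above; the classification rules
are this example's own assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the ActiveScan lines posted in this thread,
# including the srpcsrv32.dll hit that the full report lists twice.
SCAN_REPORT = r"""
Incident Status Location
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:adware/mediatickets No disinfected Windows Registry
Virus:W32/Smitfraud.B Disinfected C:\_RESTORE\TEMP\A0005852.CPY
Hacktool:Hacktool/Processor No disinfected C:\_RESTORE\TEMP\A0008821.CPY
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000481.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000486.CPY]
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Dialer:Dialer.Gen No disinfected D:\WINDOWS\od-stnd12.exe
"""

LINE_RE = re.compile(r"^(?P<incident>\S+) (?P<status>Disinfected|No disinfected) (?P<location>.+)$")


@dataclass(frozen=True)
class Hit:
    incident: str   # e.g. "Virus:W32/Smitfraud.B"
    status: str     # "Disinfected" or "No disinfected"
    location: str   # file path, CAB member, or "Windows Registry"

    @property
    def where(self) -> str:
        """Bucket by where the hit lives: registry, restore store, or live file system."""
        if self.location.lower() == "windows registry":
            return "registry"
        if "\\_restore\\" in self.location.lower():   # Win9x/ME System Restore store
            return "restore"
        return "live"


def parse_report(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            hits.append(Hit(m["incident"], m["status"], m["location"]))
    return hits


def summarize(hits: list[Hit]) -> dict:
    """Separate what still needs hands-on cleanup from restore-point noise."""
    live_unresolved = sorted({h.location.lower() for h in hits
                              if h.where == "live" and h.status == "No disinfected"})
    return {
        "live_unresolved": live_unresolved,
        "registry_unresolved": sum(1 for h in hits if h.where == "registry" and h.status == "No disinfected"),
        "restore_hits": sum(1 for h in hits if h.where == "restore"),
        "disinfected": sum(1 for h in hits if h.status == "Disinfected"),
        "families": Counter(h.incident.split(":")[-1].lower() for h in hits),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SCAN_REPORT))
    print("Live files still infected:")
    print("\n".join("  " + p for p in s["live_unresolved"]))
    print(f"Registry entries: {s['registry_unresolved']}, restore-point hits: {s['restore_hits']}, "
          f"disinfected: {s['disinfected']}")
    for family, n in s["families"].most_common():
        print(f"  {family}: {n}")
```

Run against the full report above, the same split leaves srpcsrv32.dll, spoolsrv32.exe and Shex.exe in C:\WINDOWS\SYSTEM, the SaveNow installers and the dialer on D: as the live items, plus one registry entry; everything under C:\_RESTORE is archived history that disappears when the restore points are purged, not a sign that the cleanup failed.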

#6 Justin (Member, 2,353 posts)
Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Rescan your computer using Ewido, then post the log from Ewido and a new log from HiJackThis.

#7 Alecto (Topic Starter, 20 posts)
Okay, I am unable to run Ewido. I have Windows Me, and it states it's not compatible.

When I run RunThis.bat from smitRem, I get a message saying "sharing violation reading drive c" and that wininet.dll is infected.

Here are the latest HijackThis and smitRem log files.

Logfile of HijackThis v1.99.1
Scan saved at 4:56:41 PM, on 8/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\YAHOO!\MESSENGER\ypager.exe" -quiet
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winf...nnerInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab



smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!

#8
Justin, "I do a little bit of everything" (Member, 2,353 posts)
Hello!

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search", enter the drive, e.g. C:\
  • In the box labeled "Enter the file to search", enter the file name Wininet.dll
  • Now click on the "Find" button
  • Once the utility has found the files, click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, then copy and paste this information in your next post

#9
Alecto (Topic Starter, Member, 20 posts)
Thanks for the quick reply.

Here's the Export.txt

C:\WINDOWS\SYSTEM\WININET.DLL - 574976 Bytes

#10
Justin, "I do a little bit of everything" (Member, 2,353 posts)
Hello!

That did not show the results that we wanted. Let's try this:

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

#11
Alecto (Topic Starter, Member, 20 posts)
Okay after doing that the files.txt notepad shows up blank.

I get a message under a program called Finished-wininet that pops up:

C:\WINDOWS\Desktop>dir \wininet.dll /a h /s > files.txt
Too many parameters - h

C:\WINDOWS\Desktop>start notepad files.txt

#12
Justin, "I do a little bit of everything" (Member, 2,353 posts)
Hmm, it seems to do that on ME systems.

Try this:

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a:h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.
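The search the two wininet.bat files above try to do, written out as an added example (this is not code from the thread or from any of the tools it mentions). Two things work against a `dir` one-liner on this platform: Windows ME does not define %SystemDrive% (the echoed command in post #11, `dir \wininet.dll`, shows it expanding to nothing), and `/a:h` restricts the listing to hidden files, so a normal copy of wininet.dll in C:\WINDOWS\SYSTEM is never listed. The script below walks a tree, matches the file name case-insensitively, and reports the size and SHA-256 of every copy, then flags the copies whose hash differs from a reference. The directory layout and file contents are constructed placeholders so it runs offline; the path names, the 525/589-byte sizes and the "backup" folder are this example's assumptions, not facts from the page.

```python
"""Find every copy of a DLL below a root and tell the copies apart by hash.

Added example (not from the thread): it does what the wininet.bat search above
was meant to do, without relying on %SystemDrive% (which Windows ME does not
define) or on "dir /a:h" (which lists only hidden files). The sample tree is
constructed inline so the script runs offline; the file contents are
placeholders, not real PE images.
"""
import hashlib
import os
import tempfile
from collections import Counter
from dataclasses import dataclass


@dataclass
class DllCopy:
    path: str
    size: int
    sha256: str


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name):
    """Every file called `name` (case-insensitive) under root, with size and SHA-256.
    os.walk descends into directories regardless of hidden/system attributes."""
    wanted = name.lower()
    found = []
    for dirpath, _subdirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                p = os.path.join(dirpath, fn)
                found.append(DllCopy(p, os.path.getsize(p), sha256_of(p)))
    return sorted(found, key=lambda c: c.path.lower())


def flag_suspect(copies, known_good_sha256=None):
    """Copies whose hash differs from the reference.

    With no reference hash the most common hash is taken as "good", which is
    wrong whenever the patched file has been copied around (as in this thread,
    where wininet.dll was copied to the Desktop): the lone clean copy then looks
    like the outlier. Prefer a hash taken from install media or a clean machine."""
    if not copies:
        return []
    if known_good_sha256 is None:
        known_good_sha256 = Counter(c.sha256 for c in copies).most_common(1)[0][0]
    return [c for c in copies if c.sha256 != known_good_sha256]


def build_sample_tree():
    """Constructed layout: patched DLL in SYSTEM plus its Desktop copy, one clean copy in a backup folder."""
    root = tempfile.mkdtemp(prefix="dllscan_")
    clean = b"MZ" + b"\x00" * 510 + b"clean wininet"  # 525 placeholder bytes
    patched = clean + b"\x90" * 64                    # 589 bytes: appended bytes stand in for a patch
    layout = {
        os.path.join("WINDOWS", "SYSTEM", "WININET.DLL"): patched,
        os.path.join("WINDOWS", "Desktop", "wininet.dll"): patched,
        os.path.join("backup", "wininet.dll"): clean,
        os.path.join("WINDOWS", "SYSTEM", "other.dll"): clean,  # different name, must be ignored
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    copies = find_copies(root, "wininet.dll")
    for c in copies:
        print(f"{c.path}  {c.size} bytes  sha256={c.sha256}")
    print("majority vote flags:", [c.path for c in flag_suspect(copies)])
    reference = sha256_of(os.path.join(root, "backup", "wininet.dll"))
    print("known-good reference flags:", [c.path for c in flag_suspect(copies, reference)])
```

Run it against a real drive with `find_copies("C:\\", "wininet.dll")` and pass the hash of a copy from the installation media as `known_good_sha256`; the majority-vote fallback is there only to show why it is not a substitute for a reference hash.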

#13
Alecto (Topic Starter, Member, 20 posts)
Okay, tried it again; here's what files.txt came up with:


Volume in drive C is MAIN
Volume Serial Number is 2656-09DC

Directory of C:\WINDOWS\Desktop

71,270.13 MB free

#14
Justin, "I do a little bit of everything" (Member, 2,353 posts)
Hello

Navigate to
C:\WINDOWS\SYSTEM\WININET.DLL

And highlight it

Once highlighted, press CTRL-C to copy it.

Now navigate to your desktop.

Then Press CTRL-V

This will paste Wininet.dll on your desktop.

Then, using Internet Explorer, run Panda ActiveScan. Accept the default settings, then save and post the log.

After the scan, please highlight Wininet.dll on your Desktop

And press CTRL-C

Then Navigate to
C:\Windows\System

And press CTRL-V.

Then run SmitRem.exe.

After running smitrem.exe post the log from PandaScan, and the log from SmitRem.

#15
Alecto (Topic Starter, Member, 20 posts)
Ok, I did what you asked, but when I tried to copy and paste wininet.dll from the desktop to C:\Windows\system I got an error message stating "Cannot create or replace wininet: the specified file is being used by Windows" and another stating "Cannot move wininet: A file with the name you specified already exists, specify a different file name."


Here's the smitrem log:


smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!


And the Panda scan log:
Incident Status Location

Virus:W32/Smitfraud.E Disinfected Operating system
Adware:adware/mediatickets No disinfected Windows Registry
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\Desktop\WININET.DLL
Adware:Adware/PurityScan No disinfected C:\My Documents\backups\backup-20050805-180244-815.dll
Adware:Adware/PurityScan No disinfected C:\uvnxc.exe
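The Panda ActiveScan results above, turned into a triage list as an added example (not code from the thread or from Panda). It separates what the scanner already disinfected from what it reported but left in place, and among the leftovers picks out the plain files, which can be deleted by hand, from registry and operating-system entries, which cannot. The six result lines are copied from the post and embedded inline so the script runs offline; the column rules it applies (kind:name, a status of either "Disinfected" or "No disinfected", then the location) are assumptions read off those lines, not a documented format.

```python
"""Turn a Panda ActiveScan incident list into a triage list.

Added example, not part of the thread. The result lines are copied from the
post above and embedded inline so this runs offline. The column layout
(kind:name, then "Disinfected" or "No disinfected", then the location) is an
assumption read off those lines, not a documented Panda format.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Incident Status Location

Virus:W32/Smitfraud.E Disinfected Operating system
Adware:adware/mediatickets No disinfected Windows Registry
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\Desktop\WININET.DLL
Adware:Adware/PurityScan No disinfected C:\My Documents\backups\backup-20050805-180244-815.dll
Adware:Adware/PurityScan No disinfected C:\uvnxc.exe
"""

# kind:name  status  location ; the longer status alternative is listed first
LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Incident:
    kind: str
    name: str
    status: str
    location: str

    @property
    def resolved(self):
        return self.status == "Disinfected"

    @property
    def is_file(self):
        # A drive-letter path is a file on disk; "Windows Registry" or
        # "Operating system" entries need a different cleanup route.
        return bool(DRIVE_PATH_RE.match(self.location))


def parse_panda_log(text):
    """Parse result lines; the header, blank and unrecognised lines are skipped."""
    incidents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident "):
            continue
        m = LINE_RE.match(line)
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents


def pending(incidents):
    """What the scanner reported but did not remove: the manual to-do list."""
    return [i for i in incidents if not i.resolved]


def pending_file_paths(incidents):
    """Pending items that are plain files, as opposed to registry or OS entries."""
    return [i.location for i in pending(incidents) if i.is_file]


def families(incidents):
    """Number of hits per detection name, e.g. how many Smitfraud.E entries there were."""
    counts = {}
    for i in incidents:
        counts[i.name] = counts.get(i.name, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_panda_log(SAMPLE_LOG)
    print("families:", families(found))
    for i in pending(found):
        print("still present:", i.kind, i.name, "->", i.location)
    print("files to remove by hand:", pending_file_paths(found))
```

For the log above this leaves three pending items: one registry entry and two files, C:\uvnxc.exe and the dll under C:\My Documents\backups, which is what would still need attention after the scanner's own disinfection of wininet.dll.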