pc is messed up cant get to desktop [resolved]



#1 shau (New Member, 9 posts)

Hi there,

I have big problems here and would appreciate any help. My brother was on the PC and he was using it for about half an hour when this red icon came up on the bottom right saying we got infected by a virus. He shut down the PC and now I can't get it to start up again, not even in safe mode. It turns on, says "loading personal settings" (my PC is configured to log me right in without me doing anything), then a black screen; this even happens in safe mode. I do computer science and do know about PCs, but fixing them is a pain. I went into DOS and found virus-like files: popuper.exe (in the Windows dir), system32.exe (Windows dir), intmon.exe, intmonp.exe, shnlog.exe, msole32.exe. I now don't know what to do. Any help will be appreciated.

Thanks,

wai


#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Welcome shau to Geeks to Go!

We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Click Browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A, D, E or F; you'll see).
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to the left or to the right, because normally they will open on top of each other and you won't see the command window the tool starts that is under them.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply.

#3 shau (Topic Starter, New Member, 9 posts)

Hmm, I had a problem: the Browse button doesn't load and just hangs, but I managed to do what you said to do in DOS. I created a smitrem folder in Program Files and copied the files there, ran the program and found that wininet.dll was infected and was replaced with a good one. I restarted the PC and I still have the blank screen, or it just hangs while saying "loading your personal settings". I did what you said again, though, and it found the wininet.dll file infected, but this time it couldn't find a good copy of the file. So at the moment my PC still shows that blank screen or it hangs while "loading your personal settings". What should I do now?

thank you for your help

#4 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

See if you can boot to safe mode.
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

***

Try to do this using Task Manager.

Please download FileFind from Atribune.
Unzip the file and save it to your root.

To run FileFind, please do the following:
  • Type c:\FileFind.exe and press Enter.
  • In the box labeled "Enter the directory to search", enter the drive, e.g. C:\
  • In the box labeled "Enter the file to search", enter wininet.dll
  • Now click on the "Find" button.
  • Once the utility has found the files, click on "Export".
  • This will save a text file to your C:\ drive as "Export.txt".
  • Double click on Export.txt, then copy and paste this information in your next post.

#5 shau (Topic Starter, New Member, 9 posts)

OK, thanks for your help. This is what's in export.txt:

C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll - 656896 Bytes
C:\WINDOWS\system32\wininet.dll - 656896 Bytes

#6 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Are you running Windows 95/98/ME?

Edited by g2i2r4, 24 July 2005 - 05:58 AM.


#7 shau (Topic Starter, New Member, 9 posts)

Windows XP

#8 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

If you do not understand something, please let me know before continuing!

Save the wininet.new to c:\.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Go to your C:\Windows\system32 folder and rename the bad wininet.dll to wininet.old

***

Go to your C:\ folder and right-click on the good wininet.new and choose copy.
Go back to your C:\Windows\system32 folder, right-click anywhere in that folder and choose paste.
Then rename this wininet.new to wininet.dll.

REBOOT

Tell me how things are now.

#9 shau (Topic Starter, New Member, 9 posts)

Thank you very much. Safe mode didn't work (it still shows the blank screen), but I managed to do everything you said through DOS again. Now I can log onto my desktop, thank you. Here is my HijackThis log; I think it might be clean, but I'll have you check in case.

Logfile of HijackThis v1.99.1
Scan saved at 14:01:57, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115472184046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7653D3A3-D40F-4652-AA80-5CCC7ED903B8}: NameServer = 192.168.0.1
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks very much i really appreciate it

#10 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Let's check to be sure.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download SmitRem and save it to your desktop.
Right click on the file and extract it to its own folder on the desktop.
It's been updated, so please remove the version you have and use this one.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite. Install ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update.
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:
  • Click on Scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files; click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop.
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
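As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage script that parses HijackThis entries and flags the two kinds of line this thread dealt with: an F2 Shell= value that loads something besides explorer.exe, and an O23 service whose binary is reported missing. The sample log is a constructed subset of the lines posted above.

```python
"""Triage a HijackThis v1.99-style log for the kind of entries this thread fixed.

Added example for this thread; it is not part of the forum post and not
HijackThis code. The rules are conservative and illustrative: flag an F2
Winlogon Shell value that loads anything besides explorer.exe (the line the
helper had fixed), and O23 services whose binary is reported missing.
"""
import re

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\PartyPoker.exe
O23 - Service: UPS - Unknown owner - C:\\WINDOWS\\System32\\ups.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
SHELL_RE = re.compile(r"\bShell=(?P<value>.+)$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def shell_findings(section, body):
    """F2: the Winlogon Shell value should be exactly explorer.exe.
    Anything appended to it is started at every logon next to the desktop shell."""
    if section != "F2":
        return []
    m = SHELL_RE.search(body)
    if not m:
        return []
    programs = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
    extra = [p for p in programs if p != "explorer.exe"]
    if not extra:
        return []
    return ["F2 Shell= also loads: " + ", ".join(extra)]


def missing_service_findings(section, body):
    """O23: a service still registered after its binary is gone is a leftover
    worth cleaning up (HijackThis marks these with '(file missing)')."""
    if section != "O23" or not body.endswith("(file missing)"):
        return []
    name = body.split(" - ")[0]
    if name.startswith("Service: "):
        name = name[len("Service: "):]
    return ["O23 service binary missing: " + name]


RULES = (shell_findings, missing_service_findings)


def triage(log_text):
    """Run every rule over every entry and return the list of findings in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        for rule in RULES:
            findings.extend(rule(section, body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```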


#11 shau (Topic Starter, New Member, 9 posts)

OK, here are my logs.


smitRem log file
version 2.2

by noahdfear

The current date is: 24/07/2005
The current time is: 14:36:48.25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:28:29, 24/07/2005
+ Report-Checksum: B59C8BB2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3781ef88-6f814aa5.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-7138915e-6c2ed427.class -> Trojan.Byteverify : Cleaned with backup
C:\DocNSet\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\DocNSet\Administrator\Cookies\administrator@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\DocNSet\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\DocNSet\Administrator\Cookies\administrator@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\DocNSet\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\DocNSet\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0DEV8PQN\gba1865[1].exe -> Dialer.Generic : Cleaned with backup
C:\DocNSet\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YPORU98T\dba1865[1].exe -> Dialer.Generic : Cleaned with backup
C:\hijackthis\backups\backup-20050704-053619-307.dll -> Trojan.Puper.m : Cleaned with backup
C:\hijackthis\backups\backup-20050704-053641-710.dll -> Trojan.Puper.m : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba1865.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\wininv.dll -> Backdoor.Prorat.11.a : Cleaned with backup
C:\WINDOWS\winlogon.exe -> Backdoor.Prorat.14 : Cleaned with backup


::Report End


Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-3f7f89b7.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-4b7d4689.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-26cce157.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-1b445d50.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\DocNSet\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-28f5d321.zip[Installer.class]
Virus:Bck/Ciadoor.D Disinfected C:\WINDOWS\system31.ere

Logfile of HijackThis v1.99.1
Scan saved at 22:48:18, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115472184046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7653D3A3-D40F-4652-AA80-5CCC7ED903B8}: NameServer = 192.168.0.1
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you

#12 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Panda and Ewido cleaned up nicely.

HijackThis log looks good.

I'm missing the bottom part of the smitRem log file; could you post that one again?

#13 shau (Topic Starter, New Member, 9 posts)

Oh, sorry about that, I must have done it wrong. Here it is, thanks for the help.


smitRem log file
version 2.2

by noahdfear

The current date is: 24/07/2005
The current time is: 14:36:48.25

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

#14 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Aha, please rerun smitrem one more time in safe mode. I see a leftover. If it is still there after that we will remove it in another way.

#15 shau (Topic Starter, New Member, 9 posts)

Yep, I reran it in safe mode and everything looks good.


smitRem log file
version 2.2

by noahdfear

The current date is: 24/07/2005
The current time is: 23:58:26.87

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

Thanks