[Justin]

Hello!

Wininet.dll is clean. That is good.

Are you still getting the messages about the missing .dlls?

A-squared Free is a trojan removal tool. To be able to use it, you must set up a free a-squared Account, to get access to the update server.
Please setup an a-squared account at the following link:
http://www.emsisoft....oftware/account

Then download a-squared free from this link:

http://www.emsisoft....ftware/download

Install it and update it.

Then boot your computer to safe mode by tapping the F8 key repeatedly on reboot until you get a boot menu. From this boot menu choose safe mode.

Once in safe mode fire up a-squared and let it run. Do not fix anything yet lets just see what it finds. When it is done scanning click the save log as html button.

Reboot to normal windows and upload that html file with your next post. I will go through and analyze the log to tell you if any of the files should not be removed.

[Advertisements]

Well, since the last post, things have been better, but slow. The PS stuff has disppeared for now, but my nachine still seems to run slow. Shall I do another HiJackThis and forward??

Also, should I make any chnages to the System restore settings, like turn it off, reboot, and turn it on again? Not sure how to do that in ME...

[kkpjm]

Well, since the last post, things have been better, but slow. The PS stuff has disppeared for now, but my nachine still seems to run slow. Shall I do another HiJackThis and forward??

Also, should I make any chnages to the System restore settings, like turn it off, reboot, and turn it on again? Not sure how to do that in ME...

[kkpjm]

Sorry about that, I added my new post without noticing your latest one...I will got through what you specified.

The missing .dll file notices only came up whe i was getting into safe mode...right after I chose safe mode option and the desktop came up....there were at least 6 or 7 messages that came up. I jst kept clicking thru all of them until they stopped happening. I thought it was part of the safe mode stuff.

I'll post results shortly. Thanks

[kkpjm]

Here's the results...by the way, no more missing .dll files now.

Attached Files

•  report_9112005_105445_AM.html   4.75KB   7 downloads

[Justin]

Hello!

Some files are stuck in your restore files, so lets clear the restore points:

To Clear Restore points, please do the following:

• Go to Start > Settings > Control Panel.
• Double-click the System icon.
  • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
• Click the Performance tab, and then click File System.
• Click the Troubleshooting tab, and then put a check by Disable System Restore.
• Click OK. Click Yes when you are prompted to restart Windows.

After reboot, you must turn System Restore back on:

• Go to Start > Settings > Control Panel.
• Double-click the System icon.
• Click the Performance tab, and then click File System.
• Click the Troubleshooting tab, and then UNcheck Disable System Restore.
• Click OK. Click Yes when you are prompted to restart Windows.

then,

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.

• Once you get to the Panda site, scroll down a bit and click on Scan your PC
• A new window will appear; click on Check Now!
• A new window will appear; fill in the boxes (Country, State, email addy)
• Click on Scan Now! >
  If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
• From "Select a device to scan...", choose "My Computer"
• Allow the scan to run. It'll take a while.
• When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
• I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.

[kkpjm]

Here's the results of the panda scan...

Incident Status Location

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleext.dll
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\intell32.exe
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\_RESTORE\TEMP\A0025080.CPY
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\TEMP\A0019734.CPY
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS115.CAB[A0019575.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS115.CAB[A0019580.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS115.CAB[A0019587.CPY]
Spyware:Spyware/Smitfraud No disinfected C:\_RESTORE\ARCHIVE\FS114.CAB[W0108495.CPY]
Virus:Trj/Downloader.CED No disinfected C:\_RESTORE\ARCHIVE\FS91.CAB[A0015443.CPY]
Virus:W32/Ehijack.A.worm No disinfected C:\_RESTORE\ARCHIVE\FS92.CAB[A0016436.CPY]
Virus:W32/Smitfraud.B No disinfected C:\_RESTORE\ARCHIVE\FS113.CAB[A0019546.CPY]
Virus:W32/Ehijack.A.worm No disinfected C:\_RESTORE\ARCHIVE\FS120.CAB[A0021748.CPY]
Virus:W32/Ehijack.A.worm No disinfected C:\_RESTORE\ARCHIVE\FS120.CAB[A0021757.CPY]
Virus:W32/Ehijack.A.worm No disinfected C:\_RESTORE\ARCHIVE\FS120.CAB[A0021764.CPY]
Adware:Adware/TopSpyware No disinfected C:\_RESTORE\ARCHIVE\FS121.CAB[A0021862.CPY]
Adware:Adware/TopSpyware No disinfected C:\_RESTORE\ARCHIVE\FS121.CAB[A0021867.CPY]
Adware:Adware/TopSpyware No disinfected C:\_RESTORE\ARCHIVE\FS121.CAB[A0021874.CPY]
Adware:Adware/TopSpyware No disinfected C:\_RESTORE\ARCHIVE\FS121.CAB[A0021940.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS126.CAB[W0125808.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS125.CAB[A0024060.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS124.CAB[W0124808.CPY]
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe

[Justin]

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy everything in the box below to the clipboard by highlighting them and pressing Control-C:

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleext.dll
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\intell32.exe
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll 
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe 

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Then let me know how things are running.

[kkpjm]

Well, the PS Guard stuff seems to be gone, but now EVERYTHING that I do runs extremely slow. It takes 15 seconds for a one-page word document, with no graphics or pics, to show up. Even to pull up a new balnk doc takes that long.

Is this now a hardware problem, or have I downloaded so many tools that the system is overloaded? It just doesn't seem like it's running right!

[Justin]

Post a new HiJackThis log for me, and I will see if there is anything that would be slowing down your system.

[kkpjm]

Logfile of HijackThis v1.99.1
Scan saved at 11:21:08 AM, on 9/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SK9910DM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\EXEC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\QSACC\X1EXEC.EXE
C:\MALWARE STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=A&UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunOnce: [untd_recovery] "C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\QSACC\X1EXEC.EXE"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO INSTALLATION\NETZERO\QSACC\appres.dll/227
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

[kkpjm]

Also wanted to know your opinion on Antivirus protection after all of this is resolved. I have the old original Norton 2001, but was considering going to a free service like grisoft's...any thoughts? I understand that running more than one could compromise security.

[Justin]

Hello!

That is probably why your computer is running slow. Norton AntiVirus consumes a lot of resources. I actaually suggest that everyone uninstalls it. Grisoft's AVG Free is a great AVG (its better than norton). If you want to pay for a good AntiVirus, go with Kaspersky or NOD32.

Try uninstalling Norton AV, and install AVGFree

Then let me know how things are running.

[Justin]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[Justin]

Hello!

Please post a new HiJackThis log and we will make sure that there are no new infections lurking around.

[kkpjm]

I'll get right on it.