Psguard [CLOSED]


  • This topic is locked

#1
Goingcrazy

Goingcrazy

    Member

  • Member
  • PipPip
  • 17 posts
Please help me :) I am being harassed by the Psguard malware program and have tried all of the programs recommended by this site before posting a request for help. When I run Adaware it always finds the following problems: Searchclick (1 object), Psguard (35 objects), Coolwebsearch (29 objects), MRU list (5 objects), and a tracking cookie. I always remove them and they always come back. :tazz: Trend Micro found wininet.dll Bloodhound.W32.ep, but could not remove it. My IE6 browser is always being hijacked to about:blank also. I am at my wits' end and hope someone can assist me.

Thank you very much!!!

Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:28:53 PM, on 9/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sdkrr32.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\d3mv.exe
C:\WINDOWS\d3mv.exe
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {544BEE35-FE7B-8CC5-6542-98989C13A182} - C:\WINDOWS\system32\ipzs.dll
O2 - BHO: Class - {7656789A-ED76-CC21-B379-9B8792A5DDF6} - C:\WINDOWS\system32\sdkog32.dll (file missing)
O2 - BHO: Class - {BCC63C42-67AA-A5DB-877D-963D27AD9AFA} - C:\WINDOWS\winjv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\d3tn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E8A8A65B-06B8-49D1-A9CC-2C7E0AABF969}\SVCHOST.EXE
O4 - HKLM\..\Run: [msgx32.exe] C:\WINDOWS\msgx32.exe
O4 - HKLM\..\Run: [javahf32.exe] C:\WINDOWS\javahf32.exe
O4 - HKLM\..\Run: [syscy.exe] C:\WINDOWS\syscy.exe
O4 - HKLM\..\Run: [crdf.exe] C:\WINDOWS\crdf.exe
O4 - HKLM\..\Run: [winyy32.exe] C:\WINDOWS\winyy32.exe
O4 - HKLM\..\Run: [sdkrr32.exe] C:\WINDOWS\system32\sdkrr32.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [d3mv.exe] C:\WINDOWS\d3mv.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb028.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3mv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Goingcrazy and welcome to geekstogo!

From what I can see you have a few infections, including smitfraud and DrWatson A:B.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh Hijack This log.
(DO NOT INSTALL SP2)
  • 0

#3
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thank you so much for getting back to me so fast. I have tried to install the SP1a update through that link over the past few days, but it does not work for me. When I click on the "express" button, I get the message, "The website has encountered a problem and can not display the page you are trying to review." I have tried several times with my IE6 browser and my AOL browser. I don't know if I have some popup/antivirus program running which is preventing me from connecting.

Thank you again!!!
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.

  • 0

#5
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I followed those instructions and it got me to this screen: "Thank you for running the windows validation assistant. It appears that your windows product key is valid...." It says that this is a strong indicator that my operating system is genuine, but it can't make a final determination and wants me to compare my anti-piracy features. Should I continue on with this page? I figured I would not jump beyond your instructions.

Thanks, You're awesome!
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Sure if you can.

Thanks,

:tazz:

Excal
  • 0

#7
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I followed the next few steps, and it did not really lead anywhere. It asked me questions about my certificate of authenticity which I answered, but then it just ended with the advice that I should check with the manufacturer of my recovery solutions CD to see if it is genuine. I don't know what all that means, I bought my computer from Dell and it came preloaded with Microsoft products. I don't doubt their authenticity. I also have a question. Is there a difference between IE 6 SP1 and SP1a? Where to next to try and download the IE service package that I need? Sorry to be such a novice.

Thanks
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

DOWNLOAD PROGRAMS


Please download and install these programs - don't run them yet!!

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for updates. Please don't run it yet.

Please download and install AD-Aware.

Check Here on how to set up and use it - please make sure you update it first.

Download and unzip HSfix to your desktop :
HSRegFix

Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.

Download the Host Here
Please do not use program yet


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
4. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

6. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {544BEE35-FE7B-8CC5-6542-98989C13A182} - C:\WINDOWS\system32\ipzs.dll
O2 - BHO: Class - {7656789A-ED76-CC21-B379-9B8792A5DDF6} - C:\WINDOWS\system32\sdkog32.dll (file missing)
O2 - BHO: Class - {BCC63C42-67AA-A5DB-877D-963D27AD9AFA} - C:\WINDOWS\winjv32.dll
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\d3tn32.dll
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E8A8A65B-06B8-49D1-A9CC-2C7E0AABF969}\SVCHOST.EXE
O4 - HKLM\..\Run: [msgx32.exe] C:\WINDOWS\msgx32.exe
O4 - HKLM\..\Run: [javahf32.exe] C:\WINDOWS\javahf32.exe
O4 - HKLM\..\Run: [syscy.exe] C:\WINDOWS\syscy.exe
O4 - HKLM\..\Run: [crdf.exe] C:\WINDOWS\crdf.exe
O4 - HKLM\..\Run: [winyy32.exe] C:\WINDOWS\winyy32.exe
O4 - HKLM\..\Run: [sdkrr32.exe] C:\WINDOWS\system32\sdkrr32.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunOnce: [d3mv.exe] C:\WINDOWS\d3mv.exe
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb028.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3mv.exe


10. Click the Fix Checked box

11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\Services\{E8A8A65B-06B8-49D1-A9CC-2C7E0AABF969}\SVCHOST.EXE
C:\WINDOWS\msgx32.exe
C:\WINDOWS\javahf32.exe
C:\WINDOWS\syscy.exe
C:\WINDOWS\crdf.exe
C:\WINDOWS\winyy32.exe
C:\WINDOWS\system32\sdkrr32.exe
C:\WINDOWS\d3mv.exe

12. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

13. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created. Please save this log and copy it in your next post.
14. Scan with AdAware and let it remove any bad files found.

15. Run the program CleanUp! (do not reboot yet)

16. Double click on the HSFix and when asked to merge say yes.

17. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

18. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

19. Delete Bad Service:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in the box: 11F#`I <===Notice that there is a space before the first 1, make sure that's in there when entering it in the box
  • Click "ok", then reboot
20. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#9
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thank you for the instructions. I downloaded everything. When I open Hoster, there is no button in the right upper corner that says "makes hosts writable?", but it says "make hosts read only?" What should I do?

Thanks
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Skip that step if you're having problems with it. :)


Thanks,

:tazz:

Excal
  • 0


#11
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Excal,

I booted into safe mode and went to services.msc, but could not find the Network Security Service file. I ran ewido in safe mode and it found no viruses, which I find hard to believe. I could not find Hijackthis on my computer while it is in safe mode. I went back to regular mode and ran a HJT scan and did not find the exact files you recommended to check and fix. There were similar ones, but I did not check them. Here is a current HJT scan. Sorry that I am not making much progress.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:43:30 PM, on 9/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ieyf32.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\d3mv.exe
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {544BEE35-FE7B-8CC5-6542-98989C13A182} - C:\WINDOWS\system32\ipzs.dll
O2 - BHO: Class - {7656789A-ED76-CC21-B379-9B8792A5DDF6} - C:\WINDOWS\system32\sdkog32.dll (file missing)
O2 - BHO: Class - {BCC63C42-67AA-A5DB-877D-963D27AD9AFA} - C:\WINDOWS\winjv32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D6A3B473-D7BB-A3AE-64E4-E0A97A92906E} - C:\WINDOWS\d3tn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{E8A8A65B-06B8-49D1-A9CC-2C7E0AABF969}\SVCHOST.EXE
O4 - HKLM\..\Run: [msgx32.exe] C:\WINDOWS\msgx32.exe
O4 - HKLM\..\Run: [javahf32.exe] C:\WINDOWS\javahf32.exe
O4 - HKLM\..\Run: [syscy.exe] C:\WINDOWS\syscy.exe
O4 - HKLM\..\Run: [crdf.exe] C:\WINDOWS\crdf.exe
O4 - HKLM\..\Run: [winyy32.exe] C:\WINDOWS\winyy32.exe
O4 - HKLM\..\Run: [sdkrr32.exe] C:\WINDOWS\system32\sdkrr32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ieyf32.exe] C:\WINDOWS\ieyf32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb028.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3mv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Everything is still there. You need to make sure you have those programs downloaded on the account that's infected, and go into that account when you enter safe mode.


Thanks,

:tazz:

Excal
  • 0

#13
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Excal,

In the list of things to check in HJT I see similar things but not exact. For example, you want me to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582

but I find:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxzzt.dll/sp.html#58582

The difference is guqwh.dll instead of bxzzt.dll. Should I delete those?
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yes please :)

:tazz:

Excal
  • 0
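
Posts #11 to #14 turn on the fresh scan no longer matching the fix list letter for letter: the hijacker DLL is guqwh.dll in the first log and bxzzt.dll in the next, and the service with short name " 11F#`I" appears under a different display name. The following Python script is an added example, not part of the thread and not code from HijackThis; it matches fix-list lines against a later scan on the fields that stayed the same in these two logs. The function names and the choice of which fields count as stable are assumptions; the log lines are copied from posts #8 and #11.

```python
import re
from typing import List, NamedTuple, Optional

# Lines copied from the fix list in post #8 (a subset).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\guqwh.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\guqwh.dll/sp.html#58582
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3mv.exe
"""

# Lines copied from the scan in post #11 (a subset).
LATER_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bxzzt.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3mv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# "R<n> - <registry key>,<value name> = <data>"; data may be empty.
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")
# "O23 - Service: <display name> (<short name>) - <owner> - <path>".
# The short name is optional and is captured with any leading space intact.
O23_LINE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]*)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)
# res:// URL whose DLL file name is the part that differed between scans.
RES_DLL = re.compile(r"^(res://.*\\)[^\\/]+(\.dll/.*)$", re.IGNORECASE)


class Entry(NamedTuple):
    identity: tuple  # fields that stayed the same between the two scans
    variable: str    # field that differed (DLL file name, display name)


class Match(NamedTuple):
    status: str           # "exact", "renamed" or "absent"
    wanted: str           # variable field as written in the fix list
    found: Optional[str]  # variable field as seen in the later scan


def parse_line(line: str) -> Optional[Entry]:
    """Parse one R or O23 line; return None for anything else."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        data = m["data"]
        # Wildcard the DLL file name so guqwh.dll and bxzzt.dll compare equal.
        pattern = RES_DLL.sub(r"\g<1>*\g<2>", data)
        return Entry((m["key"].lower(), m["value"].lower(), pattern.lower()), data)
    m = O23_LINE.match(line)
    if m:
        # Key on short name and binary path; the display name is the variable.
        return Entry((m["short"], m["path"].lower()), m["display"])
    return None


def match_fix_list(fix_text: str, scan_text: str) -> List[Match]:
    """Classify each fix-list entry against the entries of a later scan."""
    by_identity = {}
    for line in scan_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            by_identity.setdefault(entry.identity, []).append(entry)
    results = []
    for line in fix_text.splitlines():
        wanted = parse_line(line)
        if wanted is None:
            continue
        candidates = by_identity.get(wanted.identity, [])
        if any(c.variable == wanted.variable for c in candidates):
            results.append(Match("exact", wanted.variable, wanted.variable))
        elif candidates:
            results.append(Match("renamed", wanted.variable, candidates[0].variable))
        else:
            results.append(Match("absent", wanted.variable, None))
    return results


if __name__ == "__main__":
    for match in match_fix_list(FIX_LIST, LATER_SCAN):
        print(f"{match.status:8} {match.wanted!r} -> {match.found!r}")
```
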

#15
Goingcrazy

Goingcrazy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I think I've gotten rid of some of the problems, but there still are a few left. Microsoft antispyware program still finds an Adware virus, and I am still getting a bunch of pop ups. I was not able to delete 11F#`I in the HJT Misc Tools section. It said it was enabled and/or running. I could not find it in the services.msc section. Here are the logs for ewido, Panda Active scan, and HJT.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:47:05 PM, on 9/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\crcy32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ieyf32.exe
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {CC3BA8EE-0F8E-BB35-0653-B020878669DC} - C:\WINDOWS\applm32.dll
O2 - BHO: Class - {D0F03457-32E5-5715-6CDD-72C94F05ABBE} - C:\WINDOWS\system32\netrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ieyf32.exe] C:\WINDOWS\ieyf32.exe
O4 - HKLM\..\RunOnce: [crcy32.exe] C:\WINDOWS\crcy32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Russ"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2976BDAD-30FD-4ADD-B6AD-DF7BC54767FA} (AMI Conferencing Control 6.0) - https://smilpacs.shc...iconference.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126240418565
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126240973550
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://showeb207.sh...tall/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://entryware.net...disk1/setup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - https://showeb207.sh...l/amiviewer.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {F9FC6CCD-DCDE-4F9B-96C9-1D4DBD33D798} (AMI ViewApp Control 6.0 (SPA10)) - https://smilpacs.shc...l/amiviewer.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iptb32.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:43:56 AM, 9/18/2005
+ Report-Checksum: D925501B

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 46436
+ Speed: 16.13 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\wryzd.dll -> Spyware.SearchPage -> Cleaned with backup


::Report End

Activescan:

Incident Status Location

Virus:Trj/Downloader.ERZ Disinfected Operating system
Adware:adware/searchaid No disinfected C:\WINDOWS\SYSTEM32\addor32.exe
Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkas32.exe
Adware:adware/toprebates No disinfected C:\WINDOWS\SYSTEM32\WebRebates_Auto_InstallSilent.exe
Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Russ\Favorites\SITES ABOUT\Ab scissor.url
Adware:adware/sidesearch No disinfected C:\Documents and Settings\Russ\Application Data\Lycos
Adware:adware/cws.homesearchasisstant No disinfected Windows Registry
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\crnq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msps.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\netnv.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\netqo32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\netwf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appvd.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlxn.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3ft.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\iezset.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcmf.exe
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msdipo.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msfaol.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\mshpeb.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msiaih.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msnapl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msvp.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\netlk32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netoj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntkl.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\ntvs32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntww.exe
Adware:Adware/CWS.HomeSearchAsisstant No disinfected C:\WINDOWS\system32\sdkuo32.exe
Virus:Trj/Downloader.ERZ Disinfected C:\WINDOWS\system32\sysft32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\syszx.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\wuxfs.dll

smitrem:

smitRem log file
version 2.3

by noahdfear

The current date is: Sun 09/18/2005
The current time is: 9:52:54.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:


Thanks for your help!

Thanks