Virus.Win32.Nsag.b


  • Please log in to reply

#1 mizone (New Member, 3 posts)
:tazz: please
First symptom: black screen with the "Warning! Your computer is vulnerable..."
ran Charter High-Speed Security Suite and F-Secure
results no more warning, same black screen
Charter kept trying to remove Virus.Win32.Nsag.b
also kept getting an error message about a task unsuccessful concerning C:\WINDOWS\SYSTEM32\WININET.DLL
I have a yield sign with an exclamation point blinking in the system tray
an anti-spyware kept trying to download itself, razor something or other
completed all your steps to ewido (was time consuming and I will do a HijackThis log later as I have to get a few hours of sleep before I go to work)
after running Spybot I started getting this error message
Runner file name(fspex.exe)lacks a '-'(the app id separator)



Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, September 22, 2005 6:49:39 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
CSI Fingerprints total : 886
CSI data size : 30371 Bytes
Target categories : 15
Target families : 679

9-22-2005 1:15:30 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746


9-22-2005 1:16:13 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:21 %
Total physical memory:196080 kb
Available physical memory:40816 kb
Total page file size:478104 kb
Available on page file:221884 kb
Total virtual memory:2097024 kb
Available virtual memory:2043308 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-22-2005 6:49:39 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 420
ThreadCreationTime : 9-22-2005 5:58:50 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 476
ThreadCreationTime : 9-22-2005 5:58:52 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 500
ThreadCreationTime : 9-22-2005 5:58:53 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 544
ThreadCreationTime : 9-22-2005 5:58:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 556
ThreadCreationTime : 9-22-2005 5:58:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 716
ThreadCreationTime : 9-22-2005 5:58:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 784
ThreadCreationTime : 9-22-2005 5:58:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 856
ThreadCreationTime : 9-22-2005 5:58:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 900
ThreadCreationTime : 9-22-2005 5:58:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 972
ThreadCreationTime : 9-22-2005 5:58:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [lexbces.exe]
ModuleName : C:\WINDOWS\system32\LEXBCES.EXE
Command Line : C:\WINDOWS\system32\LEXBCES.EXE
ProcessID : 1236
ThreadCreationTime : 9-22-2005 5:59:01 PM
BasePriority : Normal
FileVersion : 9.37
ProductVersion : 9.37
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1272
ThreadCreationTime : 9-22-2005 5:59:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
ModuleName : C:\WINDOWS\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 1284
ThreadCreationTime : 9-22-2005 5:59:01 PM
BasePriority : Normal
FileVersion : 9.37
ProductVersion : 9.37
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:14 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1456
ThreadCreationTime : 9-22-2005 5:59:02 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:15 [msole32.exe]
ModuleName : C:\WINDOWS\system32\msole32.exe
Command Line : "C:\WINDOWS\system32\msole32.exe"
ProcessID : 1548
ThreadCreationTime : 9-22-2005 5:59:04 PM
BasePriority : Normal


#:16 [fsm32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
Command Line : "C:\PROGRAM FILES\CHARTER HIGH-SPEED SECURITY SUITE\COMMON\FSM32.EXE" /SPLASH
ProcessID : 1584
ThreadCreationTime : 9-22-2005 5:59:04 PM
BasePriority : Normal
FileVersion : 5.61.7670
ProductVersion : 5.61 Build 7670
ProductName : F-Secure Management Agent
CompanyName : F-Secure Corporation
FileDescription : F-Secure Settings and Statistics
InternalName : FSM
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FSM32.EXE

#:17 [abmtsr.exe]
ModuleName : C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
Command Line : "C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe"
ProcessID : 1696
ThreadCreationTime : 9-22-2005 5:59:06 PM
BasePriority : Normal
FileVersion : 5.0
ProductVersion : 5.0
ProductName : PhotoImpact Bundled Ed.
CompanyName : Ulead Systems, Inc.
FileDescription : PhotoImpact Album
InternalName : ALBUM
LegalCopyright : Copyright © 1992-1999. Ulead Systems, Inc.
LegalTrademarks : Ulead Systems, MediaStudio and ImagePals are registered trademarks of Ulead Systems, Inc.
OriginalFilename : ALBUM.EXE

#:18 [calcheck.exe]
ModuleName : C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
Command Line : "C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe"
ProcessID : 1704
ThreadCreationTime : 9-22-2005 5:59:06 PM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 1, 0, 0, 1
ProductName : Calendar Checker Application
CompanyName : Ulead Systems, Inc.
FileDescription : Photo Express -- Calendar Checker
InternalName : CalCheck
LegalCopyright : Copyright © 1992-1999.Ulead Systems, Inc.
LegalTrademarks : Ulead Systems, MediaStudio, PhotoImpact and Photo Express are registered trademarks of Ulead Systems, Inc.
OriginalFilename : CalCheck.EXE

#:19 [servic~1.exe]
ModuleName : C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
Command Line : C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
ProcessID : 1784
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal


#:20 [fsgk32st.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe"
ProcessID : 1816
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal
FileVersion : 1, 0, 7360, 0
ProductVersion : 1, 0, 7360, 56
ProductName : F-Secure Corp. Startup service
CompanyName : F-Secure Corp.
FileDescription : fsgk32st
InternalName : fsgk32
LegalCopyright : Copyright © 2001
OriginalFilename : fsgk32st.exe
Comments : Startup service for Gatekeeper Handler

#:21 [fsbwsys.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe"
ProcessID : 1836
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal
FileVersion : 6.70.730
ProductVersion : 6.70
ProductName : F-Secure BackWeb
CompanyName : F-Secure Corp.
FileDescription : fsbwsys
InternalName : fsbwsys
LegalCopyright : Copyright © 2004 F-Secure Corporation
OriginalFilename : fsbwsys.exe

#:22 [fsgk32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
Command Line : "C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE" /service /stopevent=28
ProcessID : 1848
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal
FileVersion : 5.53.10121
ProductVersion : 5.53.10121
ProductName : F-Secure Corp. fsgk32
CompanyName : F-Secure Corp.
FileDescription : Gatekeeper Handler II
InternalName : fsgk32
LegalCopyright : Copyright © 2003
OriginalFilename : fsgk32.exe
Comments : release

#:23 [fsma32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
Command Line : "C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE"
ProcessID : 1864
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal
FileVersion : 5.61.7670
ProductVersion : 5.61 Build 7670
ProductName : F-Secure Management Agent
CompanyName : F-Secure Corporation
FileDescription : F-Secure Management Agent
InternalName : VCH
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FSMA32.EXE

#:24 [fspex.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe"
ProcessID : 1876
ThreadCreationTime : 9-22-2005 5:59:09 PM
BasePriority : Normal


#:25 [fsmb32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
Command Line : 1.3.6.1.4.1.2213.11.1.23
ProcessID : 1920
ThreadCreationTime : 9-22-2005 5:59:10 PM
BasePriority : Normal
FileVersion : 5.61.7670
ProductVersion : 5.61 Build 7670
ProductName : F-Secure Management Agent
CompanyName : F-Secure Corporation
FileDescription : F-Secure Message Broker
InternalName : FSMB
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FSMB32.EXE

#:26 [fssm32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe" 3 1756 1752 1748
ProcessID : 1928
ThreadCreationTime : 9-22-2005 5:59:10 PM
BasePriority : Normal
FileVersion : 5.53.10210
ProductVersion : 5.53.10210
ProductName : F-Secure Corp. fssm32
CompanyName : F-Secure Corp.
FileDescription : fssm32
InternalName : fssm32
LegalCopyright : Copyright © 2003
OriginalFilename : fssm32.exe
Comments : release

#:27 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 2044
ThreadCreationTime : 9-22-2005 5:59:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:28 [fch32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
Command Line : 1.3.6.1.4.1.2213.11.1.15
ProcessID : 372
ThreadCreationTime : 9-22-2005 5:59:12 PM
BasePriority : Normal
FileVersion : 5.61.7670
ProductVersion : 5.61 Build 7670
ProductName : F-Secure Management Agent
CompanyName : F-Secure Corporation
FileDescription : F-Secure Configuration Handler
InternalName : FCH
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FCH32.EXE

#:29 [fameh32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
Command Line : 1.3.6.1.4.1.2213.11.1.18
ProcessID : 460
ThreadCreationTime : 9-22-2005 5:59:13 PM
BasePriority : Normal
FileVersion : 5.61.7670
ProductVersion : 5.61 Build 7670
ProductName : F-Secure Management Agent
CompanyName : F-Secure Corporation
FileDescription : F-Secure Alert and Management Extension Handler
InternalName : FAMEH
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FAMEH32.EXE

#:30 [fspc.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
Command Line : 1.3.6.1.4.1.2213.28
ProcessID : 560
ThreadCreationTime : 9-22-2005 5:59:14 PM
BasePriority : Normal
FileVersion : 3.00.1090
ProductVersion : 3.00 Build 1090
ProductName : F-Secure Parental Control
CompanyName : F-Secure Corporation
FileDescription : F-Secure Parental Control
InternalName : FSPC
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FSPC.EXE

#:31 [fshttps.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe"
ProcessID : 1000
ThreadCreationTime : 9-22-2005 5:59:32 PM
BasePriority : Normal
FileVersion : 3.00.1090
ProductVersion : 3.00 Build 1090
ProductName : F-Secure Parental Control
CompanyName : F-Secure Corporation
FileDescription : F-Secure Http Server
InternalName : FSHTTPS
LegalCopyright : Copyright © 1998-2004 F-Secure Corporation. All rights reserved.
LegalTrademarks : Windows ™ is a trademark of Microsoft Corporation
OriginalFilename : FSHTTPS.EXE

#:32 [fsdfwd.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
Command Line : "C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe"
ProcessID : 1800
ThreadCreationTime : 9-22-2005 5:59:33 PM
BasePriority : Normal
FileVersion : 5.70.550
ProductVersion : 5.70 Build 550
ProductName : F-Secure Anti-Virus Internet Shield
CompanyName : F-Secure Corporation
FileDescription : F-Secure Anti-Virus Internet Shield daemon
InternalName : fsdfwd
LegalCopyright : Copyright © F-Secure Corporation 1997-2004
OriginalFilename : fsdfwd.exe

#:33 [fsav32.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
Command Line : 1.3.6.1.4.1.2213.12
ProcessID : 2520
ThreadCreationTime : 9-22-2005 5:59:46 PM
BasePriority : Normal
FileVersion : 5.53.10480
ProductVersion : 5.53.10480
ProductName : F-Secure Anti-Virus
CompanyName : F-Secure Corporation
FileDescription : FSAV Handler
InternalName : FSAV32
LegalCopyright : Copyright © 1998-2004, F-Secure Corporation
OriginalFilename : FSAV32.exe

#:34 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2648
ThreadCreationTime : 9-22-2005 6:00:02 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:35 [iexplore.exe]
ModuleName : C:\Program Files\Internet Explorer\iexplore.exe
Command Line : "C:\Program Files\Internet Explorer\iexplore.exe"
ProcessID : 2656
ThreadCreationTime : 9-22-2005 6:00:03 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:36 [fsguiexe.exe]
ModuleName : C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
Command Line : fsguiexe.exe
ProcessID : 3152
ThreadCreationTime : 9-22-2005 6:00:30 PM
BasePriority : Normal
FileVersion : 5, 70, 1221, 0
ProductVersion : 5, 0, 560, 0
ProductName : ISP 2005
FileDescription : gui standby component
InternalName : fsguiexe
LegalCopyright : Copyright © 2004
OriginalFilename : fsguiexe.exe

#:37 [wuauclt.exe]
ModuleName : C:\WINDOWS\system32\wuauclt.exe
Command Line : "C:\WINDOWS\system32\wuauclt.exe"
ProcessID : 3764
ThreadCreationTime : 9-22-2005 6:02:22 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:38 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 392
ThreadCreationTime : 9-22-2005 6:13:29 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1677128483-1708537768-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1677128483-1708537768-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1677128483-1708537768-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1677128483-1708537768-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1409082233-1677128483-1708537768-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 6




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

7:16:49 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:27:10.24
Objects scanned:102651
Objects identified:0
Objects ignored:0
New critical objects:0



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:17:34 PM, 9/22/2005
+ Report-Checksum: 9C7E079B

+ Scan result:

C:\Documents and Settings\joseph\Cookies\joseph@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\joseph\Cookies\joseph@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\joseph\Cookies\joseph@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\system32\INTELL32.0XE -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\UNINSTIU.0XE -> Trojan.Small.ev : Cleaned with backup


::Report End


I will wait for a response before I proceed.
Thanks in advance
#2 Armodeluxe (Retired Staff, 2,744 posts)
Please click here and follow the recommendations in the guide.

If you're still having trouble, we'll need you to use a free diagnostic tool, HijackThis. Follow the instructions in step five of this guide, and reply here with your log.

Most of what HijackThis lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3 Armodeluxe (Retired Staff, 2,744 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 mizone (Topic Starter, 3 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:04:49 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\joseph\Desktop\HijackThis.exe

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121642974771
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308964331
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
  • 0

#5
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi mizone,

You have disabled startup items. Please go to Start>Run and type: msconfig

Under the startup tab put a check next to all items, then under general choose normal startup.

Reboot and post a new log.
  • 0

#6
mizone

mizone

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:50:15 PM, on 10/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\joseph\Desktop\HijackThis.exe

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121642974771
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308964331
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
  • 0

#7
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please print these instructions for use in safe mode.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Run your Ewido and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll

===================================================

Close HiJackThis.

Go to Control Panel Add/Remove Programs and uninstall these if there is an entry:

RXTOOLBAR
TBONBin


Then delete these folders:

C:\Program Files\TBONBin
C:\Program Files\RXTOOLBAR

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0