
Virus Problem - Log posted


7 replies to this topic

#1 cd-spencer


  • Members
  • 25 posts

Posted 05 September 2005 - 02:37 AM

Hi

I have received help removing unwanted spyware and viruses etc before through this website and would like to know if anyone can help me remove some nasty bits that have attached themselves to my computer now.

I have completed a hijackthis log below.

Thanks in advance for your help.

CHRIS


Logfile of HijackThis v1.99.1
Scan saved at 5:38:07 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\iehe.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\appni.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4A5C0B03-44B3-2F5D-257F-562F674EEA19} - C:\WINDOWS\system32\javank.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [appni.exe] C:\WINDOWS\appni.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\CHRISS~1\LOCALS~1\Temp\7.tmp" /m
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\iehe.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 September 2005 - 07:28 AM

Hello,

I don't know what you are using instead of notepad, but this log is difficult to read, because several lines are written in one line.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

Place a shortcut to Panda ActiveScan on your desktop.

Download AboutBuster.
Unzip AboutBuster in an own folder such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close aboutbuster now, because you may not run it yet, that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

* Reboot into Safe Mode (without networking support!)
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4A5C0B03-44B3-2F5D-257F-562F674EEA19} - C:\WINDOWS\system32\javank.dll
O4 - HKLM\..\Run: [appni.exe] C:\WINDOWS\appni.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\CHRISS~1\LOCALS~1\Temp\7.tmp" /m
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\iehe.exe


* Click on Fix Checked when finished and exit HijackThis.

* Start AboutBuster and let it scan. When the scan is done and you choose exit, it will automatically create a log in the same folder where AboutBuster is in.

* Start CWShredder and click FIX

* Double-click on HSfix, which you downloaded earlier and which is on your desktop, and when it asks whether you want to add the contents to the registry, click Yes/OK

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.

It is possible that after the reboot your system is using the Windows classic theme again.
To restore the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style under Windows and buttons.
Click Apply and OK.
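The fix list above was built by reading the HijackThis log in post #1 line by line: IE search settings redirected into a res:// resource inside a DLL, the missing default URLSearchHook, an autostart entry launched from the user's Temp folder, and a service with no identifiable owner. The script below is an added example, not a BleepingComputer or HijackThis tool, that encodes exactly those four patterns as heuristics and runs them over a constructed sample made of lines copied from the log (the sample, the regex and the function names are this example's own assumptions, not anything from the thread).

```python
"""Triage helper for HijackThis 1.99 log lines.

Added example, not a BleepingComputer or HijackThis tool. Each heuristic encodes
one pattern the helper in this thread acted on:
  * R0/R1 IE search or start settings pointing at a res:// resource inside a DLL
  * R3 "Default URLSearchHook is missing"
  * O4 autostart entries that launch from a user's Temp folder
  * O23 services listed with "Unknown owner"
Matches are a review queue, not a removal list.
"""
import re

# Constructed sample: lines copied from the log in post #1 plus a few benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\msxah.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\CHRISS~1\LOCALS~1\Temp\7.tmp" /m
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINDOWS\iehe.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


def parse_log(text):
    """Return (kind, body) tuples for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_reasons(kind, body):
    """Return the list of heuristic names an entry triggers (empty if none)."""
    low = body.lower()
    reasons = []
    if kind in ("R0", "R1") and "= res://" in low:
        reasons.append("IE search/start setting redirected into a local DLL resource")
    if kind == "R3" and "urlsearchhook is missing" in low:
        reasons.append("default URLSearchHook removed")
    if kind == "O4" and "\\temp\\" in low:
        reasons.append("autostart entry launches from a Temp folder")
    if kind == "O23" and "unknown owner" in low:
        reasons.append("service has no identifiable publisher")
    return reasons


def triage(text):
    """Return [(entry line, [reasons])] for entries matching at least one heuristic."""
    flagged = []
    for kind, body in parse_log(text):
        reasons = flag_reasons(kind, body)
        if reasons:
            flagged.append((f"{kind} - {body}", reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Note that the ScsiAccess service in the sample is flagged by the "Unknown owner" rule even though the helper left it alone in the fix list: the heuristics produce a queue for a human to review against what is actually known about each binary, not a list of things to remove.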

#3 cd-spencer

  • Topic Starter

  • Members
  • 25 posts

Posted 05 September 2005 - 01:51 PM

Hi

Thanks for your help so far, below are the logs as requested....the only one that I could not find was the smitfiles.txt

Thanks again for your time...

CHRIS


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:21:24 PM, 9/5/2005
+ Report-Checksum: 320B50B6

+ Scan result:

HKLM\SOFTWARE\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\q1va1ILlcKOL -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\q1vs1ILlcKOL -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\ae23.ae23Obj -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ae23.ae23Obj\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ae23.ae23Obj\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806} -> Spyware.SubmitHook : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{62160EEF-9D84-4C19-B7B8-6AC2526CD726} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97} -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\iefeatsl.ViewSource -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\iefeatsl.ViewSource\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\iefeatsl.ViewSource\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchHook.SearchHookObject -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchHook.SearchHookObject\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchHook.SearchHookObject\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchRelevancy\CLSID -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Classes\ShowSearch.ViewSource -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ShowSearch.ViewSource\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ShowSearch.ViewSource\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\70tovmto -> Spyware.SAHA : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEFeatSL_Uninstall -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Relevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchHook -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShowSearch -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Submit URL -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client\Cookies -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client\Cookies\Data -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client\Cookies\Data\net -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client\Cookies\Data\net\contextplus -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Apropos\Client\Cookies\Data\net\contextplus\adchannel.contextplus.net/services/AdChannelServer -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\d78ffc13 -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\d78ffc13\red81542 -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\WinTools -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-839522115-688789844-1060284298-1003_Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
C:\FOUND.000\FILE0001.CHK -> TrojanProxy.Agent.ex : Cleaned with backup
C:\temp\SearchRelevancy.exe -> Spyware.Relevance.b : Cleaned with backup
C:\temp\SAHPackage.exe -> Adware.SAHA : Cleaned with backup
C:\temp\sahagent.exe -> Adware.SAHA : Cleaned with backup
C:\temp\salmhook.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM\svchost.dll -> TrojanProxy.Agent.ex : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxgame1.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\WINDOWS\SYSTEM32\udaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\SYSTEM32\bln02nqv.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\gah95on6.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\2b3fsk0h.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe -> TrojanDownloader.Small.aqu : Cleaned with backup
C:\WINDOWS\SYSTEM32\ker_ps.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\SYSTEM32\kpssja.exe -> TrojanDownloader.Apropo.aa : Cleaned with backup
C:\WINDOWS\SYSTEM32\wppp.html -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\SYSTEM32\vxh8jkdq8.exe -> TrojanDownloader.Small.aqu : Cleaned with backup
C:\WINDOWS\cliotx.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dtskik.dat -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\popup.html -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\desktop.html -> Spyware.Spywad : Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab : Cleaned with backup
C:\WINDOWS\70tovmto.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\byutla.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bqhvvd.dat -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apwdru.log -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sppite.log -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\lsp_.dll -> Adware.SAHA : Cleaned with backup
C:\backups\backup-20050516-173626-340.dll -> TrojanDownloader.Apropo.w : Cleaned with backup
C:\backups\backup-20050516-173626-951.dll -> Spyware.Relevance : Cleaned with backup
C:\backups\backup-20050517-185126-907.dll -> Spyware.WinAD : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\Windows TaskAd\WinProject.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Spyware.UCmore : Cleaned with backup
C:\Program Files\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\msvcp71.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\msvcr71.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\PSGuard.exe -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\WndSystem.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Core.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Localization.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\database.pkg -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\PSGuard.exe.local -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Uninstall.exe -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Quarantine -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Logfile.txt -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Chris Spencer\Local Settings\Temp\ICD2.tmp\AdStatServX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chris Spencer\Local Settings\Temp\7.tmp -> TrojanDownloader.Small.bau : Cleaned with backup
C:\Documents and Settings\Chris Spencer\Local Settings\Temp\B.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010075.dll -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010076.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010077.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010079.dll -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010080.dll -> TrojanDownloader.Apropo.w : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010081.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010084.dll -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011118.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011131.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011151.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011155.EXE -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011156.EXE -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011157.EXE -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011160.dll -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011161.dll -> TrojanProxy.Small.bk : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011162.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011164.dll -> Spyware.SearchPage : Cleaned with backup
C:\Recycled\svchost.dll -> TrojanProxy.Agent.ex : Cleaned with backup


::Report End

.............................................


Incident Status Location

Virus:W32/Smitfraud.E Disinfected Operating system
Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\CHRIS SPENCER\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\PSGuard spyware remover.lnk
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Adware:adware/ncase No disinfected C:\TEMP\salm.log
Adware:adware/searchaid No disinfected C:\DOCUMENTS AND SETTINGS\CHRIS SPENCER\FAVORITES\Search the web.url
Adware:adware/ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\uninstIU.exe
Adware:adware/freecomm No disinfected C:\PROGRAM FILES\Submit
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/topconvert No disinfected Windows Registry
Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Adware:adware/cws.searchmeup No disinfected Windows Registry
Dialer:dialer.qi No disinfected HKEY_CLASSES_ROOT\TypeLib\{9A9C9133-E640-4CA7-81C1-123FAC78855F}
Virus:Trj/Small.NM Disinfected C:\WINDOWS\SYSTEM\update.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Dialer:Dialer.Gen No disinfected C:\WINDOWS\Downloaded Program Files\1041290.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\submit2.exe
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\uninstall.exe
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Chris Spencer\Local Settings\Temp\ICD1.tmp\ysbactivex.inf
Dialer:Dialer.BIW No disinfected C:\Documents and Settings\Chris Spencer\Local Settings\Temp\A.tmp
Adware:Adware/Ucmore No disinfected C:\Documents and Settings\Chris Spencer\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk
Adware:Adware/Ucmore No disinfected C:\Documents and Settings\Chris Spencer\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk
Dialer:Dialer.CHB No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010078.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010082.dll
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP29\A0010085.exe
Virus:Trj/Shellbot.A Disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011168.dll
Adware:Adware/Adsmart No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011169.exe
Adware:Adware/SearchAid No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011170.dll
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011171.exe
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011172.exe
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011173.dll
Adware:Adware/Tibs No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011174.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011175.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011176.exe
Adware:Adware/Tibs No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011177.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011178.exe
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011179.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011180.dll
Adware:Adware/SearchRelevancy No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011181.dll
Adware:Adware/WinAD No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011182.dll
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011183.dll
Adware:Adware/Ucmore No disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011184.dll
Virus:Trj/Shellbot.A Disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP36\A0011192.dll
Virus:Trj/Small.NM Disinfected C:\System Volume Information\_restore{929B40F6-01FC-4AAA-80FB-6E707A6160DE}\RP37\A0011199.exe

...............................................

Logfile of HijackThis v1.99.1
Scan saved at 7:47:08 PM, on 9/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Panda_cleaner_46363] C:\WINDOWS\System32\ActiveScan\pavdr.exe 46363
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5695A50-A62D-468D-88E7-1EC6E218C163}: NameServer = 212.67.96.129 212.67.120.148
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iehe.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:14 PM

Posted 05 September 2005 - 02:27 PM

Hi, can you please REBOOT and post a new HijackThis log? Panda still has a task to perform (most probably disinfecting wininet.dll --- I hope Panda won't delete it this time :thumbsup: ).

The reason why you couldn't find smitfiles.txt is because you forgot to run smitrem.

So AFTER REBOOT

Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and Disk Cleanup to finish.

*Go to Start > Run, type: services.msc and click OK.
Scroll down in that list until you find the service Remote Procedure Call (RPC) Helper
(please make sure you choose the one with Helper in it, because there are also legit services called Remote Procedure Call (RPC) Locator and Remote Procedure Call (RPC), without the word Helper in them. Those are good ones, so please don't select them.)
Double-click the Remote Procedure Call (RPC) Helper. In the window that appears, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

REBOOT once again and post a new HijackThis log with the smitfiles log, which you will find on your C:\

Edited by miekiemoes, 05 September 2005 - 02:45 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
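The advice above rests on reading a few log lines by eye: a service whose binary is gone, an "Unknown owner", a display name that copies a built-in Windows service, a short name made of junk characters, and name servers that are not the ISP's. The script below is an added example for this thread (it is not part of HijackThis or of any post here) that applies those same checks to O23 and O17 lines automatically. The sample lines are copied from the log posted above; the list of legitimate RPC service names and the trusted DNS set are assumptions made for the example.

```python
"""Triage of HijackThis v1.99.1 log lines.

Added example for this thread; not part of HijackThis or of any post in it.
It reads the O23 (services) and O17 (DNS) lines and flags what a helper
checks by eye: a service whose binary is gone or whose publisher is unknown,
a display name that shadows a built-in Windows service, a short name made of
junk characters, and name servers outside a trusted set.
"""
import re
from dataclasses import dataclass, field

# Built-in Windows services whose display name starts with "Remote Procedure
# Call" (assumed list for the example; extend it for other shadowed names).
LEGIT_SERVICE_NAMES = {
    "Remote Procedure Call (RPC)",
    "Remote Procedure Call (RPC) Locator",
}

# HijackThis writes a service as: display name [(short name)] - owner - path
# and appends " (file missing)" when the binary is not on disk.
_NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]*)\))?$")
_SHORT_OK_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    line_type: str          # "O23" or "O17"
    subject: str            # service display name or DNS server address
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Split an O23 line into (display, short, owner, path, missing)."""
    body = line[len("O23 - Service: "):]
    name_part, owner, path = body.rsplit(" - ", 2)
    m = _NAME_RE.match(name_part)
    display, short = m.group("display"), m.group("short")
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    return display, short, owner, path, missing


def check_service(line):
    """Return a Finding for one O23 line, or None when nothing looks off."""
    display, short, owner, path, missing = parse_o23(line)
    reasons = []
    if missing:
        reasons.append("service binary missing on disk: " + path)
    if owner == "Unknown owner":
        reasons.append("no publisher information in the binary")
    for legit in LEGIT_SERVICE_NAMES:
        if display != legit and display.startswith(legit):
            reasons.append("display name shadows built-in service " + repr(legit))
    if short is not None and not _SHORT_OK_RE.match(short):
        reasons.append("short service name is junk: " + repr(short))
    return Finding("O23", display, reasons) if reasons else None


def check_dns(line, trusted_dns):
    """Return Findings for name servers in an O17 line that are not trusted."""
    m = _O17_RE.match(line)
    if not m:
        return []
    return [Finding("O17", s, ["name server not in trusted set"])
            for s in m.group("servers").split() if s not in trusted_dns]


def triage(lines, trusted_dns=frozenset()):
    """Run the checks over all lines of a log; returns the list of Findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("O23 - Service: "):
            f = check_service(line)
            if f:
                findings.append(f)
        elif line.startswith("O17 - "):
            findings.extend(check_dns(line, trusted_dns))
    return findings


# Lines copied from the 9/5/2005 log posted in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5695A50-A62D-468D-88E7-1EC6E218C163}: NameServer = 212.67.96.129 212.67.120.148
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\iehe.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
""".splitlines()

if __name__ == "__main__":
    # The ISP's resolvers are not known here; the trusted set is an assumption
    # that shows how the filter works.
    for f in triage(SAMPLE_LOG, trusted_dns={"212.67.96.129"}):
        print(f.line_type, f.subject)
        for r in f.reasons:
            print("   -", r)
```

On the sample, the "Remote Procedure Call (RPC) Helper" entry trips all four service checks at once, while the legitimate "Remote Procedure Call (RPC) Locator" name would not, because it is in the allow-list. ScsiAccess is reported only for its missing publisher information, which is exactly the kind of hit that needs a human look rather than automatic removal.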

#5 cd-spencer

  • Topic Starter
  • Members
  • 25 posts
  • Local time:03:14 PM

Posted 06 September 2005 - 02:58 PM

Hi

Thanks again for your help... please find a new HijackThis log and smitfiles log below.

CHRIS


Logfile of HijackThis v1.99.1
Scan saved at 8:52:18 PM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tesco\Picture Suite\InsDetect.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Tesco Insert Detect] C:\Program Files\Tesco\Picture Suite\InsDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

.........................
smitRem log file
version 2.3

by noahdfear

The current date is: Tue 09/06/2005
The current time is: 20:46:59.53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:14 PM

Posted 06 September 2005 - 03:18 PM

Looks clean. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (HouseCall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit asap http://windowsupdate.microsoft.com/ to update to SP2!

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again! :flowers:

#7 cd-spencer

  • Topic Starter
  • Members
  • 25 posts
  • Local time:03:14 PM

Posted 07 September 2005 - 02:39 AM

Hi

That's great, thanks a lot for your help and advice.

CHRIS

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:09:14 PM

Posted 07 September 2005 - 03:29 AM

Glad I could help you. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.