
Spyquake 2.3 Still Not Removed


  • This topic is locked
17 replies to this topic

#1 mclittle1

mclittle1

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:11 AM

Posted 26 July 2006 - 02:28 PM

Hello -

From the posts I've seen it looks like you guys and gals have helped out a lot of people, so hopefully you can help me. I run Panda on my laptop and yesterday it told me I had an unidentified threat, which turned out to be spyquake 2.3. Panda wasn't able to get rid of it on its own; every time I reboot Panda says:

deleting adware

Adware name:
Adware\SpywareQuake

Location:
c:\windows\system32\components\flx3.dll

so I decided to follow your automatic tutorial, which didn't work. Here are my two log files that were asked for in the self help tutorial.

I suspect the solution would be to follow the manual instructions for the file location given by panda but I'm not sure.

Any help would be greatly appreciated,

Cheers,
mclittle1

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


Logfile of HijackThis v1.99.1
Scan saved at 3:15:37 PM, on 7/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
E:\Panda\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
E:\Panda\pavsrv51.exe
E:\Panda\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\panda\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Panda\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\Panda\PsImSvc.exe
E:\Panda\apvxdwin.exe
E:\Panda\WebProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\ismon.exe
E:\Net Gear\wlancfg5.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Panda\AvltMain.exe
E:\Fire Fox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Panda\psimreal.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "E:\Panda\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ws2_32] C:\WINDOWS\System32\ws2_32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fouqRWamh] rpclobby.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150898803167
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\Panda\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Panda\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - e:\panda\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - E:\Panda\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - E:\Panda\TPSrv.exe


:thumbsup:



#2 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:10:11 AM

Posted 26 July 2006 - 02:42 PM

Hello.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#3 mclittle1


Posted 26 July 2006 - 02:55 PM

Hi pomp,

Thanks for the quick reply. I was down on the Jersey Shore last week and I don't know how you find the time to fight malware with all the beautiful beaches you have down there. :thumbsup:

I followed your directions and here is the log file you requested:

Cheers

SmitFraudFix v2.75b

Scan done at 15:50:36.27, Wed 07/26/2006
Run from C:\Documents and Settings\mclittle\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !

C:\Documents and Settings\mclittle\Application Data


Start Menu


C:\DOCUME~1\mclittle\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#4 pomp


Posted 26 July 2006 - 02:59 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.




#5 mclittle1


Posted 26 July 2006 - 03:52 PM

Hi again,

I ran SmitfraudFix in safe mode via your instructions and all went as you said it would.

When I rebooted in normal mode I ran a Panda scan again and it found SpyQuake in:

c:\windows\system32\components\flx1.dll

Panda deleted it, I rebooted and this time it wasn't there, :thumbsup:.

However, I'm still concerned that my system seems slower, at least to start up, than it was before. Any more suggestions, or do you think I'm totally clean and just being paranoid?

Cheers,
mclittle1

Here's the logfile you asked for:

SmitFraudFix v2.75b

Scan done at 16:06:08.95, Wed 07/26/2006
Run from C:\Documents and Settings\mclittle\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 pomp


Posted 26 July 2006 - 05:30 PM

Please scan with hijackthis and post a new log.




#7 mclittle1


Posted 26 July 2006 - 05:49 PM

Hi,

Hoping all is well, I've been working on removing this all day, here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:34 PM, on 7/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
E:\Panda\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
E:\Panda\pavsrv51.exe
E:\Panda\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
e:\panda\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Panda\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
E:\Panda\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
E:\Panda\apvxdwin.exe
E:\Net Gear\wlancfg5.exe
E:\Panda\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
E:\FIREFO~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.savewealth.com/support/ie6/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.savewealth.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.savewealth.com
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "E:\Panda\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ws2_32] C:\WINDOWS\System32\ws2_32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fouqRWamh] rpclobby.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150898803167
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - E:\Panda\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - E:\Panda\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - e:\panda\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - E:\Panda\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - E:\Panda\TPSrv.exe

Cheers,
mclittle1

#8 pomp


Posted 26 July 2006 - 09:09 PM

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\System32\ws2_32.exe
  • Click on the submit button
  • Please post the results in your next reply.




#9 mclittle1


Posted 26 July 2006 - 09:22 PM

Thanks for the reply, but I'm not at my computer right now, I'll do it first thing in the morning.

Cheers,
mclittle1

#10 mclittle1


Posted 27 July 2006 - 02:21 PM

Hello again,

Here is what I got:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

I got this message twice; the second time it was after I disabled my Panda firewall.

I double checked to make sure the file still existed and it did and it was 73 not 0 bytes.

Also, when I started my computer today Panda neutralized an adware I have not seen before, "csw". I have not rebooted my computer yet to see if it comes back.

Any more insight into getting my system clean would be a great help.

Cheers,
mclittle1

#11 pomp


Posted 27 July 2006 - 02:48 PM

hello..

Please go here C:\WINDOWS\System32\ and find this file: ws2_32.exe ... zip up the file and then please attach the archive to an email and send it to : marcin@malwarebytes.org




#12 mclittle1


Posted 27 July 2006 - 04:02 PM

Pomp,

The email has been sent with subject: bleeping computer C:\WINDOWS\System32\ws2_32.exe.

What should I do now??

Cheers,
Matt

#13 pomp


Posted 27 July 2006 - 04:58 PM

You sent the .dll instead of the .exe ... go here : http://www.xtra.co.nz/help/0,,4155-1916458,00.html to see how to unhide all files..

then go back into system32 and find ws2_32.exe and zip that file up and submit it to the same email.




#14 mclittle1


Posted 27 July 2006 - 05:15 PM

I followed the directions at the link but still could not find the .exe file

#15 pomp


Posted 31 July 2006 - 01:56 AM

Please go here http://siri.urz.free.fr/upload/

in the first box put the link to this thread ..

in the second box put this path: C:\Program Files\Safety Bar\Safety Bar.dll

Then click Upload


Now, have hijackthis fix the following:

R3 - Default URLSearchHook is missing
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKCU\..\Run: [ws2_32] C:\WINDOWS\System32\ws2_32.exe
O4 - HKCU\..\Run: [fouqRWamh] rpclobby.exe

Find and delete the following files/folders, if there:

C:\Program Files\Safety Bar
rpclobby.exe

Empty recycle bin.

Restart your computer.. Scan with hijackthis and post a new log.


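An added example, not part of the thread and not any poster's or tool author's code: a short Python triage of the O4 registry Run lines from the HijackThis logs above. The two heuristics (a startup target with no directory, and an .exe in System32 whose name matches a system DLL) and the SYSTEM_DLL_STEMS list are assumptions chosen for illustration; a flagged entry is a candidate for review, not a verdict.

```python
import ntpath
import re

# Sample input: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "E:\Panda\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [ws2_32] C:\WINDOWS\System32\ws2_32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fouqRWamh] rpclobby.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
"""

# Assumption: a small illustrative list of Windows system DLL base names.
# ws2_32.dll is the Winsock library; an .exe with that stem deserves a look.
SYSTEM_DLL_STEMS = {"ws2_32", "kernel32", "user32", "advapi32", "wininet"}

# Matches e.g.  O4 - HKCU\..\Run: [name] command line
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Program path: either quoted, or everything up to the first executable extension.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)', re.I)


def parse_run_entries(log_text):
    """Yield (hive, key, value_name, target) for each O4 registry Run line.

    Startup-folder lines ("O4 - Global Startup: ...") are not registry values
    and are skipped here.
    """
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        t = TARGET.match(command)
        target = (t.group(1) or t.group(2)) if t else command
        yield hive, key, name, target


def triage(log_text):
    """Return [(registry key, value name, target, reasons)] for flagged entries."""
    findings = []
    for hive, key, name, target in parse_run_entries(log_text):
        reasons = []
        directory = ntpath.dirname(target)
        stem, ext = ntpath.splitext(ntpath.basename(target))
        if not directory:
            # The log alone cannot say which file on the search path will run.
            reasons.append("no-path")
        if (ext.lower() == ".exe" and stem.lower() in SYSTEM_DLL_STEMS
                and directory.lower().endswith("\\system32")):
            reasons.append("system-dll-name-as-exe")
        if reasons:
            findings.append((f"{hive}\\{key}", name, target, reasons))
    return findings


if __name__ == "__main__":
    for where, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{where} [{name}] {target}: {', '.join(reasons)}")
```
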




