Trojan.downloader.small.cml

20 replies to this topic

#1 MaN227
Posted 28 October 2006 - 07:27 PM

I've gotten some nasties in the last few days. ishost.exe is still on my rig and trying to execute; it seems Spyware Doctor is keeping it at bay with one of its many guards.

I have seen maxifiles, mytoolbar888 and trojan popupper, to name a few that I recall a name of.

It has gotten quite frustrating how well these things can hide and replace deleted files. I want off this merry-go-round :thumbsup:

That is why I have come to you good folks here, in hopes that you can get my rig back in order and rid of all these nasties once and for all. I want to thank you in advance for all your time and effort. I look forward to your reply ;)

Logfile of HijackThis v1.99.1
Scan saved at 9:07:46 AM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\HIS iTurbo\iTurbo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
C:\Program Files\HiJackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2395.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [iTurbo] "C:\Program Files\HIS iTurbo\iTurbo.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsen.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Y'z Shadow.lnk = C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AB021-D772-49C9-90F2-5E4C8698FF5D}: NameServer = 165.76.0.243,165.76.176.2
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#2 amateur

Malware Response Team

Posted 04 November 2006 - 09:46 PM

Hi MaN227,

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. See here if you don't know how. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large numbers of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with a fresh HijackThis log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

#3 MaN227

Topic Starter

Posted 08 November 2006 - 09:57 PM

Here is the latest log, just made.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:02 AM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\HIS iTurbo\iTurbo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HiJackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [iTurbo] "C:\Program Files\HIS iTurbo\iTurbo.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxug.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Startup: Y'z Shadow.lnk = C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AB021-D772-49C9-90F2-5E4C8698FF5D}: NameServer = 165.76.0.243,165.76.176.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

About the SmitfraudFix deal: NOD32 wouldn't allow the download, and if I turned it off and downloaded the files, it would delete them when I restarted NOD32.

During the time I was waiting for a reply here I had run SmitfraudFix in Safe Mode, selecting [2] to clean.
It seemed to have deleted more than it should have. Anyway, I have since begun to run Spyware Doctor and have not noticed this ishost.exe and the other stuff again.

EXCEPT this friggin' Winantispyware still will not go away. It loads at startup and gives me the "you may be infected" popup. [It's a shield, red on the left half, green on the right, with a question mark in the middle.] If I choose Exit it never "appears" again; I say appears because it does not list in Task Manager EVEN when it shows in the tray.

I may be WAY off the mark here, but I somehow feel some of the other stuff may be tied to the use of Internet Explorer 7; it may have just been coincidence that the other "nasties" would appear again after I used that browser. Just thought I'd put that out there.

Just did a Spyware Doctor quick scan and it finds nothing.

If you know where the offending files are that are associated with this Winantispyware, I can manually delete them and the registry entries as well.

Please advise. Thanks for your time and service :D

#4 amateur

Malware Response Team

Posted 08 November 2006 - 10:19 PM

about the smitfraud deal, nod32 wouldn't allow the download and if I turned it off and download the files it would delete them when I would restart nod32.

Well, that's a problem. You're still infected. You need to download and run the SmitfraudFix. Never heard of NOD deleting the tool before. Are you sure? Could it be your firewall Kaspersky Anti-Hacker, or Spyware Doctor doing it?

Edited by amateur, 08 November 2006 - 10:47 PM.


#5 MaN227

Topic Starter

Posted 09 November 2006 - 08:34 AM

I'm positive it's NOD32, mate. Here is what I get when trying to open the download page:

NOD32 antivirus system alert: IMON
Infiltration detected !


Infiltration details:

Web page:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Infiltration:
Win32/PrcView application

Description:
Access to the web page was blocked by IMON.

www.nod32.com


It is one file of the 11 in the zip that gets deleted; I don't recall the name of it. How do you consider this a sign of infection? Not trying to be confrontational, I just don't see a connection between NOD32 not liking a specific file in the zip and being infected.

As stated, the other stuff seems to be gone. Only Winantivirus remains.

What should I do now, then? A different course of action? Or disable NOD and run the test [1] of SmitfraudFix, or the fix [2]?

After a few minutes of brain racking I THINK the file it didn't like was process.exe; not 100%, but fairly certain.

Mind you, I have NOD32 set up in a rather secure manner, more secure than default. [lol, hard to tell, being as I've had and have unwanted nasties on my rig, huh? :D]

Edited by MaN227, 09 November 2006 - 08:50 AM.


#6 amateur

Malware Response Team

Posted 09 November 2006 - 09:04 AM

Yes, the process.exe in SmitfraudFix is flagged as bad, but in this case it's not. You can allow it when Nod alerts you.

I just don't see a connection with NOD32 not liking a specific file in the zip and being infected.


The sign of the infection is this line in your log, not any of the files in the SmitfraudFix zip:

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxug.dll,startup

during the time I was waiting for a reply here I had run the smitfraud in safe mode selecting [2] to clean.

You've already run SmitfraudFix #2 before I instructed you to do it. Now I don't know what it found, what it deleted and what it couldn't.

I have to go out now, I'll come back with a suggestion later in the day.
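The indicator amateur points at above (the CTDrive Run entry, whose DLL was drvsen.dll in the 28 October log and drvxug.dll in the 9 November log) is the kind of thing worth pulling out of HijackThis logs mechanically rather than by eye. The following Python script is an added example, not part of the thread and not HijackThis's own code: it parses the O4 Run and O20 Winlogon Notify lines from constructed excerpts of the two logs posted in this thread, diffs them, and flags rundll32 entries that load a .dll by absolute path rather than a named control-panel applet (a review heuristic assumed here, not a HijackThis rule).

```python
"""Pull O4 Run / O20 Winlogon Notify entries out of HijackThis logs, diff two
scans, and flag rundll32 entries that load a .dll by absolute path."""
import re

# Constructed excerpts: only the O4/O20 lines from the two logs posted in this
# thread (28 October and 9 November). Everything else in the logs is ignored.
LOG_OCT29 = r"""
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsen.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

LOG_NOV09 = r"""
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxug.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# HijackThis line shapes as they appear in the logs above.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# "rundll32[.exe] <module>,<entrypoint>" as used by the Run entries.
RUNDLL32 = re.compile(r"^rundll32(?:\.exe)?\s+(?P<module>[^,]+),(?P<entry>\S+)", re.IGNORECASE)


def parse_hjt(log):
    """Return {(section, key): value} for O4 Run and O20 Winlogon Notify lines."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            entries[("O4", f"{m['hive']} {m['name']}")] = m["cmd"]
            continue
        m = O20_NOTIFY.match(line)
        if m:
            entries[("O20", m["name"])] = m["path"]
    return entries


def diff_hjt(old, new):
    """Entries that appeared, disappeared, or kept their name but changed value."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


def rundll32_modules(entries):
    """Every O4 Run entry launched through rundll32, as (key, module, entrypoint)."""
    found = []
    for (section, key), cmd in sorted(entries.items()):
        if section != "O4":
            continue
        m = RUNDLL32.match(cmd)
        if m:
            found.append((key, m["module"].strip(), m["entry"]))
    return found


def flag_rundll32_dlls(entries):
    """Heuristic (assumed here): a .dll given by absolute path deserves a look,
    whereas the .cpl applets above are loaded by name through the normal search path."""
    return [(key, module, entry) for key, module, entry in rundll32_modules(entries)
            if module.lower().endswith(".dll") and ":\\" in module]


def report(old_log, new_log):
    """Human-readable lines summarising the diff and the flagged rundll32 entries."""
    old, new = parse_hjt(old_log), parse_hjt(new_log)
    d = diff_hjt(old, new)
    lines = [f"CHANGED {s} [{k}]: {b} -> {a}" for (s, k), b, a in d["changed"]]
    lines += [f"REMOVED {s} [{k}]" for s, k in d["removed"]]
    lines += [f"ADDED   {s} [{k}]" for s, k in d["added"]]
    lines += [f"REVIEW  rundll32 loads {m} ({e}) from Run entry [{k}]"
              for k, m, e in flag_rundll32_dlls(new)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_OCT29, LOG_NOV09)))
```

The CHANGED line is the one that matters on this machine: a Run entry that keeps its name but points at a freshly named DLL after a cleanup is exactly the "replace deleted files" behaviour the thread starter describes.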

#7 MaN227

Topic Starter

Posted 09 November 2006 - 09:30 AM

OK, got you about the infection and the HJT entry that alerted you.

I didn't run SmitfraudFix AFTER you mentioned it and told me not to run it; I had run it before that. In researching my problems, a few places I looked said that SmitfraudFix was what would fix things, so I ran it.
Sorry :thumbsup:

As it stands now, nothing seems to show up in scans with NOD and Spyware Doctor.

The only thing I KNOW for sure is left is this darn Winantispyware.

Again, bear in mind I didn't do what you told me not to after you told me. I did it before.

Tell me what I should and/or shouldn't do and I will follow your instructions to the T.

Thanks for your time and help, mate; it really is greatly appreciated.

#8 amateur

Malware Response Team

Posted 09 November 2006 - 05:36 PM

Hi,


If you didn't click on the Winantispyware popup, it's most likely that it didn't install, but let's check. Go to Start>Control Panel>Add/Remove Programs and look for Winantispyware. If present, remove it. Let me know how that went.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

===========================================

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.

============================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

============================================

Boot into Safe Mode (without networking)

============================================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\system32\drvxug.dll
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxug.dll,startup

Close all other windows/browsers/applications, except HijackThis and click on Fix checked. Exit HijackThis but stay in Safe Mode.

============================================

Clean out your Temporary Internet files. Proceed like this:

Quit all browsers and quit any instances of Windows Explorer.

From Safe Mode, using Windows Explorer, Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

For Internet Explorer 4.x and Up
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then click Empty Recycle Bin.

=========================================

Still in Safe Mode, run AVG Anti Spyware

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode. If you get any alerts from your security tools about the changes, allow them.

=========================================

Please post back the AVG Anti Spyware scan report and a fresh HijackThis log. Let me know how the computer is running now.

#9 MaN227

Topic Starter

Posted 10 November 2006 - 12:29 AM

Hi,

I did [the first time I saw it, Winantispyware] run the "quick scan", I think it was called, and then it opened a webpage, and that's as far as I've gone. When Windows boots up I simply right-click and choose Exit and it doesn't come up again. But every restart it's there.

It is NOT listed in Add/Remove Programs nor in uruninstaller.

Next up... I guess is AVG Anti-Spyware. This is odd and confusing to me. I had been using it for quite a while before it changed name from Ewido. It worked great, then one day for no reason I can discern it would crash Windows EVERY time it would scan, always while scanning the Windows folder. Actually I used to use Webroot Spy Sweeper and, after some time, it did the same thing: crash Windows while in a scan. That is why I started to use Ewido [AVG] Anti-Spyware in the first place. I tell you this because I don't know if there is a connection or not. I have gone so far as to do a "repair" install of the OS. That didn't help.

With that said, what the heck can I do now? Maybe boot into Safe Mode and manually delete or rename that drvxug.dll? Is that the file that makes Winantispyware show in my systray? Maybe reinstall AVG Anti-Spyware and try to ONLY run it while in Safe Mode? I have no idea if it would crash then as well or not.

Thanks for your time and help.

#10 amateur

Malware Response Team

Posted 10 November 2006 - 04:52 PM

Have you followed my instructions in the order they are presented? Did AVG Anti-Spyware crash this time?
Please read my instructions carefully again and follow them in the order they are presented. If you get any errors, take note and let me know later.

#11 MaN227

Topic Starter

Posted 11 November 2006 - 09:56 AM

I followed the directions in the order they were given.

Running AVG Anti-Spyware in Safe Mode gave no errors or crashes.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:37 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\HIS iTurbo\iTurbo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HiJackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [iTurbo] "C:\Program Files\HIS iTurbo\iTurbo.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Startup: Y'z Shadow.lnk = C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AB021-D772-49C9-90F2-5E4C8698FF5D}: NameServer = 165.76.0.243,165.76.176.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

as for AVG, most things found were on storage partitions, of the reverse engineering type. I don't feel so comfortable posting that log file in this open forum. If you need to see it I can edit out the folder structure and/or just give the offending file names sent via PM.

this is the portion that is from the OS drive

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:18:45 PM 11/11/2006

+ Scan result:



C:\Program Files\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-12_23-38-59.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-12_23-46-15.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-18_05-05-46.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\icon.ico -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ignore.lst -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B74DE36A-B95C-49A1-8F41-A09F3D187747} -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor\1.4 -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\windows\system32\drvsen.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\windows\system32\drvxop.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\windows\system32\drvxug.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\games\AGON\Data\Bin\ijl15.dll -> Not-A-Virus.Monitor.Win32.HiddenRecorder.a : Cleaned with backup (quarantined).
C:\Program Files\MP3 Splitter & Joiner\*****.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).


let me know about the other stuff AVG AS has quarantined, if it's needed and such.
I wonder how to get rid of all remnants I can find from this 'software doctor' & 'error doctor'?

as far as "nasties" being in system restore points. Do I assume correctly that disabling system restore, rebooting and then re-enabling it will do away with all the data in the saves, including the "nasties"? or are the files saved from old restores still there?

with that said, I have done 3 reboots and winantispyware has NOT loaded. thanks a bunch :thumbsup: :flowers: :huh: :huh: :huh: :huh:

I appreciate your patience and matter of fact approach :huh:

Edited by MaN227, 11 November 2006 - 10:00 AM.


#12 amateur, Malware Fighter (Malware Response Team, 2,775 posts)

Posted 11 November 2006 - 11:50 AM

Hi,

I think you said that you've stopped using Webroot's SpySweeper. If you are not using it any longer, you can have the following entry fixed with the HijackThis.

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

as for AVG, most things found were on storage partitions, of the reverse engineering type. I don't feel so comfortable posting that log file in this open forum. If you need to see it I can edit out the folder structure and/or just give the offending file names sent via PM.

You might like to do that. If there are infected files in those sections, you wouldn't want to keep them.

I see that you have Flashget installed. Flashget is bundled with Cydoor adware, but when you register the Ads disappear.
So in case you have the trial version and didn't buy it, I recommend you uninstall it.

Go to Start > Control Panel > Add/Remove Programs to remove it.

let me know about the other stuff AVG AS has quarantined, if it's needed and such.
I will be deleting all remnants I can find from this 'error doctor'.

Software Doctor is a rogue program. AVG AS cleaned it. It may not be there but please check if it's still in the Add/Remove Programs in Control panel and remove it if it exists. Then, using windows explorer locate and delete the folders, if they exist.

C:\Program Files\SoftwareDoctor
C:\Program Files\FlashGet

as far as "nasties" being in system restore points. Do I assume correctly that disabling system restore, rebooting and then re-enabling it will do away with all the data in the saves, including the "nasties"?

Yes, it will. But don't do that just yet. We need to be sure that the system is clean before doing that.

I have done 3 reboots and winantispyware has NOT loaded. thanks a bunch

That's excellent. :thumbsup:

I appreciate your patience and matter of fact approach

No problem. :flowers:

We need to do an online scan as well to make sure that nothing else is lurking around.

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click on [image] located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
  • Begin the scan by selecting [image]
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on [image] then click [image]
Please post back the Panda results and a fresh HijackThis log please.
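
The entries amateur singles out of the HijackThis log above (the O20 Winlogon Notify DLL marked "(file missing)", the O9 button with "(no file)", O23 services with "Unknown owner", and the O17 NameServer line that is worth confirming against the ISP) can be picked out mechanically. The following is an added example, not code from BleepingComputer, HijackThis or this thread; the sample lines are copied from the log posted above, and the triage rules and their wording are my own assumptions about what a helper checks first.

```python
"""Parse HijackThis (HJT) log entries and flag the ones a helper looks at first.

Added example, not HijackThis's or BleepingComputer's own code.  The rules in
triage() are assumptions modelled on how the entries in this thread were read.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AB021-D772-49C9-90F2-5E4C8698FF5D}: NameServer = 165.76.0.243,165.76.176.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


@dataclass
class Entry:
    section: str  # the HJT section tag, e.g. "O20"
    body: str     # everything after "O20 - "


@dataclass
class Finding:
    section: str
    reason: str
    body: str


# Every HJT entry starts with an "O<number> - " tag; other lines are headers
# or the running-process list and are skipped here.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_hjt(text: str) -> list[Entry]:
    """Return the O-numbered entries of an HJT log in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag entries worth a second look.  Rules are assumptions, not HJT's own."""
    findings = []
    for e in entries:
        if e.section == "O20" and "(file missing)" in e.body:
            # A Winlogon Notify DLL that no longer exists: an orphaned entry
            # left behind by an uninstalled product (SpySweeper in this thread).
            findings.append(Finding(e.section, "Winlogon Notify DLL is missing; orphaned entry", e.body))
        elif "(no file)" in e.body:
            # Toolbar button or menu item whose target is gone.
            findings.append(Finding(e.section, "entry points at no file; orphaned", e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            # Service binary carries no publisher information; confirm the path
            # belongs to software the owner knows.
            findings.append(Finding(e.section, "service has no publisher; verify binary path", e.body))
        elif e.section == "O17":
            # DNS servers set per adapter; these should match the ISP's servers.
            m = NAMESERVER_RE.search(e.body)
            servers = m.group(1).split(",") if m else []
            findings.append(Finding(e.section, "DNS servers " + ", ".join(servers) + "; confirm they are the ISP's", e.body))
    return findings


def triage_log(text: str) -> list[Finding]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.body}")
```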

#13 MaN227, Topic Starter (Members, 10 posts)

Posted 12 November 2006 - 08:21 AM

here are the two edited logs

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:18:45 PM 11/11/2006

+ Scan result:



C:\Program Files\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-12_23-38-59.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-12_23-46-15.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\Registry Backups\2006-10-18_05-05-46.reg -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\icon.ico -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
C:\Program Files\SoftwareDoctor\ErrorDoctor\ignore.lst -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B74DE36A-B95C-49A1-8F41-A09F3D187747} -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SoftwareDoctor\ErrorDoctor\1.4 -> Adware.SoftwareDoctor : Cleaned with backup (quarantined).
-> Backdoor.Theef.111 : Cleaned with backup (quarantined).
-> Backdoor.Theef.111 : Cleaned with backup (quarantined).
-> Dropper.Agent.xk : Cleaned with backup (quarantined).
System Volume Information\_restore{17F7A1DA-59BA-4105-A767-9A05566D6E04}\RP263\A0985382.exe -> Dropper.Agent.xk : Cleaned with backup (quarantined).
-> Logger.Delf.or : Cleaned with backup (quarantined).
-> Logger.Delf.ta : Cleaned with backup (quarantined).
-> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup (quarantined).
-> Not-A-Virus.Hacktool.Crack : Cleaned with backup (quarantined).
C:\windows\system32\drvsen.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\windows\system32\drvxop.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\windows\system32\drvxug.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\games\AGON\Data\Bin\ijl15.dll -> Not-A-Virus.Monitor.Win32.HiddenRecorder.a : Cleaned with backup (quarantined).
C:\Program Files\ -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
\System Volume Information\_restore{B7948794-9359-488B-8929-56E9C993D213}\RP36\A0098010.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
-> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
\System Volume Information\_restore{17F7A1DA-59BA-4105-A767-9A05566D6E04}\RP263\A0984453.exe -> Trojan.Agent.ht : Cleaned with backup (quarantined).
-> Trojan.Agent.ht : Cleaned with backup (quarantined).
\PSP\MPHDowngrader\PSP\PHOTO\overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).


::Report end


panda active scan

Incident Status Location

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\cookies.txt[.toplist.cz/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\cookies.txt[.target.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.go.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.tucows.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.target.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.ccbill.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\\Desktop\SHORTCUTS\Mozilla\Firefox\Profiles\\cookies.txt[.apmebf.com/]
Possible Virus. Not disinfected C:\Documents and Settings\\Desktop\SmitfraudFix\SmitfraudFix\swsc.exe
Possible Virus. Not disinfected C:\Documents and Settings\\Desktop\SmitfraudFix\swsc.exe
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3C02CDC6-0821-1033-1114-030119050001}\Uninst.exe
Possible Virus. Not disinfected C:\Program Files\eRightSoft\SUPER\ffmpeg.exe
Possible Virus. Not disinfected D:\\SmitfraudFix\SmitfraudFix\swsc.exe

Spyware:Cookie/fe.lea.lycos Not disinfected @fe.lea.lycos[1].txt

Spyware:Cookie/fe.lea.lycos Not disinfected @fe.lea.lycos[1].txt


and a just completed HJT log which was NOT edited in any way.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:54 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\HIS iTurbo\iTurbo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HiJackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [iTurbo] "C:\Program Files\HIS iTurbo\iTurbo.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - Startup: Y'z Shadow.lnk = C:\windows\BricoPacks\Vista Inspirat\YzShadow\YzShadow.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AB021-D772-49C9-90F2-5E4C8698FF5D}: NameServer = 165.76.0.243,165.76.176.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\windows\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
well there you have it.

now to touch on a few items you mentioned in your reply.

the spysweeper dll. ... so I just run HJT and tell it to fix it? or do I have to do it the same way as I did with the "nasty" dll you have me get rid of from windows?


my copy of flashget is regged ;)

I can't find anything left of software doctor and/or error doctor :D

well not disabling sys restore, sorry too late m8, I disabled it several weeks ago. that's why I asked about the files within restore points being deleted when sys restore is disabled, because of these scans returning things that are in sys restore points. that still confuses me. [ I disabled it actually because it ran into some other problems before and tried sys restore and it did NOT work so I fig. I would free the space.]

I can't say it enough, BIG THANKS for all the direction m8 :thumbsup: :flowers: :huh: :huh: :huh:

#14 amateur, Malware Fighter (Malware Response Team, 2,775 posts)

Posted 13 November 2006 - 09:28 PM

Hi,

Sorry I got tied up and was not able to reply yesterday.

the spysweeper dll. ... so I just run HJT and tell it to fix it? or do I have to do it the same way as I did with the "nasty" dll you have me get rid of from windows?

The file is already missing. So, yes, just run HJT and tell it to fix it. That's all.

===============================================

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and Folders heading uncheck Show hidden files and folders.
check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
check the Hide file extensions for known file types.
Click OK.

================================================

Delete the SmitfraudFix from your desktop if you haven't already. Please delete this folder as well

D:\\SmitfraudFix

================================================

Using Windows Explorer (right click on start, click on Explore), locate the following and delete it. If you have problem deleting it in Normal Mode, try it in Safe Mode and let me know how that went:

C:\Program Files\Common Files\{3C02CDC6-0821-1033-1114-030119050001}

================================================

C:\Program Files\eRightSoft <======== Is this a program you know and use? If you do, no problem.

================================================

my copy of flashget is regged ;)

I take it that you have a registered version?

================================================

well not disabling sys restore, sorry too late m8, I disabled it several weeks ago. that's why I asked about the files within restore points being deleted when sys restore is disabled, because of these scans returning things that are in sys restore points. that still confuses me. I disabled it actually because it ran into some other problems before and tried sys restore and it did NOT work so I fig. I would free the space.


Having no restore point to go back to in case something goes wrong is not a good practice. We would rather have an infected system restore than not have any. Had I known this before I would have asked you to enable it immediately.
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name, and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.

This will remove all previous restore points except the newly created one.

================================================

Please let me know how the computer is running now so that we can finish up and secure your system.

#15 MaN227, Topic Starter (Members, 10 posts)

Posted 15 November 2006 - 08:14 AM

Hi m8, no worries on time, we all have other things to take care of.

I'll address your last posting as best I can.

spysweeper.dll - done.

hide files and extensions. - I want to see all the files system or otherwise. I don't go mucking about with system files though but I like to see what is there. and hide extensions , I hate that, I deal with many files and types of files and to hide the extensions just will not work for me.

smitfraudfix folders - both deleted

C:\Program Files\Common Files\{3C02CDC6-0821-1033-1114-030119050001} - deleted

C:\Program Files\eRightSoft - SUPER is the app name. I actually have looked at it but not really used it as of yet. it's a video converting/authoring front end GUI for free tools. If you know it to be a problem then I shall uninstall it. ?

flashget regged - yes a registered copy.

sys restore direction - I have followed your direction and created a restore point yesterday along with the "cleanup" direction. .... my question is this how much space is good enough for a few restore points on each drive. 12% seems a waste of space to me. so instead of %age can you tell me in MB and/or GB as the case may be what is good enough for each drive? for what its worth I have 4 physical drives with 6 partitions.

all seems to be going alright, the rig is getting old-ER :huh: the speed seems as good as can be expected [and a bit faster], except for startup it actually seems slower than before doing any fixes if you can believe that. would adjusting down the "time allowed to show and boot sys" to say 10 seconds be a good thing to try? or is it simply that I have so many apps installed I just have to live with it?

I have mentioned some and you can see the others from the logs of what security apps I use. so from that are there any changes you would make? antispy? firewall? anti virus? and such? just do not say norton ANYTHING or Zonealarm , :thumbsup: been there , done that !

I guess if I may ask about one last thing that would be, if you know why AVG AS and webroot SS both crash windows while doing a scan. that just doesn't make sense to me. and I like them both and as you know different approaches of finding "nasties", one app can find things that another doesn't so I'd really like to be able to use these two but just can't.

thanks again for all your help and the tact with which you make your posts :flowers: you do a great service to those of us that have not the same level of "know how" :huh: :huh: and I hope that my problems and your solutions to the same "nasties" being posted here will help others solve their own problems.