Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

need help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

need help

Unread postby rae » December 16th, 2005, 6:04 pm

hello..
well i have a problem with my computer and i was searching the net and went to nick's computer security and they gave me this link
well my problem is that a wanring is on the backsplash of my desktop and it wants me to install some spyware that i have to pay for.
the background is black...
this is what is says...
Warning!your computer might be infected with spyware or adware!!
strange homepage, popups, loss of important data and unstable functioning are the sure signs that you are infected.
spyware remover overview
-compare,test and choose.
click here for moreyour computer is still vulnerable to new attacks!!!
i dont know much about computers and i need help.. i cant get it off my computer and it is slowing it down like crazy...
i have ad-aware se and spybot search and destroy.. and anti virus software...
i really need help.......
rae
Active Member
 
Posts: 4
Joined: December 16th, 2005, 5:49 pm
Advertisement
Register to Remove

Unread postby Linkmaster » December 16th, 2005, 9:18 pm

Hi rae, Welcome to MalWare Removal !!

Please create a folder on your C:\ drive for HijackThis and give it a name (example:HJT)
Download HijackThis 1.99.1© by Merijn
Unzip it in the folder you just created.
Read this Tutorial on how to post a log !!

After the log is posted I can then begin to help you properly!!
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

reply to need help

Unread postby rae » December 20th, 2005, 9:34 pm

Thanks alot this is the log from the hijackthis..






Logfile of HijackThis v1.99.1
Scan saved at 6:29:53 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\PestPatrol\ppcl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\htj\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/?page=1&refresh=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27136b41-ebd2-4efc-985c-58e91f6a6550} - C:\WINDOWS\system32\bexqtlbp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtst.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PPCL] "C:\Program Files\Common Files\PestPatrol\ppcl.exe" "C:\Program Files\Common Files\PestPatrol\ppcl.ini"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b34120.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZB ... b32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://sympatico.zone.msn.com/bingame/p ... online.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4768170203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4768161593
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramew ... b34246.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames/zp ... b36900.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b31267.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/St ... b35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/C ... Client.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZP ... b36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
rae
Active Member
 
Posts: 4
Joined: December 16th, 2005, 5:49 pm

Unread postby Linkmaster » December 21st, 2005, 8:01 am

I am working on your log. As soon as a MR Staff Member reviews my fix, I will post it for you.
Thank you for being patient
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Linkmaster » December 21st, 2005, 10:16 pm

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aide in our fix :Do Not Run Them Yet

Download VundoFix.exe© by Atribune
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop

Download and install CCleaner© by CCleaner.com

Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Place a shortcut to Panda ActiveScan on your desktop

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via context menu"


Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Close Ewido

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

PCShield
Safeguard Protect


Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this :

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....


At this point press enter one time.
Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:


At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\awtst.dll

Press Enter to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:


At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\tstwa.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items :(if Present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com

O2 - BHO: (no name) - {27136b41-ebd2-4efc-985c-58e91f6a6550} - C:\WINDOWS\system32\bexqtlbp.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtst.dll

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}

O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll


Click Fix Checked

Run CCleaner
NOTE CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner

SETUP
Open CCleaner
DO NOT USE THE ISSUES FEATURE!!!!

On the Windows tab, under Internet Explorer, uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit)
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla

Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program
Put check in box to not show message again.
It will automatically clean.
Close out CCleaner.

Run Ad-AwareSE

Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:

General Button :
Safety & Settings: Check (Green) all three.

Tweak Button :
Cleaning Engine : UNcheck "Always try to unload modules before deletion"

Click Proceed

Click "Scan Now" at left

Deselect : "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.

Select "Search for low-risk threats"

Select "Perform full system scan"

Click Next

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.
**See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close Ewido Security Suite.

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\system32\sfg_73b5.dll
C:\WINDOWS\system32\bexqtlbp.dll
C:\WINDOWS\system32\msctl32.dll


Reboot into Normal Mode

Run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Save the results

Reboot , run HijackThis and post a fresh HijackThis log, vundofix.txt file, Ewido log, and the Panda Active Scan results here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

reply to need help

Unread postby rae » December 21st, 2005, 11:36 pm

do i really need to reboot the computer in safe mode.. cause for some reason when its in safe mode there is just a blank screen with in every coner it says safe mode there are no icon or toolbar/start menu.. you can right click or anything ... i can't do any thing in safe mode... please help....
rae
Active Member
 
Posts: 4
Joined: December 16th, 2005, 5:49 pm

Unread postby Linkmaster » December 22nd, 2005, 8:07 pm

OK lets do this :

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aide in our fix :Do Not Run Them Yet

Download VundoFix.exe© by Atribune
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop

Download and install CCleaner© by CCleaner.com

Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
Close ALL windows except Ad-Aware SE.

Click on the world icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Place a shortcut to Panda ActiveScan on your desktop

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via context menu"


Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Close Ewido

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

PCShield
Safeguard Protect


Run CCleaner
NOTE CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner

SETUP
Open CCleaner
DO NOT USE THE ISSUES FEATURE!!!!

On the Windows tab, under Internet Explorer, uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit)
If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla

Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program
Put check in box to not show message again.
It will automatically clean.
Close out CCleaner.

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Press Ctrl-Alt-Del keys on your keyboard simultaneously

A box will popup and select Task Manager

Click on the Applications Tab

Click on New Task at bottom and Browse to the location of each of the following apps exe or .bat file. You can then run them from there !!

(EXAMPLE : Browse, select Desktop(that is where the Vundo fix is located. The others will probably be in C:\Program Files\), select all files at bottom of window , then open the Vundo Folder, click on the Vundo.bat file)

Open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this :

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....


At this point press enter one time.
Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:


At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\awtst.dll

Press Enter to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:


At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\tstwa.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items :(if Present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com

O2 - BHO: (no name) - {27136b41-ebd2-4efc-985c-58e91f6a6550} - C:\WINDOWS\system32\bexqtlbp.dll (file missing)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtst.dll

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}

O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll


Click Fix Checked

Run Ad-AwareSE

Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:

General Button :
Safety & Settings: Check (Green) all three.

Tweak Button :
Cleaning Engine : UNcheck "Always try to unload modules before deletion"

Click Proceed

Click "Scan Now" at left

Deselect : "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.

Select "Search for low-risk threats"

Select "Perform full system scan"

Click Next

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.
**See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If Ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close Ewido Security Suite.

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\system32\sfg_73b5.dll
C:\WINDOWS\system32\bexqtlbp.dll
C:\WINDOWS\system32\msctl32.dll


Reboot into Normal Mode

Run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Save the results

Reboot , run HijackThis and post a fresh HijackThis log, vundofix.txt file, Ewido log, and the Panda Active Scan results here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby rae » December 23rd, 2005, 1:26 am

hello well here are all the logs

Logfile of HijackThis v1.99.1
Scan saved at 10:18:36 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\PestPatrol\ppcl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\htj\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/?page=1&refresh=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Program Files\Common Files\PestPatrol\ppmcactivedetection.exe "-ini:C:\Program Files\Common Files\PestPatrol\ppmcad.ini"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PPCL] "C:\Program Files\Common Files\PestPatrol\ppcl.exe" "C:\Program Files\Common Files\PestPatrol\ppcl.ini"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MSN Messenger 7.5.lnk = ?
O4 - Global Startup: Windows Messenger.lnk = ?
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b34120.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZB ... b32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://sympatico.zone.msn.com/bingame/p ... online.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 4768170203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4768161593
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramew ... b34246.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames/zp ... b36900.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b31267.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/St ... b35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/C ... Client.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZP ... b36385.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



****************************************
Bazooka Scanner v1.13.03
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 13:12:17.
OS: Windows NT 5.1
Database version: 3.080000
Database format version: 1.020000
Database date: 20050920
Current date: 2005-09-23 13:12


****************************************
Result when scanning:

Internet Optimizer 123.000.003 %ProgramsDir%\Internet Optimizer\
C:\Program Files\Internet Optimizer\
http://www.kephyr.com/spywarescanner/li ... ndex.phtml

ISTBar 122.122.007 %ProgramsDir%\ISTsvc\
C:\Program Files\ISTsvc\
http://www.kephyr.com/spywarescanner/li ... ndex.phtml

PowerScan 070.000.001 %ProgramsDir%\Power Scan\
C:\Program Files\Power Scan\
http://www.kephyr.com/spywarescanner/li ... ndex.phtml

SideFind 695.333.002 %ProgramsDir%\SIDEFIND\
C:\Program Files\SIDEFIND\
http://www.kephyr.com/spywarescanner/li ... ndex.phtml

****************************************
Auto start entries:
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\TELUS eCare\bin\matcli.exe -boot
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\TELUS eCare\bin\matcli.exe -boot
C:\Documents and Settings\Racine Greenwood\Start Menu\Programs\Startup\DESKTOP.INI
C:\Documents and Settings\Racine Greenwood\Start Menu\Programs\Startup\DESKTOP.INI

Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Run entries:
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager

PCShield regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PCShield

KernelFaultCheck C:\WINDOWS\system32\dumprep 0 -k
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck

dla C:\WINDOWS\system32\dla\tfswctrl.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dla

ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ATIPTA

Motive SmartBridge C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Motive SmartBridge

TELUS Security service C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TELUS Security service

AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC

AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC

WinAntiSpyware 2005 C:\Program Files\WinAntiSpyware 2005\was5.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinAntiSpyware 2005

PCShield regsvr32 /s "C:\WINDOWS\system32\sfg_73b5.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PCShield

WebCamRT.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WebCamRT.exe


Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************
Browser helper objects:

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

{3C060EA2-E6A9-4E49-A530-D4657B8C449A} Pop-Up Blocker BHO C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}

{56071E0D-C61B-11D3-B41C-00E02927A304} Form Filler BHO C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}

{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} SafeGuard Protect PCShield C:\WINDOWS\system32\sfg_73b5.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}

{5CA3D70E-1895-11CF-8E15-001234567890} not set C:\WINDOWS\system32\dla\tfswshx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}

{827DC836-DD9F-4A68-A602-5812EB50A834} not set C:\WINDOWS\system32\awtst.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}


****************************************
Toolbars:

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\system32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

{86227D9C-0EFE-4F8A-AA55-30386A3F5686} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}

{EF99BD32-C1FB-11D2-892F-0090271D4F88} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

{4528BBE0-4E08-11D5-AD55-00010333D0AD} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

{4D5C8C25-D075-11d0-B416-00C04FB90376} C:\WINDOWS\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} C:\WINDOWS\system32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

{30D02401-6A81-11D0-8274-00C04FD5AE38} C:\WINDOWS\system32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}

{4528BBE0-4E08-11D5-AD55-00010333D0AD} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

{EFA24E64-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\system32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}


****************************************
All processes:

[System Process]
System
SMSS.EXE
CSRSS.EXE
WINLOGON.EXE
SERVICES.EXE
LSASS.EXE
ati2evxx.exe
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
LEXBCES.EXE
spoolsv.exe
LEXPPS.EXE
EXPLORER.EXE
tfswctrl.exe
MotiveSB.exe
avgcc.exe
avgemc.exe
avgamsvr.exe
avgupsvc.exe
dvpapi.exe
SVCHOST.EXE
wdfmgr.exe
ALG.EXE
SVCHOST.EXE
mpbtn.exe
was5.exe
spywarescanner.exe
Updater.exe

Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php

****************************************
Internet Explorer Settings:

Default_Page_URL http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page http://www.the-exit.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

Search Bar http://red.clientapps.yahoo.com/customi ... earch.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar

Search Page http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.the-exit.com/search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\

SearchAssistant http://www.the-exit.com/search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://www.the-exit.com/search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\

provider yaho
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

Default_Page_URL http://www.dell.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://www.the-exit.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page http://www.the-exit.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

Search Bar http://red.clientapps.yahoo.com/customi ... earch.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

Search Page http://red.clientapps.yahoo.com/customi ... .yahoo.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

SearchURL http://www.the-exit.com/search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchURL

Start Page http://www.msn.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

SearchAssistant http://www.the-exit.com/search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://www.the-exit.com/search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch


****************************************

panda active scan

Incident Status Location

Adware:Adware/WebHancer Not desinfected C:\Program Files\Common Files\PestPatrol\Quarantine\20051127200113.zip[whagent.exe]
Adware:Adware/WebHancer Not desinfected C:\Program Files\Common Files\PestPatrol\Quarantine\20051127200113.zip[whAgent.inf]
Virus:Trj/Downloader.GMI Not desinfected C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI[loadadv458.exe]
Adware:Adware/Secure32 Not desinfected C:\WINDOWS\secure32.html
Spyware:Spyware/Smitfraud Not desinfected C:\WINDOWS\warnhp.html
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:34:10 PM, 12/22/2005
+ Report-Checksum: DF47742B

+ Scan result:

HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnceEx -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnceEx -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuAllUsers -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuCurrentUser -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Application Data\PSGuard.com\P.S.Guard\BrowserObjects -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Racine Greenwood\Cookies\racine greenwood@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Program Files\Common Files\PestPatrol\Quarantine\20051127200113.zip/Program Files/webhancer/programs/whagent.exe -> Spyware.WebHancer : Error during cleaning
C:\Program Files\Common Files\PestPatrol\Quarantine\ppqBA.tmp -> Adware.SAHA : Cleaned with backup
C:\Program Files\Common Files\PestPatrol\Quarantine\ppqBD.tmp -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Program Files\Desktop\loadadv458.exe -> Downloader.PassAlert.c : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\WINDOWS\SYSTEM32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.l : Cleaned with backup


::Report End
rae
Active Member
 
Posts: 4
Joined: December 16th, 2005, 5:49 pm

Unread postby Linkmaster » December 24th, 2005, 5:23 am

rae,
I dont see the Vundo.txt file Could you post it please?
Can you run in Safe Mode now ??
Do you have your Desktop back??

In Normal Mode:

Download smitRem.exe© by noahdfear and save the file to your desktop.
Double- click it to extract it to it's own folder on the desktop.

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

Internet Optimizer
ISTBar
PowerScan
SideFind
winantispyware 2005
PSGuard
WebHancer
Do Not Reboot until ALL have been uninstalled

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run smitRem.exe
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, (usually Local Disk C: or partition where your operating system is installed)

Open Windows Explorer, locate and Delete the following folders in BOLD : (if present)

C:\Program Files\Internet Optimizer
C:\Program Files\ISTsvc
C:\Program Files\Power Scan
C:\Program Files\SideFind
C:\Program Files\winantispyware 2005
C:\Program Files\PSGuard
C:\Program Files\WebHancer


With Windows Explorer still open, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\secure32.html
C:\WINDOWS\warnhp.html


Empty the Pest Patrol quarantine folder

Run CCleaner again

Run Ewido

Reboot to Normal Mode

Open HijackThis
Click on Config... button on bottom right
Click on Misc Tools
Click on Open Uninstall Manager
Click on Save list located on right.
Save the Uninstall_list.txt file to your Desktop

Post a fresh HijackThis log, the smitfiles.txt file, the contents of the Uninstall_list.txt and a fresh Ewido log here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby NonSuch » January 1st, 2006, 11:06 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 39 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware