Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Popups, trojans, on Win XP

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Popups, trojans, on Win XP

Unread postby Sean_Claude » June 13th, 2005, 8:00 pm

On Windows XP, popups, trojans. Run Spyware S&D, and
Trojan Hunter, many Trojans removed. First problem is a
cycling of Windows Explorer popup error mesage and must
close, need to close it every minute or computer freezes.
Then can continue on another window, which I am writing
here. Following is my log, thanks for any help, Claude.


Logfile of HijackThis v1.99.1
Scan saved at 4:46:59 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vavmun.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\windows\system32\jeinpr.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteozi32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{FF640711-108F-4395-A95A-D46DC730FD9B}\SVCHOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [glagig] c:\windows\system32\dmjkov.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\system32\Services\{FF640711-108F-4395-A95A-D46DC730FD9B}\SECURITY.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vavmun.exe reg_run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qfiwif] c:\windows\system32\jeinpr.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q8421078_disk.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm
Advertisement
Register to Remove

Unread postby dobhar » June 13th, 2005, 8:26 pm

Hi sean_claude

My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.

If you have any questions post them back in this thread do not start another.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » June 14th, 2005, 12:19 am

Hi Sean_Claude...

You've got quite a few "Nasties"...Let's get started...

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
___________________________________

Step 1.
==========

- Open the Control Panel then double click on Add or Remove Programs
- Look for the following and uninstall them if found:
WebSearch Toolbar

Step 2.
==========

- Please download the trial version of Ewido Security Suite from here
- Install ewido security suite...
* Launch ewido...there should be an icon on your desktop double-click it
* When you run ewido for the first time, you could get a warning "Database could not be found!". Click OK
* The program will prompt you to update click the OK button
* The program will now go to the main screen
- You will need to update ewido to the latest definition files
* On the left-hand side of the main screen click Update button
* Click on Start
- The update will start and a progress bar will show the updates being installed
- Once finished updating close ewido
(Note: Do NOT run a scan yet)

Step 3.
==========

- Please download Nailfix from here
- Extract\Unzip it to the Desktop
(Note: Do NOT run it yet as it has to be run in "Safe Mode")

Step 4.
==========

Reboot your computer into "Safe Mode":
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 5.
==========

We need to make sure all hidden files are showing so please:
  • Open "My Computer".
  • Click on "Tools" and from the drop down menu select "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
  • UNCHECK the "Hide file extensions for known types option".
  • UNCHECK the "Hide protected operating system files (recommended) option".
  • Click "Yes" to confirm.
  • Click "OK".
Step 6.
==========

- Please double-click on the Nailfix.cmd file on your Desktop
- Your desktop and icons will disappear and reappear, and a window should open and close very quickly <==Don't worry about this, it is normal

Step 7.
==========

- Please start Ewido Security Suite, and run a full scan
* Click on Scanner
* Make sure the following boxes are checked before scanning:
Binder
Crypter
Archives

* Click on Start button to start the scan process
* Let the program scan the machine
- While the scan is in progress you will be prompted to clean files, click OK to proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save Report
* Click Save Report button
* Save the report to your Desktop
- Close ewido

Step 8.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [glagig] c:\windows\system32\dmjkov.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qfiwif] c:\windows\system32\jeinpr.exe r
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


- Click the "Fix checked" button

Step 9.
==========

Delete the following file(s) and folder(s) in BOLD only. (Don't be concern if they do not exist but advise what files could not be found)
C:\WINDOWS\systb.dll <<<= Delete This File
C:\windows\system32\dmjkov.exe <<<= Delete This File
C:\WINDOWS\wupdt.exe <<<= Delete This File
C:\windows\system32\jeinpr.exe <<<= Delete This File

C:\Program Files\Ebates_MoeMoneyMaker <<<= Delete This Folder


Step 10.
==========

We now need to cleanup all the Temp files and such
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are selected then click OK
- When done close "Disk Cleanup"

- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <= Not the Prefetch folder itself

Step 11.
==========

- Restart your computer into "Normal Mode"
- Post a fresh new HijackThis log
- Post the Ewido scan log
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Sean_Claude » June 14th, 2005, 1:41 pm

Thanks for all info. But am having trouble getting started, can't
get to control panel. It does not pop up, but instead get an error
message = "DrWatson Postmortem Debugger has encountered a
problem and needs to Close" Thanks
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby dobhar » June 14th, 2005, 1:50 pm

Hi...

Skip step one and go on to Step 2.
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Results after doing all your instructions

Unread postby Sean_Claude » June 15th, 2005, 8:37 pm

Am amazed how much better it is working. :shock:
Thanks alot, you did an amazing job.

Now for the particulars=
When I run the Ewido Suite, there were many files to delete,
it took several hours, but it seemed to shut down, or recycled
another error message and did not get to save a report. So I
don't have a report for you.
If you have any more instructions, just let me know.
Thanks alot.

Here is my Hijack Log after reboot=

Logfile of HijackThis v1.99.1
Scan saved at 5:25:33 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [rkrgmx] c:\windows\system32\vboemkf.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q8421078_disk.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby dobhar » June 16th, 2005, 12:45 am

Hi Sean_Claude

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________

Step 1.
==========

- Download the "smitfraud.reg" file from here
- Save it to your Desktop
(Note: Do not run this reg file yet)

Step 2.
==========

- Download the Killbox by Option^Explicit from here
- In the event you already have Killbox, this is a new version that I need you to download
- Unzip it to the desktop
(Note: Do not run this program yet)

Step 3.
==========

We need to uninstall a few programs
- Get into Control Panel then Add or Remove Programs
- Remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid

Exit Add or Remove Programs
(Note: If any problems go on with the rest of the steps)

Step 4.
==========

We need to make sure all hidden files are showing...
- Open "My Computer"
- Click on "Tools" and from the drop down menu select "Folder Options"
- Select the "View" tab
- Under the "Hidden files and folders" heading SELECT "Show hidden files and folders"
- UNCHECK the "Hide file extensions for known types option"
- UNCHECK the "Hide protected operating system files (recommended) option"
- Click "Yes" to confirm
- Click "OK"

Step 5.
==========

- Copy all of the file paths below (in Red) and paste them into Notepad
- Start Killbox
- Select "Delete on Reboot"
- Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C..

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\q8421078_disk.dll


- Return to Killbox, go to the File menu, and choose "Paste from Clipboard"
- Click the red-and-white "Delete File" button
- Click "Yes" at the Delete on Reboot prompt
- Click "No" at the Pending Operations prompt
(Note: If your computer does not restart automatically, please restart it manually and go into Safe Mode)

Step 6.
==========

Reboot computer into "Safe Mode" Using the F8 method...
- Restart the computer
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
- Press the Enter key
(Note: For additional help in booting into Safe Mode, see the following site here)

Step 7.
==========

- Close all Windows and programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...
O4 - HKLM\..\Run: [rkrgmx] c:\windows\system32\vboemkf.exe r
O9 - Extra button: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {78586410-51F2-4983-8430-49AE3BE3ED99} - (no file) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q8421078_disk.dll (file missing)

- Click the "Fix checked" button...

Step 8.
==========

Delete the following file(s) and folder(s) in BOLD only, if found (please do NOT try to find them by "search" because they will not show up that way)
C:\windows\system32\vboemkf.exe <<<=Delete This File

C:\Program Files\Search Maid <<<= Delete This Folder
C:\Program Files\Virtual Maid <<<= Delete This Folder
C:\Windows\System32\Log Files <<<= Delete This Folder
C:\Program Files\Security IGuard <<<= Delete This Folder

Step 9.
==========

- Reboot your computer into "Normal Mode"

Step 10.
==========

- Double-click on the "smitfraud.reg" file I had you save to your desktop
- When asked if you would like to merge the data, click on the Yes button

Step 11.
==========

- Download the Hoster from here to your Desktop
- Extract\Unzip to your Desktop
- Run program
- Press "Restore Original Hosts" and press "OK"
- Exit Program

Step 12.
==========

- Right-Click on DelDomains.inf
- Select "Save Target As" in order to download DelDomains.inf to your desktop
- To use just right-click DelDomains.inf and select Install (no need to restart)
(Note: This will remove all entries in the "Trusted Zone" and "Ranges" also)

Step 13.
==========

We now need to cleanup all the Temp files, Temporary Internet Files, Recycle Bin, etc...
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Select the drive you want to clean up. The default will be C:
- Disk Cleanup will calculate the free space on your computer, which may take a few minutes
- After the calculation is complete, confirm that only the following checkboxes are checked:
Temporary Internet Files
Recycle Bin
Temporary (Temp) Files

- Click OK and Yes when prompted to delete files. Disk cleanup will delete the files and close automatically when finished.

- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <= Not the Prefetch folder itself

Step 14.
==========

Reboot your computer

Step 15.
==========

- Run this online virus scan from Panda from here
- Save the results from the scan!

Step 16.
==========

- Post a new fresh HiJackThis log
- Post the results from Panda
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Sean_Claude » June 17th, 2005, 11:42 pm

Hi, did everything you said, on the following step 8, only
found one file the Log file.

Delete the following file(s) and folder(s) in BOLD only, if found (please do NOT try to find them by "search" because they will not show up that way)
C:\windows\system32\vboemkf.exe <<<=Delete This File

C:\Program Files\Search Maid <<<= Delete This Folder
C:\Program Files\Virtual Maid <<<= Delete This Folder
C:\Windows\System32\Log Files <<<= Delete This Folder
C:\Program Files\Security IGuard <<<= Delete This Folder

The wallpaper screen is different now, it is red with a flashing
Danger Spyware letters.

Here is the Panda scan results=

Incident Status Location

Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\cache32_rtneg?
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/IEPlugin No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/Searchforit No disinfected C:\Program Files\sf
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free Cell Phone.ico
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb
Adware:Adware/SearchTheWeb No disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\555[1].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\555[2].ani
Virus:Exploit/MIE.CHM No disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\files[1].htm
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[1].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[2].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[3].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\ZEJ1HZSJ\sploit[1].anr
Virus:Exploit/HHelp Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\ZEJ1HZSJ\start[1].htm.tcf
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Parser.class]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\wuiq\wuiqd\wuiqc.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\gbcohj.exe
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\Cache\876004.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\Cache\Pop1.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe.tcf
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free Cell Phone.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free LapTop Computer.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free Ringtones!.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free Sony Playstation.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free U2 iPod.ico
Virus:Trj/Agent.SA Disinfected C:\WINDOWS\system32\msvcrta.dll
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\NBA Giveaway.ico
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll.tcf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\WinNB57.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin

-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:29:18 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby dobhar » June 18th, 2005, 1:05 am

Hi Sean_Claude...

Your doing a great job. :D How is your computer running??

Just a few more things to do...

Step 1.
==========

Locate and delete "C:\WINDOWS\Web\desktop.html " <<<=This File
(Note: if you can't delete it you may have to delete it in Safe Mode)

Step 2.
==========

- Get into Control Panel and double click "Display"
- Click on the "Desktop" tab then click "Customise Desktop..."
- Click on the "Web" tab
- Under "Web pages" look for a check box and "Security"
- If found, Highlight (select) "Security" and click on "Delete"
(Note: You should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit)

Step 3.
==========

Going to get you to run the ewido scanner again but this time I need you to do a couple items first...
- Using the instructions from here please disable System Restore, reboot, re-enable System Restore, and create a new fresh install point (very important).
- After creating that new restore point reboot your computer into "Safe Mode"
- Try running ewido again and see how it runs

Step 4.
==========

- Reboot back into "Normal Mode"
- Download, install, setup, and run Ad-aware SE 1.06 and Spybot S&D 1.4 per the instructions found http://www.malwareremoval.com/forum/viewtopic.php?t=13
(Note: If you already have Ad-aware and Spybot make sure they are updated, setup per instructions in link, and re run)

Step 5.
==========

Run these Online Virus\Trojan scans...Let them fix whatever they find
TrendMicro Housecall
Trojan Scan

Step 6.
==========

Please post back results of ewido scan and a fresh new HJT log.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Sean_Claude » June 18th, 2005, 1:57 pm

Hi Dobhar,
The computer is running alot better
and faster. Thanks

Step 1.
==========
Locate and delete "C:\WINDOWS\Web\desktop.html " <<<=This File
"I could not find this file under the Web folder."

Also I have to be out of town & away from this computer
from the 19th to the 24th. Just so you know, that I will
not beable to respond until after the 24th :(
Thanks for all the help so far. Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby dobhar » June 18th, 2005, 2:27 pm

Hi Sean_Claude...

Just continue on with the rest of the steps in order then. :)

Talk to you when you get back... :D
Last edited by dobhar on June 19th, 2005, 12:47 am, edited 1 time in total.
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Sean_Claude » June 19th, 2005, 12:36 am

Thanks alot
Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby dobhar » June 25th, 2005, 3:48 pm

Hi Sean_Claude...

Are you back yet? How about a status?
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby Sean_Claude » June 25th, 2005, 6:25 pm

hi Dobhar,
Back and 3/4 the way thru your instructions.
post results soon. :)
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Sean_Claude » June 25th, 2005, 11:33 pm

Hi,
I have did everything you said so far. When I run the
ewido scan, I saved the report, but can't find it now
under Ewido Reports folder. It cleaned several files, though.
Claude
ps Computer is working better with no popups
and the wallpaper can be set to what you want.

Here is my Log=

Logfile of HijackThis v1.99.1
Scan saved at 8:25:10 PM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 382 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware