Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HELP!: the Curiously Tough SpyTrooper/PSGuard Hijacker

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HELP!: the Curiously Tough SpyTrooper/PSGuard Hijacker

Unread postby otiseversole » November 2nd, 2005, 5:52 pm

Hi! Yes, I have the terrible, horrible, no-good, very-bad virus that displays pop-ups and a Explorer startup page that looks like a page from Windows Security Center. I have run ad-aware, s&d, microsoft anti-spy, the latest symantec defs, some of which recognize the psguard stuff but can't keep it cleaned out. HELP! Here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:41 PM, on 11/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\OtisE\Desktop\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\system32\hpFF17.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Go!Zilla] "C:\Program Files\Go!Zilla\gozilla.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gracehospice.com
O17 - HKLM\Software\..\Telephony: DomainName = gracehospice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gracehospice.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Please help... I can't get rid of this thing. I even wrote psguard.com asked how much the ransom was. They blamed it on an unethical affiliate.
otiseversole
Regular Member
 
Posts: 20
Joined: November 2nd, 2005, 5:21 pm
Advertisement
Register to Remove

Unread postby dobhar » November 2nd, 2005, 7:24 pm

Hi...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Please do not start another Thread\Topic.

Thank You,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » November 2nd, 2005, 8:38 pm

Hi otiseversole...

Lets' get to it...
_________________________________________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) availble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________________________________________________

Step 1.
==========

We first need to temporarily disable Microsoft Antispyware as it may interfer with our "Fixes"
- Open "Microsoft AntiSpyware"
- Click on "Options" then select "Settings"
- In left-hand window click on "Real-time Protection"
- Under "Startup Options" de-select\uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)"
- Under "Real-time spyware threat protection" de-select\uncheck "Enable real-time spyware threat protection (recommended)"
- Click "Save button to save your changes
- Close Microsoft AntiSpyware
- Right-click on the "Microsoft AntiSpyware" icon on the taskbar
- Select "Shutdown Microsoft AntiSpyware"
- Click Yes at next window
(Note: After all of the fixes are complete it is very important that you enable Real-time Protection again)

Step 2.
==========

- Please download and install CCleaner from here
(Note: DO NOT run this yet!)

Step 3.
==========

Please download Ewido Security Suite from here.
(Note: As this is a trial version, after the 14 day trial period has expired Ewido will lose some functionality with it. Ewido will then will work as an On-Demand program, make sure to check for updates regularly).
- Install Ewido
- When installing the program, under "Additonal Options" uncheck...
* Install background guard
* Install scan via context menu
- Launch ewido, there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you MAY get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files:
* On the left hand side of the main screen click "Update".
* Then click on "Start Update".
- The update will start and a progress bar will show the updates being installed. (Note: the status bar at the bottom will display "Update successful")
- Close Ewido.
(Note: If you are having problems with the updater, you can manually update ewido from here)

Step 4.
==========

- Download smitRem.exe (by noahdfear) from here and save the file to your desktop.
- Double-click on the file to extract it to it's own folder on the desktop.
(Note: Do NOT run this yet!)

Step 5.
==========

If you have not already installed Ad-Aware SE 1.06, please follow the download and setup instructions below, otherwise, just check to for updates to program:
Ad-Aware SE setup instructions (by rstones12) can be found here
(Note: Please do NOT run it yet!)

Step 6.
==========

- Reboot computer into "Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the PC Hell tutorial here)

Step 7.
==========

We need to make sure all Hidden Files are showing so please:
* Open "My Computer" then click on "Tools" and from the drop down menu select "Folder Options".
* Select the "View" tab.
* Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
* UNCHECK the "Hide file extensions for known types option".
* Click "Yes" to confirm.
* Click "OK"

Step 8.
==========

- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)


- Click the "Fix checked" button...
- Close HijackThis

Step 9.
==========

We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the Run Cleaner button in the lower right-hand corner
- After complete close program
- Empty Recycle Bin

Step 10.
==========

- Open the smitRem folder, then double click the RunThis.bat file to start the tool
- Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
(Note: The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.)

Step 11.
==========

- Start Ad-aware SE 1.06 and do a full scan
- Remove all it finds

Step 12.
==========

- start Ewido Security Suite
- Click on "Scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
- Click on "Complete System Scan", the scan will now begin.
- While the scan is in progress you will be promted to clean files, click "OK".
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose "Clean" and click "OK".
- Once the scan has completed, there will be a button located at the bottom of the screen named "Save Report".
- Click "Save Report".
- Now save the report .txt file to your desktop.
- Close Ewido.

Step 13.
==========

- Get into Control Panel and double-click Display
- Select\click the Desktop tab
- Click the Customize Desktop button
- Select\click the Web and deselect\Uncheck "Security Info" if present
- Close Display Properties

Step 14.
==========

- Reboot your computer back into "Normal Mode"
- Run Panda ActiveScan's online virus scan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your Valid Email
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results in your next reply

Step 15.
==========

- Post back a fresh new HijackThis log
- Post back the contents of the "smitfiles.txt"
- Post back the Ewido scan log
- Post the log from Panda Scan
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby otiseversole » November 3rd, 2005, 12:19 pm

dobhar! Thank you for your help! Everything seems to be fine at this point but I look to you for the final word.

Notes:
Step 9. CCleaner indicated that it removed a lot of files but there was nothing in the recycle bin.
Step 12. Ewido reported no infected objects.
Step 13. The "Security Info" option was not present.
Step 14. Panda found no viruses or malicious software.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:07:10 AM, on 11/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\OtisE\Desktop\hjt\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Go!Zilla] "C:\Program Files\Go!Zilla\gozilla.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gracehospice.com
O17 - HKLM\Software\..\Telephony: DomainName = gracehospice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gracehospice.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

smitfiles.txt:

smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 11/03/2005
The current time is: 9:28:50.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key present!



Running LTDFix/PSGuard.com fix!



PSGuard.com key was successfully removed! :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


Ewido scan log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:37:51 AM, 11/03/2005
+ Report-Checksum: 31A45C09

+ Scan result:

No infected objects found.


::Report End

No Panda scan report.

In short, it appears that everything is calm and the birds can nest again. I look forward to your thoughts. You are my God!
otiseversole
Regular Member
 
Posts: 20
Joined: November 2nd, 2005, 5:21 pm

Unread postby dobhar » November 3rd, 2005, 3:32 pm

Hi Otiseversole...

Nice job...your log is clean :)

I do have some recommended Program removals in which you will have to make a decision whether you still wnat to run the software...
(1) Viewpoint - Viewpoint components are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto‑updating for the Viewpoint Manager" the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

(2) Go!Zilla - Per the links below...
- http://castlecops.com/s1337-gozilla_exe.html
- http://www3.ca.com/securityadvisor/pest ... =453075465
- http://www.windowsstartup.com/wso/detail.php?id=1042

If you decided to remove the 2 programs then follow the steps below. If you decided to keep the 2 programs then Skip the steps below...You are done. I have posted my {All Clean} speech below for you.
_________________________________________________________________

Step 1.
==========

We first need to temporarily disable Microsoft Antispyware as it may interfer with our "Fixes"
- Open "Microsoft AntiSpyware"
- Click on "Options" then select "Settings"
- In left-hand window click on "Real-time Protection"
- Under "Startup Options" de-select\uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)"
- Under "Real-time spyware threat protection" de-select\uncheck "Enable real-time spyware threat protection (recommended)"
- Click "Save button to save your changes
- Close Microsoft AntiSpyware
- Right-click on the "Microsoft AntiSpyware" icon on the taskbar
- Select "Shutdown Microsoft AntiSpyware"
- Click Yes at next window
(Note: After all of the fixes are complete it is very important that you enable Real-time Protection again)

Step 2.
==========

We need to uninstall some programs using "Add or Remove Programs" in the Control Panel:
  1. Get into Control Panel.
  2. Double-click "Add or Remove Programs".
  3. Look in the Currently installed programs box for each program listed below and if it is there:
    1. Click on it to select it.
    2. Click Change (or Change/Remove) button.
    3. If you are prompted to confirm the removal of the program, click "Yes"
Go!Zilla
Viewpoint


Step 3.
==========

- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Go!Zilla] "C:\Program Files\Go!Zilla\gozilla.exe" /tray


- Click the "Fix checked" button...
- Close HijackThis

Step 4.
==========

Delete the following Folder(s) in BOLD only. (Note: Don't be concern if can't find but advise if not found)
Folder(s)...
C:\Program Files\Go!Zilla <<<= Delete This Folder
C:\Program Files\Viewpoint <<<= Delete This Folder

Step 5.
==========

- Re-enable Microsoft Antispyware
_________________________________________________________________

{ALL CLEAN}

I can find nothing bad listed so I'm also posting my standard {All Clean} speech below. It has good information and some recommended tools (Recommended by all who deal with Spyware Nasties). Tools like SpywareBlaster => SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Definitley recommended!!
____________________________________

The last thing I need you to do is to reset your "Hidden files and folders". System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion...
- Open "My Computer".
- Click on "Tools" and from the drop down menu select "Folder Options".
- Select the "View" tab.
- Under the Hidden files and folders heading UNSELECT "Show Hidden files and folders".
- CHECK the "Hide protected operating system files (recommended) option".
- Click "Yes" to confirm.
- Click "OK".
___________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore or Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources
  4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware
  10. Install IE-SPYAD - IE-SPYAD adds a list of sites and domains associated with advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. A tutorial on installing & using IE-SPYAD can be found here:
    Using IE-Spyad to enhance your privacy and security
  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby otiseversole » November 3rd, 2005, 4:08 pm

Thank you so very much! I'm going to follow all your recommendations to the letter.

Many, many thanks!

Otis Eversole
otiseversole
Regular Member
 
Posts: 20
Joined: November 2nd, 2005, 5:21 pm

Unread postby dobhar » November 3rd, 2005, 4:14 pm

Hi Otis...

No problem...Very glad to help out... :D

Take care and surf safely... :)
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby NonSuch » November 10th, 2005, 12:58 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 296 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware