somebody mind helping me fight this psguard bastard?
angus 0 Newbie Poster
swatkat 14 Practically a Master Poster
Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Next, download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and saves the log file as hijackthis.log in the same folder where it is installed and it also opens the file automatically.
Copy the entire contents of the file and post it here along with Ewido log.
angus 0 Newbie Poster
Thank you for helping out.
Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 13:01:37, on 28.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN-työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094965120464
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 13:00:25, 28.8.2005
+ Report-Checksum: C16DD0C
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
[1064] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[1304] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1420] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1684] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1804] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1672] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[3236] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\!Submit\netdc.exe -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko\Ohjelmat\Käynnistys\netdb.exe -> TrojanDownloader.Small.oc : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate09674169[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate16765412[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate23674169[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate27054709[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate34521416[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate69852103[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate96525894[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\8960875.tmp -> Trojan.Krepper.aj : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Cookies\nicklas@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Cookies\nicklas@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.ku : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\temp.fr32E6 -> Spyware.AdTools : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Temporary Internet Files\Content.IE5\HB9BT9LI\winupdate96525894[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp1E.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp1F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp20.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp21.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp22.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp23.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp25.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp27.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp28.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp29.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2A.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2C.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2D.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp31.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp32.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp36.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp38.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp39.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3A.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3B.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3C.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3D.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp44.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp45.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmpE4.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temporary Internet Files\Content.IE5\CP5I1TXS\an[1].exe -> TrojanDownloader.Small.rr : Cleaned with backup
C:\Documents and Settings\Nicklas\msopt.dll -> TrojanDownloader.Small.kq : Cleaned with backup
C:\Documents and Settings\Nicklas\Työpöytä\musik\uninstall.exe -> TrojanDropper.Agent.hy : Cleaned with backup
C:\Program Files\Internet Explorer\fshhvecx.exe -> TrojanDropper.Small.nn : Cleaned with backup
C:\WINDOWS\dltime.dll -> TrojanSpy.Tofger.aw : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\on-line.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\on-line.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\videobox.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\install.exe -> TrojanDownloader.Small.aha : Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\q1214_1.exe -> TrojanDownloader.Small.kq : Cleaned with backup
C:\WINDOWS\system32\6crvk7yfxuk8y.dll -> TrojanDownloader.Small.rr : Cleaned with backup
C:\WINDOWS\system32\intell32.exe -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\system32\netdc.exe -> TrojanDownloader.Small.oc : Cleaned with backup
C:\WINDOWS\system32\sys10000.exe -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\WINDOWS\system32\sys10001.exe -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\WINDOWS\system32\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.kf : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__sysmain.dll -> Trojan.Krepper.an : Cleaned with backup
C:\WINDOWS\webdlg32.cab/webdlg32.dll -> Spyware.SBSoft : Error during cleaning
C:\WINDOWS\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
::Report End
Edited by happygeek because: fixed formatting
swatkat 14 Practically a Master Poster
Hi,
Download and install Ad-Aware SE and CCleaner, do not run them now.
Make Windows to show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.
Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.
Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Delete these files:-
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\OLEEXT.dll
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\amstxml4.dll
Delete this folder:-
C:\Program Files\PSGuard
Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filename and search for it, if you find it, right-click on it and click delete:-
sysmain.dll
Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
After this, run AdAware, and click the "Start" button (in AdAware) and select the options "Perform full system scan", "Scan for neglible risk entries", and click "Next" to start the scan. When the scan is completed, remove all the things it may find.
Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log.
angus 0 Newbie Poster
Ok, I did as you wrote. But there wasn't any:
C:\WINDOWS\System32\OLEEXT.dll
C:\Program Files\PSGuard
or
sysmain.dll
here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 14:23:08, on 28.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\HJT\HijackThis.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
O3 - Toolbar: MSN-työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094965120464
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
swatkat 14 Practically a Master Poster
Hi,
Log looks clean :D Please post back whether you are experiencing any problems or not, so that i can decide what to do next :)
angus 0 Newbie Poster
Hi,
Log looks clean :D Please post back whether you are experiencing any problems or not, so that i can decide what to do next :)
Thanks again,
Have'nt had any problems for a while now. Looks good so far
swatkat 14 Practically a Master Poster
Hi,
To make sure that everything is clean, you can perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and post back the same.
angus 0 Newbie Poster
Hi,
To make sure that everything is clean, you can perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and post back the same.
Incident Status Location
Adware:adware/cws.searchmeup No disinfected C:\new.exe
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\guardian.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\hookDLL.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\r_process.dll
Dialer:Dialer.NE No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\backup.old
Dialer:dialer.bb No disinfected C:\WINDOWS\system32\dktibs.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\system32\paydial.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.inf
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\system32\winsx.inf
Adware:adware/sbsoft No disinfected C:\WINDOWS\webdlg32.cab
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.inf]
Adware:Adware/Startpage.CN No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.dll]
angus 0 Newbie Poster
hmm, I started having some problems. A message tells me wininet.dll is missing when attempting certain functions and my computer reboots from time to time.
Any ideas?
swatkat 14 Practically a Master Poster
Hi,
Delete these files:-
C:\new.exe
C:\Program Files\Internet Explorer\guardian.dll
C:\Program Files\Internet Explorer\hookDLL.dll
C:\Program Files\Internet Explorer\r_process.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\system32\backup.old
C:\WINDOWS\system32\dktibs.exe
C:\WINDOWS\system32\paydial.exe
C:\WINDOWS\system32\webdlg32.inf
C:\WINDOWS\system32\winsx.inf
C:\WINDOWS\webdlg32.cab
And, next go to Start > Run and type regsvr32 c:\windows\system32\wininet.dll and press ENTER key. After this, restart the system. Check whether you receive the "Wininet.dll missing" errors, and post back the results.
angus 0 Newbie Poster
hey,
I couldnt delete the following though:
C:\new.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\system32\dktibs.exe
C:\WINDOWS\system32\paydial.exe
should I try it in safemode?
swatkat 14 Practically a Master Poster
Hi,
Yes, you can try deleting them in safe mode. If they dont get delted, then you can use KillBox to delete them.
(In KillBox, select the options "End Explorer while killing file" and "Standard file kill" and then provide the path of the file to be deleted and click the button with a Cross mark to delete the file)
angus 0 Newbie Poster
Hey,
Got the files deleted in Killbox and I followed the steps you told me to. Im still getting the errormessage about the misssing wininet.dll.
I have downloaded wininet.dll from www.dll-files.com, is it just a matter of putting it in its right place?
Thanks for sticking with this computer caveman.
swatkat 14 Practically a Master Poster
Hi,
Lets use the built-in System File Checker feature first to check and restore the system files. Go to Start > Run and type:-
sfc /scannow
and press ENTER key. This brings up the SFC dialog box which scans the PC for altered/missing system files and restores the original one.
(Note that there is a SPACE between sfc and /)
You can get more info on SFC here : http://www.updatexp.com/scannow-sfc.html
angus 0 Newbie Poster
hey,
I ran the sfc /scannow, but the problem is still there: missing wininet.dll
what now?
swatkat 14 Practically a Master Poster
Hi,
Copy this text C:\WINDOWS\system32\dllcache and paste it in the "Address bar" of My Computer and press ENTER key. This should open the dllcache folder in System32 directory. Here, there will be a backup of Wininet.dll file, copy this and paste it in C:\Windows\System32 folder. Restart the PC, and check if the error occurs or not.
angus 0 Newbie Poster
hmm,
There is no wininet.dll in the dllcache folder.
I think Im losing it here :eek:
swatkat 14 Practically a Master Poster
:oops: Sorry, try pasting the DLL file downloaded from the website, and restart the PC, and check whether the error reoccurs.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.