Author Topic: Winhound  (Read 6862 times)

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« on: December 15, 2005, 10:27:53 PM »
Like others here, one of my computers has become infected with WinHound and SpySheriff, but my problem goes beyond this.

I cannot access the Internet now. I get error messages every time I try to open Internet Explorer, and I don't have Mozilla. I know there are ways to get rid of these programs, but since I can't get into Internet Explorer I can't do any of it. Can anyone here help me?

The error message I get is "Cannot find 'file://C:/WINDOWS/blank.mht'. Make sure the path or Internet address is correct."  

Then I get this message

"The instruction at "0x76f6110c" referenced memory at "0x00000008". The memory could not be "read". Click on OK to terminate the program"
« Last Edit: December 15, 2005, 10:33:24 PM by Miromc »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #1 on: December 15, 2005, 10:35:35 PM »
How are you accessing the Internet right now?

You can download Mozilla Firefox installer to this machine and transfer it to the other computer
http://www.mozilla.com/firefox/



By the way, I'll need to see a HijackThis log also.
Here are the instructions:

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #2 on: December 15, 2005, 10:36:05 PM »
[quote name='guestolo' post='77318' date='Dec 15 2005, 10:31 PM']How are you accessing the Internet right now?

You can download Mozilla Firefox installer to this machine and transfer it to the other computer
http://www.mozilla.com/firefox/[/quote]


I'm accessing the Internet from my other computer.  

How do I download the Mozilla installer to this one, but install it on the other PC?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #3 on: December 15, 2005, 10:40:53 PM »
You can download the Firefox installer to the machine with Internet access.

Then, if you have a USB thumb drive or a CD burner,
you can transfer it to the computer that has no Internet access in IE.
Copy and paste the Firefox installer to the desktop of the computer having problems.
Double click to install.
Follow the prompts.

Once you have access to the Internet, come back here and post a HijackThis log.

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #4 on: December 15, 2005, 10:47:47 PM »
Here is my log.  

Logfile of HijackThis v1.99.1
Scan saved at 10:45:07 PM, on 12/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\kernels64.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\sywsvcs.exe
C:\winstall.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\DOCUME~1\CHERYL~1\LOCALS~1\Temp\dmxB4.tmp
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\sachostb.exe
C:\WINDOWS\System32\sachosts.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Cheryl McHugh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels64.exe
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\apwiz.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g503273.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #5 on: December 15, 2005, 10:54:23 PM »
I'm confused; it looks like you're running Internet Explorer to post the HijackThis log?

Can you now do the following:
Open HijackThis >> Open Misc Tools section >> Open Uninstall Manager >>
Click the SAVE LIST button.
Save the list to a convenient location, then copy and paste the whole contents back here.

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #6 on: December 15, 2005, 11:00:19 PM »
Here is the list.

Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
ALPS Touch Pad Driver
AOL
ArcSoft Camera Suite
ArcSoft Panorama Maker 3.0
ATI Control Panel
ATI Display Driver
Best Search Engine!!!
Broadcom Advanced Control Suite
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Dell Modem-On-Hold
Dell Solution Center
Dell Support 5.0.0 (766)
DVDSentry
Easy CD Creator 5 Basic
HijackThis 1.99.1
hp instant support
HP Memories Disc
HP Photo and Imaging 1.1 - Photosmart Cameras
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photo and Imaging 2.0 - Photosmart Printer Series
HP Software Update
Internet Update
InterVideo WinDVD
Logitech MouseWare 9.70
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Modem Helper
Mozilla Firefox (1.5)
Nikon View 6
Odyssey Client
PCTEL 2304WT V.92 MDC Modem Drivers
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Photosmart 140,240,7200,7600,7700,7900 Series
QuickSet
QuickTime
RealPlayer Basic
Simply Accounting 2004 Basic
SpySheriff
Viewpoint Media Player (Remove Only)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q818966
Wireless-G Notebook Adapter

I know SpySheriff is on the list. When I uninstall it, it keeps coming back. I could go into MSCONFIG and get rid of this, but that seems like a temporary fix, not a permanent one.

I did run Mozilla when I did everything. Does the fact that I just unzipped HijackThis to the desktop alter anything?
« Last Edit: December 15, 2005, 11:02:32 PM by Miromc »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #7 on: December 15, 2005, 11:08:24 PM »
Are you trying to disable anything else with Msconfig?
I don't want you to do this at this time; I want to see everything.
Please go back into msconfig and under the STARTUP tab enable all.
Under the General tab >> Select Normal startup.
Click Apply >> Close.
But don't reboot the computer yet.

Instead, come back here and post a fresh HijackThis log, then we'll start getting some tools to fix your problems.

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #8 on: December 15, 2005, 11:12:23 PM »
Everything is applied. Sorry if I worded it wrong.

I had some of it disabled, but when I did the scan I went into it and enabled everything, so the logs are correct.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #9 on: December 15, 2005, 11:15:11 PM »
Okay, good. Can you relax for a bit?
I won't be long, but I just have company at the door; they'll be here for about an hour or so.
Then I'll come back and look over your log and post some instructions.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #10 on: December 16, 2005, 01:49:11 AM »
I'm going to get you to download a few tools.
You don't have any of these, so I want to make sure you run them and then you can get back to me; most users will have Spybot and Ad-Aware installed.
You don't have any spyware removal tools.
You can hold onto most of these afterwards too.

It may look like a bit of work, but most scans don't take that long.

Here are the tools we're going to run

A few special tools
==Download CWShredder.exe and save it to your desktop
Don't run it yet

==Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

==Download Win32delfkil.exe
Save it on your desktop.

Some tools to run and hold onto:
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and Install Ad-Aware SE Personal 1.06

Open Ad-Aware, make sure to click the Check for updates now link and Connect to download the latest updates.
Ensure Ad-Aware is updated, but don't run a scan yet.

==Download and Install Spybot 1.4 from
HERE
 or HERE
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Close it out for now, we'll need it later

=Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/


Now that we have the tools, let's try some fixes on this machine

Please save these instructions to a Notepad file and save it to your Desktop for reference,
or print them out!


Double click on win32delfkil.exe and install it ("installeren"). This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

Follow the prompts and perform exactly as mentioned in the screen!
The computer should reboot afterwards

Back in windows
Double click on CWShredder.exe
Run the FIX part of it, let it fix what it finds
When it's done

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

In safe mode, find and delete this folder if found
C:\Program Files\WinHound <-this folder

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do another "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels64.exe
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\apwiz.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker011.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb011.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb011.dll

O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe

O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g503273.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

Please Reboot the computer at this time, try and reboot back to SAFE MODE
Back in Windows
Open Ad-Aware Se personal 1.06
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

At this time restart back to Normal mode

Back in Windows

I need to see a few logs please
Try and supply them all

1. Post a fresh Hijackthis log
2. The full report from Ewido's
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt
4. Post the report from win32delfkil >> C:\windelf.txt
« Last Edit: December 16, 2005, 01:50:34 AM by guestolo »

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #11 on: December 16, 2005, 04:05:42 AM »
I'll post everything probably around 1 am EST tomorrow. My battery just died on me when (after waiting an hour) I was doing the Ewido scan. It's now 4 am, and I have to go to work tomorrow afternoon, so I probably won't have time to work on this until after midnight.

Offline Miromc

  • Newbie
  • Posts: 34
  • Karma: +0/-0
Winhound
« Reply #12 on: December 16, 2005, 02:35:26 PM »
Here is the HiJackThis Log.

Logfile of HijackThis v1.99.1
Scan saved at 2:31:36 PM, on 12/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g178466.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




Ewido Scan (second one (after the battery died))
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:17:27 PM, 12/16/2005
 + Report-Checksum:      48BA57D7

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} -> Spyware.SimpleBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77} -> Spyware.SimpleBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.activator.1 -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.ParamWr.1 -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\ZToolbar.StockBar.1 -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\CLSID -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
   HKU\S-1-5-21-3222761670-2276315923-441188155-1006\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
   [232] C:\WINDOWS\system32\msupdate32.dll -> Proxy.Delf.al : Cleaned with backup
   [884] C:\WINDOWS\System32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
   C:\birdihuy32.dll -> Proxy.Small.ct : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023632.dll -> Proxy.Small.ct : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023633.exe -> Downloader.Small.bfy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023634.exe -> Logger.Goldun.fq : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023635.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023636.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023637.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023638.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023639.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023640.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023641.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023642.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023643.exe -> Dropper.Agent.aax : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023644.dll -> Downloader.Agent.zi : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023645.exe -> Dropper.Agent.aax : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023646.exe -> Backdoor.Agent.px : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023647.dll -> Logger.Goldun.fr : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023648.dll -> Downloader.Small.ajp : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023649.dll -> Trojan.Spabot.t : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023650.exe -> Proxy.Lager.f : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023651.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023652.exe -> Trojan.Inject.i : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023653.dll -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023654.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023655.exe -> Dropper.Small.wp : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023656.exe -> Downloader.Small.cap : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023657.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023658.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023659.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023660.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023661.exe -> Worm.Locksky.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023662.exe -> Proxy.Lager.f : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023663.dll -> Downloader.Small.avw : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023664.exe -> Dropper.Agent.ri : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023665.exe -> Downloader.Small.bwr : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023666.exe -> Dropper.Small.aih : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023667.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023668.exe -> Downloader.Small.bxc : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023669.exe -> Dropper.Agent.abu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023670.exe -> Downloader.Small.bho : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023671.dll -> Downloader.Agent.pi : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023672.dll -> Spyware.Zbar : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023676.dll -> Proxy.Delf.al : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023677.dll -> Proxy.Small.ct : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023678.exe -> Downloader.Small.atl : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023679.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023680.dll -> Trojan.Small.ev : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023704.dll -> Proxy.Small.ct : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023705.dll -> Downloader.Agent.zi : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023725.dll -> Adware.SpySheriff : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023727.dll -> Spyware.SpywareNo : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023728.dll -> Adware.SpySheriff : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023730.exe -> Adware.SpySheriff : Cleaned with backup
   C:\WINDOWS\g178466.dll -> Downloader.Delf.zu : Cleaned with backup
   C:\WINDOWS\SYSTEM\svchost.exe -> Dropper.Agent.aax : Cleaned with backup
   C:\WINDOWS\SYSTEM\svwhost.exe -> Backdoor.Agent.px : Cleaned with backup
   C:\WINDOWS\SYSTEM32\41.dl_ -> Trojan.Spabot.t : Cleaned with backup
   C:\WINDOWS\SYSTEM32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
   C:\WINDOWS\SYSTEM32\msupdate32.dll -> Proxy.Delf.al : Cleaned with backup
   C:\WINDOWS\SYSTEM32\qvxgamet3.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\WINDOWS\SYSTEM32\qvxgamet4.exe -> Downloader.Small.aqu : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxgame1.exe -> Dropper.Agent.ri : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxgamet3.exe -> Dropper.Agent.abu : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxgamet4.exe -> Downloader.Small.bpz : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe -> Downloader.Small.bho : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe -> Downloader.Small.atl : Cleaned with backup
   C:\WINDOWS\SYSTEM32\zolker011.dll -> Downloader.Agent.pi : Cleaned with backup
   C:\WINDOWS\SYSTEM32\ztoolb011.dll -> Spyware.Zbar : Cleaned with backup


::Report End


Smitfiles Log

   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/16/2005
The current time is: 12:27:16.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Install.dat


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~

desktop.html


 ~~~ Drive root ~~~

winstall.exe

 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 720 'explorer.exe'

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll not present! ~~~~

 ~~~ A good copy of wininet.dll was not found. Look for more locations. ~~~


Win32delfkil Log

************************
* WIN32DELFKIL LOGFILE *
************************
 
 
BEFORE RUNNING WIN32DELFKIL
***************************
 
File(s) found in Windows directory
----------------------------------
 
File(s) found in system32 folder
--------------------------------
 
SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
   {438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ  Browseui preloader
   {8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ  Component Categories cache daemon
   {F33812FB-F35C-4674-90F6-FD757C419C51} REG_SZ  DDE
   {203B1C4D9-BC71-8916-38AD-9DEA5D213614} REG_SZ  OLE Module
   {0BC9BC01-54D4-4CCE-2B7D-955164314CD4} REG_SZ  OLE Module
 
Notify key
----------
 
 
 
AFTER RUNNING WIN32DELFKIL
**************************
 
File(s) found in Windows directory
----------------------------------
 
File(s) found in system32 folder
--------------------------------
 
SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
   {438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ  Browseui preloader
   {8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ  Component Categories cache daemon
   {F33812FB-F35C-4674-90F6-FD757C419C51} REG_SZ  DDE
   {203B1C4D9-BC71-8916-38AD-9DEA5D213614} REG_SZ  OLE Module
   {0BC9BC01-54D4-4CCE-2B7D-955164314CD4} REG_SZ  OLE Module
 
Notify key
----------

Offline guestolo

Winhound
« Reply #13 on: December 16, 2005, 08:27:50 PM »
I'm on my way out for a Xmas dinner for the Shop

In the meantime, can you do the following please
You have a new entry in your hijackthis log
Plus it appears that wininet.dll is infected; this is an important file
Updating to Service pack 2 will help replace it with a legit copy
But I don't want you going that route yet

Download Hoster.zip and save it to your Desktop.
UNZIP the contents to your desktop or folder

Can you try the following please
Do another scan with Hijackthis and put a check next to these entries:

F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\g178466.dll (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run CWShredder again and Click on The FIX option and let it fix what it finds

Reboot your computer
Back in Windows

Locate the Hoster folder , open it and double click on Hoster.exe
Click on Restore Original Hosts
In the confirmation window, click on OK.

After that is done
Panda's should be able to disinfect the infected wininet.dll
I need you to try and use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop

Reboot the computer again when it's done

back in Windows
Please post a fresh hijackthis log and the whole report from Panda's

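A small triage script for HijackThis log lines, added here as an example; it is not part of this thread nor of HijackThis itself. The sample lines are constructed from the entries quoted in the post, and the three heuristics (a win.ini run= autostart, a Windows system binary name started from outside System32, a Winlogon Notify DLL that is missing or outside System32) are assumptions of this example, not HijackThis's own rules.

```python
"""Triage of HijackThis log lines: flags the kinds of entries asked to be fixed
in the post above. Added example; the heuristics are assumptions, not HijackThis's own."""
import re

# Constructed sample: the three entries quoted in the post plus two benign
# lines from the same log, so the script runs offline.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O20 - Winlogon Notify: st3 - C:\WINDOWS\g178466.dll (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# Core Windows binaries whose names malware borrows; a copy of one of these
# started from anywhere but System32 deserves a look.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe"}


def split_path(path):
    """Return (parent dir, file name), both lower-cased, for a Windows path."""
    path = path.strip().strip('"').lower()
    parent, _, name = path.rpartition("\\")
    return parent, name


def in_system32(parent):
    """True when the directory is the System32 folder of any Windows root."""
    return parent.endswith("\\system32")


def triage_line(line):
    """Return a reason string if the line looks suspicious, else None."""
    m = re.match(r"^(\w+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    key, body = m.groups()
    if key == "F3":
        # win.ini run=/load= are Win3.x-era autostarts; on XP anything set
        # there was put there on purpose, and rarely by the user.
        v = re.search(r"\b(run|load)=(\S.*)$", body, re.IGNORECASE)
        if v:
            return "legacy win.ini %s= autostart: %s" % (v.group(1).lower(), v.group(2).strip())
    elif key == "O4":
        # Registry Run entries: [name] then the command, possibly quoted.
        v = re.search(r'\]\s+"?(.*?\.exe)', body, re.IGNORECASE)
        if v:
            parent, name = split_path(v.group(1))
            if name in SYSTEM_BINARIES and not in_system32(parent):
                return "%s started from %s instead of System32" % (name, parent or "an unqualified path")
    elif key == "O20":
        # Winlogon Notify DLLs load into winlogon.exe at logon, so a stray or
        # missing one is worth removing even when the file is already gone.
        if "(file missing)" in body:
            return "Winlogon Notify entry for a missing DLL: " + body
        v = re.search(r"-\s+([a-z]:\\\S*\.dll)", body, re.IGNORECASE)
        if v:
            parent, _ = split_path(v.group(1))
            if not in_system32(parent):
                return "Winlogon Notify DLL outside System32: " + v.group(1)
    return None


def triage_log(text):
    """Return [(entry key, reason)] for every suspicious line in a log."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.split()[0], reason))
    return findings


if __name__ == "__main__":
    for key, reason in triage_log(SAMPLE_LOG):
        print(key, reason)
```

Run against the constructed sample it reports exactly the F3, O4 and O20 lines the post asked to have fixed and stays silent on the McAfee and ewido entries.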


Offline Miromc

Winhound
« Reply #14 on: December 17, 2005, 02:26:11 AM »
Here is the HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 2:22:47 AM, on 12/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Now, as for the Panda, I made a slight mistake here.  When I first did it, I selected scan "My Computer"; after I realized my mistake I stopped the scan, didn't save the logfile, and went to scan the "Local Disks", so only 1 file actually showed up in this log.  There were 10 on the other one.....

Here is the log anyway.  


Incident                  Status             Location
Adware:Adware/Tibs        Not desinfected    C:\boot.inx

Offline guestolo

Winhound
« Reply #15 on: December 17, 2005, 03:58:36 AM »
Quote
Now, as for the Panda, I made a slight mistake here. When I first did it, I selected scan "My Computer"; after I realized my mistake I stopped the scan, didn't save the logfile, and went to scan the "Local Disks", so only 1 file actually showed up in this log. There were 10 on the other one.....

Well, that's not good, MyComputer would have been OK to scan
Now I have to guess if you are clean or not? EDIT>>Should have put a smiley face here :)
Can you do the following please

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\System32\wininet.dll <-this file
Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please
« Last Edit: December 17, 2005, 06:04:12 PM by guestolo »



Offline Miromc

Winhound
« Reply #16 on: December 17, 2005, 01:24:48 PM »
I  think these are the results you want me to post.

File: WININET.dll
Status: OK
MD5: 4c319e3c7d3a1fd6f73e7619a9c6d75a
Packers detected: -

Scanner results
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VBA32: Found nothing

Offline guestolo

Winhound
« Reply #17 on: December 17, 2005, 01:46:29 PM »
That looks good

Can you do the following please

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Reboot back to safe mode

In safe mode, find this file and send it to the recycle bin
C:\boot.inx <-this file, don't mistake it for Boot.ini

Remove this folder also if found
C:\WINDOWS\inet20001 <-this folder

Stay in safe mode
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Reboot back to Normal mode

Can you post a fresh hijackthis log and again post the new log from SmitRem>>C:\Smitfiles.txt
Let me know how everything's running
« Last Edit: December 17, 2005, 01:46:52 PM by guestolo »



Offline Miromc

Winhound
« Reply #18 on: December 17, 2005, 02:10:43 PM »
Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 2:08:07 PM, on 12/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



SmitRem


   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/17/2005
The current time is: 13:58:46.74

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)


Everything seems to be running now.  Now the computer is just being its usual slow piece of %$$%#

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Winhound
« Reply #19 on: December 17, 2005, 02:43:15 PM »
Everything looks good, but you optionally could disable some entries from running on startup
We'll get to that later

Final Cleanup
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection...."

Additionally, use the Immunize feature of Spybot
Open Spybot, click on Immunize>>OK>>Immunize at the top green cross
Do this after every update

Have you run a Disk Defragment lately?
If not this would be a good time, I like to do this in safe mode to ensure minimal is running
Start>>Programs>>Accessories>>System Tools>>Disk Defragmenter
Click the Defragment button
This could take some time if you haven't done it in awhile

Return to Normal windows

If you would like to disable some entries from running on startup using resources
I like this small little tool
It's a small download
Don't disable something unless you're sure, obviously don't disable your AV from running on startup
Codestuff's Starter
UNZIP it to a folder of its own
Eg...Open MyDocuments>>Right click an empty spot and left click NEW>>Folder
Name it something like "Starter"
Uncheck an item to disable on startup
Or look within a program first to disable on startup

Use this link to track down what you need or don't need
http://castlecops.com/modules.php?name=StartupList

Here's an example
This entry in your log
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
In the castlecops link if I put this into the Search field
OSA.EXE
I get these results
Quote
Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required - Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

Of course, I have Office startup disabled :)

I'm not sure of your system specs.
How much Ram in your computer?

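As an added example (not from this thread, and not code belonging to HijackThis, smitRem or any other tool named here), the Python below parses the O4 and O23 lines HijackThis writes, like the ones pasted above, pulls out each executable so its base name can be looked up the way OSA.EXE is looked up in the reply, and marks the traits a reviewer would want to check by hand: a service binary for which HijackThis read no company information ("Unknown owner"), an 8.3 short path, or a binary running from the Windows directory. The sample log mixes lines copied from this thread with lines labelled constructed; the regexes and the flagging rules are my own assumptions about the log format, not something the thread states. The flags are review prompts, not verdicts: McAfee's mcshield.exe trips two of them only because it was logged with a short path and no company string.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. The O4 "Global Startup" line and the three O23 lines are
# copied from the log posted in this thread; the HKLM Run line and the R1 line
# are invented to show a Run-key entry and a line the parser must skip.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\extray.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
"""


@dataclass
class Entry:
    section: str                      # "O4" (startup item) or "O23" (service)
    name: str                         # Run-key value name, .lnk name or service display name
    path: str                         # executable path exactly as logged
    owner: Optional[str] = None       # O23 only: company string HijackThis read from the file
    short_name: Optional[str] = None  # O23 only: service short name, when logged in parentheses


# O23 - Service: <display> [(<short>)] - <owner> - <path>   (assumed layout)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# O4 - <kind>: [<name>] <command line>   or   O4 - <kind>: <file>.lnk = <target>   (assumed layout)
O4_RE = re.compile(
    r"^O4 - (?P<kind>.+?): (?:\[(?P<name>[^\]]+)\] (?P<cmd>.+)|(?P<lnk>.+?) = (?P<target>.+))$"
)


def _command_to_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (heuristic: quoted path, else up to .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def parse_hjt(text: str) -> List[Entry]:
    """Return the O4 and O23 entries of a HijackThis log; every other line is ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["display"], m["path"].strip(),
                                 owner=m["owner"], short_name=m["short"]))
            continue
        m = O4_RE.match(line)
        if m:
            if m["name"] is not None:
                entries.append(Entry("O4", m["name"], _command_to_path(m["cmd"])))
            else:
                entries.append(Entry("O4", m["lnk"], m["target"].strip()))
    return entries


# Directories where a startup binary deserves a second look before it is trusted.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\winnt", "c:\\winnt\\system32"}


def review(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each executable's base name to the reasons a human should check it (empty list = nothing odd)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        base = ntpath.basename(e.path)
        reasons = findings.setdefault(base, [])
        if e.section == "O23" and (e.owner or "").lower() == "unknown owner":
            reasons.append("service binary carries no company information")
        if "~" in e.path:
            reasons.append("8.3 short path hides the real folder name")
        if ntpath.dirname(e.path).lower() in WINDOWS_DIRS:
            reasons.append("runs from the Windows directory rather than Program Files")
        if not base.lower().endswith(".exe"):
            reasons.append("startup target is not an .exe")
    return findings


def lookup_names(entries: List[Entry]) -> List[str]:
    """Unique executable base names, the strings one would paste into a startup database search."""
    return sorted({ntpath.basename(e.path) for e in entries}, key=str.lower)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, reasons in review(parsed).items():
        print(f"{name:16} {'; '.join(reasons) or 'nothing unusual, look up if unknown'}")
    print("look up:", ", ".join(lookup_names(parsed)))
```

The output is a checklist for the manual step the reply describes: each base name goes into a startup database, and the entries with reasons attached are the ones to resolve first.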