Help with fixing desktop
#1
Posted 13 November 2005 - 03:50 AM
#2
Posted 13 November 2005 - 08:19 AM
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!
***
Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.
***
Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.
***
Please download the trial version of ewido security suite.
Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido; there should be an icon on your desktop, double-click it.
The program will prompt you to update; click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.
***
If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how to set up and use it - please make sure you update it first.
***
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
***
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.
***
Open Ad-aware and do a full scan. Remove all it finds.
***
Now open Ewido Security Suite:
* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.
***
Next, go to Control Panel and click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
***
Reboot back into Windows
You will need to allow the popups for this site!
Run the Free use Panda Active Scan.
- Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
- A new window will open
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on my computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
#3
Posted 14 November 2005 - 06:40 AM
Panda scan
Incident Status Location
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\SHDOCSVC.EXE
Possible Virus. No disinfected C:\WINDOWS\system32\shdocsvc.exe
Virus:W32/Smitfraud.D Disinfected Operating system
Possible Virus. No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
Adware:adware/psguard No disinfected C:\WINDOWS\warnhp.html
Possible Virus. No disinfected C:\WINDOWS\system32\shdocsvc.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\FF.tmp
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\html.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013345.com
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013347.com
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013432.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013434.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013440.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013441.exe
Adware:Adware/SAHAgent No disinfected C:\Recycled\NPROTECT\00001744.inf
Possible Virus. No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[VerifierBug.class]
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:27:04 PM, on 11/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\shdocsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
Smitfiles
smitRem © log file
version 2.7
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 11/14/2005
The current time is: 22:25:58.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll is missing!!
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:57:10 PM, 11/14/2005
+ Report-Checksum: 838389E4
+ Scan result:
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013448.exe -> Spyware.Raze : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013449.exe -> TrojanDropper.Agent.ri : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013450.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013451.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013452.DLL -> TrojanDownloader.IstBar.gu : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013453.DLL -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013454.EXE -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013455.exe -> TrojanDownloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013456.exe -> Trojan.LowZones.cu : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013460.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013461.dll -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
::Report End
P.S. I used Ad aware Professional ver6 instead of the SE 1.06. Is that a problem?
#5
Posted 15 November 2005 - 04:50 AM
#6
Posted 15 November 2005 - 04:53 AM
Please download FileFind from Atribune.
Unzip the file and save it to your desktop.
To run FileFind, please do the following:
- Click on FileFind.exe
- In the box labeled "Enter the directory to search"
- Enter the drive, e.g. C:\
- In the box labeled "Enter the file to search"
- Enter wininet.dll
- Now click on the "Find" button
- Once the utility has found the files click on "Export"
- This will save a text file to your C:\ drive as "Export.txt"
- Double click on Export.txt, copy and paste this information in your next post
#7
Posted 15 November 2005 - 04:57 AM
#8
Posted 15 November 2005 - 04:59 AM
#9
Posted 15 November 2005 - 05:02 AM
#10
Posted 15 November 2005 - 05:16 AM
It might be Spyware doctor keeping us from cleaning.
Just to be sure:
Upload and scan that C:\Windows\system32\wininet.dll on the next site to make sure this one is clean:
http://virusscan.jotti.org/
Let it scan and post the results in your next reply.
***
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
- Click the Spyware Doctor icon in the System Tray.
- Click Settings.
- Click Startup Settings under Pick a Category.
- Uncheck Run at Windows startup.
- Click Apply and Exit Spyware Doctor
***
Download the Killbox version 2.0.0.473.
Unzip it to the desktop
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each
C:\WINDOWS\system32\shdocsvc.exe
For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
***
Reboot to safe mode.
***
Let's rerun Runthis (again, sorry).
***
Open HijackThis and put a check to these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html
O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home
press 'fix checked'.
***
Reboot back to normal mode.
Please post me the smitfiles.txt and a fresh HijackThis log.
#11
Posted 15 November 2005 - 05:46 AM
Service load: 0% 100%
File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 6626545292428ae1ed5b4237404b346a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
Smitfiles
smitRem © log file
version 2.7
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 11/15/2005
The current time is: 22:34:22.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll is missing!!
Logfile of HijackThis v1.99.1
Scan saved at 10:44:09 PM, on 11/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Programs\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
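Added example, not part of the original posts: a small Python check that compares a HijackThis log taken before a fix with one taken after it, and reports whether the entries selected for "fix checked" and the file deleted with Killbox are really gone. The log excerpts are shortened copies of the two logs posted in this thread; the function names are made up for this example.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_log(log_text):
    """Return (running process paths, entries) from a HijackThis log."""
    processes, entries, in_procs = set(), set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the process list ends at the first entry
            entries.add((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths ignore case
    return processes, entries

def verify_fix(before, after, fixed_lines, deleted_files):
    """Compare two logs and report what the fix did and did not remove."""
    _, old = parse_log(before)
    procs, new = parse_log(after)
    wanted = parse_log("\n".join(fixed_lines))[1]
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "still_listed": sorted(wanted & new),
        "still_running": sorted(p for p in deleted_files if p.lower() in procs),
    }

# Excerpts of the two logs posted in this thread (most lines omitted).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shdocsvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
O4 - Global Startup: OSA.exe
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: OSA.exe
"""
# The two lines the helper asked to check, and the file given to Killbox.
FIXED = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html",
    r"O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home",
]
DELETED = [r"C:\WINDOWS\system32\shdocsvc.exe"]

if __name__ == "__main__":
    for key, items in verify_fix(BEFORE, AFTER, FIXED, DELETED).items():
        print(key, items)
```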
#12
Posted 15 November 2005 - 06:09 AM
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each
C:\WINDOWS\desktop.html
C:\WINDOWS\warnhp.html
C:\WINDOWS\system32\FF.tmp
C:\WINDOWS\Downloaded Program Files\html.exe
For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
***
Can you rerun Panda and post me the report please?
#13
Posted 15 November 2005 - 06:43 AM
#14
Posted 15 November 2005 - 08:40 AM
- Download the FxNetsky.exe file from: http://securityrespo...er/FxNetsky.exe.
- Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected.
- Close all the running programs before running the tool.
- If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
- Disable System Restore.
- Double-click the FxNetsky.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- Re-enable System Restore.
#15
Posted 16 November 2005 - 06:08 AM