Solved: need help with smitfraud, hijacklog included

[_Thomas_]

I got this last tuesday and have been trying to get rid of it ever since, but so far no luck. Found plenty of other stuff that needed removing in the process at least. But I suspect there might be more then smitfraud left on my comp anyway. So I finally found my way here and saw what great help other folks have gotten from you, so figured I'd ask for your aid as well.

I'm running on xp home, and the problems I'm still noticing is not being able to set my own internet starting page, nor access most of the options for my screen options (like I can't set any picture or whatever as background). Also the search function seems messed up, if I search for, for example, system32 or whatever I get no hits, plus the search is conducted about 60 times faster then it used to be. I can still get hits though, but am guessing it only searches some 'safe' areas of the computer. That didn't happen immediately after I got smitfraud, was about a day later.

Am pretty tired atm, so can't come to think of anything more to tell, but am looking forward to getting a response from you!


Logfile of HijackThis v1.99.1
Scan saved at 02:50:32, on 2005-06-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Microsoft Hardware\Keyboard\type32.exe
C:\Program\HP\HP Software Update\HPWuSchd.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6699.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinTools] C:\Program\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute\vrie.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A1A8D2-E44F-4D94-A41D-F5D81374EC2B}: NameServer = 193.11.224.20,193.11.224.21
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q137093_disk.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program\Common files\WinTools\WToolsS.exe (file missing)

 

[_Thomas_]

Oh right, one more thing - my xp aint fully updated, for one thing I still don't have the service pack 2 - is it ok to/should I get that before I get rid of smitfraud and whatever else there might be left on my comp?

And a second thing - I've always only used one hd, but I might have one more now, or else it's just another thing messed up with the search function. There's a new search area (which is used as default) under This Computer, namely Local Harddrives (C, whereas before the default was Local Harddrive (C. That still exists under This Computer, and it doesn't seem to do any difference on which/how many search results I get nm if I search drives, or drive, or this comp. That drives is also labelled as C: gives me hope that there haven't been any new harddrives made and kept unavailable from me, but aint sure.

Clicking this comp I still only see Local Disc (C under harddrives, nothing else. Though this got me thinking, it's disc when going in on this comp, but harddrives when searching. Is that mby always so?

Well, now I'll hit the sack, so g'nite!

 

[Flrman1]

Hi Thomas_

Welcome to TSG!

Please read these instructions carefully and copy them to notepad! Save the notepad file to your desktop so you will have it to refer to. Be sure to follow ALL instructions!


** Before you proceed with the removal directions below you need to turn off Spybot's Tea Timer as it will interfere with the changes we are trying to make.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.



* * Go here to download CCleaner.

• Install CCleaner
• Launch CCleaner and look in the upper right corner and click on the "Options" button.
• Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
• Click OK
• Do not run CCleaner yet. You will run it later in safe mode.

* Click Here and download Killbox and save it to your desktop.


* Click here to download smitfraud.reg. Download it and "Save" it to your desktop and have it ready to run later.


* Click here for info on how to boot to safe mode if you don't already know how.


* Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
PSGuard
AdwareDelete
Search Maid

Exit Add/Remove Programs.


* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find WinTools for IE service.
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6699.tmp

O4 - HKLM\..\Run: [windows auto update] msblast.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [WinTools] C:\Program\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [PSGuard] C:\Program\PSGuard\PSGuard.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

O20 - Winlogon Notify: style2 - C:\WINDOWS\q137093_disk.dll (file missing)


Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

WinToolsSvc

Click OK


* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\wp.bmp

C:\Windows\System32\helper.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\shnlog.exe

C:\WINDOWS\System32\OLEADM.dll

C:\Windows\System32\intmonp.exe

C:\WINDOWS\system32\hp6699.tmp

C:\WINDOWS\System32\winnook.exe

C:\Windows\system32\hookdump.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\system32\msole32.exe

C:\WINDOWS\system32\hp5C68.tmp

C:\Windows\System32\ole32vbs.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Find and delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\PSGuard
C:\Program Files\AdwareDelete
C:\Program Files\Security IGuard
C:\Program\Common files\WinTools
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files
C:\WINDOWS\System32\P2P Networking


* IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg on your desktop and doubleclick on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of instructions below.


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.


* Run ActiveScan online virus scan here.

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

 

[_Thomas_]

Ok, gone through it all now. Two questions first... Is GlobalSCAPE spy/adware, or if not, then what? Still have that on comp, but it didn't alert panda.

And about the "find and delete these folders"-instruction, one of the ones to look for was C:\WINDOWS\System32\Services

There was no folder, but an .exe and a .msc file... Should I keep or delete those?

Here follows the latest pandascan:

Adware:Adware/SaveNow No disinfected Windows Registry

Couldn't find that one... On first scan there was four adwares in win reg that I couldn't delete, but only one left on second scan after I deleted the other stuff. In case you want the first scan it follows here.

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users\Start-meny\Program\Gain Publishing
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program\PerfectNav
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/MyWebSearch No disinfected C:\Program\Search Toolbar
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Thomas och Sara\Application Data\PSGuard.com

And finally then the hijacklog.

Logfile of HijackThis v1.99.1
Scan saved at 01:24:38, on 2005-06-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Microsoft Hardware\Keyboard\type32.exe
C:\Program\HP\HP Software Update\HPWuSchd.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute\vrie.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A1A8D2-E44F-4D94-A41D-F5D81374EC2B}: NameServer = 193.11.224.20,193.11.224.21
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

 

[Flrman1]

GlobalSCAPE is fine as far as I know:

http://www.cuteftp.com/

services.exe and services.masc are both legit Windows files. Don't delete them.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Boot to safe mode and delete these folders:

C:\Documents and Settings\All Users\Start-menu\Program\Gain Publishing
C:\Program\PerfectNav
C:\Program\Search Toolbar

Delete this file:

C:\Documents and Settings\Thomas och Sara\Application Data\PSGuard.com

 

[_Thomas_]

Already did that, but thanks anyway. Guess I'm fine then... Dl'ing windows updates atm to, but omg they're slow. Guess they'll be finished come morning.

Huge thanks for all the help, was awesome! So glad to be rid of it!

 

[Flrman1]

You're Welcome!

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

 

[_Thomas_]

Gah...

Got some system error when installing xp sp2, can't even start the comp up now. Tried rebooting from cd to repair/restore, but can't remember the admin pw, so doesn't work. In safe mode there's an option to ignore the system fault and not keep restarting the comp, might it be safe to use that or might everything get screwed up if I try that?

Or is there some other way to fix this?

 

[_Thomas_]

Oh, and I did the system restore thingie before this happened.

 

[Flrman1]

Try booting to "Last known good configuration"

 

[_Thomas_]

That didn't work, so I reinstalled windows instead. This time around the update to sp2 couldn't be completed... And it's weird, whenever I try to go to windowsupdate.microsoft.com I just get a blank page, nothing at all loads. Autoupdate does load when I start comp, but it slows the comp down a whole lot, and after this latest partial install it doesn't seem to want to do anything more. Not to mention that checking up update.exe everyone seems to agree that that file should be uninstalled - but by now I've got about 20 of'em, every security hotfix that was successfully dl'd has one. And spybot doesn't seem to find any fault with it either.

I tried going to http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=sv as well, but after dl'ing and installing the latest version of the program nothing more happens.

All this trouble... Does it indicate that there might still be some bogus stuff on my comp, or might it be something else that lies behind it? And how bad is it really to not have that sp2? I could imagine going on without it, it's just that I'm not feeling all too certain that the comp is really clean when I'm having this much trouble still with something that, imo, should be easy.

 

[Flrman1]

When you say you reinstalled Windows, do you mean you reformated the hard drive and did a clean install or did you do a repair install?

 

[_Thomas_]

I didn't reformat, but I 'think' it was a complete installation overwriting the old one. Couldn't do the repair when I tried, so I chose new installation - but then I got a repair option which I chose, and then installation started without any more info or pw prompting, so maybe a repair is what it was.

 

[Flrman1]

I suggest that you back up all your data then reformat and do a clean install of XP.