Chronolizer

Hi, my pc is also infected with the pesky 'topantispyware' problem, but when I use the forums removal instructions, at the point of doing a full sytem scan with Ad-aware se, my pc says that a certain 'services.exe' has set its function to 0 and pc will begin a countdown (1min) to shut off my pc... the file was located in system32, so i did a customized scan and did'nt check that folder, and itworked.. anyway, my pc also has a nasty trojan CWS-C, when my CWS shredder and Sophos said they deleted it, the message still keeps coming back from the intercheck monitor saying that it has detected the troj. And this message keeps coming every 3-4 seconds.
The log:
Logfile of HijackThis v1.99.1
Scan saved at 19:36:54, on 7-3-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\scmss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\WINDOWS\System32\ALG32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos SWEEP for XP\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for XP\SWEEPSRV.SYS
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\biop.dat
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\gdcj.dat
C:\Documents and Settings\Chronolizer\Mijn documenten\EA Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Security Patch] scmss.exe
O4 - HKLM\..\RunServices: [Security Patch] scmss.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61EBBDFD-9DF2-474A-8159-CEA1FFDE0AA7}: NameServer = 69.50.176.196,195.225.176.37
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for XP\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for XP\SWEEPSRV.SYS

This log was very irritating to get, cause my system froze several timeswhen trying to choose Notepad in the list of programs avaible.
Thanks FOR any help.
Greets
Chronolizer

MicroBell

Hi and Welcome to TSF

Please consider installing SP1/SP2 service packs for both IE6 and XP as this is a big part of your problem.

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

Download and install CleanUp http://cleanup.stevengould.org/

Download DelDomains.inf
Right-click and select..... Save Target As

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\scmss.exe
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\WINDOWS\System32\ALG32.EXE
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\biop.dat
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\gdcj.dat

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http://proxy/:8080
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [Security Patch] scmss.exe
O4 - HKLM\..\RunServices: [Security Patch] scmss.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [SPOOLSVU] C:\WINDOWS\System32\SPOOLSVU.EXE
O4 - HKCU\..\Run: [ALG32] C:\WINDOWS\System32\ALG32.EXE
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1AABDC5E-EDEC-4942-B283-AB78E65A7B6D} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS)

C:\WINDOWS\System32\scmss.exe
C:\WINDOWS\System32\SPOOLSVU.EXE
C:\WINDOWS\System32\ALG32.EXE
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\biop.dat
C:\DOCUME~1\CHRONO~1\LOCALS~1\Temp\gdcj.dat
C:\WINDOWS\System32\iecustom32.dll
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\intlmain.dll
C:\WINDOWS\SYSTEM32\draw32.dll

Navigate to the C:\Windows\Prefetch folder and delete all files in that folder!

Now run the cleanup utility and reboot/logoff when prompted.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.

__________________

Chronolizer

Thanks for replying, Im gonna get right on it!

Chronolizer

OK, I followed your instructions, but I could not access SAFE mode, it just stayed at the screen with the white line blinking constantly in the top left corner. So I followed your instructions in Normal mode..
I was unable to find :
C:\WINDOWS\System32\scmss.exe
C:\WINDOWS\SYSTEM32\draw32.dll
I could however delete the rest of the files you recommended.
New LOG:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos SWEEP for XP\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for XP\SWEEPSRV.SYS
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chronolizer\Mijn documenten\EA Games\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3305
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3305
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup152.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61EBBDFD-9DF2-474A-8159-CEA1FFDE0AA7}: NameServer = 69.50.176.196,195.225.176.37
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for XP\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for XP\SWEEPSRV.SYS

I hope its fixed now..

greyknight17

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3305
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xysearch.biz?wmid=3305
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{61EBBDFD-9DF2-474A-8159-CEA1FFDE0AA7}: NameServer = 69.50.176.196,195.225.176.37
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\TGBRFV_.exe
C:\WINDOWS\System32\TGBRFV_5.dll
C:\WINDOWS\System32\TGBRFV_.dll
C:\WINDOWS\System32\TGBRFV_5.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\SYSTEM32\draw32.dll

Run CleanUp program.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D

Anti-Spyware Tutorial :: Spyware Prevention Tools