
Registered · 4 Posts · Discussion Starter · #1
I ran Ewido and HijackThis; my system seems clean except for this virus. It keeps popping up with Norton AntiVirus at startup. It states the following:

Norton Antivirus has detected a virus on your computer

Object Name: C:\Windows\system32\wininet.dll
Virus Name: Bloodhound.W32.ep (this is shown as a link)
Action taken: Unable to repair this file.


I know that the program I need is smitRem, but I can't seem to open that program. I download it and extract it to the desktop, then I restart into Safe Mode. Once I click on the RunThis.bat file, an MS-DOS window pops up and disappears in less than a second. Nothing in there seems to run. I have downloaded and tried to run it more than 6 times. It never seems to stay open. Is there anything I can do to get past this?

Nothing seems to be working to get rid of this; for some reason I can't even do a system restore, nor do I want to, because I haven't created a restore point in quite some time. I really need to know a way to get rid of this virus without having to delete anything off of my computer. I really need some help here... please.

As far as the updates go, I haven't been doing them recently, but if you can give me the site where I can get caught up, I will start as soon as I can get the computer cleared up. Also, if I download the latest updates, will I still get protection from all the previous updates?

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:13:17 PM, on 8/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp5\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [3F5S3mR] svcgen.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp5\winampa.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [odbctrac] C:\WINDOWS\System32\odbctrac.exe
O4 - HKCU\..\Run: [Iou2RgdtR] stkngl32.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct0_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud3.sports.yahoo.com/java/y/nflst8226_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Lin...204&clcid=0x409
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi.aol.com/netage...s/custappx2.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.c...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: usbui - Unknown owner - C:\WINDOWS\System32\usbui.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
Here is the Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:59:38 AM, 8/14/2005
+ Report-Checksum: BCE639F2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
[472] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[708] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\Documents and Settings\Panicker\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Panicker\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0136618.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138473.dll -> TrojanDownloader.Agent.ba : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138474.exe -> Spyware.Nex : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/ABC2.DLL -> Backdoor.Mox.b : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/ACSFX.DLL -> Backdoor.Mox.c : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/AFTPSFX.DLL -> Backdoor.Mox.c : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/ASSFX.DLL -> Backdoor.Mox.c : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/ntcomm.exe -> Backdoor.Cl4 : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/SCSFX.DLL -> Backdoor.Ataka.i : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138475.exe/SLSFX.DLL -> Backdoor.Ataka.i : Error during cleaning
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0138476.dll -> TrojanDownloader.Agent.ba : Cleaned with backup
C:\unzipped\hijackthis\backup-20040318-141445-944.dll -> Spyware.MyWay : Cleaned with backup
C:\unzipped\hijackthis\backup-20040427-214545-868.dll -> Spyware.ClearSearch : Cleaned with backup
C:\WINDOWS\syscab\ACSFX.DLL -> Backdoor.Mox.c : Cleaned with backup
C:\WINDOWS\syscab\AFTPSFX.DLL -> Backdoor.Mox.c : Cleaned with backup
C:\WINDOWS\syscab\ASSFX.DLL -> Backdoor.Mox.c : Cleaned with backup
C:\WINDOWS\syscab\SCSFX.DLL -> Backdoor.Ataka.i : Cleaned with backup
C:\WINDOWS\syscab\SLSFX.DLL -> Backdoor.Ataka.i : Cleaned with backup
C:\WINDOWS\syscab\unicodbag.txt -> Worm.Randon.i : Cleaned with backup
C:\WINDOWS\SYSTEM32:iraa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\SYSTEM32\usbui.exe -> Trojan.Downloader.reqlook : Cleaned with backup


::Report End

Please help me figure this out, because I desperately need my computer running smoothly again.
 

TSF Security Team, Emeritus · 6,969 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).


Download smitRem.exe and save the file to your desktop.
Double-click on the file and it will extract its files into its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Go to Start -> Run, type Services.msc, then hit OK.

Scroll down and find the service called: usbui

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows.


Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) =
O4 - HKLM\..\Run: [3F5S3mR] svcgen.exe
O4 - HKCU\..\Run: [odbctrac] C:\WINDOWS\System32\odbctrac.exe
O4 - HKCU\..\Run: [Iou2RgdtR] stkngl32.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O23 - Service: usbui - Unknown owner - C:\WINDOWS\System32\usbui.exe (file missing)


Click fix.

Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\WINDOWS\System32\odbctrac.exe
C:\WINDOWS\System32\196_150_ni.exe
stkngl32.exe
svcgen.exe
<-- locate and delete these 2.

IMPORTANT:

Make sure Norton/Symantec is disabled, as it has a script blocker running and that's preventing smitRem from running.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.

Save the scan log and post it along with a new HijackThis Log and the Ewido Log and the smitfiles.txt log.


IMPORTANT!:


Before we can proceed any further, please visit Microsoft's Windows Update page and install ALL Critical Updates for your system, except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum, install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection, and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately, it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore, if you cannot update Windows XP to SP1, we must stop the cleansing process here.


Thank you for your cooperation.
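Added example, not from the thread, HijackThis or TSF: a Python triage pass over a constructed excerpt of the log above that encodes the checks behind the R1/O4/O9/O23 picks in the reply: an emptied IE search key, a Run value whose command is a bare filename (cross-checked against the Running processes list) or whose name looks machine-generated, and O9/O23 entries whose file is gone. It also shows the limits of such heuristics: LTWinModem1 is flagged as a bare filename even though the process list shows it resolved to System32, and odbctrac passes because nothing about its name or path looks odd, so the output is a review queue, not a verdict.

```python
# Triage of HijackThis (v1.99.x) log lines. Added example, not HijackThis code
# or a TSF tool; it encodes the checks behind the helper's R1/O4/O9/O23 picks.
import re

# Constructed excerpt of the log above; benign entries kept so some lines pass.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\196_150_ni.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [3F5S3mR] svcgen.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [odbctrac] C:\WINDOWS\System32\odbctrac.exe
O4 - HKCU\..\Run: [Iou2RgdtR] stkngl32.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O23 - Service: usbui - Unknown owner - C:\WINDOWS\System32\usbui.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SEARCH_EMPTY_RE = re.compile(r"^R[01] - (?P<key>.*\\Search,\(Default\)) = ,?\s*$")
NOFILE_RE = re.compile(r"^(?P<sec>O9|O23) - .*\((?:no file|file missing)\)")

def executable(cmd: str) -> str:
    """First token of a Run command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def looks_generated(name: str) -> bool:
    """Digits wedged between letters, or more digits than letters."""
    digits = sum(c.isdigit() for c in name)
    letters = sum(c.isalpha() for c in name)
    return bool(re.search(r"[A-Za-z]\d+[A-Za-z]", name)) or digits > letters > 0

def running_processes(lines):
    """Lower-cased basename -> full path, from the 'Running processes' block."""
    return {l.rsplit("\\", 1)[-1].lower(): l
            for l in lines if re.match(r"^[A-Za-z]:\\", l)}

def triage(log_text: str) -> list:
    """Return (section, name, [reasons]) for each line worth a human look."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    procs = running_processes(lines)
    findings = []
    for line in lines:
        if m := SEARCH_EMPTY_RE.match(line):
            findings.append((line[:2], m.group("key"), ["IE search default emptied"]))
        elif m := RUN_RE.match(line):
            name, exe, reasons = m.group("name"), executable(m.group("cmd")), []
            if "\\" not in exe:
                # No directory: Windows resolves the name via its search path at
                # logon. The process list shows what that resolved to, if anything.
                seen = procs.get(exe.lower())
                where = f"seen running as {seen}" if seen else "not in running-process list"
                reasons.append(f"bare filename '{exe}', no directory; {where}")
            if looks_generated(name):
                reasons.append("value name looks machine-generated")
            if reasons:
                findings.append(("O4", name, reasons))
        elif m := NOFILE_RE.match(line):
            findings.append((m.group("sec"), line.split(" - ", 2)[1],
                             ["entry points at a file that no longer exists"]))
    return findings

if __name__ == "__main__":
    for sec, name, reasons in triage(SAMPLE_LOG):
        print(f"{sec:<3} [{name}]  " + "; ".join(reasons))
```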
 

Registered · 4 Posts · Discussion Starter · #3 · (Edited)
smitRem still won't run. I disabled the script blocking, but the MS-DOS window still won't stay open; it just flashes across the screen. I'm sure the message that flashes in DOS is an error message, and I think it says "'find' is not recognized as an internal or external command....." but it's hard to tell.

As a matter of fact, whatever I type in, it says it is not recognized as a command. It opens with the C:\> prompt, and I can't really go anywhere from there, not even into my Documents and Settings (to access my desktop). It will say "DOCUMENTS is not recognized...."
What should I do?
 

Registered · 4 Posts · Discussion Starter · #4
When I go to the Windows Update Page and it searches for updates (or in the taskbar), it says the only update for me to download is SP2. Does this mean I already have SP1? I can't remember if I downloaded SP1 or not, but is there any way for me to check?
 

TSF Security Team, Emeritus · 6,969 Posts
thegamemodo9 said:
When I go to the Windows Update Page and it searches for updates (or in the taskbar), it says the only update for me to download is SP2. Does this mean I already have SP1? I can't remember if I downloaded SP1 or not, but is there any way for me to check?
No, you don't have SP1 installed. Make sure you click "Custom" and not "Express", as it will ask you to install SP2 every time. It should then scan the PC and give you a list of updates, and SP1 should be one of them.

As for your DOS error, try this:

Copy autoexec.nt from the c:\windows\repair\ folder to the c:\windows\system32\ folder. Then run the tool again.
 

Registered · 4 Posts · Discussion Starter · #6
Well, I already had the autoexec.nt file in my system32 folder, so I overwrote that file, but it still did not work.

I ran xprunregquery.bat (given to me by a member here) to see if I could run a batch file. Double-clicking the .bat file opened and closed the file quickly (so I couldn't read the error message). I was given this message after opening it in the command prompt:


C:\Documents and Settings\Panicker\Desktop>reg query "HKEY_LOCAL_MACHINE\SOFTWAR
E\Microsoft\Windows\CurrentVersion\Run" 1>>Look.txt
'reg' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Panicker\Desktop>reg query "HKEY_LOCAL_MACHINE\Softwar
e\Microsoft\Shared Tools\Msconfig\startupreg" 1>>Look.txt
'reg' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Panicker\Desktop>reg query "HKEY_CURRENT_USER\SOFTWARE
\Microsoft\Windows\CurrentVersion\Run" 1>>Look.txt
'reg' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Panicker\Desktop>notepad Look.txt
'notepad' is not recognized as an internal or external command,
operable program or batch file.

Anybody know what I can do about this? I want to be able to run smitRem, but that file will open and close as well (when double-clicking). When I open it through the command prompt, it says "'find' is not recognized as an internal or external operable command..."

Do you have any ideas about this?
 

TSF Security Team, Emeritus · 6,969 Posts
Click Start... Run... and type in regedit. See if it opens. Your registry editor may have been disabled. Please update to SP1 ASAP!
 