help with trojans

Looks like I’m infected by a Win32:trojan. I’m definitely no techie, so any help you give me would be appreciated. Here is the HIJACK log. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 7:45:41 PM, on 2/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\atlfm32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\JUSearch\juspc.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\netfw.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\BibleWorks 6\bw600.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {572CC3BC-F47C-72F9-991D-07F17112FD33} - C:\WINDOWS\system32\wineo32.dll (file missing)
O2 - BHO: Class - {ABA388C5-AC45-44CB-9816-6536A674986F} - C:\WINDOWS\system32\sdkum32.dll (file missing)
O2 - BHO: Class - {BFF9AA12-B35F-5FD0-E04C-538197D788AE} - C:\WINDOWS\ntpu.dll
O2 - BHO: Class - {C902789B-AF19-4056-CC6A-4E38EC39868F} - C:\WINDOWS\system32\wintx.dll (file missing)
O2 - BHO: Class - {CC3C2CF2-A3EE-2261-69DA-A3A388D404C9} - C:\WINDOWS\system32\iein.dll
O2 - BHO: Class - {D53C9B47-4C61-5E63-5486-F572BE0C0090} - C:\WINDOWS\appuy.dll (file missing)
O2 - BHO: Class - {E057CF21-D46C-343B-7955-D8C449B5966D} - C:\WINDOWS\javaag32.dll (file missing)
O2 - BHO: Class - {E4D353C5-F038-4827-9CDA-ABDCF49E5AB5} - C:\WINDOWS\apppi32.dll
O2 - BHO: Class - {E5AEC6A2-E0DA-BCCF-46E8-C8D57F1BAB09} - C:\WINDOWS\apiyj32.dll (file missing)
O2 - BHO: Class - {EC15E88B-8211-11D5-283C-E2E36C934580} - C:\WINDOWS\system32\apifp32.dll
O2 - BHO: Class - {F007D83D-E7B6-F6E1-AE66-146D284B5A3C} - C:\WINDOWS\syssg.dll (file missing)
O2 - BHO: Class - {FA168010-C6D6-4D24-E877-91477B61A199} - C:\WINDOWS\winaf32.dll (file missing)
O2 - BHO: Class - {FA24E3A3-830C-7CE5-9AA3-9E1D994407F0} - C:\WINDOWS\system32\sysxn32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [atlfm32.exe] C:\WINDOWS\atlfm32.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [spc_w] “C:\Program Files\JUSearch\juspc.exe” -w
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098494961168
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: ugosWXQIloK - {C871EA18-62DB-40B2-5356-37B0ADCEF7DE} - C:\WINDOWS\System32\hrphgf.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netfw.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Welcome to the forums, clueless2! :slight_smile:

Here is what I can see is wrong. But, please wait for a second opinion from others here and not just my word as to what is wrong. :wink:

Internet Explorer is out of date. You should have IE6 SP2!
Your Operating System is out of date. You should have XP SP2!
I see no sign of a firewall. If you are not using a hardware firewall, it is highly recommended to install a software firewall. Otherwise, you will have more trouble.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
(this is a bad BHO also known as a browser hijacker)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/
(this second R0 is the same item as above)

R3 - Default URLSearchHook is missing … unknown and not needed.

O4 - Startup: PowerReg Scheduler.exe … is spyware.
(read here … http://research.sunbelt-software.com/threat_display.cfm?name=PowerReg%20Scheduler&threatid=9940 )

O15 - Trusted Zone: *.awmdabest.com … is adware/spyware/trojan
(read here … http://castlecops.com/atxlist-1198.html )

O15 - Trusted Zone: *.frame.crazywinnings.com … is adware/spyware/trojan as above.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1
(if you are using avast anti-virus then these 2 need to be removed)

As I stated above, please wait for a second opinion on my suggestions above.
I hope this helps you. :slight_smile:


:slight_smile: Clueless2:

I have CharleyO's "out-of-date" XP SP1 & am OK; however, I have lots of security programs that you do NOT have. I do NOT see an antiSPYWARE program on your machine; I would encourage you to download, then install Ad-Aware from www.majorgeeks.com/download506.html. Since there are lots of problems indicated by your HJT log, go to www.landzdown.com; that site has experienced persons who are knowledgeable in the use of HijackThis logs.

I would also recommend ewido; it’s one of the best at getting rid of spyware and trojans. They also have daily updates, which most others don’t.

http://www.ewido.net/en/

Hello clueless2. Welcome to the Avast forums. Your HijackThis log indicates that you have a CWS (CoolWebSearch) infection. I will be happy to help you get rid of it. Please follow these instructions carefully and if you have any questions along the way, feel free to stop and ask, but once you’ve disconnected from the net, go to another computer and ask.

First of all, you will need to download a few programs to aid in the removal of the infection.

Go here and download About:Buster.
Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the aboutbuster.exe icon and then click on the Update button to check for new updates. If any updates exist, please install them. Do not run it yet.

Now go here and download CWShredder. Save it to your desktop. Open it and click the “Check for Update” button. Download the updates if it says a new version is available. Then exit the program; you will run it later.

Download and install ewido anti-malware trial from:
http://www.ewido.net/en/download/

* When installing, under “Additional Options”, uncheck both “Install background guard” and “Install scan via context menu”.
* When you run Ewido for the first time, you could get a warning “Database could not be found!”. Click Ok.
* The program will prompt you to update. Click the Ok button.
* The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

* On the left-hand side of the main screen click the Update button.
* Click on Start. The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido. Do NOT run it yet.

Next, download CleanUp! from here. Save it to your desktop. Don’t run it yet.

Now, download Pocket killbox from here. Leave it on the desktop for now. We may need it later.

Print out the following instructions or copy them to Wordpad as you will not have internet access for a bit.

Now, please close all browsers and physically pull the cord to your internet connection and remain disconnected for the remainder of the fix. Do NOT open up Internet Explorer again until the fix is complete. The infection will attempt to reinstall itself if you do.

IMPORTANT — we need to disable an NT service first.

Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.
Click the “Extended” tab.
Scroll down and find the service called Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netfw.exe
Click once on the service to highlight it.
Click “Stop”.
Right-click on the service.
Click on “Properties”.
Select the “General” tab.
Click the Arrow-down tab on the right-hand side on the “Start-up Type” box.
From the drop-down menu, click on “Disabled”.
Click “Apply”, then “OK”.

Now we will delete the service:

Open HijackThis.
Click on the “Open Misc. tools section” button.
Click on the “Delete an NT service” button.
Copy and Paste the following line in the space provided and click OK:

11Fßä#·ºÄÖ`I

The program will ask you to reboot. Accept.

Boot into Safe Mode. (If you’re not sure how to do this, click this link):
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Now let’s set Windows to show all files:

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the “My Computer” icon.
  3. Select the “Tools” menu and click “Folder Options”.
  4. After the new window appears select the “View” tab.
  5. Put a checkmark in the checkbox labeled “Display the contents of system folders”.
  6. Under the Hidden files and folders section select the radio button labeled “Show hidden files and folders”.
  7. Remove the checkmark from the checkbox labeled “Hide file extensions for known file types”.
  8. Remove the checkmark from the checkbox labeled “Hide protected operating system files”.
  9. Press the “Apply” button and then the “OK” button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under “More advanced search options”, make sure there is a check by “Search System Folders”, “Search hidden files and folders” and “Search system subfolders”.

Now it’s time to run the AboutBuster program on the desktop (stay in Safe Mode).

Double-click on it, hit Ok, Start, and Ok again to start the scan. It will generate a log. Please save the log so I can view it later. Then exit the program.

Now open up CWShredder. Press “Fix” > “OK” and when it’s done scanning, press “Next” > “Exit”.

(Continued in next post)

Now open up HijackThis again and click on “Do a system scan only”.
When it finishes, put a check before the following lines:
[b]
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {572CC3BC-F47C-72F9-991D-07F17112FD33} - C:\WINDOWS\system32\wineo32.dll (file missing)

O2 - BHO: Class - {ABA388C5-AC45-44CB-9816-6536A674986F} - C:\WINDOWS\system32\sdkum32.dll (file missing)

O2 - BHO: Class - {BFF9AA12-B35F-5FD0-E04C-538197D788AE} - C:\WINDOWS\ntpu.dll

O2 - BHO: Class - {C902789B-AF19-4056-CC6A-4E38EC39868F} - C:\WINDOWS\system32\wintx.dll (file missing)

O2 - BHO: Class - {CC3C2CF2-A3EE-2261-69DA-A3A388D404C9} - C:\WINDOWS\system32\iein.dll

O2 - BHO: Class - {D53C9B47-4C61-5E63-5486-F572BE0C0090} - C:\WINDOWS\appuy.dll (file missing)

O2 - BHO: Class - {E057CF21-D46C-343B-7955-D8C449B5966D} - C:\WINDOWS\javaag32.dll (file missing)

O2 - BHO: Class - {E4D353C5-F038-4827-9CDA-ABDCF49E5AB5} - C:\WINDOWS\apppi32.dll

O2 - BHO: Class - {E5AEC6A2-E0DA-BCCF-46E8-C8D57F1BAB09} - C:\WINDOWS\apiyj32.dll (file missing)

O2 - BHO: Class - {EC15E88B-8211-11D5-283C-E2E36C934580} - C:\WINDOWS\system32\apifp32.dll

O2 - BHO: Class - {F007D83D-E7B6-F6E1-AE66-146D284B5A3C} - C:\WINDOWS\syssg.dll (file missing)

O2 - BHO: Class - {FA168010-C6D6-4D24-E877-91477B61A199} - C:\WINDOWS\winaf32.dll (file missing)

O2 - BHO: Class - {FA24E3A3-830C-7CE5-9AA3-9E1D994407F0} - C:\WINDOWS\system32\sysxn32.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM..\Run: [atlfm32.exe] C:\WINDOWS\atlfm32.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O21 - SSODL: ugosWXQIloK - {C871EA18-62DB-40B2-5356-37B0ADCEF7DE} - C:\WINDOWS\System32\hrphgf.dll (file missing)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netfw.exe
[/b]

Then make sure ALL windows are closed except HijackThis and hit the “Fix checked” button.

Next, using Windows Explorer and/or the search function, navigate to and delete the files listed in bold below if they are found to exist. Delete ONLY the part in bold.

C:\WINDOWS\[b]cllnn.dll[/b]

C:\WINDOWS\system32\[b]wineo32.dll[/b]

C:\WINDOWS\system32\[b]sdkum32.dll[/b]

C:\WINDOWS\[b]ntpu.dll[/b]

C:\WINDOWS\system32\[b]wintx.dll[/b]

C:\WINDOWS\system32\[b]iein.dll[/b]

C:\WINDOWS\[b]appuy.dll[/b]

C:\WINDOWS\[b]javaag32.dll[/b]

C:\WINDOWS\[b]apppi32.dll[/b]

C:\WINDOWS\[b]apiyj32.dll[/b]

C:\WINDOWS\system32\[b]apifp32.dll[/b]

C:\WINDOWS\[b]syssg.dll[/b]

C:\WINDOWS\[b]winaf32.dll[/b]

C:\WINDOWS\system32\[b]sysxn32.dll[/b]

C:\WINDOWS\[b]atlfm32.exe[/b]

[b]PowerReg Scheduler.exe[/b] (I don’t know the path, so you can just search for it.)

C:\Program Files\Common Files\MySoftware\[b]NewsFlsh.exe[/b]

C:\WINDOWS\Downloaded Program Files\[b]file://c:\ied_s7.cab[/b] – (the file with any part of that name)

C:\WINDOWS\Downloaded Program Files\[b]file://c:\x.cab[/b] – (the file with any part of that name)

C:\WINDOWS\System32\[b]hrphgf.dll[/b]

C:\WINDOWS\[b]netfw.exe[/b]

Now it is time to search for some files that we do NOT want to delete. Hopefully the malware program hasn’t erased them. They are:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll

If a Windows search fails to turn up any of the above files, make a note of which ones were not found so that you will be able to download them.

Now run the CleanUp! program that you downloaded:
Double-click on the icon.
Hit the “CleanUp!” button.
When the report window indicates that it has finished, hit the “Close” button. It’s that simple.

Let’s get an ewido Security Suite scan now. It will probably take a while, so please be patient.

Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

Open the program

Click on scanner

Click on Settings

* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK

Click on Complete system scan

Let the program scan the machine

If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AOL, pcAnywhere and the game “Risk” have been flagged. In particular, watch for alerts that have the word “Heuristic” in them - if you recognize the file name as “friendly,” these may actually be false positives) select “none” as the action. DO NOT check “Perform action with all infections.” If you are unsure of an entry, select “none” for the time being. I’ll see that in the log you will post later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

Click Save report

Save the report to your desktop

Exit ewido

Now restart the computer back into Normal Mode.

Run a fresh HijackThis scan and save the log.

Reconnect to the internet and post the logs from AboutBuster, ewido, and THE LATEST HijackThis log back to this same thread. If any missing files were noted in the above-mentioned search, you can go ahead and download them from: http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

doc_esb
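Added example, not from any of the posts above and not a HijackThis feature: the entries doc_esb ticks in his fix list share a few mechanical tells (search settings pointing at a res:// DLL, BHOs registered under the bare name "Class" or with the DLL gone, a toolbar CLSID with no file, a lowercase random-looking .exe autorun from the Windows root, Trusted-zone additions, an ActiveX control installed from file://, an SSODL entry with a missing DLL, and a service whose short name is line noise). The script below pulls those out of a raw HJT 1.99 log before a human reads the rest. The sample lines are excerpted from clueless2's posted log; the function names and the exact heuristics are this example's own assumptions, and a hit is a prompt to look closer, not a verdict.

```python
"""Triage a HijackThis 1.99 log for the entry patterns the thread singles out.

Added example; it is neither part of the forum posts nor of HijackThis.  The
sample lines are excerpted from the log posted in the thread.  Function names
and the heuristics' exact thresholds are this example's own assumptions.
"""
import re
from typing import List, Optional, Tuple

# Excerpt of the posted log.  One benign line per section is kept next to the
# entries doc_esb marked for removal, so the heuristics are checked against both.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cllnn.dll/sp.html#28129%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {572CC3BC-F47C-72F9-991D-07F17112FD33} - C:\WINDOWS\system32\wineo32.dll (file missing)
O2 - BHO: Class - {BFF9AA12-B35F-5FD0-E04C-538197D788AE} - C:\WINDOWS\ntpu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [atlfm32.exe] C:\WINDOWS\atlfm32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098494961168
O21 - SSODL: ugosWXQIloK - {C871EA18-62DB-40B2-5356-37B0ADCEF7DE} - C:\WINDOWS\System32\hrphgf.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netfw.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
"""

# Naming pattern shared by the DLLs/EXEs in the posted O2 and O4 lines: a few
# lowercase letters, optionally "32", then .dll/.exe.  Weak on its own, so it is
# only applied to files sitting directly in the Windows root (heuristic).
RANDOM_NAME = re.compile(r"^[a-z]{3,6}(32)?\.(dll|exe)$")
WINDIR_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)
SERVICE_NAME_OK = re.compile(r"[A-Za-z0-9 ._-]+")


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, reason) when a log line matches a suspicious pattern."""
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    sec, rest = m.group(1), m.group(2)

    if sec in ("R0", "R1") and "res://" in rest:
        return sec, "IE search/start page redirected into a local DLL resource"
    if sec == "R3" and "missing" in rest:
        return sec, "default URLSearchHook has been removed"
    if sec == "O2":
        # A registered BHO normally carries a descriptive name; the bare word
        # "Class" is what every entry doc_esb flagged in this log shows.
        name = rest[len("BHO: "):].split(" - ")[0]
        if name == "Class" or "(file missing)" in rest:
            return sec, "BHO with generic name or missing DLL"
    if sec == "O3" and "(no file)" in rest:
        return sec, "toolbar CLSID registered with no backing file"
    if sec == "O4":
        target = rest.split("] ", 1)[-1].strip().strip('"“”')
        if WINDIR_ROOT.match(target) and RANDOM_NAME.match(target.rsplit("\\", 1)[-1]):
            return sec, "autorun of a randomly named executable in the Windows root"
    if sec == "O15":
        return sec, "host or IP added to the Trusted sites zone (review each one)"
    if sec == "O16" and "file://" in rest:
        return sec, "ActiveX control installed from a local .cab via file://"
    if sec == "O21" and "(file missing)" in rest:
        return sec, "ShellServiceObjectDelayLoad entry pointing at a missing DLL"
    if sec == "O23":
        fields = rest.split(" - ")
        owner = fields[1] if len(fields) >= 3 else ""
        image = fields[-1].split('"')[0].strip()
        # The service's short name is the last parenthesised token of field 0.
        short = re.search(r"\(([^()]*)\)\s*$", fields[0])
        if short and not SERVICE_NAME_OK.fullmatch(short.group(1)):
            return sec, "service short name is not a plausible identifier"
        if owner == "Unknown owner" and WINDIR_ROOT.match(image):
            return sec, "service with no publisher info running from the Windows root"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag suspicious lines, in log order, as (section, reason, line)."""
    hits = []
    for line in log_text.splitlines():
        res = triage_line(line)
        if res is not None:
            hits.append((res[0], res[1], line.strip()))
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason}\n     {line}")
```

Run as-is it prints twelve hits (the two res:// redirects, the missing URLSearchHook, both "Class" BHOs, the file-less toolbar, atlfm32.exe, both Trusted-zone entries, the file:// DPF, the orphaned SSODL and the netfw.exe service) and passes the Adobe, avast, BCMSMMSG, Windows Update and Kodak lines. To run it over the full log in the first post, save that log to a file and pass its contents to triage() in place of SAMPLE_LOG.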

great post doc! 8) Fantastic effort. :wink:

Thanks Cloussau. It looks like I missed one though. CharleyO is correct – Power Reg Scheduler is malware and should be included in the fix. I am going to modify the post to include it and keep an eye out for it in the next log in case clueless2 has already begun the fix.

doc_esb


Woohoo … I got one right! :wink:
(well, a few more actually … I’m no expert at that but a few things stood out as being very wrong … :slight_smile: )

I was sure I did not have all of it which is why I suggested for clueless2 to wait for more input. :slight_smile:

Thanks for your input, Spiritsongs! :wink:

Yep, a great effort you did, doc! :smiley:


Thanks so much for the help. I will let you know what happens.

a little less clueless

doc,

reading your posts is like watching an artist at his easel.

Geez, thanks mauserme. I give the credit to my teachers. :slight_smile:

doc_esb