I have been attached by the smithfraud

Unknown

Please help.

I have been attacked by smithfraud.c and cannot get it to go away.

Here is my Highjack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:03 AM, on 7/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\business\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

Please help.

Shadow2018

You are running Hijack This from a temporary location. Hijack This needs to be moved to your C directory. Once you have completed this make sure you can view all hidden files:

open "my computer">click tools>folder options>click view tab>check show hidden files>untick hide file extensions>click apply>ok>exit.

Post a new log.

skorr

Okay, I have moved it. Here is my new log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:08 AM, on 7/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab


Thanks for any help you can provide

Shadow2018

Download
Ad-Aware SE 1.06 and save the setup file to a convenient location. Run the setup file and then update Ad-Aware SE with the latest definitions. Exit this for now.


Boot up in safe mode. To enter safe mode>reboot>tap the f8 button at the start up screen> select safe mode from the menu.

Run Hijack This and place a checkmark next to these entries then click Fix Checked:

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\System32\rasmxs.exe

Then delete these files if they exist:

C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\rasmxs.exe

Now run a "full system scan" with Ad-Aware SE. Remove all files found.

Reboot into normal mode and run Panda software's

activescan . Please save the log from this scan and post it with a new Hijack This log.

You are infected with a variant of Smitfraud. Panda software is the only software that will show me the file names and locations.

skorr

Thanks for helping.

Here are my highjack and panda logs:

Panda:
Incident Status Location

Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\system32\svcnt.exe
Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\BUSINESS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\AntivirusGold 2.0.lnk
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/psguard No disinfected HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Antivirus-gold No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\799AF5C1-FB21-4F35-B07D-7D24E4\0DC0F91C-70EE-4CDB-984D-2161DA
Adware:Adware/Antivirus-gold No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\799AF5C1-FB21-4F35-B07D-7D24E4\3EEF8503-9B62-4FCC-AB81-9D50E3
Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\intel32.exe
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\system32\svcnt.exe
Virus:Bck/Pidor.A Disinfected C:\WINDOWS\system32\thn32.dll
Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:24 AM, on 7/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

Thanks again.

skorr

Shadow 2018

Please help me. I am stuck and cannot get any further.

Thanks,
skorr

Shadow2018

Check your add/remove programs for PSguard. If found uninstall it.

Reboot into safe mode and then delete these files:


C:\WINDOWS\system32\svcnt.exe
C:\DOCUMENTS AND SETTINGS\BUSINESS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\AntivirusGold 2.0.lnk
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
C:\Program Files\Microsoft AntiSpyware\Quarantine\799AF5C1-FB21-4F35-B07D-7D24E4\0DC0F91C-70EE-4CDB-984D-2161DA
AntiSpyware\Quarantine\799AF5C1-FB21-4F35-B07D-7D24E4\3EEF8503-9B62-4FCC-AB81-9D50E3
C:\WINDOWS\system32\intel32.exe

Run Hijack This and place a checkmark next to these entries and click Fix Checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm

Delete these files:

shdocsv.dll/blank.htm
shdocsv.dll/asst.htm

You will need to do a search for the following files to find and delete them:

shdocsv.dll/blank.htm
shdocsv.dll/asst.htm
HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437D-B334-DEB7EB4982A3}
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

Post a new log when finished. Make sure all hidden files are still viewable.

skorr

I have done all of the above. My internet explorer home page now goes to about:blank. Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 5:22:37 AM, on 7/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

Shadow2018

Run Panda's activescan again and post the results. You are still infected wiith Smitfraud.

skorr

Here is my panda log scan:

Incident Status Location

Virus:W32/Smitfraud.C Disinfected Operating system
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM32\intel32.exe
Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM32\thn.dll
Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\BUSINESS\START MENU\AntivirusGold 2.0.lnk
Adware:adware/cws.yexe No disinfected HKEY_CLASSES_ROOT\CLSID\{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}
Spyware:Spyware/Smitfraud No disinfected C:\RECYCLER\S-1-5-21-1454471165-573735546-725345543-1003\Dc1.exe
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-1454471165-573735546-725345543-1003\Dc3.tmp
Adware:Adware/Antivirus-gold No disinfected C:\RECYCLER\S-1-5-21-1454471165-573735546-725345543-1003\Dc4\0DC0F91C-70EE-4CDB-984D-2161DA
Adware:Adware/Antivirus-gold No disinfected C:\RECYCLER\S-1-5-21-1454471165-573735546-725345543-1003\Dc4\3EEF8503-9B62-4FCC-AB81-9D50E3
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\intel32.exe
Adware:Adware/E-eliminator No disinfected C:\WINDOWS\system32\shdocsv.dll
Virus:W32/Smitfraud.C Disinfected C:\WINDOWS\system32\wininet.dll

Crunchie

As Shadow2018 is offline I don't think he will mind if I lend some help whilst you are still on .

Download the file I have attached by right clicking on it and selecting 'Save As.' Save, then unzip it to your desktop.
Reboot into Safe Mode and double click RunThis.Bat. It will do a good cleanup on this.
Reboot normally then please post a new HJT log.

==

Open Notepad, and copy/paste the following into a new file:

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Save this as FindFiles.bat, choose to save it as *all files and place it on your desktop.

Double click on FindFiles.bat and post the content of the text file you get in your next reply

==

I am off to bed now, but will check back in the morning.

skorr

Here the find files:
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

and here is the hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 11:50:46 AM, on 7/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

I see intel32 is still there but I have deleted it many times.

Help.....

Shadow2018

Reboot into safe mode.

Run Hijack This. Be sure to close all open windows except for HJT before fixing. Place a checkmark next to these entries and click Fix Checked:

O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

Delete these files or directories if they exist:

C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\SYSTEM32\thn.dll
C:\DOCUMENTS AND SETTINGS\BUSINESS\START MENU\AntivirusGold 2.0.lnk
C:\WINDOWS\system32\shdocsv.dll

Reboot and post a new log.

Crunchie

You never let the bat file run long enough. The text file will show up on your desktop way before the full text is written to it .
Please run it again because we must find an uninfected wininit file to replace the infected one with.

skorr

Crunchie:

Here is my FindFiles.bat:

Volume in drive C has no label.
Volume Serial Number is 9474-0194

Directory of C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$

08/23/2001 05:00 AM 593,920 wininet.dll
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\LastGood\System32

08/23/2001 05:00 AM 593,920 WININET.DLL
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\LastGood\System32\DllCache

08/23/2001 05:00 AM 593,920 WININET.DLL
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819

08/04/2004 12:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes


Shadow:

I cannot delete the winiet file becaus ethen I am unable to get on the internet. I tried this and had to go back and restore my system from a previous date to have internet access.

Any help is dearly appreciated

Crunchie

OK. Please try this first as the fix will attempt to delete the infected wininit file and replace it with a good one .

====

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan it will prompt you to clean files, click OK
• When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

skorr

I am still showing infections. Here are my log files:

Hijack -
Logfile of HijackThis v1.99.1
Scan saved at 10:08:09 AM, on 7/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NBS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [Panda_cleaner_39194] C:\WINDOWS\System32\ActiveScan\pavdr.exe 39194
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Active Scan -

Incident Status Location

Virus:W32/Smitfraud.C Disinfected Operating system
Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM32\thn.dll
Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\BUSINESS\START MENU\AntivirusGold 2.0.lnk
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/cws.yexe No disinfected HKEY_CLASSES_ROOT\CLSID\{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}
Adware:Adware/E-eliminator No disinfected C:\WINDOWS\system32\shdocsv.dll
Virus:W32/Smitfraud.C Disinfected C:\WINDOWS\system32\wininet.dll
Ewido -

---

ewido security suite - Scan report

---

+ Created on: 9:19:00 AM, 7/26/2005
+ Report-Checksum: 186818CB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@counter2.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@ehg-simon.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@ehg-traderelectronicmedia.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\business\Cookies\business@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

SmitRem -
Volume in drive C has no label.
Volume Serial Number is 9474-0194

Directory of C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$

08/23/2001 05:00 AM 593,920 wininet.dll
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\LastGood\System32

08/23/2001 05:00 AM 593,920 WININET.DLL
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\LastGood\System32\DllCache

08/23/2001 05:00 AM 593,920 WININET.DLL
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819

08/04/2004 12:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

It seems to be getting better but it is not completely right and the scans still show infections.

Thanks,

skorr

skorr

Okay, I was wrong. It was getting better, however, the wininet.dll was once again completely gone and I had to do a system restore back to last thrusday to even be able to access the net. I have always thought of myself as pretty computer savy but this is beyond me. All your help is appreciated.

Thanks again,

skorr