Member Panel

Correct Green is good. Here is my wife's although it say's realteck is spyware, it aint. I trace route where it tries to go and it dont go anywhere!!

Hey wheres my pic??? Tried it three times?

test


edit: works fine.

hmm does not work for me??? the image shack hosting hmmmm


DUUUUU :oops ? I guess pressing host it would help hu instead of just pressing post!! Man Hengis gotta make it hard on me dont ya :-D

Ooohh , you ment imageshack. Works to :lol:

:laughing@:

Hi tried both methods. this is the results for the PC pit stop scan.
Name Vendor Complete File Name
MSN Queue Manager Microsoft Corporation C:\WINDOWS\LOADQM.EXE

MS Office startup C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

MS Office Find Fast Microsoft Corporation C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

Universal Plug and Play Microsoft Corporation C:\WINDOWS\SYSTEM\SSDPSRV.EXE

MSN Messenger Microsoft Corporation C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

Still Image Monitor Microsoft Corporation C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\PTSNOOP.EXE

Lexmark International, Inc. C:\WINDOWS\SYSTEM\LXBSPPLS.EXE

Lexmark International, Inc. C:\PROGRAM FILES\LEXMARK\LEXMARK PRECISION PHOTO\MEMCARD.EXE
(Various) Microsoft Corporation C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\INTELL32.EXE
Microsoft Corporation C:\WINDOWS\WUAUCLT.EXE
Wanadoo C:\WANADOO\WANADOOCONNECTIONKIT\ATDIALLER1.EXE

Here is another HJT scan. I tried merlins method with the scanner but unless i do it manually the price of it is too high for me!

Logfile of HijackThis v1.99.1
Scan saved at 10:27:46, on 19/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WANADOO\WANADOOCONNECTIONKIT\ATDIALLER1.EXE
C:\PROGRAM FILES\LEXMARK\LEXMARK PRECISION PHOTO\MEMCARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\MY DOCUMENTS\JOSH\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=http://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MicroDialler] C:\Wanadoo\WanadooConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\IntraLaunch.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB


I heard of a good free firewall called Zone alarm. Would it be worth downloading that?

There are some things in youre log that i can't figure for 100% sure what they are , i will leave some of them for now and first try to get rid of Psguard , ive included some additional scanning apps at the end of the fix , maybe they help with those.

And Zone Alarm is pretty good , and not to difficult to use.I use the pro version myself.




Print out these instructions as we will need to shutdown every window that is open later in the fix.

Enter the Windows Control Panel and double-click on Add/Remove Programs.

When the installed programs list appears, double-click on the following entries if they exists and allow them to uninstall.

Security IGuard
Virtual Maid
Search Maid

Then exit the Add/Remove Programs screen and the Control Panel.

Download: smitfraud.reg and save this file to your desktop.

And download: smitRem.zip and save this file to your desktop.


Locate the smitfraud.reg file on your desktop and double-click it. When asked if you want to merge with the registry, click the YES button. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Make sure Hidden files and folders are set to show.

How to see hidden files in Windows

1.double-click the My Computer icon
2.Click on the View menu, click Folder Options
3.Advanced Settings box, under the "Hidden files" folder, click Show all files.
4.If you see a warning message, click Yes.
5.Click Apply.
6.Click OK.


Download the Killbox by Option^Explicit and save it to your desktop. Extract killbox.zip to your desktop. Then double-click on the killbox.exe program.

When the program is open, select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.

Highlight the list of bolded files below and paste them into notepad.

Note: Killbox will let you know if the file does not exist. Some of them will not exist.



C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\Windows\popuper.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\WINDOWS\System32\hookdump.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\WINDOWS\q146937_disk.dll

After they are copied into notepad, highlight them again ONE AT a Time and then copy and paste them into the killbox window titles "Full Path of File to Delete"

Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the reboot prompt until you are on the last file.


If your computer does not restart automatically, please restart it manually in safemode.

While your computer is restarting, keep tapping "F8" until a menu appears. Use your up arrow key to highlight Safe Mode, then press the enter button on your keyboard.

Navigate to the Smitrem.zip file , open it and run it by double clicking on Runthis.bat , wait untill its finished and it will create a log file on youre C:\ disk. (smitfiles.txt)


Using Windows Explorer, delete the following files, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\PSGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Open hijackthis. When the program starts place a check next to each of the following bolded entries, if found, then click FIX CHECKED button.

Did you set these youreself? If not , fix these to:


When it is done fixing the entries, exit the HijackThis program and restart your computer so its back into normal mode.


Replace your hosts file with one of the two options below. I recommend the first option.

Option A.
Replace your host file with the one available here. This one adds a huge list of sites to your host file to help prevent infection. Instructions are provided at that site.

Option B.
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

Download, install, and run Ccleaner

And run atleast one online AV scan and also run stinger

Reboot and post another HJT log plus the smitfiles.txt.