Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.
Open Task Manager & end process on the following:
smsc.exe
Then go to F:\WINDOWS\System32 and delete the file manually.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} - F:\WINDOWS\System32\taceoaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PvzP.dll
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
Search for wuamgrd.exe and delete if found.
Reboot after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.
crunchie
Most Valuable Poster
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
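As an added example (not from the original post and not HijackThis's own code): a small Python triage script that parses O2, O4 and O9 lines in the format HijackThis writes and flags the structural signs the reply above is acting on: a BHO registered with no display name, a registration whose file is gone, a DLL loading out of a Temp directory, and an autostart value that names a bare executable rather than a full path. The sample log is constructed from the entries quoted above plus one benign ctfmon line; the flag heuristics are my own, not HijackThis's.

```python
import re

# Constructed sample: the HijackThis entries quoted in the post above, plus one
# benign Run value (ctfmon) so the heuristics have something to leave alone.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\\WINDOWS\\System32\\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temp\\PvzP.dll
O4 - HKLM\\..\\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\\..\\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\\WINDOWS\\System32\\ms.exe
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")

# O2 (browser helper objects) and O9 (IE extra buttons / Tools items) share
# the shape:  <kind>: <display name> - {CLSID} - <file path or "(no file)">
COM_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)

# O4 (autostart registry values):  <hive>\..\<key>: [<value name>] <command>
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<command>.*)$"
)


def parse_line(line):
    """Split one log line into its fields; returns {} for lines we do not model."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    entry = {"section": m["section"], "raw": line.strip()}
    if entry["section"] in ("O2", "O9"):
        sub = COM_RE.match(m["body"])
    elif entry["section"] == "O4":
        sub = RUN_RE.match(m["body"])
    else:
        sub = None
    if sub:
        entry.update(sub.groupdict())
    return entry


def reasons_for(entry):
    """Structural red flags only (my heuristics, not HijackThis's own logic)."""
    reasons = []
    target = entry.get("target", entry.get("command", ""))
    if entry.get("name") == "(no name)":
        reasons.append("COM object registered without a display name")
    if target == "(no file)":
        reasons.append("registration points at a file that no longer exists")
    if re.search(r"\\temp\\", target, re.IGNORECASE):
        reasons.append("loads from a Temp directory")
    if "command" in entry and "\\" not in entry["command"]:
        reasons.append("bare file name, found via the search path rather than a fixed path")
    return reasons


def triage(log_text):
    """Parse every modelled line and attach its list of reasons (possibly empty)."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            entry["reasons"] = reasons_for(entry)
            rows.append(entry)
    return rows


def flagged(log_text):
    """Only the entries worth a second look."""
    return [r for r in triage(log_text) if r["reasons"]]


if __name__ == "__main__":
    for row in flagged(SAMPLE_LOG):
        print(row["raw"])
        for why in row["reasons"]:
            print("    -", why)
```

Paste a real log in place of SAMPLE_LOG to use it; the heuristics deliberately say nothing about what a file does, only about how it is registered, so an unflagged line is not a clean bill of health and a flagged one (a legitimate installer's RunOnce value, say) still needs a human look, which is exactly the division of labour in the thread above.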
Questions: I have and use spysweeper. It still indicates that Win32 Driver is present in my register keys. Is there a way to be totally rid of this strain? Also, will my McAfee step up to prevent these viruses from returning? Or is it time to scrap McAfee for Norton Antivirus?
The Win 32 Driver and smsc.exe entries indicate an infection by one of the variants of the AGOBOT/FORBOT worm; assuming that you're using current virus definition updates, any of the major AV packages (including McAfee's) should be able to deal with it.
In terms of your log, it now looks clean, except perhaps for the MaxSpeed entries:
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
At least one anti-virus company (Sophos) links it to a trojan.
DMR
Wombat At Large
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
Well, my McAfee application is 2004, but that may not mean that it's current enough to deal with whatever trojan strain is occupying my computer.
It isn't the version of your anti-virus program itself that's important; what's important is that you have downloaded the most current virus definition updates for that program; new definition updates for any of the major AV programs can be released as often as every other day. If you haven't kept current with those updates since installing the program itself, your AV program is pretty much useless at this point. Both McAfee and Norton offer free updates for a certain period of time (which varies by product) after installing the programs. Within that time period you can freely download all of the current product updates, but after the time expires you will have to pay a monthly or yearly fee in order to download the updates.
DMR
The deletion of those files should have rid you of the virus.
Go here to TrendMicro for an on-line scan & set it to autoclean for you.
Try this scan at Panda as well.
crunchie
could they have damaged my internet access prior to their removal?
Yes, in a couple of different ways.
If you can reach some/most sites, but cannot reach anti-virus, anti-spyware, or other such security-oriented sites:
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".
- Navigate to your C:\windows\system32\drivers\etc folder and find the file named "hosts".
- Open that file in Windows Notepad. Aside from the comment lines at the beginning of the file (the lines which begin with a " # "), it should contain only the following entry:
127.0.0.1 localhost
If you find other similar-looking entries below that, delete all of them and save the file.
Important: Notepad will want to add a .txt extension to the newly-saved filename, so after saving the file and closing Notepad you will need to rename the file back to simply "hosts" (that is, remove the .txt from the end of the filename).
If the connection problem occurs with all/any sites you try to reach, let us know that.
DMR
OK- keep us posted.
In terms of not being able to change the file association/extension, you do have to be logged in to an account with administrative rights to make such changes.
If the added entries you found in your hosts file referred to sites such as Panda's, Symantec/Norton, McAfee, etc., you should be able to reach those sites now that you've deleted their entries.
Just FYI:
The entries in the "hosts" file are mappings of host names/URLs to their respective IP addresses. This is essentially like having a small DNS server on your own computer, in that when you type a URL into your browser (or click on a link to a URL on a web page), Windows will look in the hosts file to see if the URL you typed/clicked has a matching IP address there. If so, Windows will direct your browser to that IP address; if not, Windows will then look to your DNS servers to match the URL with an actual IP address. (The use of hosts files was how hostname-to-IP address mapping/resolution was done before DNS was invented.)
The problem with this method is that:
A) By default, Windows will consult the local hosts file before consulting any DNS servers on your network or on the Internet.
B) There is no error checking at all concerning validity of the mappings in your hosts file. You (or someone else) can put any hostname-to-IP mapping entry you want into the hosts file; when your browser encounters that hostname, it will automatically try to go to the associated IP address listed in hosts.
Just for grins, you can test this yourself.
1. Put the following entry at the end of your hosts file and save the file:
64.233.167.99 www.spooge.com
2. Open a web browser and type this in the location/address box:
www.spooge.com
If your browser took you to Google, congratulations- you've just demonstrated what a huge security hole the hosts file presents.
*Setting the "read only" attribute on the hosts file can keep viruses, hijackers, etc. from making unwanted changes to the file.
DMR
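Added example, not part of DMR's posts: a Python script that applies the hosts-file check from the two replies above. It parses the file the way the post describes (comment lines, blank lines, one IP address followed by one or more names, with `#` starting a comment anywhere on a line), reports every mapping other than `127.0.0.1 localhost`, distinguishes entries that sink a name into the local machine (the trick used to block anti-virus sites) from entries that pin a name to some other address (the www.spooge.com trick), and produces a cleaned copy containing only the comments and the localhost line. The sample file contents and the list of vendor name fragments are constructed for illustration and are assumptions, not taken from the poster's machine.

```python
import ipaddress

# Constructed sample hosts file (illustration only, not from the poster's
# machine): the Microsoft comment header, the one legitimate line, two names
# sunk to the local machine, one name pinned to a foreign address, and one
# name sunk to 0.0.0.0.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       securityresponse.symantec.com   # trailing comment, still a live mapping
64.233.167.99   www.spooge.com
0.0.0.0         liveupdate.symantecliveupdate.com
"""

# Assumed, illustrative list of name fragments belonging to the kind of sites
# the post says hijackers block.
SECURITY_VENDOR_HINTS = (
    "symantec", "norton", "mcafee", "panda", "trendmicro", "sophos", "windowsupdate",
)


def parse_hosts(text):
    """Return one {lineno, ip, name} record per hostname in the file."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip the line
        for name in fields[1:]:
            records.append({"lineno": lineno, "ip": ip, "name": name.lower()})
    return records


def is_local_sink(ip):
    """127.0.0.0/8, ::1 or 0.0.0.0: traffic for the name never leaves this machine."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Every mapping except the plain localhost line, with why it matters."""
    findings = []
    for rec in parse_hosts(text):
        if is_local_sink(rec["ip"]) and rec["name"] == "localhost":
            continue
        findings.append({
            "lineno": rec["lineno"],
            "name": rec["name"],
            "ip": str(rec["ip"]),
            # blackhole: the site becomes unreachable; redirect: the browser
            # silently goes somewhere else, exactly the www.spooge.com trick.
            "kind": "blackhole" if is_local_sink(rec["ip"]) else "redirect",
            "vendor": any(h in rec["name"] for h in SECURITY_VENDOR_HINTS),
        })
    return findings


def clean_hosts(text):
    """Return the file with comments kept and only the localhost mapping left."""
    kept = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            kept.append(line)                    # comment or blank line
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if is_local_sink(ip) and all(n.lower() == "localhost" for n in fields[1:]):
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        tag = " (security vendor)" if f["vendor"] else ""
        print(f'line {f["lineno"]}: {f["kind"]:9} {f["name"]} -> {f["ip"]}{tag}')
    print(clean_hosts(SAMPLE_HOSTS))
```

To run it against a real machine, read %SystemRoot%\System32\drivers\etc\hosts into the text instead of SAMPLE_HOSTS; reading needs no special rights, but writing the cleaned copy back does require an administrative account, as the reply above notes, and setting the read-only attribute afterwards (`attrib +r hosts`) is the same precaution the post suggests at the end.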
1.Get rid of SurfMonkey. Why? Because it's a bogus program.
2. Can you tell us what exact problems you're still having (if any)? Aside from the SurfMonkey stuff, your log looks clean.
DMR
You're welcome :)
The desktop icon sizing sounds like it could be a separate (non-spyware) issue; is it the entire screen resolution which has changed, or just the size of the icons themselves?
DMR