# ATTENTION! HJT log helpers. New canned fix for SpySherrif, Smitfraud & AntivirusGold



## Flrman1

This fix is posted here primarily as a reference for those who are experienced with helping on the forums with these infections. If you are a victim of this infection, It is not recommended that you attempt to fix this on your own. Before you attempt anything, post your Hijack This log in the Security forum and wait for help from one of our experienced helpers.

The following fix provided by *noadhfear* will work to remove all of these:

*AntiVirusGold
Smitfraud
SpySheriff*

*Note*: The smitRem fix will work on 9x systems also, but ewido will only work on XP/2K systems. In noahdfear's original fix he had Adaware included in the fix, but I've found that the smitRem fix and ewido alone work fine. For 9x systems you should use Adaware instead of Ewido.

*For XP/2k systems:*


> * *Click here* to download smitRem.exe.
> Save the file to your desktop.
> It is a self extracting file.
> Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
> Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
> 
> * Download the trial version of Ewido Security Suite *here*.
> Install ewido.
> During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
> Launch ewido
> It will prompt you to update click the OK button and it will go to the main screen
> On the left side of the main screen click *update*
> Click on *Start* and let it update.
> *DO NOT* run a scan yet. You will do that later in safe mode.
> 
> * *Click here* for info on how to boot to safe mode if you don't already know how.
> 
> * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.
> 
> * Restart your computer into safe mode now. Perform the following steps in safe mode:
> 
> * Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
> Wait for the tool to complete and disk cleanup to finish.
> 
> * Run Ewido:
> Click on *scanner*
> Click *Complete System Scan* and the scan will begin.
> During the scan it will prompt you to clean files, click *OK*
> When the scan is finished, look at the bottom of the screen and click the *Save report* button.
> Save the report to your desktop
> 
> * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
> 
> * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.
> 
> * Restart back into Windows normally now.
> 
> * Run ActiveScan online virus scan *here*
> 
> When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
> - Save the results from the scan!
> 
> *Post a new HiJackThis log along with the results from ActiveScan and the ewido scan*


*For 98/ME systems:*


> * *Click here* to download smitRem.exe.
> Save the file to your desktop.
> It is a self extracting file.
> Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
> Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
> 
> * Go *here* and download Ad-Aware SE.
> 
> Install the program and launch it.
> First in the main window look in the bottom right corner and click on *Check for updates now*
> Click *Connect* and download the latest reference files.
> Do not run Adaware yet. Just download the updates and have it ready to run later in safe mode.
> 
> * *Click here* for info on how to boot to safe mode if you don't already know how.
> 
> * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.
> 
> * Restart your computer into safe mode now. Perform the following steps in safe mode:
> 
> * Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
> Wait for the tool to complete and disk cleanup to finish.
> 
> * Now launch Adaware:
> 
> From main window click *Start* then under *Select a scan Mode* tick *Perform full system scan*.
> Next deselect *Search for negligible risk entries*.
> Now to scan just click the *Next* button.
> When the scan is finished mark everything for removal and get rid of it.
> Right-click the window and choose *select all* from the drop down menu and click *Next*
> 
> * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
> 
> * Next go to Control Panel > Display. Click on the "Web" tab. Under "View my Active desktop as a web page" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button.
> Remove the check by "View my Active desktop as a web page".
> Click OK then Apply and OK.
> 
> * Restart back into Windows normally now.
> 
> * Run ActiveScan online virus scan *here*
> 
> When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
> - Save the results from the scan!
> 
> *Post a new HiJackThis log along with the results from ActiveScan*


I am attaching my canned fixes for you with all the code tags. Mine is slightly different than the original posted by noadhfear, but not much. Feel free to save it and use it.


----------



## Flrman1

I should also mention that if there are other files and HJT entries involved in the log, you will have to add those options to the fix to delete the related files by adding info to download and use Killbox to to delete any other files. Use Killbox or whatever is your preferred method, but I do highly recommend that all of you that help with the logs start using Killbox. It is much easier on the victim that way. They don't have to go through the tedious process of finding all the files. As we all know many of them can't seem to find files that are there anyway.


----------



## khazars

ok, cheers for the info, killbox it is!
Thx for the update on 9x, this will be very useful. :up:


----------



## Flrman1

I edited the part about removing the Security info page in the Display properties. It should be like so:

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar.If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

Either change that in your text file if you have already downloaded it or redownload it.


----------



## Cheeseball81

I was hoping this would get "Stickied" sooner or later. Great info! Thank you.


----------



## Flrman1

:up:


----------



## Flrman1

Thanks to cybertech for reminding me that ewido only works on xp/2k boxes. The smitrem fix works fine on 9x boxes, but use Adware in combination with it on 9x. I have edited the original post to reflect that and uploaded my canned response for that too.


----------



## cybertech

Thanks Mark, as always *nice job!* :up:


----------



## Cookiegal

Thanks for posting this Mark. Great work, as always!  

Thanks for all you do.


----------



## Flrman1

You're Welcome guys. Noahdfear did all the work. I'm just a Parrot!


----------



## MFDnNC

flrman1 said:


> You're Welcome guys. Noahdfear did all the work. I'm just a Parrot!


Aren't we all !!!!!!!!!!!!!!!!!!!!!!!!


----------



## talon03

MFDnSC said:


> Aren't we all !!!!!!!!!!!!!!!!!!!!!!!!


Nope, I'm an old dog following you guys around trying to learn new tricks! :up:


----------



## beardbuster

I just wanted to says "*THANKS*"
That walk thru really rocks and I was able to get back to normal again after becoming infected with SpySheriff  
I wanted to add that I have WXP and could not follow the instructions in safe made and had to run all the programs in normal bootup... Not sure if I did anything wrong but I tried and tried and was lucky I was real careful what I deleted without being in safe mode...
again THANKS !!!
Clyde


----------



## Flrman1

Welcome to TSG beardbuster. Glad you found this useful! :up:


----------



## beardbuster

THANKS for the







flrman1
I'll be sure to let others know about this place :up:


----------



## tj416

Thanks Mark!!


----------



## Flrman1

You're Welcome! 

noahdfear has come up with a new beta smitRem that checks for the infected wininet.dll file and tries to replace it. Since it is beta we can only use it on a few cases here and there. Also we can only post it in a thread as an attachment then remove the attachment immediately after the victim has used it. 

If any of you want to try it out, PM me.


----------



## tj416

Just incase someone is wondering what wininet.dll has to do with the infection. oleadm32.dll, a file that comes with the new variant of AVGold, replaces the legit copy of wininet.dll (It usually infects the one located at %SystemRoot%\system32). To resolve this, we used to make them run a batch file that would list all the locations of wininet.dll on the computer. We would then rename the infected copy and then take a clean copy of wininet.dll from the dllcache (or any other location). Hopefully noahdfear's batch will make life easier for us.


----------



## Flrman1

The directions for fixing the desktop on the 9x instrutions need to be changed. They should be like so:

Go to Control Panel > Display. Click on the "Web" tab. Under "View my Active desktop as a web page" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. 
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

I'm uploading my canned post revised with that change.


----------



## Flrman1

Ewido has updated to version 3.5. The new version no longer has the option to check or uncheck Binder, Crypter and Archives.

Canned posts need to be changed from this:

* Run Ewido:
Click on *scanner*
Put a check by the following before you scan:
*Binder
[*]Crypter
[*]Archives*

Click the *Start Scan* button to start the scan.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop
To this:

* Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop
I have updated my canned posts that are attached to the first post in this thread.


----------



## Cookiegal

Thanks so much for keeping this updated Mark! :up:


----------



## Flrman1

:up:


----------



## Flrman1

The smiRem beta we have been testing is no longer beta. It is ready for public release. Here is the new link:

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Please update your canned posts with the new link.

I am updating the first post in this thread also as well as the attachments,


----------



## khazars

Mark, just to let you and the other forum members know and check out, ccleaner has added a few new features which should possibly be disabled before running as they clean broken dlls , clean off active X and old software and a lot more!


I got this from another forum and I now use these tips before telling anyone to run ccleaner just in case it messes something up or deletes a needed file!



Click on the Issues tab, uncheck both boxes Registry Integrity and File 
Integrity
Click the Applications tab, scroll down to the Multimedia section and uncheck
Macromedia Flash Player.


khaz


----------



## Flrman1

The "Issues" are not dealt with or scanned for when you click "Run Cleaner". To have CCleaner fix those you have to first click "Issues" then "Scan for Issues". After the scan is finished, you have to individually select each issue you want fixed then click the fix button. The user would have to go way out of their way and stray a long way from the given directions to do all that.

The only part you mentioned there that is scanned for in the default scan run by clicking Run Cleaner is Macromedia. I have always run mine with that checked with no problem, but if you know of a problem it can cause please let us know.

It may be a good idea to post a general warning to users to not use CCleaner for anything else other than what you have asked them to do unless they know what they are doing, but I'd say sending them in there playing around with the Issues settings when those are not scanned for by default anyway may be tantamount to awakening "Curious George", as it were. Once you've done that, God only knows what some folks will be tempted to do.

I guess we could all discuss this here and decide among ourselves to what extent we should warn users about using CCleaner, but I honestly don't think we need to start them messing with those settings. If anyone disagress with that, then it's up to you. Do what you feel is appropriate and safe. I want hold it against you.


----------



## MFDnNC

flrman1 said:


> The smiRem beta we have been testing is no longer beta. It is ready for public release. Here is the new link:
> 
> http://noahdfear.geekstogo.com/click counter/click.php?id=1
> 
> Please update your canned posts with the new link.
> 
> I am updating the first post in this thread also as well as the attachments,


You took kill box out of the canned fix - any reason why?


----------



## Flrman1

I never had Killbox included in these directions MFD. I did make this post referencing Killbox:


flrman1 said:


> I should also mention that if there are other files and HJT entries involved in the log, you will have to add those options to the fix to delete the related files by adding info to download and use Killbox to to delete any other files. Use Killbox or whatever is your preferred method, but I do highly recommend that all of you that help with the logs start using Killbox. It is much easier on the victim that way. They don't have to go through the tedious process of finding all the files. As we all know many of them can't seem to find files that are there anyway.


I meant that for files and HJT entries other than those that are normally associated with Smit, SpySheriff and Antivirus Gold. I never did clarify all that, but the smitRem will remove all thus far known files and reg entries associated with those infections so if the victim has no other malware showing in the log there is no need for Killbox and there is no need to have them fix the entries in HJT associated with those infections.

If a user has only a few other entries and files not associated with Smit, SpySheriff and Antivirus Gold, I will usually include Killbox in the fix and have them fix it all in one shot, but if there are multiple infections present I will just run the basic canned smiRem fix and deal with the rest after seeing what ewido has cleaned.


----------



## MFDnNC

Could have sworn it was in an earlier version, but the rest is clear - I agree that killbox, lathough it is another DL and unzip it works better thatn having them hunt for files, especially ones like ??vhost - tnks


----------



## Flrman1

While we are discussing matters in here, I have thought about this a few times and never asked, but do you MFD, Khazars, Cheeseball and any of the other regular TSG HJT helpers have or use Yahoo or Windows Messenger? If you do, I would like to add you guys to my Friends/Contacts lists so if we need to get in touch with each other for any reason while one or the other of us is not here at the board we can. Any of you that want to do that, pm me your Yahoo ID or Windows Messenger ID. I used to have mine available in my profile, but that didn't work out too well. I started getting too many people sending me instant messages wanting help.


----------



## Cheeseball81

I fell behind on this one. Thanks for the updated fixes, Mark. 

I also think that's a really good idea to keep in touch via Messenger.
Makes it easier than having to report the posts.


----------



## Flrman1

PM me your Yahoo ID if you have one Nicole.


----------



## Cheeseball81

flrman1 said:


> PM me your Yahoo ID if you have one Nicole.


Sent


----------



## Flrman1

:up:


----------



## khazars

I don't use MSN or any other messenger but I can supply my e-mail if that's any use to you?


----------



## MFDnNC

I don't use any messengers


----------



## tj416

Hi Mark,

I use MSN Messenger. I can send you my email address if you like.


----------



## Flrman1

Yes, please pm me with those email addresses guys. Also let me have your NSN Messenger ID TJ.


----------



## tj416

Sent


----------



## ketsueki13

I missed this one somehow... Sorry about that flrman.


----------



## Flrman1

We all miss things from time to time.


----------



## poppet234

i have tried the fix for smitfraud but because i still have zango (which i can seem to get rid of ) im unable to download any zip files they are just being converted into media files,can you help


----------



## cybertech

poppet234, please return to your thread http://forums.techguy.org/showthread.php?t=378375 and post your problems there. This thread is not for solving it is here for information.


----------



## $teve

I see you guys have been busy while ive been on my "Sabatical" 
Now I have to bone up on a few things,its suprising how much you miss in just a few weeks so keep an eye on my posts wont you.Ill be around more and more as I pick things up again.


----------



## Cookiegal

Great to have you back $teve.  

I know it won't take you long to get back into the loop.


----------



## joe budden

I need some help i did what you said at the start of the thread i have got all 3 of those.I think i got rid of all 3 not sure when i put my comp in norm mode to scan the winnet.dll is missing so went on my moms comp download new winnet.dll and put it in the system file but still no luck can any one help me my computer is 98.


----------



## ~Candy~

joe budden, welcome to Tech Support Guy, you need to start your own thread for assistance. This is an information thread only.


----------



## joe budden

ok thx very much


----------



## Flrman1

Good to have you back $teve! :up:


----------



## $teve

Great to be back............its AAAALL coming back to me


----------



## Kingszito

I am very grateful to you guys. You are are doing a great job, especially you, flrman1. My PC has a problem, which I have posted my hjt logfile to Windows NT/2000/XP forum, I will be very grateful if you, flrman1 or other great guys attend to it. Thanks


----------



## napamac

Where can i get info on KillBox?


----------



## Cookiegal

napamac said:


> Where can i get info on KillBox?


http://forum.malwareremoval.com/viewtopic.php?t=320


----------



## Flrman1

SmitRem has been updated again. New files and reg entries have been added and it is now a self extracting archive. I have updated the first post in this thread and the attached canned speaches to reflect the change.


----------



## HOBOcs

Just thought I'd throw in my 2 cents... Great job guys. 
This reference material really helps me out! It assist me in helping others and leaves the threads open for the real tough stuff.
 :up:


----------



## Flrman1

Thanks Ucurl! :up:


----------



## Flrman1

Just a little heads up guys. Due to some recent information I have discovered on another forum about CCleaner, I have decided to discontinue the use of CCleaner in my cleanup recommendations. Although it has not been totally proven, it is believed that CCleaner has been the cause of some serious issues on some machines, particularly on 9x, the evidence is enough for me to decide not to use it until it is proven that these issues were not caused by CCleaner or the problem is rectified. It is your decision what you do, but I recommend that all of you discontinue recommending the use of CCleaner for now.

Here is an example:

http://www.alegsa.com.ar/Visitas/i70/Recovering windows.php

I have removed it from the posts in this thread. It was somewhat redundant with SmitRem anyway as it automatically runs Windows Disk cleanup.


----------



## Cheeseball81

Thanks for the heads up, Mark. 

I am guessing that means we should not include it in CWS fixes as well?

I suppose discontinuation all together would be best until we know for sure that the issue has been resolved.


----------



## Flrman1

I have already removed it from all my canned speaches and replaced it with Cleanup.

Here is my, or I should say one I borrowed and modified slightly, canned for it:

*Download Cleanup from *Here* 

 A window will open and choose *SAVE*, then *DESKTOP* as the destination.
 On your Desktop, click on *Cleanup40.exe icon.*
 Then, click *RUN* and place a checkmark beside "*I Agree*"
 Then click *NEXT* followed by *START* and *OK.*
 A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
 Click* OK*
 *DO NOT RUN IT YET*

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once its done, *close the program*.
As with CCleaner, it should be run in safe mode when the other steps that pertain to a fix are done in safe mode. I have also attached it with all the code tags.


----------



## cybertech

Thanks Mark! :up:


----------



## Flrman1

:up:


----------



## Cookiegal

Thanks for that info Mark.


----------



## Flrman1

You're welcome!


----------



## D_Trojanator

Flrman1 - am i able to use this canned speech , or do i have to make my own?
David


----------



## Flrman1

You are welcome to use this one.


----------



## Flrman1

It appears that there are a lot of problems with the link to Cleanup so here is another link:

http://www.spywareaid.com/index.php?file=showsoftware&id=1


----------



## ~Candy~

Did you guys see this???? 

http://www.eweek.com/article2/0,1895,1845248,00.asp


----------



## D_Trojanator

I don;t understand what i means 
David


----------



## ~Candy~

During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.


----------



## D_Trojanator

Ohhh i see after a very quick galnce i thought sunbelt was doing wrong!!!!
David


----------



## EAFiedler

AcaCandy said:


> Did you guys see this????
> 
> http://www.eweek.com/article2/0,1895,1845248,00.asp


That is very scary!!


----------



## sekirt

flrman1 said:


> Just a little heads up guys. Due to some recent information I have discovered on another forum about CCleaner, I have decided to discontinue the use of CCleaner in my cleanup recommendations. Although it has not been totally proven, it is believed that CCleaner has been the cause of some serious issues on some machines, particularly on 9x, the evidence is enough for me to decide not to use it until it is proven that these issues were not caused by CCleaner or the problem is rectified. It is your decision what you do, but I recommend that all of you discontinue recommending the use of CCleaner for now.


There are reviews at download.com, here is a link to the negative ones. Quite a few mention system crashes:
http://www.download.com/CCleaner/3640-2144_4-10417699.html?pn=1&sb=3&v=1

Ccleaner isn't my first choice but I haven't had any problems like that on Win 98se. Using version 1.20.118 - (I see there is a newer version out now 1.21.130)

Lately I mention IE Privacy Keeper for net clean-up. The worst thing I found was that certain cookies don't always get deleted.

http://browsertools.net/IE-Privacy-Keeper/

sekirt


----------



## Byteman

Hi, At the Ewdio online scan site it has this:

(I don't mean the downloaded version of Ewido security suite)

"""Please note that this is an unfinished beta version. Therefore it shouldn't be used on productive systems as errors could occur."""

http://www.ewido.net/en/onlinescan/

I know it runs only on 2000 and XP, but have not had a chance to try it> I see a few people reccommending it in fixes, and I havent seen anything negative, so what do you all think...is it fairly safe to include in our posts now?

EDIT: Gee, my post happened to be the last made in this thread, that was backed up before the server lost a hard drive Monday evening....post back anything you had put in here if you still have it handy! Thanks!

A lot of you know this I suppose, but>

A good thing to do if disaster strikes like that, and you have a reply that will not submit, is to copy and paste it quickly to a Notepad or other text editor, then you can save it locally and repost it later when things are running again. If you just close the page, it's lost. In this case, since we lost the whole day, it really wouldn't matter much, but that tip might save something for someone at some point!


----------



## Byteman

Hi, RE> post above, has anyone tried the online scanner from Ewido?

I'd like to reccommend it when needed but would like to know it's reasonably OK and doesn't cause problems since it is a beta scanner.


----------



## Cookiegal

I haven't tried it yet but probably will for those whose trial period has expired.


----------



## Flrman1

I'm going to go ahead and close this thread to prevent any more logs being posted here.

Anyone who needs help removing this infection please start a "New Thread" here in the Security forum.


----------



## ~Candy~

Good idea, why didn't I think of that?


----------



## Flrman1

smitRem has been updated to version 2.5

Registry entries added for removal:

HKEY_CLASSES_ROOT\CLSID\{15DC7116-E58E-4395-A45A-A1C99B17C030}
HKEY_CLASSES_ROOT\CLSID\{17E02586-A91D-4A9D-A74E-187B05DFFE6F}
HKEY_CLASSES_ROOT\CLSID\{1BD98DFD-2DA9-4C54-85D7-BE03A0F9C487}
HKEY_CLASSES_ROOT\CLSID\{1C94EA51-3800-4F08-B5DC-A5B67823FFEA}
HKEY_CLASSES_ROOT\CLSID\{20D1AF34-6E19-42D8-AF9F-BDFBE45C2454}
HKEY_CLASSES_ROOT\CLSID\{21E132C9-1F98-4151-BDAD-7D9B49C60A8E}
HKEY_CLASSES_ROOT\CLSID\{23F7AD29-F51A-4BA1-BE70-143B1CB25BD1}
HKEY_CLASSES_ROOT\CLSID\{2C59D5EC-6B91-4896-BD6F-5F121D87A7F8}
HKEY_CLASSES_ROOT\CLSID\{2F34E0E0-F0BB-477F-AFB8-509262FA0AD1}
HKEY_CLASSES_ROOT\CLSID\{35ED274E-3F42-4A78-BBDC-3B7D73E85578}
HKEY_CLASSES_ROOT\CLSID\{3D74D140-F780-4AE3-8D6D-F8DC39107213}
HKEY_CLASSES_ROOT\CLSID\{49443D6E-CE4E-47A9-8DEB-F5774CE14984}
HKEY_CLASSES_ROOT\CLSID\{52034AD2-914C-4634-B375-9299631E5525}
HKEY_CLASSES_ROOT\CLSID\{7702C521-76AE-42C0-A181-3B5A96C2EEF7}
HKEY_CLASSES_ROOT\CLSID\{7ADDA344-1D36-4446-9F4B-B2351FB19EFD}
HKEY_CLASSES_ROOT\CLSID\{7D98221E-AF8F-4D29-8BB1-1DFABC288173}
HKEY_CLASSES_ROOT\CLSID\{9746B450-6064-4EC8-9480-72A289AA2237}
HKEY_CLASSES_ROOT\CLSID\{C5A40FCE-0A0F-40CA-985E-661C28B5B431}
HKEY_CLASSES_ROOT\CLSID\{C7F22879-7151-4C71-8C50-9557AFDA66C6}
HKEY_CLASSES_ROOT\CLSID\{CA5E7959-60B5-47B7-80AC-1606309733F3}
HKEY_CLASSES_ROOT\CLSID\{CEABF027-6CDC-4D47-ADF6-AC5D065826A6}
HKEY_CLASSES_ROOT\CLSID\{E0AA0493-C410-4CBD-B1DB-1723374FA8E0}
HKEY_CLASSES_ROOT\CLSID\{E5D78BD8-3874-4AA0-9D45-CFB79382C484}


Folders added for removal:

%userprofile%\application data\shudder global limited (NT)
%windir%\application data\shudder global limited (9X)


----------



## Flrman1

SmitRem has been updated to version 2.6:


noahdfear said:


> Added removal of HKLM\Software\PSGuard.com and related entries........
> LTDFix.exe has been removed......the necessary info for fixing has been added to RunThis.bat, along with PSGuard.com
> Added removal of %systemroot%\Application Data\Shudder Global Limited for NT
> Added removal of %systemdrive%\Program Files\P.S.Guard
> Added a few %system% ico files


----------



## Flrman1

SmitRem has been updated. It now includes the SpyAxefix.


noahdfear said:


> smitRem version 2.8 has been uploaded. It now removes SpyAxe also. There will be a registry export of the sharedtasks key in the smitfiles.txt as well. I will be removing the SpyAxeFix download in a day or two.


----------

