
Need Help!

Comments

61 comments

  • Customer

    A few basic things you can do:

     

    1. Go to your Control Panel, Add/Remove Programs, and see if you can find any programs that you did not install and you know are not part of your computer's preinstalled software. If you do, try to uninstall them.

    2. Run an antivirus scan and try to clean/delete anything on there. (See below if you don't have an antivirus.) If that resolves it, do not continue on.

    3. If you don't have any important *programs* that you installed AFTER getting this virus, you can do a system restore. Note that Word documents etc. will not be deleted.

     

    To do this:

    1. Go to Start, All Programs, Accessories, System Tools, System Restore.

    2. Click on restore my computer to an earlier time.

    3. Click on a BOLDED date closest to the time before you got the virus.

    4. Click ok/restore.

     

    Note: I am assuming you are using Windows XP. To undo this restoration if you see it did not help, repeat step one and click on "Undo my last restoration".

     

    --------------------------------------------

     

    If you do not have an antivirus please go to the following link to scan your computer with McAfee AntiVirus. I feel it does a better job.

     

    http://us.mcafee.com/root/mfs/default.asp

     

    If that doesn't help, please download a free antivirus from the following link.

     

    http://www.download.com/AVG-Anti-Virus-Fre...tml?tag=lst-0-2

     

     

     

    I hope I was able to help. {email address removed by LS CalamityJane}

  • Customer

    Can anyone help?

  • Customer

    That didn't help, thanks for your effort.

  • Customer

    The Main problem is that my start up and shut down have been taking sooooo long!!

  • Customer

    You have too many programs starting up when your computer turns on. I'll try to help you configure those.

     

    1. Please install CCleaner with the link I provided before.

    2. Run the program, and go to the tab titled "tools".

    3. On the left, click on startup.

    4. Find programs you don't want to start up and click "Delete Entry".

     

    Note: This does NOT delete the file; it just removes it from startup.

     

    Another problem may be that your files are scattered around the registry rather than packed together so it takes longer for the computer to find those. I'll help you fix that too.

     

    1. Go to start>all programs>accessories>system tools>Disk Defragmenter.

    2. Click on your C: drive.

    3. Click defragment.

     

    Note: this may take a while depending on how many files you have and how big your hard drive is. It may take up to 2 hours, so please be patient. It may hang every now and then as well.

     

    I hope I was able to help.

  • Customer

    Hi, Niall.

     

    The next time you want to watch a program you downloaded, scan it first!

     

    As you may end up back with Janie, I suggest you start here first with an Ad-Aware SE logfile and someone will be along to take a look at it. (Not all infections are cleaned with the SmitFraud fix. )

  • Customer

    I know I shouldn't... Here is my Ad-Aware log file...

     

    Also, I installed AVG virus protection.

     

    I keep getting this message:

     

    While opening file: C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP280\A0226915.dll

     

    Trojan horse Proxy.BFJ

     

    When I press Heal it keeps popping up...

     

    Ad-Aware SE Build 1.06r1

    Logfile Created on:13 July 2006 11:52:43

    Created with Ad-Aware SE Personal, free for private use.

    Using definitions file:SE1R114 08.07.2006

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    References detected during the scan:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    MRU List(TAC index:0):3 total references

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Ad-Aware SE Settings

    ===========================

    Set : Search for negligible risk entries

    Set : Safe mode (always request confirmation)

    Set : Scan active processes

    Set : Scan registry

    Set : Deep-scan registry

    Set : Scan my IE Favorites for banned URLs

    Set : Scan my Hosts file

     

    Extended Ad-Aware SE Settings

    ===========================

    Set : Unload recognized processes & modules during scan

    Set : Scan registry for all users instead of current user only

    Set : Always try to unload modules before deletion

    Set : During removal, unload Explorer and IE if necessary

    Set : Let Windows remove files in use at next reboot

    Set : Delete quarantined objects after restoring

    Set : Include basic Ad-Aware settings in log file

    Set : Include additional Ad-Aware settings in log file

    Set : Include reference summary in log file

    Set : Include alternate data stream details in log file

    Set : Play sound at scan completion if scan locates critical objects

     

     

    13-07-2006 11:52:43 - Scan started. (Full System Scan)

     

    MRU List Object Recognized!

    Location: : C:\Documents and Settings\niall mclaughlin\recent

    Description : list of recently opened documents

     

     

    MRU List Object Recognized!

    Location: : software\microsoft\directdraw\mostrecentapplication

    Description : most recent application to use microsoft directdraw

     

     

    MRU List Object Recognized!

    Location: : S-1-5-21-1844237615-1935655697-1708537768-1004\software\microsoft\windows\currentversion\explorer\recentdocs

    Description : list of recent documents opened

     

     

    Listing running processes

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    #:1 [smss.exe]

    FilePath : \SystemRoot\System32\

    ProcessID : 488

    ThreadCreationTime : 13-07-2006 10:49:22

    BasePriority : Normal

     

     

    #:2 [csrss.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 548

    ThreadCreationTime : 13-07-2006 10:49:24

    BasePriority : Normal

     

     

    #:3 [winlogon.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 580

    ThreadCreationTime : 13-07-2006 10:49:32

    BasePriority : High

     

     

    #:4 [services.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 624

    ThreadCreationTime : 13-07-2006 10:49:33

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Services and Controller app

    InternalName : services.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : services.exe

     

    #:5 [lsass.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 636

    ThreadCreationTime : 13-07-2006 10:49:33

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : LSA Shell (Export Version)

    InternalName : lsass.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : lsass.exe

     

    #:6 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 788

    ThreadCreationTime : 13-07-2006 10:49:35

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:7 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 844

    ThreadCreationTime : 13-07-2006 10:49:35

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:8 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 908

    ThreadCreationTime : 13-07-2006 10:49:35

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:9 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 992

    ThreadCreationTime : 13-07-2006 10:49:35

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:10 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 1036

    ThreadCreationTime : 13-07-2006 10:49:36

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:11 [spoolsv.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1344

    ThreadCreationTime : 13-07-2006 10:49:39

    BasePriority : Normal

    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

    ProductVersion : 5.1.2600.2696

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Spooler SubSystem App

    InternalName : spoolsv.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : spoolsv.exe

     

    #:12 [avgamsvr.exe]

    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

    ProcessID : 1448

    ThreadCreationTime : 13-07-2006 10:49:39

    BasePriority : Normal

    FileVersion : 7,1,0,365

    ProductVersion : 7.1.0.365

    ProductName : AVG Anti-Virus System

    CompanyName : GRISOFT, s.r.o.

    FileDescription : AVG Alert Manager

    InternalName : avgamsvr

    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

    OriginalFilename : avgamsvr.EXE

     

    #:13 [avgupsvc.exe]

    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

    ProcessID : 1468

    ThreadCreationTime : 13-07-2006 10:49:40

    BasePriority : Normal

    FileVersion : 7,1,0,349

    ProductVersion : 7.1.0.349

    ProductName : AVG 7.0 Anti-Virus System

    CompanyName : GRISOFT, s.r.o.

    FileDescription : AVG Update Service

    InternalName : avgupsvc

    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

    OriginalFilename : avgupdsvc.EXE

     

    #:14 [wuauclt.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1248

    ThreadCreationTime : 13-07-2006 10:50:36

    BasePriority : Normal

    FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

    ProductVersion : 5.8.0.2469

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Automatic Updates

    InternalName : wuauclt.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : wuauclt.exe

     

    #:15 [wmiprvse.exe]

    FilePath : C:\WINDOWS\System32\wbem\

    ProcessID : 1008

    ThreadCreationTime : 13-07-2006 10:50:59

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : WMI

    InternalName : Wmiprvse.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : Wmiprvse.exe

     

    #:16 [explorer.exe]

    FilePath : C:\WINDOWS\

    ProcessID : 220

    ThreadCreationTime : 13-07-2006 10:51:14

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Windows Explorer

    InternalName : explorer

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : EXPLORER.EXE

     

    #:17 [s3hotkey.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 272

    ThreadCreationTime : 13-07-2006 10:51:22

    BasePriority : Normal

    FileVersion : 1.0.0.4

    ProductVersion : 1.0.0.4

    ProductName : S3 Graphics, Inc. S3Hotkey

    CompanyName : S3 Graphics, Inc.

    FileDescription : S3Hotkey

    InternalName : S3Hotkey

    LegalCopyright : Copyright © 2001 by S3 Graphics, Inc.

    OriginalFilename : S3Hotkey

     

    #:18 [jusched.exe]

    FilePath : C:\Program Files\Java\jre1.5.0_06\bin\

    ProcessID : 972

    ThreadCreationTime : 13-07-2006 10:51:22

    BasePriority : Normal

     

     

    #:19 [cfd.exe]

    FilePath : C:\Program Files\BroadJump\Client Foundation\

    ProcessID : 1328

    ThreadCreationTime : 13-07-2006 10:51:22

    BasePriority : Normal

     

     

    #:20 [motivesb.exe]

    FilePath : C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\

    ProcessID : 1392

    ThreadCreationTime : 13-07-2006 10:51:22

    BasePriority : Normal

    FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000

    ProductVersion : 5.6.7.asst_classic.smartbridge

    ProductName : Motive System

    CompanyName : Motive Communications, Inc.

    FileDescription : ntl:home broadband medic alerts

    InternalName : version

    LegalCopyright : Copyright 1998-2003

    OriginalFilename : version

     

    #:21 [ituneshelper.exe]

    FilePath : C:\Program Files\iTunes\

    ProcessID : 1516

    ThreadCreationTime : 13-07-2006 10:51:23

    BasePriority : Normal

    FileVersion : 6.0.4.2

    ProductVersion : 6.0.4.2

    ProductName : iTunes

    CompanyName : Apple Computer, Inc.

    FileDescription : iTunesHelper Module

    InternalName : iTunesHelper

    LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

    OriginalFilename : iTunesHelper.exe

     

    #:22 [avgcc.exe]

    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

    ProcessID : 1928

    ThreadCreationTime : 13-07-2006 10:51:23

    BasePriority : Normal

    FileVersion : 7,1,0,381

    ProductVersion : 7.1.0.381

    ProductName : AVG Anti-Virus System

    CompanyName : GRISOFT, s.r.o.

    FileDescription : AVG Control Center

    InternalName : AvgCC

    LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.

    OriginalFilename : AvgCC.EXE

     

    #:23 [msnmsgr.exe]

    FilePath : C:\Program Files\MSN Messenger\

    ProcessID : 1916

    ThreadCreationTime : 13-07-2006 10:51:23

    BasePriority : Normal

    FileVersion : 7.5.0324

    ProductVersion : 7.5.0324

    ProductName : MSN Messenger

    CompanyName : Microsoft Corporation

    FileDescription : MSN Messenger

    InternalName : msnmsgr

    LegalCopyright : Copyright © Microsoft Corporation 1997-2004

    LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

    OriginalFilename : msnmsgr.exe

     

    #:24 [13090212.exe]

    FilePath : C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\

    ProcessID : 1972

    ThreadCreationTime : 13-07-2006 10:51:24

    BasePriority : Normal

     

     

    #:25 [ipodservice.exe]

    FilePath : C:\Program Files\iPod\bin\

    ProcessID : 448

    ThreadCreationTime : 13-07-2006 10:51:25

    BasePriority : Normal

    FileVersion : 6.0.4.2

    ProductVersion : 6.0.4.2

    ProductName : iTunes

    CompanyName : Apple Computer, Inc.

    FileDescription : iPodService Module

    InternalName : iPodService

    LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

    OriginalFilename : iPodService.exe

     

    #:26 [wkcalrem.exe]

    FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\

    ProcessID : 1128

    ThreadCreationTime : 13-07-2006 10:51:29

    BasePriority : Normal

    FileVersion : 6.00.1828.1

    ProductVersion : 6.00.1828.1

    ProductName : Microsoft® Works 6.0

    CompanyName : Microsoft® Corporation

    FileDescription : Microsoft® Works Calendar Reminder Service

    InternalName : WkCalRem

    LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.

    OriginalFilename : WKCALREM.EXE

     

    #:27 [windowssearch.exe]

    FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\

    ProcessID : 1428

    ThreadCreationTime : 13-07-2006 10:51:30

    BasePriority : Normal

    FileVersion : 02.05.0001.1119

    ProductVersion : 02.05.0001.1119

    ProductName : MSN Search Toolbar

    CompanyName : Microsoft Corporation

    FileDescription : Windows Desktop Search Tool Tray Admin

    InternalName : WindowsSearch.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : WindowsSearch.exe

     

    #:28 [windowssearchindexer.exe]

    FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\

    ProcessID : 2520

    ThreadCreationTime : 13-07-2006 10:51:44

    BasePriority : Normal

    FileVersion : 2.5.1.1119

    ProductVersion : 2.5.1.1119

    ProductName : Windows Desktop Search

    CompanyName : Microsoft Corporation

    FileDescription : Windows Desktop Search executable

    InternalName : windowssearchindexer.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : windowssearchindexer.exe

    Comments : Windows Desktop Search executable

     

    #:29 [mpbtn.exe]

    FilePath : C:\Program Files\ntl\broadband medic\bin\

    ProcessID : 2652

    ThreadCreationTime : 13-07-2006 10:51:50

    BasePriority : Normal

     

     

    #:30 [mpbtn.exe]

    FilePath : C:\Program Files\BT Broadband Basic Help\bin\

    ProcessID : 2664

    ThreadCreationTime : 13-07-2006 10:51:50

    BasePriority : Normal

     

     

    #:31 [ad-aware.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

    ProcessID : 2980

    ThreadCreationTime : 13-07-2006 10:52:01

    BasePriority : Normal

    FileVersion : 6.2.0.236

    ProductVersion : SE 106

    ProductName : Lavasoft Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Aware SE Core application

    InternalName : Ad-Aware.exe

    LegalCopyright : Copyright © Lavasoft AB Sweden

    OriginalFilename : Ad-Aware.exe

    Comments : All Rights Reserved

     

    Memory scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

    Started registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Registry Scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

    Started deep registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Deep registry scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

    Started Tracking Cookie scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

     

    Tracking cookie scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

     

    Deep scanning and examining files (C:)

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Disk Scan Result for C:\

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

    Scanning Hosts file......

    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Hosts file scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    33 entries scanned.

    New critical objects:0

    Objects found so far: 3

     

     

     

     

    Performing conditional scans...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Conditional scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

    12:10:47 Scan Complete

     

    Summary Of This Scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Total scanning time:00:18:04.880

    Objects scanned:139786

    Objects identified:0

    Objects ignored:0

    New critical objects:0

  • Support

    Hi Niall,

     

    What AVG is seeing is a backup in your System Restore (which can't infect you at the moment), and we'll be clearing all those out AFTER your PC is cleaned up. For now, just ignore those alerts if they are in the System Volume Information directory. (AVG can't clean it in there either; it's protected by Windows from 3rd-party apps.)

     

    We are going to need a HijackThis log

    Instructions on creating a HijackThis Log

    http://www.lavasoftsupport.com/index.php?showtopic=216

     

    I also see something suspect in your Ad-Aware log. I need to examine the file a little closer to see what it is.

     

    Go here to upload the file as an attachment

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Just press new topic (Make the subject: For CalamityJane from Niall at LS ),

    fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

     

    File to upload:

     

    C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

     

    (Do not post HJT logs there as they will not get dealt with)

     

    You DO NOT need to be a member to upload, anybody can upload the files

     

    You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

     

    After uploading file, please post a HijackThis log for me to review

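    The point made above, that a detection under System Volume Information is a System Restore copy rather than a running file, is worth automating when an AV pops the same alert repeatedly. The script below is an added example for this thread, not code from AVG, Lavasoft or the helper: it parses an AVG-style "While opening file:" message, recognises the Windows XP restore-point layout (`\System Volume Information\_restore{GUID}\RPnnn\`), and splits a list of alerts into ones to act on now and ones to defer until restore points are flushed after cleanup. The first sample alert is the exact path and detection name from the post; the other two paths are from later in the thread, but their detection names are constructed placeholders.

```python
import re

# Windows XP System Restore keeps backup copies under
# \System Volume Information\_restore{GUID}\RPnnn\ ; a hit there is an inert copy.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\", re.I)

# The exact AVG message quoted in the thread.
AVG_MESSAGE = r"""While opening file: C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP280\A0226915.dll

Trojan horse Proxy.BFJ"""

# Constructed sample alerts as (path, detection name). Only the first detection
# name is real; the other two are placeholders made up for this example.
SAMPLE_ALERTS = [
    (r"C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP280\A0226915.dll",
     "Trojan horse Proxy.BFJ"),
    (r"C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe",
     "Trojan horse Downloader.PLACEHOLDER"),
    (r"C:\WINDOWS\system32\2236_27.dll",
     "Trojan horse BackDoor.PLACEHOLDER"),
]


def parse_avg_message(text):
    """Return (path, detection) from an AVG 'While opening file:' alert box."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    path = lines[0].split("While opening file:", 1)[1].strip()
    return path, lines[1]


def classify_alert(path):
    """('restore_point', rp_number) for a System Restore copy, ('live', None) otherwise."""
    m = RESTORE_POINT_RE.search(path)
    if m:
        return "restore_point", int(m.group("rp"))
    return "live", None


def triage_alerts(alerts):
    """Split alerts: live files need cleanup now, restore-point copies wait for the flush."""
    result = {"act_now": [], "deferred": []}
    for path, detection in alerts:
        kind, rp = classify_alert(path)
        if kind == "restore_point":
            result["deferred"].append({"path": path, "detection": detection, "restore_point": rp})
        else:
            result["act_now"].append({"path": path, "detection": detection})
    return result


if __name__ == "__main__":
    path, detection = parse_avg_message(AVG_MESSAGE)
    print("alert box:", detection, "->", classify_alert(path))
    for bucket, items in triage_alerts(SAMPLE_ALERTS).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

    Anything in the "deferred" bucket is handled by disabling and re-enabling System Restore once the machine is clean, which discards every restore point; the "act_now" bucket is what the removal steps in this thread are about.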
  • Support

    Thanks for uploading the file, Niall. It is a downloader trojan.

     

    There are 3 more files showing on this log that I need to take a look at as well.

     

    Upload the files here as you did before:

    http://www.thespykiller.co.uk/forum/index.php?topic=2094

     

    Use the "Reply" button, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the "more attachments" button for each extra file and browse and select it; when all the files are listed in the window, press the *Post* button to upload the files.

     

    Files to upload:

     

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

     

    C:\WINDOWS\system32\2236_27.dll

     

    I will be able to collect them from there, but will reply to you back here with removal steps to take after I've had a chance to examine them

  • Customer

    Here is my hijackthis log

     

    Logfile of HijackThis v1.99.1

    Scan saved at 15:35:44, on 13/07/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\S3hotkey.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe

    C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\7252\607112.exe

    C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

    O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)

    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    0
  • Customer

    I posted those files.

     

    Quick question: what do I do if I want to open something I have downloaded from, say, Limewire? How do I know the files are not infected, or how do I check them?

    0
  • Support

    Any file you download you should scan with a good, up-to-date AV (like the AVG you have on board there); however, be aware that many of the files you download from Limewire may well contain new, undetected nasties.

     

    It would be much more effective to scan any file you download at one (preferably both) of the following:

     

    Virus Total

    http://www.virustotal.com/

     

    or here:

     

    Jotti Malware Scan

    http://virusscan.jotti.org/

     

    Those sites scan a single file with more than a dozen AVs to get better detection.

     

    There is a limitation on file size however.

     

    10 MB at Virus Total and 15, I think, at Jotti.

     

    This other file I got from you is some kind of backdoor trojan, not detected by very many. I'll have to write up some steps for you to remove all of them. I'll do that next.

    0
  • Support

    Please copy these instructions to have handy because the later steps will have to be done in SAFE MODE and disconnected from the internet so you won't be able to view this window. Please review the whole process before starting so you can understand what we will be doing.

     

    1. Please download the Killbox by Option^Explicit.

    http://www.downloads.subratam.org/KillBox.zip

     

    Unzip/Extract the contents to your desktop

    How to extract (decompress) zipped or compressed files

    http://www.lvsonline.com/compresstut/index.shtml

     

    (we'll use it later in SAFE MODE)

     

    2. Reboot into Safe Mode

    You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

     

    How to start the computer in Safe mode

    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

     

    3. Once in Safe mode, open HijackThis and choose *system scan only*

    When it finishes, checkmark the following listed entries in the list and then press the *fix checked* button

     

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe

     

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

     

    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

     

    O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)

     

    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

     

    O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)

     

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll

     

    4. Open Killbox by clicking on Killbox.exe

     

    5. Select *Delete on Reboot* in the first column

     

     

    6. Press the *All Files* button IMPORTANT STEP!

     

     

    7. Copy the following text shown in bold below to the clipboard by highlighting the bold text and pressing Control + C

     

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    C:\WINDOWS\system32\13090212.exe

    C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

    C:\WINDOWS\system32\xk.dll (file missing)

    C:\WINDOWS\system32\2236_27.dll

     

    8. In Killbox, select the "File" tab at the top

     

    9. Choose "Paste from Clipboard" in the drop down menu

     

    10. Press the red button with the white x in it.

     

    11. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

    Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually

     

     

    Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

    C:\!KillBox

     

    12. Navigate to the Killbox backup folder:

    C:\!KillBox

     

    a. Right–click folder !KillBox

     

    b. Point to Send To

     

    c. Then click Compressed (zipped) Folder

     

    This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

    C:\!KillBox.zip

     

    13. Now I want you to assign a password of: infected

    to the compressed file you just made:

    1. Double-click the compressed folder that you want to password protect.

    2. On the File menu, click Add a Password.

    3. In the Password box, type the password that you want to use: infected. Type the same password in the Confirm Password box, and then click OK.

    Note that when you attempt to move or open a password-protected file, a Password Needed dialog box appears. Type the correct password in the Password box, and then click OK.

     

    14. Go here to upload the file as an attachment as you did before

    http://www.thespykiller.co.uk/forum/index.php?topic=2094

    Press reply, browse to the !KillBox.zip file and then press the *post* button to upload it.

     

    15. Ok, now please scan and post a fresh HijackThis log. There may be more to do

    0
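    The entries the helper picked out above all sit in the autostart locations HijackThis reports as O4 (Run/RunServices under HKLM and HKCU), O20 (Winlogon Notify DLLs) and O21 (ShellServiceObjectDelayLoad DLLs). The script below is an added example, not part of this thread or of any tool named in it: it parses those three sections out of an HJT log and flags entries using heuristics that mirror what the helper looked for here. The sample log lines are constructed from the entries quoted in this thread; the heuristics (orphaned "(file missing)" entries, garbage value names, digit-only executable names, autostart targets under user data directories, one command registered in several keys, short or digit-heavy logon/shell DLL names) are assumptions of this example, not rules from HijackThis.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# HijackThis sections covered here and the autostart location each reports:
#   O4  - Run / RunServices values under HKLM and HKCU
#   O20 - Winlogon\Notify DLLs, loaded by winlogon.exe at logon
#   O21 - ShellServiceObjectDelayLoad DLLs, loaded by explorer.exe at start

# Constructed sample: lines copied from the HJT logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*)\] (\S.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
MISSING_TAG = " (file missing)"
# Directories where a system-wide autostart target has no business living (heuristic).
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\all users\\documents\\")


@dataclass
class Entry:
    section: str          # "O4", "O20" or "O21"
    location: str         # e.g. "HKLM\Run", "Winlogon Notify", "SSODL"
    name: str             # value or key name exactly as HJT prints it
    target: str           # file HJT resolved, without the "(file missing)" tag
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def _entry(section: str, location: str, name: str, target: str) -> Entry:
    missing = target.endswith(MISSING_TAG)
    if missing:
        target = target[: -len(MISSING_TAG)]
    return Entry(section, location, name, target.strip('"'), missing)


def parse_hjt(log_text: str) -> List[Entry]:
    """Pull the O4/O20/O21 autostart entries out of a HijackThis log."""
    entries: List[Entry] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            hive, key, name, target = m.groups()
            entries.append(_entry("O4", hive + "\\" + key, name, target))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(_entry("O20", "Winlogon Notify", *m.groups()))
            continue
        m = O21_RE.match(line)
        if m:
            entries.append(_entry("O21", "SSODL", *m.groups()))
    return entries


def _basename(target: str) -> str:
    # Drop switches such as " /STARTUP", then keep the last path component.
    path = re.split(r"\s+/", target, maxsplit=1)[0].strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry that trips one of the heuristics."""
    # One command registered under several autostart keys is a persistence pattern;
    # the sample in this thread sits in HKLM\Run, HKLM\RunServices and HKCU\Run.
    locations: Dict[str, set] = {}
    for e in entries:
        if e.section == "O4":
            locations.setdefault(e.target.lower(), set()).add(e.location)

    for e in entries:
        low = e.target.lower()
        base = _basename(e.target)
        stem = base.rsplit(".", 1)[0]
        if e.file_missing:
            e.reasons.append("points at a file that no longer exists")
        if any(ord(c) > 126 for c in e.name) or "[" in e.name or "]" in e.name:
            e.reasons.append("value name contains non-ASCII or bracket characters")
        if re.fullmatch(r"\d{6,}\.exe", base):
            e.reasons.append("executable named with digits only")
        if any(d in low for d in USER_DATA_DIRS):
            e.reasons.append("autostart target lives under a user data directory")
        if e.section == "O4" and len(locations.get(low, ())) > 1:
            e.reasons.append("same command in " + ", ".join(sorted(locations[low])))
        if e.section in ("O20", "O21") and (
            len(stem) <= 3 or sum(c.isdigit() for c in stem) > len(stem) / 2
        ):
            e.reasons.append("logon/shell DLL with a short or digit-heavy name")
    return entries


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Map 'section:name' to its reasons for every entry that tripped a heuristic."""
    return {f"{e.section}:{e.name}": e.reasons
            for e in triage(parse_hjt(log_text)) if e.reasons}


if __name__ == "__main__":
    for key, reasons in flagged(SAMPLE_LOG).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

    Run against the sample, the iTunes, WgaLogon and WPDShServiceObj lines come back clean and every entry the helper told the user to fix is flagged with at least one reason. Two caveats for anyone adapting it: the heuristics are a triage aid, not a verdict, so a flagged entry still needs a look at the file itself (or a multi-engine scan as suggested earlier in the thread); and the RunServices key is a Windows 9x-era location that NT-based Windows such as XP does not process, but malware still writes to it, which is exactly why an entry duplicated there is worth flagging.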
  • Customer

    OK, I did everything you said. I posted the zip file on the other forum for you.

     

    Here is a new HijackThis log:

     

    Logfile of HijackThis v1.99.1

    Scan saved at 22:31:51, on 13/07/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\S3hotkey.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    0
  • Support

    Very odd! It seems to have gotten all but one; however, the new files were not in the folder, nor does the log reflect any action by Killbox. We'll try a different tool.

     

    1. Please download The Avenger by Swandog46 to your Desktop.

    • Click on Avenger.zip to open the file

    • Extract avenger.exe to your desktop

    2. Copy the bold black text below to your Clipboard by highlighting it and pressing (Ctrl+C):

     

    Files to delete:

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

     

    3. Now, start The Avenger program by clicking on its icon on your desktop.

    • Under "Script file to execute" choose "Input Script Manually".

    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"

    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).

    • Click Done

    • Now click on the Green Light to begin execution of the script

    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will Restart your computer.

    • On reboot, it will briefly open a black command window on your desktop, this is normal.

    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

    0
  • Customer

    It looks like from that log, the files I fixed are still there, is that a problem?

    0
  • Support

    And you entered these two lines in the script box, right?

     

    Files to delete:

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    It could be there is a problem with the file name.

     

    Could you get me a log from this tool please:

    (Note: run this tool in normal mode)

     

    1. Download this file - combofix.exe

    http://download.bleepingcomputer.com/sUBs/combofix.exe

     

    2. Double click on combofix.exe & follow the prompts.

     

    Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

    Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

     

    Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

     

    3. When finished, it shall produce a log for you. Post that log in your next reply

    0
  • Customer

    OK, when I put the file in and press the green light, after the first YES I get these boxes:

     

    First

    >>>>>>>>>>>>

     

    Error: Selected file does not appear to be valid script.

     

    Then

     

    Press ok to log error and continue or cancel to abort

     

    Then

     

    error code 0

    0
  • Customer

    OK, I didn't put the "Files to delete" part in! I will do that now... sorry about that, I thought I just needed the file name.

    0
  • Customer

    Here is the Avenger

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\fbwouelj

     

    *******************

     

    Script file located at: \??\C:\qmuvnfho.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

     

     

    File c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe not found!

    Deletion of file c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe failed!

     

    Could not process line:

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    Status: 0xc0000034

     

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Customer

    Do you still want me to do the Other step?

    0
  • Customer

    Here is HJT Log

     

    Logfile of HijackThis v1.99.1

    Scan saved at 00:32:42, on 14/07/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\S3hotkey.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

    0
  • Support

    OK, that's it. Yes, both lines need to be in there. Can you try again, please?

    0
  • Support

    Do you still want me to do the Other step?

    Not right now. Let's see if the Avenger will work using both lines as I posted up there.

    0
  • Customer

    I did that and posted the Avenger log...

     

    Thanks so Much for all your time!!

    0
  • Customer

    I did the Avenger again just in case you needed it.

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\bmjmubrq

     

    *******************

     

    Script file located at: \??\C:\Documents and Settings\bggentkm.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

     

     

    File c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe not found!

    Deletion of file c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe failed!

     

    Could not process line:

    c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    Status: 0xc0000034

     

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Support

    OK, you did great! That error code means the file has already been removed (probably by a prior cleaning step).

     

    So, we can use HijackThis to remove the startup entries.

     

    Open HijackThis and do a *system scan only*

    When it finishes, checkmark these next entries in the list and press the *fix checked* button.

     

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

     

    Close HijackThis and reboot.

     

    Scan once more with HijackThis and post a fresh log please?

    0
  • Customer

    Here is the HJT log... those files still seem to be there...

     

    Logfile of HijackThis v1.99.1

    Scan saved at 01:09:56, on 14/07/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\S3hotkey.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

    C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

    O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    0
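A log like the one above is usually triaged by eye, but the same checks can be written down. The following Python script is an added example (not part of this thread and not HijackThis's own code): it parses O4 "Run"/"Global Startup" lines into a name and an executable path and applies three defensive heuristics that a helper would otherwise apply manually: an entry whose target is reported as "(file missing)", an autorun executable living in system32 under a name with non-standard characters, and an autorun value name with unusual characters. The sample lines are constructed and simplified from the style of log posted above (the odd-looking entry keeps its shape but drops the non-ASCII byte); the heuristics and all function names are this example's own assumptions, not a published rule set.

```python
"""Triage helper for HijackThis-style autorun log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis "Oxx" format, simplified from the kind of
# log posted above; it is not the poster's complete log.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# "[name] command"; the name may itself contain ']' so stop at the first ']'
# that is followed by whitespace.
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run(?:Once)?: \[(.*?)\]\s+(\S.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Entry:
    line_no: int
    section: str   # e.g. "O4", "O18", "O23"
    name: str      # autorun value name, .lnk name, or the whole remainder
    path: str      # executable path when one could be isolated, else ""
    raw: str


@dataclass
class Finding:
    line_no: int
    reason: str
    raw: str


def executable_of(command: str) -> str:
    """Isolate the program path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_entry(line_no: int, line: str) -> Optional[Entry]:
    """Split one log line into section, name and (for O4) executable path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section == "O4":
        r = RUN_RE.match(rest)
        if r:
            return Entry(line_no, section, r.group(1), executable_of(r.group(2)), line)
        s = STARTUP_RE.match(rest)
        if s:
            return Entry(line_no, section, s.group(1), s.group(2).strip(), line)
    return Entry(line_no, section, rest, "", line)


def flag_entry(e: Entry) -> List[str]:
    """Return the (assumed) triage reasons that apply to one entry."""
    reasons = []
    if "(file missing)" in e.raw:
        reasons.append("references a file that no longer exists (orphaned entry)")
    basename = e.path.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    # Legitimate system32 programs have plain names; brackets or other
    # punctuation in the file name are a red flag worth a closer look.
    if SYSTEM32_RE.search(e.path) and re.search(r"[^\w.\-]", stem):
        reasons.append("autorun executable in system32 with a non-standard name")
    if e.section == "O4" and re.search(r"[^\w.\-& ]", e.name):
        reasons.append("autorun value name contains unusual characters")
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Parse every line and collect one Finding per (line, reason)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        e = parse_entry(n, line)
        if e is None:
            continue
        for reason in flag_entry(e):
            findings.append(Finding(n, reason, line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.raw}")
```

Run against the constructed sample, the script flags the system32 entry twice (odd file name and odd value name) and the msnim protocol handler once (file missing), and leaves the Program Files entries alone. The heuristics are deliberately narrow; a flagged line is a candidate for the kind of manual check the helpers in this thread perform, not a verdict.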
  • Support

    First, please get an online scan at the following (it's free) and let it clean any malware found. Please save the report at the end (if anything found) and post the results back here:

    eTrust Antivirus Web Scanner

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

    (if prompted, please *allow* ActiveX and the install of software - this is needed to scan your system)

    It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

    0
  • Customer

    Hi again,


    It didn't find anything... Is my system clean or is there more stuff?

    0
