AndyManchesta

Members
  • Content Count: 89
  • Community Reputation: 0 Neutral

About AndyManchesta
  • Rank: Advanced Member
  • Birthday: 08/26/1978

Profile Information
  • Location: Manchester, UK
  • Interests: Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.
  1. Hi Russ

Don't worry about sending the Killbox folder; usually if it's in a password-protected zipped folder the email scanner doesn't interfere with them, but if it wouldn't send then just delete the C:\!KillBox and C:\!Killbox.zip folder from your system. It's also showing on your F:\ drive (F:\!KillBox.rar) so also delete that.

Delete this folder if it still exists:

    C:\Documents and Settings\All Users\Application Data\SecTaskMan

It looks like you may have a Vundo infection here so we can check for that next. Ewido detected C:\WINDOWS\system32\wineij32.dll running in memory and that starts up from the Winlogon Notify key, but there is no sign of it in the HijackThis log, which might mean you have Vundo as that hides the O2 & O20 entries.

Open HijackThis and click Open the Misc Tools section, then click Delete a file on reboot. In the File Name field, copy and paste this:

    C:\WINDOWS\system32\wineij32.dll

Then click Open. HijackThis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes. Your system should then reboot.

Please then download VundoFix.exe to your C:\ drive. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK. When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files; click YES. Once you click Yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shut down your computer; click OK. Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HijackThis log.

Cheers
Andy
  2. Hi Russ,

Nice work, that's looking a lot better. I forgot to mention putting HijackThis into a folder so the backups are kept with the program, so could you do that first: right click an empty space on the desktop and choose New then Folder, name it HJT or HijackThis, then left click the HijackThis.exe file and drag it over the new folder, release the mouse button and it will go into the folder. Also move the Backups folder into the HijackThis folder.

Delete the NewDotNet folder (I left it off the last list in case it had an Add/Remove screen entry):

    C:\ProgramFiles\NewDotNet

(It shows as NEWDOT~1 in the log so there could be any letters after NEWDOT, but it will likely say NewDotNet and hopefully be easy enough to find.)

Can you send me a copy of the Killbox folder if you get the time so I can have a closer look at the infections? Go to Start Menu > My Computer > C:\ drive and then locate !Killbox. Right click that folder and choose Send To then Compressed Zipped Folder. This will create a copy of the !Killbox folder and add it to another location on the C:\ drive. Right click that zipped folder (!Killbox.zip) and choose Explore, then go to File on the top bar and choose Add a Password, make the password malware (all lowercase letters) and send it to AndyManchesta(AT)hotmail.com (replace (AT) with @). You can then delete the C:\!Killbox folder and the !Killbox.zip folder as it contains backups of what we removed and they are not needed now.

Open Notepad (Start Menu > Run > type notepad and press OK). Copy and paste the contents of the code box into Notepad, making REGEDIT4 the top line.

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Go to File on the top bar and choose Save As, change the Save As Type to All Files, name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes and the reg keys will be removed.

Run HijackThis and choose Do A System Scan then place a check next to these entries:

    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - ht*p://awbeta.net-nucleus.com/FIX/WinATS.cab
    O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

Next download Ewido Anti-Spyware. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido for now as we will be using it again in Safe Mode.

Run CCleaner and press the Run Cleaner button to remove temp files from your system.

Then copy the below instructions to a Notepad file and save it to your desktop for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following: restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; instead of Windows loading as normal, a menu with options should appear. Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Running option #2 will remove your Desktop background because Trojans related to these infections sometimes set a spyware warning as a wallpaper that cannot be removed; once the system reboots you can then restore the wallpaper you want to use.

Run Ewido Anti-Spyware. Click on the Scanner tab at the top and then click on Complete System Scan. Ewido will list any infections found on the left; when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back.

Reboot back to Normal Mode.

Please then post back the SmitfraudFix report (C:\rapport.txt), the Ewido log and a new HijackThis log.

Cheers
Andy
  3. Hi Russ

That didn't go very well, time for plan B.

Can you disable the Real Time protection on Microsoft Anti-Spyware so it doesn't interfere with the HijackThis fixes or malware removal? Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye). Click on "Security Agents Status". Click on "Disable real-time protection". You can re-enable it once your system is clean.

Copy and paste this reply to Notepad and save it to your desktop as some steps will require all browser windows closing and rebooting the PC.

Check the Add/Remove screen for these and remove them if found: PurityScan, OuterInfo Network, QuickLinks, Toolbar888, EliteMediaGroup and any programs by OIN if they are on the list; reboot if you remove any.

Once that's done run HijackThis and choose Do A System Scan then place a check next to these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://www.2020search.com/search/9884/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://www.2020search.com/search/9884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://www.2020search.com/search/9884/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ht*p://www.mrfindalot.com/search.asp?si=20069&k=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - URLSearchHook: (no name) - <default> - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yhgop.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kcnrais.exe
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [18773b9f.exe] C:\WINDOWS\system32\18773b9f.exe
    O4 - HKLM\..\Run: [13f7c6c5.exe] C:\WINDOWS\system32\13f7c6c5.exe
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
    O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\system32\bdpn.exe"
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
    O4 - HKLM\..\Run: [win320924-13351104] C:\WINDOWS\win320924-13351104.exe
    O4 - HKLM\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [13f7c6c5.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\13f7c6c5.exe
    O4 - HKCU\..\Run: [Ocrp] "C:\PROGRA~1\MANTEC~1\explorer.exe" -vt yazr
    O4 - HKCU\..\Run: [18773b9f.exe] C:\Documents and Settings\Russ\Local Settings\Application Data\18773b9f.exe
    O4 - HKCU\..\Run: [Jlnj] C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe
    O4 - HKCU\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: ht*p://click.getmirar.com (HKLM)
    O15 - Trusted Zone: ht*p://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: ht*p://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: ht*p://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - ht*p://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - ht*p://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - ht*p://awbeta.net-nucleus.com/FIX/WinATS.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - AppInit_DLLs: scanregw.dll

Close all open browser and other windows except for HijackThis and press the Fix Checked button. Don't worry if it shows an error when trying to fix the O20 entry.

Download Killbox from here: http://www.killbox.net/downloads/KillBox.exe

Click killbox.exe. Select the option "Delete on reboot". Click the button: All Files (Important!). Now it should flash green.

Next copy the contents of the code box to the clipboard by left clicking and covering the text, then right click inside the highlighted area and choose Copy:

    C:\WINDOWS\system32\18773b9f.exe
    C:\WINDOWS\system32\13f7c6c5.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\system32\mptft.exe
    C:\WINDOWS\system32\bdpn.exe
    C:\WINDOWS\CCZoop05.exe
    C:\WINDOWS\win320924-13351104.exe
    C:\WINDOWS\system32\ssec.exe
    C:\Documents and Settings\Russ\Local Settings\Application Data\13f7c6c5.exe
    C:\Documents and Settings\Russ\Local Settings\Application Data\18773b9f.exe
    C:\PROGRA~1\MANTEC~1\explorer.exe
    C:\PROGRA~1\MANTEC~1
    C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe
    C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\scanregw.dll
    C:\WINDOWS\scanregw.dll
    C:\WINDOWS\system32\tfthot.exe
    C:\Program Files\Common Files\{B06BD4E8-086E-1033-0114-040607040001}\Update.exe
    C:\Program Files\Common Files\{B06BD4E8-086E-1033-0114-040607040001}

After copying the above text to the clipboard click File on the Killbox menu bar and choose Paste From Clipboard. Then press the Delete File button (red circle with a white X). Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click YES. If you don't get that message, reboot manually. Your computer should reboot now.

Finally can you export some information from your registry: open Notepad (Start Menu > Run > type notepad and press OK) and copy and paste the contents of the code box into Notepad:

    if exist Export.txt del /q Export.txt
    regedit /e Check1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
    regedit /e Check2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
    Type Check*.txt > Export.txt
    del /q Check*.txt
    regedit /e Uninstall1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]>>Uninstall.txt
    FIND "DisplayName" < Uninstall1.txt | find /v "QuietDisplayName" | find /v "ParentDisplayName" | find /v "WebFldrs XP" >>Uninstall.txt
    Type Uninstall.txt >>Export.txt
    del /q Uninstall*.txt
    Notepad Export.txt

Go to File on the top bar and choose Save As, change the Save As Type to All Files, name it Check.bat then save it to your desktop. Double click Check.bat and it will export the contents of the policy keys and the Uninstall key and open the information in Notepad; please post the contents of that text file (Export.txt) back on the forum.

Please then post back a new HijackThis log and the above reg export (Export.txt), and let us know if you have any problems or questions.

Thanks
Andy
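The entries Andy picks out of the log above fall into a handful of classes (F2 Shell/UserInit additions, O4 Run entries with random hex names or odd locations, O15 Trusted Zone additions, O18 text/html filters, O20 AppInit_DLLs, R0/R1 start and search page redirections). The script below is an added Python example, not part of the thread, that applies those same checks to a HijackThis-style log; the sample lines are copied from the log in this post plus one constructed benign ctfmon.exe entry, and EXPECTED_HOSTS is an assumed allowlist rather than anything HijackThis ships.

```python
"""Triage a HijackThis-style log for the hijack classes worked through in the thread.
Added example, not from the thread: sample lines are copied from the log quoted in
post 3 plus one constructed benign O4 line; EXPECTED_HOSTS is an assumed allowlist."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s*-\s*(?P<body>.+)$")
HEX_EXE_RE = re.compile(r"[\\/][0-9a-f]{8}\.exe$", re.IGNORECASE)  # e.g. 18773b9f.exe
SYSTEM_NAMES = {"smss.exe", "explorer.exe", "userinit.exe"}  # belong under \WINDOWS only
EXPECTED_HOSTS = {"www.microsoft.com", "www.msn.com", "www.google.com"}  # assumed allowlist

@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str

def _value(body: str, sep: str) -> str:
    """Text after the first `sep` in body, or '' if sep is absent."""
    return body.split(sep, 1)[1].strip() if sep in body else ""

def _host(url: str) -> str:
    """Hostname of a URL; forum logs defang http as ht*p, so accept both forms."""
    url = re.sub(r"^ht\*?t?ps?://", "", url.strip(), flags=re.IGNORECASE)
    return url.split("/", 1)[0].lower()

def triage_line(line: str):
    """Return a Finding for a suspicious log line, or None for anything else."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code == "F2" and ("shell=" in low or "userinit=" in low):
        # Shell= should be Explorer.exe alone and UserInit= only userinit.exe;
        # anything after the first comma is an extra program run at every logon.
        parts = [p.strip() for p in _value(body, "=").split(",") if p.strip()]
        if len(parts) > 1:
            return Finding(code, "extra logon program: " + ", ".join(parts[1:]), line)
    elif code == "O20" and low.startswith("appinit_dlls:") and _value(body, ":"):
        # A DLL listed here is loaded into every process that loads user32.dll.
        return Finding(code, "AppInit_DLLs loads " + _value(body, ":"), line)
    elif code == "O15" and low.startswith("trusted zone:"):
        return Finding(code, "site added to Trusted Zone: " + _value(body, ":"), line)
    elif code == "O18" and low.startswith("filter: text/html"):
        # A text/html MIME filter DLL sees and can rewrite every page IE renders.
        return Finding(code, "text/html MIME filter registered", line)
    elif code == "O4":
        target = _value(body, "]")  # command line after the [name] bracket
        first = target.split('"')[1] if target.startswith('"') else target.split(" ")[0]
        name = re.split(r"[\\/]", first)[-1].lower()
        if HEX_EXE_RE.search(first):
            return Finding(code, "random hex-named executable run at logon", line)
        if name in SYSTEM_NAMES and "\\windows\\" not in first.lower():
            return Finding(code, f"{name} running outside the Windows directory", line)
        if "local settings\\application data" in first.lower():
            return Finding(code, "Run entry points into the user profile", line)
    elif code in ("R0", "R1"):
        value = _value(body, "=")
        if value and _host(value) not in EXPECTED_HOSTS:
            return Finding(code, "start/search page set to " + _host(value), line)
    return None

def triage_log(text: str) -> list:
    """Run triage_line over every line of a log, keeping findings in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]

# Constructed sample: lines from the log in post 3 plus one benign ctfmon entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://www.2020search.com/search/9884/search.html
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yhgop.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kcnrais.exe
O4 - HKLM\..\Run: [18773b9f.exe] C:\WINDOWS\system32\18773b9f.exe
O4 - HKCU\..\Run: [Jlnj] C:\DOCUME~1\Russ\MYDOCU~1\DOBE~1\smss.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - AppInit_DLLs: scanregw.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:<4}{f.reason}\n    {f.line}")
```

Running it reports nine of the ten sample lines and leaves the ctfmon.exe entry alone; entries such as O9 buttons, O16 DPF controls and R3 URLSearchHooks still need the manual review Andy gives them above.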
  4. You're welcome. If we can help with any problems in the future just let us know.

Happy Surfing
  5. Hi Nightraine

This is someone else's thread so it would have been best to start a new topic, but we may as well continue now you have posted the log. That is a very infected machine you have. I'd like to see the contents of the Add/Remove screen before we start to manually remove all the files, to see which programs have uninstallers present, but let's start with getting rid of Qoologic and SurfSideKick, then we can deal with the rest in the next post.

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix. Go to the folder you unzipped all files to and run Qoofix.exe. Click Begin Removal and wait for the scan to finish. If an infection has been found, select Yes to restart your computer. Post the contents of the Qoofix logfile, which is saved to the same location as Qoofix, into your next post.

Go to Start Menu > Control Panel > Add or Remove Programs and remove SurfSideKick; enter the number on screen and then reboot the PC when prompted.

Finally generate a list of the Add/Remove screen entries: open HijackThis, click Open the Misc Tools section, then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear. In this panel click the Save list button. Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the Add/Remove screen list and the Qoofix logfile.

Cheers
Andy
  6. Hi rdonline

Thanks for the logs. You have a lot of policy values in place that are not on a clean install of Windows, but none of the restrictions are enabled so they are not causing any problems. It looks like the antispyware tools you used before posting the log managed to clear the problems as the logs look fine.

Andy
  7. Hi fishkilr18,

The HijackThis log looks fine; how's things running now? Clear out the temp folders and Norton's Protected Bin and then run scans with Spybot and Ad-Aware to make sure there are no remaining issues.

Clear Norton's Protected Recycle Bin as described Here.

Download CCleaner from Here if you do not already have it installed. When the download page opens scroll down to the center download which is called (CCleaner v1.31.325 - Basic - No Toolbar - 561KB) then click Download Now. Run the setup file and press Next, click I Agree on the Licence Agreement then Next again, click Install and then finally click Finish. Run CCleaner and press the Run Cleaner button to remove temp files from the system.

Run Ad-Aware on a full system scan and remove anything found.

Finally run Spybot (here's the setup instructions if it's not already installed):

Spybot-S&D: install Spybot-S&D and run it. Select Search for updates and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click Download updates. When all updates have downloaded, click on Check for problems. When the scan has finished, select any entries listed in red and click Fix selected problems. Also enable Spybot's Immunize feature.

Let us know if there's any remaining problems.

Cheers
Andy
  8. Hi WS

Sorry for the delay, that looks great. I have included a couple of recommended steps below to help protect your computer from future infections.

Keep Ewido on the system; it shows as a 30 day trial but it works fine after that has expired as an "On-Demand" scanner and remover which you can manually update and use anytime.

Consider installing SpywareBlaster to help prevent infections. A tutorial on using SpywareBlaster can be found Here.

Please make sure to run your antivirus software regularly and to keep it up-to-date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

More information on how to prevent malware and to explain how you got infected can be found Here (by Tony Klein) and Here.

These steps will lower the chances of getting more malware issues, but let us know if you have any questions or problems anytime.

Happy Surfing
Andy
  9. Hi Prophecy

Sorry for the delay. That looks fine; are you still having any problems? I have included a few recommended steps below to help keep the PC clean and prevent future infections.

Keep Ewido on the system; it shows as a 30 day trial but it works fine after that has expired as an "On-Demand" scanner and remover which you can manually update and use anytime.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Spybot Search & Destroy. A tutorial on using Spybot to remove spyware from your computer may be found Here. Please also enable Spybot's Immunize feature.

SpywareBlaster. A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here.

Please make sure to run your antivirus software regularly and to keep it up-to-date; also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

More information on how to prevent malware and to explain how you got infected can be found Here (by Tony Klein) and Here.

These steps will lower the chances of getting any more malware issues, but let us know if you have any more questions or problems.

Cheers
Andy
  10. That is the best advice as, like you say, each system will be different. This machine has a few different infections so theirs may be not as bad; the [email protected] virus is not on any of the machines but the machines are infected by a Smitfraud variant. This infection changes the homepage and sometimes the desktop wallpaper, then adds a lot of trojan files and starts popping up alerts from the system tray to make it look like the alerts are from Windows. The intention is to get people to click the pop-up links or the links on the homepage if present and then buy whatever rogue scanner they are promoting, which tends to change from week to week, but they are all junk and some are even malicious themselves.

I need to go out for a while but I'll check back later for any updates.

Thanks
  11. Hi Atol

If you want to run some scanners it cannot do any harm, but I'd like you to also perform the steps in my last post. If you haven't run Ad-Aware yet (which is required before posting a log) then please do that. If by running Microsoft you mean Windows Defender, then that is beta software, so the person using that has to fully understand that beta software is just a test and could cause them problems which Microsoft would not be responsible for, as they have agreed to take part in beta testing and they are fully aware of the potential problems that may cause. Adding it to the system at this stage would also mean its Real Time protection would have to be disabled so it doesn't interfere with the HijackThis fixes we may have to make later or the fixtools.

Online scans are a good idea, but I will be suggesting them anyway when we get the log looking cleaner as some will generate a report that can be posted back which helps us to determine what's left on the machine. Having cookies set to accept all will not cause any malware issues as they are only text files; they are more of a privacy concern, so if they are concerned about them then you can set it to medium, but cookies will still get on the system. Even logging into Hotmail would add 'Tracking' cookies by DoubleClick, so they are not anything to be worried about.

Finally regarding MySpace, it's not possible for your infections to come through that site unless they have downloaded malicious files from someone's page or if the page they are viewing has malicious scripts embedded; even then it would be difficult to exploit the machine if the system has all the Service Packs and Security Updates installed and a working AV and firewall, so I doubt MySpace would be connected to these infections.

Let us know if you have any more questions. If the PC is at a different address you may be best posting the logs from there so we can continue with the clean up, to save you having to go back and forth.

Chat to you later
Andy
  12. Hi fishkilr18

Thanks for the logs. It's nice to hear Symantec's fixtool found no traces of the Abwiz Trojan, but it was on your system at some stage:

    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

That line showed in your first log and that is what Symantec refer to as Trojan.Abwiz.F. This Trojan does have rootkit features which allow it to hide any file named taskdir (taskdir.exe & taskdir.dll) until the main executable has been removed. We can run a rootkit scan to make sure it's not still present, but SmitfraudFix and the fixtool would have detected it if it exists, so maybe Norton already removed the file and left the Run key behind.

Can you place HijackThis into a folder so the backups are kept with the program: right click an empty space on the desktop and choose New then Folder, name it HJT or HijackThis, then left click the HijackThis.exe file and drag it over the new folder, release the mouse button and it will go into the folder.

Optional Fixes

Run HijackThis and choose Do A System Scan then place a check next to any of these entries that you want to fix, close all open browser and other windows except for HijackThis and press the Fix Checked button:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

These restrictions can be used by some malware to prevent you from changing settings like your homepage. They can also be set by you (using protection programs like Spybot S&D) to prevent malware changing your settings, or by system administrators to prevent their users changing settings. If you or a system administrator didn't impose those restrictions then please check these entries for fixing with HijackThis. If you had a malicious homepage when you posted the first log then it would indicate these have been placed there by malware to make it more difficult for you to change the homepage.

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)

If you have removed the AOL Toolbar from the system then this entry can be fixed.

Download Blacklight beta HERE and save it to your desktop. Run the program, accept the statement > click Next then Scan. When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.

Download Ewido Anti-Spyware. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top and then click on Complete System Scan. Ewido will list any infections found on the left; when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back.

Please then post back the Ewido report, Blacklight's log if it finds any hidden files and a new HijackThis log.

Cheers
Andy
  13. Hi Atol

Thanks for the logs. It looks like we still have a lot of work to do. You still have some Trojans showing in the log but SmitfraudFix also shows that it removed them, so I'm not sure if that means the removal failed or if the log was taken before the fixtools were run. Can you do the below steps and run the tools again, then post a new HijackThis log and we can see what's then remaining.

Copy this to Notepad and save it to your desktop again as some steps require a reboot.

Open HijackThis and click Open the Misc Tools section, then click Delete a file on reboot. In the File Name field, copy and paste this:

    C:\WINDOWS\system32\fxsrxy.dll

Then click Open. HijackThis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes. Your system should then reboot.

Next delete the C:\vundofix.txt file and then run VundoFix again and make sure it then shows clear. If it shows any files once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files; click YES. Once you click Yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shut down your computer; click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt into your next reply.

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top and then click on Complete System Scan. Ewido will list any infections found on the left; when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back.

Next open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

Finally generate a list of the Add/Remove screen entries so we can make sure there are no problems there: open HijackThis, click Open the Misc Tools section, then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear. In this panel click the Save list button. Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the Ewido scanlog, the VundoFix log (C:\vundofix.txt), the new SmitfraudFix report, the Uninstall list and a new HijackThis log. (Post them in different replies if needed so all the information is included.)

Let us know if you have any problems.

Thanks
Andy
  14. No problem Atol, let us know how you get on.

Andy